Enable Sensitivity Labels in M365 for Groups, Teams, SharePoint Sites - Preparation

Updated: Mar 1, 2022


In addition to using sensitivity labels to classify and protect documents and emails, you can also use sensitivity labels to protect content in the following containers: Microsoft Teams sites, Microsoft 365 groups (formerly Office 365 groups), and SharePoint sites. For this container-level classification and protection, use the following label settings:

  • Privacy (public or private) of teams sites and Microsoft 365 groups

  • External user access

  • External sharing from SharePoint sites

  • Access from unmanaged devices

  • Authentication contexts (in preview)

  • Default sharing link for a SharePoint site (PowerShell-only configuration)



P1 License

To configure this feature, there must be an Azure Active Directory Premium 1 license in your tenant.




Use App enforced restrictions in Azure with Conditional Access


Set the site-level setting by using PowerShell or a sensitivity label.

One way to do it: block unmanaged devices at site level by setting the site level with PowerShell.

Limitations: By default, a setting that includes web access allows users to view and edit files in their web browser. To change this, see Advanced configurations.

My preferred way to do it: block unmanaged devices at site level with sensitivity labels.

Limitations: Sensitivity labels for containers aren't supported with Office 365 Content Delivery Networks (CDNs).

https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-worldwide

This includes the following steps:


Enable sensitivity labels for containers and synchronize labels

Import the AzureADPreview module:

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-assign-sensitivity-labels

    Install-Module AzureADPreview

(Note: you cannot run the AzureAD module on the same computer.)

Import the module. Run the following commands to prepare to run the cmdlets (PowerShell):

    Import-Module AzureADPreview
    Connect-AzureAD

(I was getting an error message that I had the wrong architecture for the module. I tried with the 64-bit version. That worked!)

Conclusion for PowerShell and the 64-bit version: most architectures need the 64-bit (amd64) version of PowerShell. It can be found here:

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


The next step would be to fetch the group settings, where I unfortunately got the error: "Cannot bind argument to parameter 'Id"

According to Microsoft, I needed to configure the O365 group settings in PowerShell and do the following steps:

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-settings-cmdlets

PLEASE NOTE: I set up the URL like in the example; it needs to be updated to the real guideline URL:

    $Setting["UsageGuidelinesUrl"] = "https://guideline.example.com"
    $Setting["EnableMIPLabels"] = "True"

UPDATE: I updated the settings so that the URL is none:

    $Setting["UsageGuidelinesUrl"] = ""

The output was correct and successful. But... I could not see the labels as described in Azure for groups.

Another thing to do: synchronize your sensitivity labels to Azure AD.

First, connect to Security & Compliance Center PowerShell:

  • Install the EXO V2 module from the PowerShell Gallery

  • Set the execution policy for the local machine to "RemoteSigned" to install the ExchangeOnlineManagement shell

  • Connect to the Security and Compliance Center:

    Connect-IPPSSession -UserPrincipalName navin@contoso.com

Then run the following command to ensure your sensitivity labels can be used with Microsoft 365 groups:

    Execute-AzureADLabelSync

Jipeeh. It's working.

Side Note: Thanks Microsoft, that makes any cloud admin nuts..
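The whole preparation as one script, added here as an example and not taken from the original post or from Microsoft's documentation. It handles the case where the tenant has no Group.Unified settings object yet, which is what causes the "Cannot bind argument to parameter 'Id'" error when the Id is passed on. The admin UPN is a placeholder, and the script assumes the AzureADPreview and ExchangeOnlineManagement modules are already installed.

```powershell
# Added example. Run in 64-bit Windows PowerShell with a tenant admin account.
# Assumption: placeholder UPN, replace with your own admin account.
$AdminUpn = 'admin@contoso.example'

# The post reports an architecture error in the wrong host, so check first.
if (-not [Environment]::Is64BitProcess) {
    throw 'This is a 32-bit session. Start the 64-bit powershell.exe and retry.'
}

Import-Module AzureADPreview -ErrorAction Stop
Connect-AzureAD -AccountId $AdminUpn | Out-Null

# A tenant that never customised its group settings has no Group.Unified
# object, so $Setting is empty and $Setting.Id would be null.
$Setting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }

if (-not $Setting) {
    # Create the settings object from the built-in template.
    $Template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $Setting = $Template.CreateDirectorySetting()
    $Setting['EnableMIPLabels'] = 'True'
    New-AzureADDirectorySetting -DirectorySetting $Setting | Out-Null
}
elseif ($Setting['EnableMIPLabels'] -ne 'True') {
    # Settings exist already: only flip the label switch, keep the rest.
    $Setting['EnableMIPLabels'] = 'True'
    Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
}

# Read the values back from the directory instead of trusting the local copy.
(Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values |
    Where-Object { $_.Name -in 'EnableMIPLabels', 'UsageGuidelinesUrl' } |
    Format-Table Name, Value

# Synchronize the sensitivity labels to Azure AD.
Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-IPPSSession -UserPrincipalName $AdminUpn
Execute-AzureADLabelSync
Disconnect-ExchangeOnline -Confirm:$false
```

The read-back table should show EnableMIPLabels as True before the label sync runs; if it does not, the sync will not make labels appear on groups.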


Suggestion: I hope that Microsoft will just enable this feature with a button!

NEXT: How does the implementation look in the real world of Teams, SharePoint and OneDrive? Wait for the next post...