How to migrate from Azure Information Protection Labels to Sensitivity Labels and use them in Teams

Hi All,

In a recent announcement, Microsoft added the ability to use Sensitivity Labels with Microsoft Teams, Office 365 groups, and SharePoint sites. The feature is currently in Public Preview.

Here you can find an overview of Sensitivity Labels
https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels

In this article:
How to migrate Azure Information Protection labels to unified sensitivity labels
How to enable Sensitivity Labels preview in Teams
Create Sensitivity Labels for Teams
Publish labels
Test the label policy
Change the label to allow Guest
What happens to the Guest in the team if you apply a label that blocks Guests?

How to migrate Azure Information Protection labels to unified sensitivity labels

If you are using Azure Information Protection Labels, this is the right time to start planning the migration to the new Unified Sensitivity Labels.

To check whether you need to migrate AIP to unified labels, go to Azure > Azure Information Protection > Unified labeling and verify the status.
If your subscription was created in June 2019 or later, the status should be “Activated”; otherwise you need to upgrade.

As the alert says, before you activate unified labeling, go to Office 365 Security & Compliance > Classification > Sensitivity labels and check whether you have any Sensitivity Labels with the same names as your AIP labels.
https://protection.office.com/sensitivity?viewid=sensitivitylabels

If you do not have any Sensitivity Labels, or there is no overlap, you can safely activate the migration to unified labeling.

The complete process is documented here
https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-migrate-labels

How to enable Sensitivity Labels preview in Teams

To enable the Sensitivity Labels preview in Teams, we have to use the AzureADPreview module.

To install this module from PowerShell Gallery, run this command from a PowerShell session:

Install-Module AzureADPreview

then connect to Azure AD with:

Connect-AzureAD

If you receive this error

PS C:\Windows\system32> Get-AzureADDirectorySetting
Get-AzureADDirectorySetting : The term 'Get-AzureADDirectorySetting' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At line:1 char:1
+ Get-AzureADDirectorySetting
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-AzureADDirectorySetting:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

you have probably installed both the AzureAD and AzureADPreview modules.
Run the following command to check which module provides each cmdlet:

man Get-AzureADDirectory*

PS C:\Windows\system32> man Get-AzureADDirectory*

Name                              Category  Module                    Synopsis
----                              --------  ------                    --------
Get-AzureADDirectoryRole          Cmdlet    AzureAD                   Gets a directory role.
Get-AzureADDirectoryRoleMember    Cmdlet    AzureAD                   Gets members of a directory role.
Get-AzureADDirectoryRoleTemplate  Cmdlet    AzureAD                   Gets directory role templates.
Get-AzureADDirectorySetting       Cmdlet    AzureADPreview            Get-AzureADDirectorySetting...
Get-AzureADDirectoryRole          Cmdlet    AzureADPreview            Get-AzureADDirectoryRole...
Get-AzureADDirectorySettingTem... Cmdlet    AzureADPreview            Get-AzureADDirectorySettingTemplate...
Get-AzureADDirectoryRoleTemplate  Cmdlet    AzureADPreview            Get-AzureADDirectoryRoleTemplate...
Get-AzureADDirectoryRoleMember    Cmdlet    AzureADPreview            Get-AzureADDirectoryRoleMember...

If this is your situation, open a new PowerShell session and run the following command. The cmdlet that we need should now be available.

AzureADPreview\Connect-AzureAD

To check the current AzureADDirectorySetting configuration you can use

$FormatEnumerationLimit =-1
Get-AzureADDirectorySetting | where {$_.DisplayName -eq "Group.Unified"} | fl

To enable the preview, we need to set the EnableMIPLabels setting to True.
Run the following commands to create or modify the Directory Settings:

# Look for an existing Group.Unified directory setting in the tenant
$setting = (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ)
if ($null -eq $setting)
{
    # No setting yet: create one from the Group.Unified template
    $template = Get-AzureADDirectorySettingTemplate -Id 62375ab9-6b52-47ed-826b-58e47e0e304b
    $setting = $template.CreateDirectorySetting()
    $setting["EnableMIPLabels"] = "True"
    New-AzureADDirectorySetting -DirectorySetting $setting
}
else
{
    # Setting already exists: update it in place
    $setting["EnableMIPLabels"] = "True"
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}

Create Sensitivity Labels for Teams

To create the new Sensitivity Labels for Teams go to Office 365 Security & Compliance > Classification > Sensitivity labels and click on Create a label
https://protection.office.com/sensitivity?viewid=sensitivitylabels

First I create a “Private Team with Guests” label

For the purpose of this test, skip to Site and group settings, enable it, set Privacy of Office 365 group-connected team sites to Private, and select External users access to allow Guests.

Now create a new label, “Private Team without Guests”.

In this label, leave the External users access option unselected to prevent Guests.

Verify that you now have two labels.

Publish labels

To use the new labels you have to publish them with a Label Policy.
Click on Publish labels and follow these easy steps.
Then wait 24 hours to have the Policy applied.

Note: you really have to wait 24 hours to have the Policy applied, it’s not a joke 🙂

Test the label policy

After 24 hours you can test the new Label Policy.
When you create a new team in Teams, a new Sensitivity option now appears.

In this example I choose the label “Private Team without Guests” and, correctly, the Public and Org-wide team options are disabled.

Note: if you get the message "You are not authorized" you probably do not have an Azure Information Protection P1

If I try to add a Guest to this team, I get this message. Maybe in the future it will be changed to inform the user that Guests are not allowed in this team.

Change the label to allow Guest

Now I change the label to “Private Team with Guests” to allow external access

It’s now possible to add Guests to this team

What happens to the Guest in the team if you apply a label that blocks Guests?

I was wondering what happens to the Guest in the team if you apply a label that blocks Guests.
So I changed the label again to “Team without Guests”

The Guest already present in the team is not removed after this change. Take care!

Correctly, I cannot add new Guests.
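
A follow-up check for the behaviour observed above, as an added example that is not part of the original post: it lists the Guests still present in teams that were relabeled to block Guests, and removes them only after confirmation. The function names and the placeholder ObjectId are hypothetical, and it assumes a session opened with AzureADPreview\Connect-AzureAD.

```powershell
# Added example. Assumes AzureADPreview\Connect-AzureAD has already been run
# and that you supply the ObjectIds of the Office 365 groups behind the teams.
function Get-TeamGuestMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $GroupObjectId
    )
    process {
        foreach ($id in $GroupObjectId) {
            $group = Get-AzureADGroup -ObjectId $id
            # Keep only user objects whose UserType marks them as Guests
            Get-AzureADGroupMember -ObjectId $id -All $true |
                Where-Object { $_.ObjectType -eq 'User' -and $_.UserType -eq 'Guest' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Team              = $group.DisplayName
                        GroupObjectId     = $id
                        Guest             = $_.DisplayName
                        UserPrincipalName = $_.UserPrincipalName
                        MemberObjectId    = $_.ObjectId
                    }
                }
        }
    }
}

function Remove-TeamGuestMember {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject] $GuestMembership
    )
    process {
        $target = "$($GuestMembership.UserPrincipalName) in '$($GuestMembership.Team)'"
        # -WhatIf / -Confirm are honoured here, before anything is changed
        if ($PSCmdlet.ShouldProcess($target, 'Remove guest from group')) {
            Remove-AzureADGroupMember -ObjectId $GuestMembership.GroupObjectId -MemberId $GuestMembership.MemberObjectId
        }
    }
}

# Placeholder ObjectId: replace with the groups you relabeled to block Guests.
$relabeled = @('00000000-0000-0000-0000-000000000000')
$leftover  = $relabeled | Get-TeamGuestMember
$leftover | Format-Table Team, Guest, UserPrincipalName
if ($leftover) { $leftover | Remove-TeamGuestMember -WhatIf }   # drop -WhatIf after review
```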
