Sensitivity labels can also protect content in Microsoft Teams sites, Microsoft 365 groups, and SharePoint sites. The feature is not enabled for containers by default and must be activated using PowerShell. The steps are included in the document
Enable sensitivity label support in PowerShell
- Open a PowerShell prompt on your computer and run the following commands to prepare to run the cmdlets in Powershell
set-executionpolicy remotesigned
Press “Y” on the prompt screen
2. Enable sensitivity label support in PowerShell
To apply published labels to groups, you must first enable the feature. These steps enable the feature in Microsoft Entra ID. The Microsoft Graph PowerShell SDK comes in two modules, Microsoft.Graph and Microsoft.Graph.Beta
Install-Module Microsoft.Graph -Scope CurrentUser
Multiple prompts will appear and Press “Y” or “A” for each prompt
Install-Module Microsoft.Graph.Beta -Scope CurrentUser
Press “Y” or “A” for the prompt screen
3. Connect to your tenant.
Connect-MgGraph -Scopes “Directory.ReadWrite.All”
Enter your Tenant administrator username and password. Authenticate with MFA if enabled.
Accept the Permissions Requested
4. Fetch the current group settings for the Microsoft Entra organization and display the current group settings.
$grpUnifiedSetting = Get-MgBetaDirectorySetting | Where-Object { $_.Values.Name -eq “EnableMIPLabels” } $grpUnifiedSetting.Values
Note: If no group settings were created for this Microsoft Entra organization, you get an empty screen. Then follow Step 5 otherwise follow step 6
5. Create settings at the directory level
In the Directory Settings cmdlets, you must specify the ID of the Settings Template you want to use. If you don’t know this ID, this cmdlet returns the list of all settings templates:
Get-MgBetaDirectorySettingTemplate
First you need to get the SettingsTemplate object that defines EnableMIPLabels, that is, the Group. Unified template
$TemplateId = (Get-MgBetaDirectorySettingTemplate | where { $_.DisplayName -eq “Group.Unified” }).Id
$Template = Get-MgBetaDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ
6. Apply the new settings.
$params = @{
templateId = “$TemplateId”
Values = @(
@{
Name = “EnableMIPLabels”
Value = “True”
}
)
}
For new use the below command
New-MgBetaDirectorySetting -BodyParameter $params
For existing parameters,
Update-MgBetaDirectorySetting -DirectorySettingId $grpUnifiedSetting.Id -BodyParameter $params
7. Verify that the new value is present.
$Setting = Get-MgBetaDirectorySetting -DirectorySettingId $grpUnifiedSetting.Id $Setting.Values
If you receive a Request_BadRequest error, it’s because the settings already exist in the tenant. When you try to create a new property:value pair, the result is an error.
8. Enable Azure Label Sync
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName email address removed for privacy reasons
Execute-AzureAdLabelSync
Disconnect-ExchangeOnline
9. We are able to select the scope for Groups and Sites
