In my first blog post I will show you how to get started with labels in Microsoft Teams. There are still some limitations, but overall the basics work well. With labels you can allow or block guest users in Microsoft Teams with a specific label. Today you can classify both from the GUI and from PowerShell.

The following apps and services support the sensitivity labels in this preview:

  • Microsoft 365 compliance center
  • SharePoint
  • Outlook on the web
  • Teams
  • SharePoint admin center
  • Azure AD admin center

You can’t use the following apps and services to create Office 365 groups with the new sensitivity labels:

  • Outlook for the Mac
  • Outlook mobile
  • Outlook desktop for Windows
  • Forms
  • Dynamics 365
  • Yammer
  • Stream
  • Planner
  • Project
  • PowerBI
  • Teams admin center
  • Microsoft 365 admin center
  • Exchange admin center

The primary focus will be the public/private setting and guest access, and how to configure them automatically with a sensitivity label. Before you begin creating or updating labels, you need to know that changes can take between 24 and 48 hours to take effect. The fastest way is to create a new label.

Get started by setting up your sensitivity labels in the Security & Compliance portal. In this demo I will use 2 different sensitivity labels. https://protection.office.com/sensitivity?viewid=sensitivitylabels

If you want to configure site and group settings, you need to configure privacy for the label. You can only choose between public and private. You cannot choose both, and you cannot let users decide.

  • Public allows guest access and is only available with privacy: public
  • Internal is closed for guest access and is only available with privacy: private

You’re now ready to enable the preview of sensitivity labels with Microsoft Teams, Office 365 groups, and SharePoint sites.

Start by installing or updating to the latest Azure AD Preview PowerShell module.

# Install
Install-Module AzureADPreview
# Update
Update-Module AzureADPreview

Connect to Azure AD:

Connect-AzureAD

Run the following commands:

# Look for an existing Group.Unified directory setting
$setting = (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ)
if ($null -eq $setting)
{
    # No setting yet: create one from the Group.Unified template and enable labels
    $template = Get-AzureADDirectorySettingTemplate -Id 62375ab9-6b52-47ed-826b-58e47e0e304b
    $setting = $template.CreateDirectorySetting()
    $setting["EnableMIPLabels"] = "True"
    New-AzureADDirectorySetting -DirectorySetting $setting
}
else
{
    # Setting already exists: enable labels on it and save it back
    $setting["EnableMIPLabels"] = "True"
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}

If you already have the ClassificationList item, it will be disabled automatically, and so will DefaultLabel if that is configured. When the public preview is enabled, you need to do a sync with the following commands. First connect to the SCC portal.

Set-ExecutionPolicy RemoteSigned
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

Execute-AzureAdLabelSync

If you have MFA enabled, which is normal, then you need to connect from the Exchange portal and use the Exchange Online PowerShell module that has support for MFA.

Configure the site and group settings when you create or edit sensitivity labels

After you have enabled the public preview, update the sensitivity labels to allow or block guests and set the privacy of the sensitivity label. Modifying a label can take up to 48h before you see the result. If you create and publish a new label, it will take up to 24h instead. Keep in mind to make this setting at the start, when you create the label in the SCC portal.

From Microsoft Teams you can now create a new team and set the label directly from the GUI. Choose between the Public and the Internal label. You will also see that one of the privacy settings is greyed out, depending on which label you use.

When the team is created you can look at its settings and verify whether you are able to invite guest users. You can try from the GUI, but you can also get the information from PowerShell. Connect to the Exchange Online module.

Connect-ExchangeOnline
Get-UnifiedGroup -Identity SE-Internal | select DisplayName, AllowAddGuests, ExternalDirectoryObjectId, SensitivityLabel | fl
Get-UnifiedGroup -Identity se-public | select DisplayName, AllowAddGuests, ExternalDirectoryObjectId, SensitivityLabel | fl

From the pictures above you will see the SensitivityLabel and AllowAddGuests values. All current members will still have access to the team, but you are not able to invite new guests. SensitivityLabel is just an id, and to find out which label matches this id you need to connect to the SCC PowerShell module again.

From the PowerShell module, run the following commands:

Get-Label -Identity Internal | Select Name, ImmutableId
Get-Label -Identity Public | Select Name, ImmutableId

Verify the label in the output against the output from the Get-UnifiedGroup command earlier.
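
The manual comparison above, extended to every group at once, as an added example that is not part of the original post. The function name Get-LabelGuestDrift, its parameters, the finding names and the sample objects are assumptions constructed for illustration; only the Public label id comes from the post.

```powershell
# Added example: resolve each group's SensitivityLabel id to a label name and
# flag groups whose guest setting disagrees with what the label should enforce.
function Get-LabelGuestDrift {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Groups,  # Get-UnifiedGroup output
        [Parameter(Mandatory)] [object[]] $Labels,  # Get-Label output
        # Assumption: labels configured to block guests (Internal in this post)
        [string[]] $GuestBlockingLabels = @('Internal')
    )
    # Index labels by ImmutableId so the id on a group resolves to a name
    $byId = @{}
    foreach ($l in $Labels) { $byId["$($l.ImmutableId)".ToLower()] = $l.Name }
    $empty = [guid]::Empty.ToString()

    foreach ($g in $Groups) {
        $id   = "$($g.SensitivityLabel)".ToLower()
        $name = if ($byId.ContainsKey($id)) { $byId[$id] } else { $null }
        # Assumption: an unlabeled group reports an empty or all-zero id
        $finding = if (-not $id -or $id -eq $empty) {
            'Unlabeled'
        } elseif (-not $name) {
            'UnknownLabelId'   # label removed, or change not yet propagated
        } elseif ($GuestBlockingLabels -contains $name -and $g.AllowAddGuests) {
            'GuestsAllowedOnBlockingLabel'
        } else { 'OK' }
        [pscustomobject]@{
            DisplayName = $g.DisplayName; Label = $name
            AllowAddGuests = $g.AllowAddGuests; Finding = $finding
        }
    }
}

# Constructed sample objects standing in for live cmdlet output
$labels = @(
    [pscustomobject]@{ Name = 'Public';   ImmutableId = '5606fb1a-7165-4d34-baa2-9b156ef39cff' }  # id applied to SE-Public in the post
    [pscustomobject]@{ Name = 'Internal'; ImmutableId = '11111111-1111-1111-1111-111111111111' }  # constructed
)
$groups = @(
    [pscustomobject]@{ DisplayName = 'SE-Public';   AllowAddGuests = $true; SensitivityLabel = '5606fb1a-7165-4d34-baa2-9b156ef39cff' }
    [pscustomobject]@{ DisplayName = 'SE-Internal'; AllowAddGuests = $true; SensitivityLabel = '11111111-1111-1111-1111-111111111111' }
    [pscustomobject]@{ DisplayName = 'SE-Legacy';   AllowAddGuests = $true; SensitivityLabel = $null }
)
Get-LabelGuestDrift -Groups $groups -Labels $labels | Where-Object Finding -ne 'OK' | Format-Table

# Against a live tenant, with the Exchange Online and SCC sessions both connected:
# Get-LabelGuestDrift -Groups (Get-UnifiedGroup -ResultSize Unlimited) -Labels (Get-Label)
```

Because label changes can take 24-48h to apply, a group reported here shortly after a label edit may simply not have picked up the change yet.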

If you have existing teams that you want to deploy these labels on, you can do it with PowerShell.

Set-UnifiedGroup -Identity SE-Public -SensitivityLabelId "5606fb1a-7165-4d34-baa2-9b156ef39cff"