Hi All, welcome to How to Migrate from Azure Information Protection Labels to Sensitive Labels and use them in Teams. In a recent announcement Microsoft added the possibility to use Sensitivity Labels with Microsoft Teams, Office 365 groups, and SharePoint sites, at this moment in Public Preview.
Here you can find an overview of Sensitivity Labels https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels
In this article:
– How to migrate Azure Information Protection labels to unified sensitivity labels
– How to enable Sensitive Labels preview in Teams
– Create Sensitivity Labels for Teams
– Publish labels
– Test the label policy
– Change the label to allow Guest
– What happens to the Guest in the team if you apply a label that block Guests?
How to migrate Azure Information Protection labels to unified sensitivity labels
If you are using Azure Information Protection Labels, this is the right time to start to plan the migration to the new Unified Sensitivity Labels.
To check if you need to migrate AIP to unified labels, go to Azure > Azure Information Protection > Unified labeling and verify the status.
If your subscription was created on June 2019 or later, the status should be “Activated”, otherwise you need to upgrade.
As the alert said, before you activate the unified labeling, go to Office 365 Security & Compliance > Classification > Sensitivity labels
https://protection.office.com/sensitivity?viewid=sensitivitylabels to check if you have some Sensitivity Labels with the same name of AIP labels.
If you do not have any Sensitivity Labels or there aren’t any overlap, you can safely activate the migration to unified labeling
The complete process is documented here https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-migrate-labels
How to enable Sensitive Labels preview in Teams
To enable Sensitive Labels preview in Teams, we have to use AzureADPreview module
To install this module from PowerShell Gallery, run this command from a PowerShell session:
| 1 | Install-Module AzureADPreview |
then connect to Azure AD with:
| 1 | Connect-AzureAD |
If you receive this error
PS C:\Windows\system32> Get-AzureADDirectorySetting
Get-AzureADDirectorySetting : The term 'Get-AzureADDirectorySetting' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At line:1 char:1
+ Get-AzureADDirectorySetting
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-AzureADDirectorySetting:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
you probably have installed both AzureAD and AzureADPreview modules.
Run the following command to check your installed modules
man Get-AzureADDirectory*
PS C:\Windows\system32> man Get-AzureADDirectory*
Name Category Module Synopsis
---- -------- ------ --------
Get-AzureADDirectoryRole Cmdlet AzureAD Gets a directory role.
Get-AzureADDirectoryRoleMember Cmdlet AzureAD Gets members of a directory role.
Get-AzureADDirectoryRoleTemplate Cmdlet AzureAD Gets directory role templates.
Get-AzureADDirectorySetting Cmdlet AzureADPreview Get-AzureADDirectorySetting...
Get-AzureADDirectoryRole Cmdlet AzureADPreview Get-AzureADDirectoryRole...
Get-AzureADDirectorySettingTem... Cmdlet AzureADPreview Get-AzureADDirectorySettingTemplate...
Get-AzureADDirectoryRoleTemplate Cmdlet AzureADPreview Get-AzureADDirectoryRoleTemplate...
Get-AzureADDirectoryRoleMember Cmdlet AzureADPreview Get-AzureADDirectoryRoleMember...
If this is your situation, open a new PowerShell session and run the following command, now you should have the cmdlet that we need.
AzureADPreview\Connect-AzureAD
To check the current AzureADDirectorySetting configuration you can use
$FormatEnumerationLimit =-1
Get-AzureADDirectorySetting | where {$_.DisplayName -eq "Group.Unified"} | fl
To enable the preview, we need to set the EnableMIPLabels setting to True
Run the following commands to create or modify the Directory Settings
$setting=(Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ)
if ($setting -eq $null)
{
$template = Get-AzureADDirectorySettingTemplate -Id 62375ab9-6b52-47ed-826b-58e47e0e304b
$setting = $template.CreateDirectorySetting()
$setting["EnableMIPLabels"] = "True"
New-AzureADDirectorySetting -DirectorySetting $setting
}
else
{
$setting["EnableMIPLabels"] = "True"
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}
Create Sensitivity Labels for Teams
To create the new Sensitivity Labels for Teams go to Office 365 Security & Compliance > Classification > Sensitivity labels and click on Create a label
https://protection.office.com/sensitivity?viewid=sensitivitylabels
First I create a “Private Team with Guests” label
for the purpose of this test, skip to Site and group settings, enable it, set Privacy of Office 365 group-connected team sites to Private, and flag External users access to allow Guests
Now create a new label “Private Team without Guests“
Verify to have two Labels
Publish labels
To use the new labels you have to publish them with a Label Policy.
Click on Publish labels and follow these easy steps.
Then wait 24 hours to have the Policy applied.
Note: you really have to wait 24 hours to have the Policy applied, it’s not a joke
Test the label policy
After 24 hours you can test the new Label Policy.
Creating a new team in Teams, now appear a new Sensitivity option
In this example I choose the label “Private Team without Guests” and, correctly, the Public and Org-wide team option are disabled
Note: if you get the message "You are not authorized" you probably do not have an Azure Information Protection P1
If I try to add a Guest to this team I’ll get this message, maybe in the future it will be changed to inform the user that Guests are not allowed in this team
Change the label to allow Guest
Now I change the label to “Private Team with Guests” to allow external access
It’s now possible to add Guests to this team
What happens to the Guest in the team if you apply a label that block Guests?
I was wondering about what happens to the Guest in the team if you apply a label that block Guests.
So I changed the label again to “Team without Guests”
The present Guest in the team is not removed after this change. Take care!
Correctly I cannot add new Guests
For more news check out our resource centre
About the Author:
Microsoft Office Apps & Services MVP
MCSE | SfB and Teams Enterprise Voice Specialist
Ribbon SBC | KalliopePBX | DECT Specialist
Cloud Video Interop Solutions | EICC Solutions
Reference:
Vitali, L. (2020). How to migrate from Azure Information Protection Labels to Sensitive Labels and use them in Teams. Available at: https://lucavitali.wordpress.com/2019/12/20/how-to-migrate-from-aip-labels-to-sensitive-labels-in-teams/ [Accessed: 24th November 2020].
Check out more great Microsoft Teams Content here or join our mailing list to stay up to date.
