Monday 24 February 2020

Enable Microsoft Information Protection (MIP) Label Preview for SharePoint Online and Microsoft Teams

Microsoft have announced the ability to classify an Office 365 Group via the creation of a SharePoint Online Team Site, or Microsoft Team with Unified Labelling.

This is a great feature to have, and effectively starts to really drive adoption of classification for these services - although the feature is in preview and still needs additional work to be a feature complete solution.

So how do you enable it for your tenancy? Let's take a look!

First of all ensure you have the latest preview version of the AzureAD PowerShell module. You can grab it here. For help on installing the module, see here.

Once you have the latest preview version of the AzureAD module then we'll all set to start making some configuration changes. We need to configure and enable 'EnableMIPLabels' for our Azure AD directory settings for the tenancy we're performing this work on. You can grab the below script from Microsoft here. Save this to a powershell file.

$setting=(Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ) if ($setting -eq $null) { $template = Get-AzureADDirectorySettingTemplate -Id 62375ab9-6b52-47ed-826b-58e47e0e304b $setting = $template.CreateDirectorySetting() $setting["EnableMIPLabels"] = "True" New-AzureADDirectorySetting -DirectorySetting $setting } else { $setting["EnableMIPLabels"] = "True" Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting }

To check for the change, see the directory setting 'EnableMIPLabels' by running this command i Get-AzureADDirectorySetting -Id "62375ab9-6b52-47ed-826b-58e47e0e304b" | select -ExpandProperty values

You should see 'EnableMIPLabels' is now set to 'True'.

So what now? Well the truth of the matter is this change does take a little while to propagate across your tenant. I waited a few hours before I saw it working when creating SharePoint Online Team sites and Microsoft Teams.

So what's next? Well let's create a Unified Label specifically for this test. Go the the Security & Compliance Center and create a new sensitivity label.

You will see there's the new option to configure 'Site and group settings'

I have changed the defaults here to change the privacy to 'Private - only members can access the site', and I have disallowed external user access. I then save the label and push it to a label policy.

The label may take a while to show up. However when it does and the AzureAD directory settings have also invoked you should see this in Microsoft Teams when creating a new Team.

First of all you'll notice that I have the ability of selecting both a public and private team with the sensitivity label being set to 'none'.

Now see what happens if I select the label I created.

You can see Microsoft Teams immediately removes the ability for it to be Public based on the privacy settings applied to the unified label.

OK so if I go ahead and create the Team how can I easily see if there's a label applied? Well you'll see it applied in the top right hand corner of the client.

Can I add external users? If you remember I explicitly disallowed this in the unified label I created. Let's take a look.

You can see I get the same experience as if Azure Guest access isn't enabled. But it is. Let's take a look at another Team and try and add the same external user.

You can see it works just fine.

Similarly if I try and edit the settings of the Team to public from it's current private setting you'll see the label continues to push your compliance on the Team.

So what's SharePoint Online look like? Currently the sensitivity label support is only present in the SharePoint Admin Center when you create a new Team site, rather than directly in SharePoint Online for users to be able to take advantage of - like the current Microsoft Teams experience. Let's take a look.

Go to the SharePoint Admin Center | Sites | Active Sites and select 'Create'. When selecting a Team Site you will see under 'advanced settings' that sensitivity label support is now present.

Let's take a look with the Public label selected - you will notice the privacy settings are Public.

Versus my unified label where I specified Private.

So the Preview appears to be off to a flying start, but as stated more work is needed. Giving SharePoint Online the same end user creation capability for a Team Site with label that Microsoft Teams gets will be a welcome addition. And there's a fundamental issue where files aren't currently protected with the label that you set in the document stores, for example I can share files to an external user if I so wished, but I am sure these will be improvements that get baked into the functionality as it matures and comes out of Preview and generally available.

If this is all to much for your production tenant, then simply revert 'EnableMIPLabels' back to 'False'. I would suggest testing on a demo tenant to ensure you are happy if you want to enable and play with preview features.

Have fun!