
Monday, 24 February 2020

Enable Microsoft Information Protection (MIP) Label Preview for SharePoint Online and Microsoft Teams



Microsoft have announced the ability to classify an Office 365 Group via the creation of a SharePoint Online Team Site, or Microsoft Team with Unified Labelling.

This is a great feature to have, and effectively starts to really drive adoption of classification for these services - although the feature is in preview and still needs additional work to be a feature complete solution.

So how do you enable it for your tenancy? Let's take a look!

First of all ensure you have the latest preview version of the AzureAD PowerShell module. You can grab it here. For help on installing the module, see here.

Once you have the latest preview version of the AzureAD module, we're all set to start making some configuration changes. We need to configure and enable 'EnableMIPLabels' in the Azure AD directory settings for the tenancy we're performing this work on. You can grab the below script from Microsoft here. Save this to a PowerShell file.

$setting = (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ)
if ($setting -eq $null)
{
    $template = Get-AzureADDirectorySettingTemplate -Id 62375ab9-6b52-47ed-826b-58e47e0e304b
    $setting = $template.CreateDirectorySetting()
    $setting["EnableMIPLabels"] = "True"
    New-AzureADDirectorySetting -DirectorySetting $setting
}
else
{
    $setting["EnableMIPLabels"] = "True"
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}


To check the change, view the directory setting 'EnableMIPLabels' by running this command:

Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ | select -ExpandProperty Values

You should see 'EnableMIPLabels' is now set to 'True'.


So what now? Well the truth of the matter is this change does take a little while to propagate across your tenant. I waited a few hours before I saw it working when creating SharePoint Online Team sites and Microsoft Teams.

So what's next? Well let's create a Unified Label specifically for this test. Go to the Security & Compliance Center and create a new sensitivity label.


You will see there's the new option to configure 'Site and group settings'



I have changed the defaults here to change the privacy to 'Private - only members can access the site', and I have disallowed external user access. I then save the label and push it to a label policy.


The label may take a while to show up. However, once it does and the AzureAD directory settings have also taken effect, you should see this in Microsoft Teams when creating a new Team.

First of all you'll notice that I have the ability of selecting both a public and private team with the sensitivity label being set to 'none'.


Now see what happens if I select the label I created.


You can see Microsoft Teams immediately removes the ability for it to be Public based on the privacy settings applied to the unified label.

OK so if I go ahead and create the Team how can I easily see if there's a label applied? Well you'll see it applied in the top right hand corner of the client.


Can I add external users? If you remember I explicitly disallowed this in the unified label I created. Let's take a look.


You can see I get the same experience as if Azure Guest access isn't enabled. But it is. Let's take a look at another Team and try and add the same external user.


You can see it works just fine.

Similarly, if I try to change the Team from its current private setting to public, you'll see the label continues to enforce your compliance settings on the Team.



So what's SharePoint Online look like? Currently the sensitivity label support is only present in the SharePoint Admin Center when you create a new Team site, rather than directly in SharePoint Online for users to be able to take advantage of - like the current Microsoft Teams experience. Let's take a look.

Go to the SharePoint Admin Center | Sites | Active Sites and select 'Create'. When selecting a Team Site you will see under 'advanced settings' that sensitivity label support is now present.

Let's take a look with the Public label selected - you will notice the privacy settings are Public.


Versus my unified label where I specified Private.



So the Preview appears to be off to a flying start, but as stated more work is needed. Giving SharePoint Online the same end-user creation capability for a Team Site with a label that Microsoft Teams gets will be a welcome addition. There's also a fundamental issue where files in the document stores aren't currently protected with the label that you set; for example, I can share files with an external user if I so wish. I am sure these will be improvements that get baked into the functionality as it matures, comes out of Preview and becomes generally available.

If this is all too much for your production tenant, then simply revert 'EnableMIPLabels' back to 'False'. I would suggest testing on a demo tenant to ensure you are happy if you want to enable and play with preview features.
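The revert described above, as an added example that is not part of the original post or of Microsoft's script. It assumes the preview AzureAD module is loaded and Connect-AzureAD has already been run; the function name Set-MipLabelSupport is hypothetical.

```powershell
# Added example: set EnableMIPLabels to a chosen value and read it back from the directory.
# Assumes Connect-AzureAD has been run. Set-MipLabelSupport is a hypothetical helper name.
function Set-MipLabelSupport {
    param([Parameter(Mandatory)][bool]$Enabled)

    # Same lookup the post's script uses to find the Group.Unified settings object.
    $setting = Get-AzureADDirectorySetting |
        Where-Object -Property DisplayName -Value "Group.Unified" -EQ

    if ($null -eq $setting) {
        if (-not $Enabled) {
            # No settings object exists, so there is nothing to revert.
            Write-Output "No Group.Unified settings object found; nothing to change."
            return
        }
        $template = Get-AzureADDirectorySettingTemplate -Id 62375ab9-6b52-47ed-826b-58e47e0e304b
        $setting  = $template.CreateDirectorySetting()
        $setting["EnableMIPLabels"] = "True"
        New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
    }
    else {
        # Record the previous value so the change is visible in the console output.
        $before = ($setting.Values | Where-Object Name -EQ "EnableMIPLabels").Value
        $setting["EnableMIPLabels"] = $Enabled.ToString()
        Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
        Write-Output "EnableMIPLabels was '$before'."
    }

    # Read the value back from the directory rather than trusting the local object.
    $fresh = Get-AzureADDirectorySetting |
        Where-Object -Property DisplayName -Value "Group.Unified" -EQ
    $after = ($fresh.Values | Where-Object Name -EQ "EnableMIPLabels").Value
    Write-Output "EnableMIPLabels is now '$after'."
}

# Revert the preview feature on this tenant.
Set-MipLabelSupport -Enabled $false
```

As with enabling the setting, expect a delay before Teams and the SharePoint Admin Center reflect the reverted value.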


Have fun!














Thursday, 11 April 2019

Enabling Azure Information Protection Unified Labelling Preview

Microsoft currently have Unified Labelling in preview, but if you are looking at migrating your Azure Information Protection labels over to the Compliance Center what do you need to do?
First and foremost, I would advise against doing this in a real in-life tenant right now unless you are well prepared and ready for users to utilise it in Office.

Migrating the labels and having a Unified Labelling experience is one thing, but currently not all settings are migrated, so you have to check each migrated label with care and attention, reconfiguring the labels as and where necessary.

If you have a test Office 365 tenant however, this is a great place to test the unified experience to help plan for when the service becomes generally available, and will also allow you to test out the experience in Microsoft Office clients with the Unified Label plug-in.

So - how do we unify the label experience to help us plan for the change as an administrator for when Microsoft push this change to the service later in the year?

First things first, let's take a look at what's in the Compliance Center | Classifications | Labels. You will see these have now been split into 'Sensitivity' and 'Retention'.





In my test tenant, any previous labels I had created before this change would have been for Retention only, as Sensitivity was not an option. So you can see I have zero Sensitivity labels available.




So how do we migrate labels from the Azure Portal to Compliance Center? If we log in to the Azure Portal and select Azure Information Protection, you'll see 'Unified labeling (Preview)' at the bottom of the blade. You'll see that it is a one-way process that cannot be undone once activated, and that any labels with duplicate names across the service will be renamed (so best to check this, or test it out like I did). The one thing it doesn't state is that not all your settings are migrated over, which is pretty poor to be honest and something it should absolutely state. You can read up about this further in the docs.microsoft.com AIP documentation.

Let's take a look and then activate.



Once activated you will see your AIP labels appear in Compliance Center under 'Sensitivity'.


So comparing the migrated labels you'll see some settings are migrated, and others are not. So make sure you verify each and every migrated label. However it is generally pretty good at carrying most things over. Confirm all protection settings and headers and footers to re-affirm your configuration settings.

You can see, for example, that the encryption settings and users specified for a label have been carried over successfully in this example label.




So once you have tested the experience, you now need to ensure you have downloaded and installed the unified label plug-in for Microsoft Office. It requires a specific version of .NET and there's a specific KB to install to allow it to work on Windows 7 machines. It also supports Office 2010, which is a surprise too - you'll find all the caveats to these here.

Have fun!


Friday, 8 February 2019

Using the Win32 Application Packaging Tool for Intune deployment

First of all Happy 2019!

Hopefully by now you are using Microsoft Intune to manage some of your device estate - even if the concentration is purely for mobile and tablet MDM purposes. Intune is a great way to manage Windows 10 devices - especially with Autopilot and AAD joins. But how do you push Win32 apps to your devices?

In comes the Win32 Application packaging tool. You can get the build from Github here.

It's fairly easy to use to convert your msi and exe files to the .intunewin standard for uploading into the Intune console.

In this example I am packaging Notepad++. In the root of the folder that houses IntuneWinAppUtil.exe, create a folder for the application you want to convert, ensuring any ancillary files are included, and create another folder to receive the converted file.


From here open PowerShell or the command prompt and run:

IntuneWinAppUtil.exe -c "Source folder containing the application files" -s "The name of the .exe" -o "The output folder to put the .intunewin package in"

The switches are explained below, and -h is for help.

Sample commands to use for the Microsoft Win32 Content Prep Tool:

IntuneWinAppUtil -h
    This will show usage information for the tool.
IntuneWinAppUtil -c <setup_folder> -s <source_setup_file> -o <output_folder> <-q>
    This will generate the .intunewin file from the specified source folder and setup file.
    For MSI setup file, this tool will retrieve required information for Intune.
    If -q is specified, it will be in quiet mode. If the output file already exists, it will be overwritten.
    Also if the output folder does not exist, it will be created automatically.
IntuneWinAppUtil
    If no parameter is specified, this tool will guide you to input the required parameters step by step.

Command-line parameters available:

-h    Help
-c    Setup folder for all setup files. All files in this folder will be compressed into .intunewin file.
      Only the setup files for this app should be in this folder.
-s    Setup file (e.g. setup.exe or setup.msi).
-o    Output folder for the generated .intunewin file.

It will then package your file.




And you'll have your .intunewin package to upload to Intune.

You'll now be able to upload the package to the Intune console.
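The packaging step above with a pre-flight check on the installer, as an added example that is not part of the original post or the tool's documentation. The folder names .\Source and .\Output and the installer file name are assumptions.

```powershell
# Added example: check the installer before wrapping it for Intune.
# Assumed layout (not from the post): .\Source holds the installer, .\Output receives the package.
$toolPath  = ".\IntuneWinAppUtil.exe"
$sourceDir = ".\Source"
$setupFile = "npp.installer.exe"     # hypothetical installer file name
$outputDir = ".\Output"

$installer = Join-Path $sourceDir $setupFile
if (-not (Test-Path $installer)) { throw "Installer not found: $installer" }

# Everything in the source folder is compressed into the .intunewin, so list it for review.
Get-ChildItem -Path $sourceDir -Recurse -File | Select-Object FullName, Length

# Refuse to package a binary whose Authenticode signature does not validate.
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid') {
    throw "Signature status for $setupFile is '$($sig.Status)'; not packaging."
}
Write-Output "Signed by: $($sig.SignerCertificate.Subject)"

# Record the hash so the packaged content can be traced back to a known download.
$hash = Get-FileHash -Path $installer -Algorithm SHA256
Write-Output "SHA256: $($hash.Hash)"

# -q runs quietly and overwrites an existing output file, as the tool's help text notes.
& $toolPath -c $sourceDir -s $setupFile -o $outputDir -q

# Confirm a package was actually produced before heading to the Intune console.
$package = Get-ChildItem -Path $outputDir -Filter *.intunewin -ErrorAction SilentlyContinue
if (-not $package) { throw "No .intunewin file was produced in $outputDir" }
$package | Select-Object Name, Length, LastWriteTime
```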



Have fun!


Wednesday, 30 August 2017

Microsoft 365 Business, E3 and E5 preview

Please see my latest webinar on Microsoft 365. This covers the Business, E3 and E5 SKUs and informs you of the benefits Microsoft 365 brings with Windows 10 Creators Update, Office 365 and the Enterprise Mobility + Security suite.



Have Fun!

Oliver Moazzezi
@OliverMoazzezi