🛡️ How to apply sensitivity labels on your teams?

We're thrilled to share that Powell Teams is now Powell Governance, marking our expanded focus on Microsoft 365 governance.

Powell_Governance_V1 1.png

Expect documentation updates to reflect this change in the coming days. For more information please have a look at this article.


Sensitivity labels are a Microsoft Purview Information protection allowing a classification and protection over your organization data. It has been available first for documents, emails and apps and the option is now associable to containers (teams, groups and SharePoint sites).

Team privacy and guest access are configurable directly in Powell Governance templates.

Applying sensitivity labels on your teams allows you to control the access of the content stored in the team. The following governance configurations are taken in account: privacy settings, external user access and external sharing, and access from unmanaged devices. To be able to enable sensitivity labels on containers, please follow the instruction of the next paragraph.

Powell Governance has no technical possibility to be able to get the sensitivity labels feature of Microsoft to reuse them in Powell Governance templates. 


Enable sensitivity labels on Azure AD

A Microsoft documentation is available here for more details.


1. Open a Windows PowerShell window on your computer. You can open it without elevated privileges.


2. Run the following commands to prepare to run the cmdlets.

Install-Module AzureADPreview
Import-Module AzureADPreview

In the Sign in to your account page, enter your admin account and password to connect you to your service, and select Sign in.


3. Fetch the current group settings for the Azure AD organization and display the current group settings.

$grpUnifiedSetting = (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ)
$Setting = $grpUnifiedSetting


4. Enable the feature:

$Setting["EnableMIPLabels"] = "True"


Synchronize your sensitivity labels to Azure AD and activate it for containers

1. To synchronize your sensitivity labels to Azure AD, you need first, to connect to Security & Compliance PowerShell.

For example, in a PowerShell session that you run as administrator, sign in with a global administrator account.


2. Then run the following command to ensure your sensitivity labels can be used with Microsoft 365 groups:



3. You are now able to enable sensitivity labels on groups and sites here while creating or editing a label in Microsoft Purview Information.



Create a sensitivity label

Now that all the prerequisites have all been checked, you are able to create a new sensitivity label in Microsoft Purview Information.


Provide a name and description to your label:


Define the scope of your label to let it applied on groups and sites:


Configure your protection settings:


First with external user access settings:


And then with external sharing and device access



The last step is now to publish this new label:


Here you can select the default label you want to apply while creating a new team.:


And finaly name your policy:



Apply sensitivity labels



What about teams classification?

Team's classification labels are text strings you associate with a Microsoft 365 group, but they do not have any associated controls or policies.

The team's classification labels are simply metadata; for security, you will need to use Sensitivity labels and policies. The classification labels need adding using PowerShell, and you cannot combine them with Sensitivity labels.


Was this article helpful?
0 out of 0 found this helpful