Enable sensitivity labels for SPO sites


Sensitivity labels from Microsoft Purview Information Protection let you classify and protect your organization’s data, while making sure that user productivity and their ability to collaborate isn’t hindered. If you are trying to use it for SharePoint online sites but the option is disabled as in the following image, you will need Azure AD admin to configure the setting first and enable the option and then you can use it for SPO.

image 1- groups & sites option is disabled

Configure Azure AD

To configure this option in Azure AD settings, the following is required

To configure this feature, there must be at least one active Azure Active Directory Premium P1 license in your Azure AD organization.

If no group settings have been created for this Azure AD organization, you will get an empty screen. In this case, you must first create the settings. Follow the steps in Azure Active Directory cmdlets for configuring group settings to create group settings for this Azure AD organization.

Steps can be summarized as:

  • Open windows PowerShell as admin and Install AzzureADPreview module by running the following cmdlet Install-Module AzureADPreview
  • Create settings settings at the directory level. Run the following cmdlets Get-AzureADDirectorySetting & Get-AzureADDirectorySettingTemplate
image 2- Get cmdlets to get the settings

the output should look like image 3

image 3- AD settings
  • Add a usage guideline URL, first you need to get the SettingsTemplate object that defines the usage guideline URL value; that is, the Group.Unified template:

$TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq “Group.Unified”

$Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ

image 4 – add usage guidelines
  • Create a new settings object based on that template: $Setting = $Template.CreateDirectorySetting()
image 5 – new setting object
  • Then update the settings object with a new value. The two examples below change the usage guideline value and enable sensitivity labels. Set these or any other setting in the template as required:

$Setting[“UsageGuidelinesUrl”] = “https://guideline.example.com”

$Setting[“EnableMIPLabels”] = “True”

image 6 – update settings
  • Apply settings: New-AzureADDirectorySetting -DirectorySetting $Setting the result should look like image 7
image 7- the settings
  • You can read the values using $Setting.Values and the results should look like image 8
image 8- the updated settings
  • Update settings at the directory level for Group.Unified SettingsTemplate:

$Setting = Get-AzureADDirectorySetting | ? { $_.DisplayName -eq “Group.Unified”}

$Setting.Values and the results should like look image 9

image 9- updated settings for group unified template

Now, if you check the label scope settings, you should find the option for group & sites should be enabled. check image 10

image 10 – SPO option is enabled

To enable the integration with SPO sites, from SPO Management shell execute the following command with admin account

Set-SPOTenant -EnableAIPIntegration $true

The next stage is to create sensitivity labels.