Merge pull request #96462 from iainfoulds/96169-curtis-groups

[AzureAD] Sensitivity labels for groups

Author: ktoliver

articles/active-directory/users-groups-roles/TOC.yml

@@ -86,6 +86,8 @@
       href: groups-members-owners-search.md
     - name: Create a group (Azure portal)    
       href: /azure/active-directory/fundamentals/active-directory-groups-create-azure-portal?context=azure/active-directory/users-groups-roles/context/ugr-context
+    - name: Assign sensitivity labels (preview)
+      href: groups-assign-sensitivity-labels.md
     - name: Manage groups PowerShell for Graph (v2)   
       href: groups-settings-v2-cmdlets.md
     - name: Manage groups PowerShell MSOnline    

articles/active-directory/users-groups-roles/groups-assign-sensitivity-labels.md

@@ -0,0 +1,168 @@
+---
+title: Assign sensitivity labels to groups - Azure AD | Microsoft Docs
+description: How to create membership rules to automatically populate groups, and a rule reference.
+services: active-directory
+documentationcenter: ''
+author: curtand
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.subservice: users-groups-roles
+ms.topic: article
+ms.date: 11/19/2019
+ms.author: curtand
+ms.reviewer: krbain
+ms.custom: it-pro
+ms.collection: M365-identity-device-management
+---
+
+# Assign sensitivity labels to Office 365 groups in Azure Active Directory (preview)
+
+Azure Active Directory (Azure AD) supports applying sensitivity labels published by the [Microsoft 365 compliance center](https://sip.protection.office.com/homepage) to Office 365 groups. Sensitivity labels apply to group across services like Outlook, Microsoft Teams, and SharePoint. This feature is currently in public preview.
+
+> [!IMPORTANT]
+> Using Azure AD sensitivity labels for Office 365 groups requires an Azure Active Directory Premium P1 license.
+
+## Group settings controlled by labels
+
+There are two settings that can be associated with a label:
+
+- **Privacy**: Admins can associate a privacy setting with the label to control whether a group is public or private.
+- **Guest access**: Admins can enforce the guest policy for all groups that have the label assigned. This policy specifies whether guests can be added as members or not. If the guest policy is configured for a label, any groups that you assign the label to won't allow the AllowToAddGuests setting to be changed.
+
+## Enable sensitivity label support in PowerShell
+
+To apply published labels to groups, you must first enable the feature. These steps enable the feature in Azure AD.
+
+1. Open a Windows PowerShell window on your computer. You can open it without elevated privileges.
+1. Run the following commands to prepare to run the cmdlets.
+
+    ```PowerShell
+    Import-Module AzureADPreview
+    Connect-AzureAD
+    ```
+
+    In the **Sign in to your account** page, enter your admin account and password to connect you to your service, and select **Sign in**.
+1. Fetch the current group settings for the Azure AD organization.
+
+    ```PowerShell
+    $Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
+    ```
+
+    > [!NOTE]
+    > If no group settings have been created for this Azure AD organization, you must first create the settings. Follow the steps in [Azure Active Directory cmdlets for configuring group settings](https://docs.microsoft.com/azure/active-directory/users-groups-roles/groups-settings-cmdlets) to create group settings for this Azure AD organization.
+
+1. Next, display the current group settings.
+
+    ```PowerShell
+    $Setting.Values
+    ```
+
+1. Then enable the feature:
+
+    ```PowerShell
+    $Setting["EnableMIPLabels"] = "True"
+    ```
+
+1. Then save the changes and apply the settings:
+
+    ```PowerShell
+    Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
+    ```
+
+That's it. You've enabled the feature and you can apply published labels to groups.
+
+## Assign a label to a new group in Azure portal
+
+1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com).
+1. Select **Groups**, and then select **New group**.
+1. On the **New Group** page, select **Office 365**, and then fill out the required information for the new group and select a sensitivity label from the list.
+
+   ![Assign a sensitivity label in the New groups page](./media/groups-assign-sensitivity-labels/new-group-page.png)
+
+1. Save your changes and select **Create**.
+
+Your group is created and the policies associated with the selected label are then automatically enforced.
+
+## Assign a label to an existing group in Azure portal
+
+1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com) with a Global admin or Groups admin account, or as a group owner.
+1. Select **Groups**.
+1. From the **All groups** page, select the group that you want to label.
+1. On the selected group's page, select **Properties** and select a sensitivity label from the list.
+
+   ![Assign a sensitivity label on the overview page for a group](./media/groups-assign-sensitivity-labels/assign-to-existing.png)
+
+1. Select **Save** to save your changes.
+
+## Remove a label to an existing group in Azure portal
+
+1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com) with a Global admin or Groups admin account, or as a group owner.
+1. Select **Groups**.
+1. From the **All groups** page, select the group that you want to label.
+1. On the **Group** page, select **Properties**.
+1. Select **Remove**.
+1. Select **Save** to apply your changes.
+
+## Office 365 app support for sensitivity labels
+
+The following Office 365 apps and services support the sensitivity labels in this preview:
+
+- Azure AD admin center
+- Microsoft 365 compliance center
+- SharePoint
+- Outlook on the web
+- Teams
+- SharePoint admin center
+
+For more information about Office 365 apps support, see [Office 365 support for sensitivity labels](https://docs.microsoft.com/microsoft-365/compliance/sensitivity-labels-teams-groups-sites#support-for-the-new-sensitivity-labels).
+
+## Using classic Azure AD classifications
+
+After you enable this feature, Office 365 no longer supports the “classic” classifications for new groups. Classic classifications are the old classifications you set up by defining values for the `ClassificationList` setting in Azure AD PowerShell. When this feature is enabled, those classifications will not be applied to groups.
+
+## Troubleshooting issues
+
+### Sensitivity labels are not available for assignment on a group
+
+The sensitivity label option is only displayed for groups when all the following conditions are met:
+
+1. Labels are published in the Microsoft 365 Compliance Center for this tenant.
+1. The feature is enabled, EnableMIPLabels is set to True in PowerShell.
+1. The group is an Office 365 group.
+1. The tenant has an active Azure Active Directory Premium P1 license.
+1. The current signed-in user has access to published labels.
+1. The current signed-in user has sufficient privileges to assign labels. The user must be either a Global Administrator, Group Administrator, or the group owner.
+1. The current signed-in user has an Office 365 license assigned. For more information about license requirements, see [Sensitivity labels in Office apps](https://docs.microsoft.com/microsoft-365/compliance/sensitivity-labels-office-apps).
+
+Please make sure all the conditions are met in order to assign labels to a group.
+
+### The label I want to assign is not in the list
+
+If the label you are looking for is not in the list, this could be the case for one of the following reasons:
+
+- The label might not be published in the Microsoft 365 Compliance Center. This could also apply to labels that are no longer published. Please check with your administrator for more information.
+- The label may be published, however, it is not available to the user that is signed-in. Please check with your administrator for more information on how to get access to the label.
+
+### How can I change the label on a group?
+
+Labels can be swapped at any time using the same steps as assigning a label to an existing group, as follows:
+
+1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com) with a Global or Group administrator account or as group owner.
+1. Select **Groups**.
+1. From the **All groups** page, select the group that you want to label.
+1. On the selected group's page, select **Properties** and select a new sensitivity label from the list.
+1. Select **Save**.
+
+### Group setting changes to published labels are not updated on the groups
+
+As a best practice, we don't recommend that you change group settings for a label after the label is applied to groups. When you make changes to group settings associated with published labels in [Microsoft 365 compliance center](https://sip.protection.office.com/homepage), those policy changes aren't automatically applied on the impacted groups.
+
+If you must make a change, use an [Azure AD PowerShell script](https://github.com/microsoftgraph/powershell-aad-samples/blob/master/ReassignSensitivityLabelToO365Groups.ps1) to manually apply updates to the impacted groups. This method makes sure that all existing groups enforce the new setting.
+
+## Next steps
+
+- [Use sensitivity labels with Microsoft Teams, Office 365 groups, and SharePoint sites](https://docs.microsoft.com/microsoft-365/compliance/sensitivity-labels-teams-groups-sites)
+- [Update groups after label policy change manually with Azure AD PowerShell script](https://github.com/microsoftgraph/powershell-aad-samples/blob/master/ReassignSensitivityLabelToO365Groups.ps1)
+- [Edit your group settings](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-settings-azure-portal)
+- [Manage groups using PowerShell commands](https://docs.microsoft.com/azure/active-directory/users-groups-roles/groups-settings-v2-cmdlets)

articles/active-directory/users-groups-roles/groups-settings-cmdlets.md

@@ -110,16 +110,17 @@ Here are the settings defined in the Group.Unified SettingsTemplate. Unless othe
 |  <ul><li>EnableGroupCreation<li>Type: Boolean<li>Default: True |The flag indicating whether Office 365 group creation is allowed in the directory by non-admin users. This setting does not require an Azure Active Directory Premium P1 license.|
 |  <ul><li>GroupCreationAllowedGroupId<li>Type: String<li>Default: “” |GUID of the security group for which the members are allowed to create Office 365 groups even when EnableGroupCreation == false. |
 |  <ul><li>UsageGuidelinesUrl<li>Type: String<li>Default: “” |A link to the Group Usage Guidelines. |
-|  <ul><li>ClassificationDescriptions<li>Type: String<li>Default: “” | A comma-delimited list of classification descriptions. The value of ClassificationDescriptions is only valid in this format:<br>$setting[“ClassificationDescriptions”] ="Classification:Description,Classification:Description"<br>where Classification matches the strings in the ClassificationList.|
-|  <ul><li>DefaultClassification<li>Type: String<li>Default: “” | The classification that is to be used as the default classification for a group if none was specified.|
+|  <ul><li>ClassificationDescriptions<li>Type: String<li>Default: “” | A comma-delimited list of classification descriptions. The value of ClassificationDescriptions is only valid in this format:<br>$setting[“ClassificationDescriptions”] ="Classification:Description,Classification:Description"<br>where Classification matches the strings in the ClassificationList.<br>This setting does not apply when EnableMIPLabels == True.|
+|  <ul><li>DefaultClassification<li>Type: String<li>Default: “” | The classification that is to be used as the default classification for a group if none was specified.<br>This setting does not apply when EnableMIPLabels == True.|
 |  <ul><li>PrefixSuffixNamingRequirement<li>Type: String<li>Default: “” | String of a maximum length of 64 characters that defines the naming convention configured for Office 365 groups. For more information, see [Enforce a naming policy for Office 365 groups](groups-naming-policy.md). |
 | <ul><li>CustomBlockedWordsList<li>Type: String<li>Default: “” | Comma-separated string of phrases that users will not be permitted to use in group names or aliases. For more information, see [Enforce a naming policy for Office 365 groups](groups-naming-policy.md). |
 | <ul><li>EnableMSStandardBlockedWords<li>Type: Boolean<li>Default: “False” | Do not use
 |  <ul><li>AllowGuestsToBeGroupOwner<li>Type: Boolean<li>Default: False | Boolean indicating whether or not a guest user can be an owner of groups. |
 |  <ul><li>AllowGuestsToAccessGroups<li>Type: Boolean<li>Default: True | Boolean indicating whether or not a guest user can have access to Office 365 groups content.  This setting does not require an Azure Active Directory Premium P1 license.|
 |  <ul><li>GuestUsageGuidelinesUrl<li>Type: String<li>Default: “” | The url of a link to the guest usage guidelines. |
-|  <ul><li>AllowAddGuests<li>Type: Boolean<li>Default: True | A boolean indicating whether or not is allowed to add guests to this directory.|
-|  <ul><li>ClassificationList<li>Type: String<li>Default: “” |A comma-delimited list of valid classification values that can be applied to Office 365 Groups. |
+|  <ul><li>AllowToAddGuests<li>Type: Boolean<li>Default: True | A boolean indicating whether or not is allowed to add guests to this directory. <br>This setting may be overridden and become read-only if *EnableMIPLabels* is set to *True* and a guest policy is associated with the sensitivity label assigned to the group. |
+|  <ul><li>ClassificationList<li>Type: String<li>Default: “” |A comma-delimited list of valid classification values that can be applied to Office 365 Groups. <br>This setting does not apply when EnableMIPLabels == True.|
+|  <ul><li>EnableMIPLabels<li>Type: Boolean<li>Default: “False” |The flag indicating whether sensitivity labels published in Microsoft 365 Compliance Center can be applied to Office 365 Groups. For more information, see [Assign Sensitivity Labels for Office 365 groups](groups-assign-sensitivity-labels.md). |
 
 ## Example: Configure Guest policy for groups at the directory level
 1. Get all the setting templates: