Bemærk
Adgang til denne side kræver godkendelse. Du kan prøve at logge på eller ændre mapper.
Adgang til denne side kræver godkendelse. Du kan prøve at ændre mapper.
This article discusses classic Entra classification and sensitivity labels.
These services support sensitivity labels.
For complete info about sensitivity labels, see Learn about sensitivity labels.
To learn more about sensitivity labels and their behavior for sites and Microsoft 365 groups, see Use sensitivity labels to protect collaborative workspaces (groups and sites).
For best practices when migrating from classic Entra classification to sensitivity labels, see the following scenarios.
Scenario 1: Tenant never used classic Entra classifications or sensitivity labels for documents and emails
- Tenant admin enables sensitivity labels for groups by setting the tenant flag
EnableMIPLabelsto true by using a Microsoft Graph PowerShell cmdlet. - Tenant admin creates the sensitivity labels in the Microsoft Purview portal.
- Tenant admin can choose file and email-related actions like encryption and watermarking.
- Tenant admin can choose Microsoft 365 Groups and SharePoint Online site-related actions to the sensitivity labels.
- Tenant admin publishes the policy.
- Compatible workloads show sensitivity labels. Use the sensitivity labels to create groups. Compatible workloads are the services that support sensitivity labels.
- Noncompatible workloads are the services that don't support sensitivity labels yet. You can create groups, but you can't associate the sensitivity label through noncompatible workloads. To associate such groups with sensitivity labels, tenant admins can run PowerShell cmdlets.
Table 1. Behavior of compatible and noncompatible workloads – create, edit, or delete groups
| Workload | What label list does user see in group window? | Create new group | Edit group | Delete group |
|---|---|---|---|---|
| Compatible | sensitivity labels. | No change in behavior. | No change in behavior. | No change in behavior. |
| Noncompatible | No sensitivity labels visible. | User can create a group without selecting sensitivity label. Note, the admin can run cmdlets to apply sensitivity labels in the background. |
Case 1: No sensitivity label previously selected. User can edit a group. Case 2: sensitivity label applied previously in the background using cmdlet. User can edit a group successfully, excluding the case where user selects invalid combination of privacy setting with respect to the label. |
No change in behavior. |
Note
In the case of the Outlook desktop client, after you've enabled sensitivity labels for the tenant, and users are on an older version of this Outlook client:
- User sees sensitivity labels appear on the older version of the Outlook desktop client.
- However, when the user edits a group, and saves the group with a sensitivity label, the selected privacy setting is overridden by the privacy setting of the applied sensitivity label.
We recommend that your users on an old version of Outlook client upgrade to the newer version.
Scenario 2: Tenant is already using classic Microsoft Entra ID classifications
Case A: Tenant never used sensitivity labels for documents and emails
- In the Microsoft Purview portal, create sensitivity labels with the same name as the existing classic Entra ID labels.
- Use the PowerShell cmdlet to apply these sensitivity labels to existing Microsoft 365 groups and SharePoint sites by using name mapping.
- Admins can choose to delete the classic Entra ID labels:
- Compatible workloads show these sensitivity labels and groups get created with them.
- Noncompatible workloads work when creating groups, but no sensitivity label is attached to them.
- Admins can run PowerShell cmdlets to apply sensitivity labels to these groups with no labels.
- Alternatively, an admin can choose to keep the classic Entra ID labels:
- Compatible workloads show these sensitivity labels, and groups get created with them. Compatible workloads are the services that support sensitivity labels.
- Noncompatible workloads work when creating groups, and show classic Entra ID labels. These classic Entra ID labels are attached to these groups created with noncompatible workloads.
- Alternatively, an admin can choose to keep the classic Entra ID labels:
- We highly recommend that admins run PowerShell cmdlets to apply sensitivity labels to these groups with classic Microsoft Entra ID labels.
Table 2. Behavior of compatible and noncompatible workloads – create, edit, or delete groups
| Workload | What label list does user see in group window? | Create new group | Edit group | Delete group |
|---|---|---|---|---|
| Compatible | sensitivity labels. | No change in behavior. | No change in behavior. | No change in behavior. |
| Noncompatible | Old classic Entra ID labels. | User can create a group with classic Entra ID label selected. Note, the admin can run cmdlets to apply sensitivity labels in the background. |
Case 1: No sensitivity label previously selected. User can edit a group. Case 2: Classic Entra ID labels previously selected. User can edit a group. Case 3: sensitivity label previously applied in the background using cmdlet. User should be able to edit a group, excluding one case where user selects invalid combination of privacy setting with respect to the label. |
User can delete a group. |
Note
In the case of the Outlook desktop client, after you've enabled sensitivity labels for the tenant, and users are on an older version of this Outlook client:
- User sees sensitivity labels appear on the older version of the Outlook desktop client.
- However, when the user edits a group, and saves the group with a sensitivity label, the selected privacy setting is overridden by the privacy setting of the applied sensitivity label.
We recommend that users on an old version of the Outlook client upgrade to the newer version.
Case B: Tenant uses sensitivity labels for documents and emails
- When an admin enables the sensitivity label feature on the tenant by setting the tenant flag
EnableMIPLabelsto true, the document and email sensitivity labels appear in the group, site, and team create and edit dialog boxes. - An admin can use the same document and email sensitivity labels to enforce privacy and external user access on the group, site, and team by specifying related group settings:
- In the Microsoft Purview portal, select the Sites and Groups scope.
- Edit a document or email sensitivity label.
Sample script
For a sample script to migrate groups with classic Entra ID labels to sensitivity labels, see Classic Microsoft Entra group classification.