Applying sensitivity labels to groups - best practice and advice

Thanks for the reply.

I've looked over this and unfortunately we don't have E5 license, which the label policy wizard say we need in order to use Admin Units.

Thanks for the reply.

I've had a look over this. Unfortunately the label policy wizard says we need E5 licenses to use Admin Units, which we don't have. https://video2.skills-academy.com/en-us/purview/purview-admin-units

@PRADEEPCHEEKATLA-MSFT Thanks for the response. Just looking over your suggestion, I have a couple of follow-ups:

'One option you could consider is using dynamic groups in Azure AD' - Can you elaborate which type of group. This can't be a dynamic security group or dynamic dlist as these aren't supported with labels.

' you can set the group type to "Security" instead of "Unified", which will prevent the group from having a shared mailbox, calendar, or OneDrive' - Can you explain what you mean by this. I understood that a unified group is another name for an M365 group and always have associated resources created. What command can you run to create an M365 group that doesn't also create the associated mailbox, onedrive or calendar?

'it's worth noting that mail-enabled security groups are designed specifically for email distribution, while security groups are designed for granting access to resources.' This is the point of my query. Sensitivity Labels are not specifically related to email distribution and are a resource that I need to grant access to.

'applying a sensitivity label to a large group may impact performance' - has there been any internal Microsoft testing around applying labels to many 10's of 1000's of users via a group? The use of the group is purely to assign the label, would the group be queried every time the label is used? If so, would this cause delays when working on resources protected by this label.

@Jon Kilner - Let me address your follow-up questions

• Regarding dynamic groups in Azure AD, you are correct that dynamic security groups and dynamic distribution lists are not supported with labels. However, you can create a dynamic group in Azure AD that is based on user attributes such as department name or location. You can then assign a sensitivity label to this group. To create a dynamic group in Azure AD, you can use PowerShell or the Azure portal. Here is an example PowerShell command to create a dynamic group based on department name: New-AzureADGroup -DisplayName "Dynamic Group" -MailEnabled $false -SecurityEnabled $true -GroupTypes "DynamicMembership" -MembershipRule "(user.department -eq 'Sales')" -MembershipRuleProcessingState "On"
• Regarding creating an M365 group without associated resources, you are correct that a unified group is another name for an M365 group and always has associated resources created. I apologize for the confusion. If you want to create a security group without associated resources, you can use the following PowerShell command: New-AzureADGroup -DisplayName "Security Group" -MailEnabled $false -SecurityEnabled $true -GroupTypes "Security"
• Regarding applying sensitivity labels to large groups, Microsoft has not published any specific guidance on performance impact when applying labels to large groups. However, it's worth noting that applying a sensitivity label to a large group may impact performance when accessing resources protected by the label. This is because the group membership needs to be queried every time the label is used to determine if a user has access to the resource. If you have concerns about performance impact, you may want to consider applying sensitivity labels to smaller groups or individual users instead of large groups.

Hope this helps. Do let us know if you any further queries.

@PRADEEPCHEEKATLA-MSFT sorry, I have some further follow-ups :)- ' you can create a dynamic group in Azure AD that is based on user attributes' I don't see how this is possible the previous line in your answer contradicts this by stating 'you are correct that dynamic security groups and dynamic distribution lists are not supported with labels'. The powershell command also states -MailEnabled $false, which we know won't works as only mail enabled groups are visible in Sensitivity Labels.

• In the second point, the powershell command New-AzureADGroup -DisplayName "Security Group" -MailEnabled $false -SecurityEnabled $true -GroupTypes "Security" creates a mail enable security group. My original post stated these weren't suitable for us as they can't contain dynamic members.
• This is the problem, we need to apply the label to many 10s of 1000s of users.

@Jon Kilner - I apologize for the confusion in my previous response. You are correct that dynamic security groups and dynamic distribution lists are not supported with sensitivity labels. I apologize for the mistake in my previous response.

Regarding your concern about creating a security group that can contain dynamic members, you can use Azure AD dynamic groups to create a group that automatically adds or removes members based on their attributes. You can then apply a sensitivity label to the dynamic group.

To create a dynamic group in Azure AD, you can use the following PowerShell command:

New-AzureADMSGroup -DisplayName "Dynamic Group" -MailEnabled $false -SecurityEnabled $true -GroupTypes "DynamicMembership"

This will create a security group that can contain dynamic members. You can then define the dynamic membership rules based on user attributes such as department name or location matching a string.

I hope this helps clarify things. Let me know if you have any further questions.