Configuring Office 365 Group Classification

group1

Recently Microsoft released the ability to create classifications for Office 365 groups that allow end users set.  For example, you can now set classifications such as: internal, confidential, external, secret, top secret, low, medium, high, etc..  Group classifications are new and I am not sure the full story of how these will be utilized moving forward.  There are enhancements coming around classification within the security and compliance center that I hope this will be able to tie into at at some point.

Here is some info on the current setup of group classification (as of 10/31/2016):

  • They don’t actually technically do anything yet…
  • They are not on by default
  • The choices can only be set via PowerShell
  • They currently don’t show anywhere else other than “edit group” via Outlook
  • You can only have 1 set of classifications for a tenant
  • If you change a classification value, it does NOT go back and update existing groups that were classified but the existing groups that were classified do not lose the classification
  • It takes some time for classification changes to be visible in the GUI
  • Don’t put spaces between the comma delimited values (i.e. “internal,external” NOT “internal, external”)
  • You can use spaces within comma eliminated values (i.e. “secret,top secret”)
  • I tested some special characters such as ? and ! and they worked
  • I am not aware of a classification limit, i did a test with 15 without an issue

Here is the description of the new property:

2016-10-30-16_07_07-start

Prerequisites:

NOTE: Version 1.1.143.0 of the Azure AD PowerShell module includes many changes to renew the existing MSOL PowerShell cmdets. Over time the existing MSOL cmdlets will be replaced. The new module is called “AzureAD.” So where e.g. an existing cmdlet was named “New-MSOLUser”, which adds a new user to the directory, the new cmdlet’s name is “New-AzureADUser.

My scripts below are using Version 1.1.143.0.  Azure AD PowerShell Module Version Release History


Steps to set values for Group Classification

1 – Connect to Azure AD via PowerShell

2 – Review if you have any MsolSettings currently configured in your tenant

3a – If you have settings returned it will look like this (properties subject to change over time)

group2

Run this command to set ClassificationList to a comma separated list of values that you want.  (In my example I included “Internal,External,Confidential”)

3b – If you have NO settings returned it will look like this a new template will need to be created

group3

Run this command to set ClassificationList to a comma separated list of values that you want.  (In my example I included “Internal,External,Confidential”)

4 – Review your updated settings; now Classification’s are available for Groups

2016-10-30-16_14_29-start

You will now see it through the GUI when editing a group and will have the ability to set it.

2016-10-30-16_19_20-new-notification

And once you set a classification it will be viewable.

2016-10-30-16_20_55-photos

You can also set a classification using the Set-UnifiedGroup and New-UnifiedGroup cmdlets.

 


4 Comments

  • Jordan Haisley

    December 16, 2016

    Get-MsolAllSetting returns blank for me, any idea why?

    Reply
    • Drew Madelung

      December 16, 2016

      That means that you do not have a settings object currently configured. You can create a new object using the New-MsolSettings cmdlet:

      $template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq “Group.Unified”}
      $setting = $template.CreateSettingsObject()
      New-MsolSettings –SettingsObject $setting

      You can use the $settings variable to pass in the parameters you want to set when the object is created. Or you can update the settings after, both of which I highlighted above in this post.

      Reply
    • Drew Madelung

      January 15, 2017

      That means that you do not have any settings yet and will need to run the New commands to get settings established.

      Reply
  • Jim Duncan

    June 29, 2017

    Does anyone know if the Classification value for a Group’s site is available as a Crawled or Managed Property in SharePoint Search?

    We have a solution that lists SharePoint Sites based on a Search Query and would like to filter some out based on their Classification.

    Reply

Leave a Reply