Configuring Office 365 Group Classification

Recently Microsoft released the ability to create classifications for Office 365 groups that allow end users set.  For example, you can now set classifications such as: internal, confidential, external, secret, top secret, low, medium, high, etc..  Group classifications are new and I am not sure the full story of how these will be utilized moving forward.  There are enhancements coming around classification within the security and compliance center that I hope this will be able to tie into at at some point.

Here is some info on the current setup of group classification (as of 10/31/2016):

• They don’t actually technically do anything yet…
• They are not on by default
• The choices can only be set via PowerShell
• They currently don’t show anywhere else other than “edit group” via Outlook
• You can only have 1 set of classifications for a tenant
• If you change a classification value, it does NOT go back and update existing groups that were classified but the existing groups that were classified do not lose the classification
• It takes some time for classification changes to be visible in the GUI
• Don’t put spaces between the comma delimited values (i.e. “internal,external” NOT “internal, external”)
• You can use spaces within comma eliminated values (i.e. “secret,top secret”)
• I tested some special characters such as ? and ! and they worked
• I am not aware of a classification limit, i did a test with 15 without an issue

Here is the description of the new property:

Prerequisites:

• Azure AD module for PowerShell version 1.1.117.0 or later (currently preview)

NOTE: Version 1.1.143.0 of the Azure AD PowerShell module includes many changes to renew the existing MSOL PowerShell cmdets. Over time the existing MSOL cmdlets will be replaced. The new module is called “AzureAD.” So where e.g. an existing cmdlet was named “New-MSOLUser”, which adds a new user to the directory, the new cmdlet’s name is “New-AzureADUser.”

My scripts below are using Version 1.1.143.0.  Azure AD PowerShell Module Version Release History

Steps to set values for Group Classification

1 – Connect to Azure AD via PowerShell

Connect-MsolService

2 – Review if you have any MsolSettings currently configured in your tenant

Get-MsolAllSettings | ForEach Values

3a – If you have settings returned it will look like this (properties subject to change over time)

Run this command to set ClassificationList to a comma separated list of values that you want.  (In my example I included “Internal,External,Confidential”)

$settings = Get-MsolAllSettings | where-object {$_.displayname -eq “Group.Unified”}
$singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
$value = $singlesettings.GetSettingsValue()
$value[“ClassificationList”] = “Internal,External,Confidential”
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value

3b – If you have NO settings returned it will look like this a new template will need to be created

Run this command to set ClassificationList to a comma separated list of values that you want.  (In my example I included “Internal,External,Confidential”)

$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq “Group.Unified”}
$setting = $template.CreateSettingsObject()
$setting[“ClassificationList”] = "Internal,External,Confidential"
New-MsolSettings –SettingsObject $setting

4 – Review your updated settings; now Classification’s are available for Groups

Get-MsolAllSettings | ForEach Values

You will now see it through the GUI when editing a group and will have the ability to set it.

And once you set a classification it will be viewable.

You can also set a classification using the Set-UnifiedGroup and New-UnifiedGroup cmdlets.

Set-UnifiedGroup interestgroup1@drewmadelung.com -Classification Internal