Recently Microsoft released the ability to create classifications for Office 365 groups that allow end users set. For example, you can now set classifications such as: internal, confidential, external, secret, top secret, low, medium, high, etc.. Group classifications are new and I am not sure the full story of how these will be utilized moving forward. There are enhancements coming around classification within the security and compliance center that I hope this will be able to tie into at at some point.
Here is some info on the current setup of group classification (as of 10/31/2016):
- They don’t actually technically do anything yet…
- They are not on by default
- The choices can only be set via PowerShell
- They currently don’t show anywhere else other than “edit group” via Outlook
- You can only have 1 set of classifications for a tenant
- If you change a classification value, it does NOT go back and update existing groups that were classified but the existing groups that were classified do not lose the classification
- It takes some time for classification changes to be visible in the GUI
- Don’t put spaces between the comma delimited values (i.e. “internal,external” NOT “internal, external”)
- You can use spaces within comma eliminated values (i.e. “secret,top secret”)
- I tested some special characters such as ? and ! and they worked
- I am not aware of a classification limit, i did a test with 15 without an issue
Here is the description of the new property:
Prerequisites:
NOTE: Version 1.1.143.0 of the Azure AD PowerShell module includes many changes to renew the existing MSOL PowerShell cmdets. Over time the existing MSOL cmdlets will be replaced. The new module is called “AzureAD.” So where e.g. an existing cmdlet was named “New-MSOLUser”, which adds a new user to the directory, the new cmdlet’s name is “New-AzureADUser.”
My scripts below are using Version 1.1.143.0. Azure AD PowerShell Module Version Release History
Steps to set values for Group Classification
1 – Connect to Azure AD via PowerShell
Connect-MsolService
2 – Review if you have any MsolSettings currently configured in your tenant
Get-MsolAllSettings | ForEach Values
3a – If you have settings returned it will look like this (properties subject to change over time)
Run this command to set ClassificationList to a comma separated list of values that you want. (In my example I included “Internal,External,Confidential”)
$settings = Get-MsolAllSettings | where-object {$_.displayname -eq “Group.Unified”} $singlesettings = Get-MsolSettings -SettingId $settings.ObjectId $value = $singlesettings.GetSettingsValue() $value[“ClassificationList”] = “Internal,External,Confidential” Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value
3b – If you have NO settings returned it will look like this a new template will need to be created
Run this command to set ClassificationList to a comma separated list of values that you want. (In my example I included “Internal,External,Confidential”)
$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq “Group.Unified”} $setting = $template.CreateSettingsObject() $setting[“ClassificationList”] = "Internal,External,Confidential" New-MsolSettings –SettingsObject $setting
4 – Review your updated settings; now Classification’s are available for Groups
Get-MsolAllSettings | ForEach Values
You will now see it through the GUI when editing a group and will have the ability to set it.
And once you set a classification it will be viewable.
You can also set a classification using the Set-UnifiedGroup and New-UnifiedGroup cmdlets.
Set-UnifiedGroup interestgroup1@drewmadelung.com -Classification Internal
Jordan Haisley
December 16, 2016Get-MsolAllSetting returns blank for me, any idea why?
Drew Madelung
December 16, 2016That means that you do not have a settings object currently configured. You can create a new object using the New-MsolSettings cmdlet:
$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq “Group.Unified”}
$setting = $template.CreateSettingsObject()
New-MsolSettings –SettingsObject $setting
You can use the $settings variable to pass in the parameters you want to set when the object is created. Or you can update the settings after, both of which I highlighted above in this post.
Drew Madelung
January 15, 2017That means that you do not have any settings yet and will need to run the New commands to get settings established.
Jim Duncan
June 29, 2017Does anyone know if the Classification value for a Group’s site is available as a Crawled or Managed Property in SharePoint Search?
We have a solution that lists SharePoint Sites based on a Search Query and would like to filter some out based on their Classification.