One Container Management Label Setting Applies to Entra ID Security Groups
Those who saw Microsoft’s announcement that container management sensitivity labels can now apply settings to security groups might have recognised some of the same challenges described by Microsoft Digital (Microsoft’s IT department): security groups are used extensively to control access to important resources, but up to now there has been no way to achieve consistency in how those groups function. The problem is addressed by allowing container management labels to control the settings for security groups, albeit in a much more restrictive sense than the implementation for Microsoft 365 groups.
This is a preview feature that does precisely one thing: control whether guest members can be in security groups. Although its scope is limited, the new functionality is not a bad thing. In fact, it’s a very good thing because it can stop guest members ending up in the membership of sensitive security groups, which is something that no one wants.
What Container Management Sensitivity Labels Do
Container management sensitivity labels are intended to control the settings of Microsoft 365 groups, and by extension, the teams, Viva Engage communities, and SharePoint Online sites connected to Microsoft 365 groups. When an administrator or group owner assigns a container management label to a Microsoft 365 group, the group inherits the settings contained in the label. Over the years, Microsoft has added an array of settings to container management labels, dealing with anything from guest access to the kind of sharing available to group members. This script reports container management label settings.
Because container management labels focus on Microsoft 365 groups, it follows that only settings shared with security groups can be applied through labels. For now, the only container management setting that can be applied to security groups is the control for External user access (Figure 1). If the control is checked, group owners can add guest members. If unchecked, they cannot.

Applying sensitivity labels to security groups requires the presence of at least one Entra P1 license in the tenant. Naturally, you’ll also need to create at least one container management label and make sure that the tenant is configured to use container management labels.
Making Container Management Labels Available in the Entra Admin Center
As with Microsoft 365 groups, Entra ID stores the settings that control security groups in a directory settings object. Before the Entra admin center displays the UI necessary to assign container management labels to security groups, an administrator must create the tenant-specific directory settings object from the Group.Security directory settings template object. The template object has the identifier d209f6fa-3839-4d70-b83f-60b1c64d0e8f (the same value in all tenants).
This code uses the Microsoft Graph PowerShell SDK to connect an interactive session and check whether the tenant-wide directory settings object for security groups exists. If not, it creates the object from the template and sets the EnableMIPLabels and AllowToAddGuests settings to true. The first setting instructs the Entra admin center to display the UI; the second allows guests by default in all security groups:
# Connect with the scope needed to read and write directory settings
Connect-MgGraph -Scopes GroupSettings.ReadWrite.All
# Look for an existing settings object created from the Group.Security template
$SecurityGroupPolicy = Get-MgGroupSetting | Where-Object {$_.TemplateId -eq "d209f6fa-3839-4d70-b83f-60b1c64d0e8f"}
If (!($SecurityGroupPolicy)) {
    Write-Host "Adding security groups directory setting object for the tenant"
    # Create the object from the template with both settings turned on
    New-MgGroupSetting -TemplateId d209f6fa-3839-4d70-b83f-60b1c64d0e8f -Values @(@{'name'='EnableMIPLabels';'value'='true'}, @{'name'='AllowToAddGuests';'value'='true'})
}
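The snippet above only handles the case where the settings object is missing. A tenant that already has the object (perhaps with EnableMIPLabels left at its default of false) needs an update rather than a create, and an administrator who prefers guests to be blocked unless a label explicitly allows them will want AllowToAddGuests set to false. The following is an added example, not code from the article, that brings the object to a desired state either way. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can write group settings; the desired values in $Desired are the assumption to adjust for your tenant.

```powershell
# Added example: idempotent configuration of the Group.Security directory settings.
# Creates the object if missing, otherwise updates only the values that differ.
Connect-MgGraph -Scopes GroupSettings.ReadWrite.All -NoWelcome

# Group.Security template id; identical in every tenant (value from the article)
$TemplateId = 'd209f6fa-3839-4d70-b83f-60b1c64d0e8f'

# Desired state (assumption for this example). EnableMIPLabels must be 'true' for the
# Entra admin center to show the label field. Set AllowToAddGuests to 'false' when the
# default for unlabelled security groups should be "no guests".
$Desired = @{
    EnableMIPLabels  = 'true'
    AllowToAddGuests = 'true'
}

$Setting = Get-MgGroupSetting | Where-Object { $_.TemplateId -eq $TemplateId }

if (-not $Setting) {
    Write-Host 'Creating the security groups directory settings object'
    $Values = @(foreach ($Name in $Desired.Keys) { @{ name = $Name; value = $Desired[$Name] } })
    $Setting = New-MgGroupSetting -TemplateId $TemplateId -Values $Values
}
else {
    # Build a lookup of the values the tenant currently holds
    $Current = @{}
    foreach ($v in $Setting.Values) { $Current[$v.Name] = $v.Value }

    $Drift = @($Desired.Keys | Where-Object { $Current[$_] -ne $Desired[$_] })
    if ($Drift.Count -eq 0) {
        Write-Host 'Security groups directory settings already match the desired state'
    }
    else {
        foreach ($Name in $Drift) {
            Write-Host ("Updating {0}: '{1}' -> '{2}'" -f $Name, $Current[$Name], $Desired[$Name])
            $Current[$Name] = $Desired[$Name]
        }
        # Send the full merged set of values so no existing value is dropped
        $Values = @(foreach ($Name in $Current.Keys) { @{ name = $Name; value = $Current[$Name] } })
        Update-MgGroupSetting -GroupSettingId $Setting.Id -Values $Values
    }
}

# Show the effective values so the change can be verified in the same session
(Get-MgGroupSetting -GroupSettingId $Setting.Id).Values |
    Select-Object Name, Value | Format-Table -AutoSize
```

Because the settings object is tenant-wide, a change to AllowToAddGuests alters the default for every security group that has no label, so it is worth running the script in a test tenant first and keeping the final value table from the run as a record of the change.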
Once the directory settings for security groups are effective, the Entra admin center displays a sensitivity label field for security groups (Figure 2):

It’s possible to assign a container management label to a security group with PowerShell using the same code that works with Microsoft 365 groups. For example:
# Find the target security group by display name
$Group = Get-MgGroup -Filter "displayName eq 'Security Department'"
# Build the assignedLabels payload with the identifier of the container management label
$AssignedLabels = @{}
$AssignedLabels.Add("LabelId", "d6cfd185-f31c-4508-ae40-229ff18a9919")
# Apply the label to the group
Update-MgGroup -GroupId $Group.Id -AssignedLabels @($AssignedLabels)
Restrictions
Documentation is available online and describes some important current limitations. I assume that the limitations exist for the preview and will be lifted for general availability. Apart from not being able to change or remove a container management label once assigned to a security group, the following limitations apply:
- No support for security groups synchronized from on-premises Active Directory.
- No support for security groups with dynamic membership rules (probably because the membership rule computation for groups doesn’t take label restrictions into account).
- Nested security groups are supported, but nested groups must have the same or an equally restrictive label. For example, if a group has a label that blocks guest access, then all nested groups must have a label that applies the same restriction.
- Mail-enabled security groups are not supported. These are Exchange Online objects rather than Entra ID objects.
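Given that a label cannot be changed or removed once assigned in the preview, it pays to check a security group against the restrictions listed above before running the assignment shown earlier. The following is an added example, not code from the article or from Microsoft, that reports the conditions an administrator would want to know about (existing label, on-premises synchronization, dynamic membership, mail-enabled, guest members, nested groups without the label) and only assigns the label when the report is clean. It assumes the Microsoft Graph PowerShell SDK; the group name and the label identifier are placeholders, and the label is assumed to be one that blocks guest access.

```powershell
# Added example: pre-assignment check for a container management label on a security group.
Connect-MgGraph -Scopes Group.ReadWrite.All, GroupMember.Read.All -NoWelcome

$GroupName = 'Security Department'                   # placeholder group name
$LabelId   = '00000000-0000-0000-0000-000000000000'  # placeholder: a label that blocks guests

function Get-SecurityGroupLabelReport {
    param(
        [Parameter(Mandatory)] [string] $GroupId,
        [Parameter(Mandatory)] [string] $LabelId
    )
    $Group = Get-MgGroup -GroupId $GroupId -Property Id, DisplayName, AssignedLabels, `
        SecurityEnabled, MailEnabled, GroupTypes, OnPremisesSyncEnabled
    # Direct members only; the members endpoint returns each user's default property
    # set, so userType is available under AdditionalProperties
    $Members = Get-MgGroupMember -GroupId $GroupId -All
    $Guests  = $Members | Where-Object { $_.AdditionalProperties['userType'] -eq 'Guest' }
    $Nested  = $Members | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }

    # Nested groups must already carry the same label (the article: same or equally restrictive)
    $NestedWithoutLabel = foreach ($n in $Nested) {
        $NestedGroup = Get-MgGroup -GroupId $n.Id -Property Id, DisplayName, AssignedLabels
        if (-not ($NestedGroup.AssignedLabels.LabelId -contains $LabelId)) { $NestedGroup.DisplayName }
    }

    [PSCustomObject]@{
        Group              = $Group.DisplayName
        SecurityEnabled    = [bool]$Group.SecurityEnabled
        AlreadyLabelled    = [bool]$Group.AssignedLabels
        OnPremSynced       = [bool]$Group.OnPremisesSyncEnabled
        DynamicMembership  = ($Group.GroupTypes -contains 'DynamicMembership')
        MailEnabled        = [bool]$Group.MailEnabled
        GuestMembers       = @($Guests | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] })
        NestedWithoutLabel = @($NestedWithoutLabel)
    }
}

$Group  = Get-MgGroup -Filter "displayName eq '$GroupName'" -Property Id, DisplayName
if (-not $Group) { throw "Group '$GroupName' not found" }
$Report = Get-SecurityGroupLabelReport -GroupId $Group.Id -LabelId $LabelId
$Report | Format-List

# Collect the reasons the assignment would be refused or is a bad idea
$Blockers = @()
if (-not $Report.SecurityEnabled)      { $Blockers += 'not a security group' }
if ($Report.AlreadyLabelled)           { $Blockers += 'label already assigned (immutable in preview)' }
if ($Report.OnPremSynced)              { $Blockers += 'synchronized from on-premises AD' }
if ($Report.DynamicMembership)         { $Blockers += 'dynamic membership rule' }
if ($Report.MailEnabled)               { $Blockers += 'mail-enabled security group' }
if ($Report.GuestMembers.Count)        { $Blockers += "guest members present: $($Report.GuestMembers -join ', ')" }
if ($Report.NestedWithoutLabel.Count)  { $Blockers += "nested groups without the label: $($Report.NestedWithoutLabel -join ', ')" }

if ($Blockers.Count) {
    Write-Warning ("Not assigning label to '{0}':`n - {1}" -f $Group.DisplayName, ($Blockers -join "`n - "))
}
else {
    Update-MgGroup -GroupId $Group.Id -AssignedLabels @(@{ LabelId = $LabelId })
    Write-Host ("Label {0} assigned to '{1}'" -f $LabelId, $Group.DisplayName)
}
```

Two of the checks deserve a note. The guest check looks at direct members only; guests reached through a nested group are caught indirectly by the nested-group check, because a nested group that already carries the blocking label cannot contain guests. And the report is worth keeping even for groups you do not intend to label: a list of security groups with guest members is exactly the inventory this feature exists to shrink.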
Label Immutability for Now
Many of the restrictions are a result of label immutability. Security groups are security principals. When a security group is used with a resource like a conditional access policy, Entra ID evaluates the group membership when it decides if an account is allowed to use the resource. The effective membership of the group includes nested groups. The logic currently deployed only evaluates membership to check whether guest members are allowed at the creation of a security group or when a container management label is assigned to an existing group. If the validation passes, Entra ID allows the creation or update operation. By making label assignment immutable, Entra ID can operate on the basis that it doesn’t need to keep checking for guest members afterwards.
Remember that this is a preview. Microsoft says that “controlled label mutability will be introduced in a subsequent update” after they’ve worked through the various scenarios where guest members can participate in security groups.
According to Microsoft “the next step along the way is to block agents from joining sensitive security groups.” It looks like more settings are coming to container management labels to control how security groups operate.
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive insights updated monthly into what happens within Microsoft 365, why it happens, and what new features and capabilities mean for your tenant.