Microsoft has moved sensitivity labels for Microsoft Entra cloud security groups into public preview, enabling administrators to apply Microsoft Purview-governed access controls to static, non-mail-enabled security groups. This expansion brings proactive guest control and fine-grained permissions to a broader set of group objects, closing a gap that previously only covered Microsoft 365 groups, Teams, and SharePoint sites.
Sensitivity labels have been a cornerstone of Microsoft Purview’s information protection framework, traditionally used to classify and protect documents, emails, and container-level objects like Teams and Microsoft 365 groups. With this preview, security groups—the backbone of access management in Entra ID—can now inherit the same label-driven policies, allowing organizations to enforce governance at the point of group creation and maintenance.
How Sensitivity Labels Work for Security Groups
Sensitivity labels for containers have existed since 2018, but they were limited to Microsoft 365 groups, Teams, and SharePoint Online sites. When an administrator publishes a label policy, end users see a sensitivity dropdown when creating or editing a supported group. Choosing a label triggers automatic configuration of settings such as privacy (public/private), external user access, and guest permissions.
For security groups, the functionality mirrors this pattern. In the Entra admin center, under Groups > Sensitivity labels, you can now create and manage label associations for security groups. Once a label is published and scoped to security groups, members with the appropriate permissions (typically group owners or admins) can select a sensitivity label when creating a new security group via the portal, Microsoft Graph API, or PowerShell. The label then enforces:
- Proactive guest control: Restrict whether guests can be added to the group. When a label blocks guests, any attempt to add an external user is automatically denied.
- Group privacy settings: Designate the group as public or private at the tenant level.
- Group membership governance: While not yet available for security groups in this preview, future iterations may include membership expiration and access reviews tied to labels.
Proactive guest control is the standout feature. Administrators can define in the label’s settings that guest access is never allowed, allowed but with justification, or allowed without restrictions. This policy is enforced not only at creation but also when editing the group, ensuring that changes to the membership do not introduce unintended guest accounts without triggering a policy violation.
Getting Started with the Preview
To test sensitivity labels for security groups, your tenant must meet specific prerequisites:
- A Microsoft Entra ID P1 or P2 license (depending on the sensitivity label features used).
- Microsoft Purview Information Protection licensing (typically included in Microsoft 365 E5, E5 Compliance, or standalone Information Protection licenses).
- Administrative access to both the Microsoft Purview compliance portal and the Entra admin center.
Enable the Preview
- Opt into the preview: As of now, the feature is not enabled by default. Global administrators must navigate to the Entra admin center, go to Groups > Sensitivity labels, and toggle the preview switch. Alternatively, you may need to sign up for the public preview via a Microsoft 365 roadmap item or feature flag.
- Create or migrate labels: In the Microsoft Purview compliance portal, create new sensitivity labels or edit existing ones. Under Define the scope, ensure Groups & sites is selected, then check the box for Microsoft Entra security groups. Note that labels already scoped to Microsoft 365 groups will not automatically apply to security groups unless you explicitly add this scope.
- Configure label settings: For each label, define guest access rules, group privacy (if applicable), and any other container-management settings. The preview currently supports control over guest access and privacy. Additional settings like external sharing and access reviews are not yet available for security groups.
- Publish the label: Using a label policy, publish the label to the desired users or groups. Only published labels appear in the sensitivity dropdown when creating a security group.
- Test group creation: Sign in as a user in scope, navigate to the Entra admin center or use Microsoft Graph API to create a new security group. You should see a Sensitivity field. Applying a label that blocks guest access will immediately prevent the addition of external members.
Known Limitations
Being in public preview, several capabilities are absent or constrained:
- Static groups only: Dynamic security groups (query-based membership) and mail-enabled security groups are not supported. The label applies solely to static, non-mail-enabled security groups.
- No retroactive application: You can only assign a label at creation time or when editing a group. Labels cannot be applied in bulk to existing groups through the UI, though this may be possible via script.
- Limited control set: Only guest access and privacy settings are configurable. Features like site sharing, conditional access, or membership expiration are not part of this preview.
- Admin roles: Some admin roles, such as Groups Administrator, can override label-enforced settings, so careful role management is necessary to prevent policy bypass.
- Visual indicators: Unlike labels on documents, there are no visual markings (headers, footers) on security groups. The label is purely a metadata and policy enforcement mechanism.
Why This Matters: Proactive Guest Governance
Guest accounts represent a significant risk vector. Without proper controls, any group owner can invite external users to a security group, potentially granting them access to shared resources like applications, SharePoint, or Azure resources. Sensitivity labels close this gap by embedding governance into the group itself.
Consider a security group used to grant access to a critical line-of-business application. In the past, an admin might forget to audit guest membership, leaving outsiders with persistent access. With a sensitivity label that blocks guests, the system enforces the restriction from the outset. Even if an owner later tries to add a guest through the API, the label’s policy will reject the change. This shift from reactive auditing to proactive prevention reduces the burden on IT and security teams.
Additionally, labels provide a self-service categorization method. When users create groups, they can select a label like “Internal Only – No Guests” or “External Collaboration Allowed,” which drives consistent access posture across the organization. This is especially powerful in dev/test environments where developers spin up ad-hoc groups for resource access.
Comparison with Existing Container Labels
Sensitivity labels for Microsoft 365 groups, Teams, and SharePoint sites already support a rich set of container-management settings:
| Setting | Microsoft 365 Groups / Teams | Security Groups (Preview) |
|---|---|---|
| Privacy (public/private) | Yes | Yes |
| Guest access control | Yes (proactive) | Yes (proactive) |
| External user access | Yes | No |
| Device access / Conditional Access | Yes | No |
| Site sharing policies | Yes | No |
| Default link type for SharePoint | Yes | No |
| Access reviews | Yes | No |
As the table shows, the preview for security groups focuses on the most critical governance knob: guest containment. Microsoft is likely to expand parity over time, but currently, administrators should view security group labels as a targeted tool for access governance rather than a full-blown container management solution.
Deployment Best Practices
- Start with a pilot group: Roll out the feature to a small set of test users and groups to observe the behavior. Validate that label application works as expected from the portal, Graph API, and PowerShell.
- Define clear label taxonomy: Align sensitivity labels with your data classification schema. Standardize a few labels like “Highly Confidential,” “Internal,” and “External” to avoid confusion.
- Educate group creators: Users accustomed to creating groups without labels may overlook the new dropdown. Provide guidance on when to use each label.
- Monitor with audit logs: Use Microsoft Purview audit logs to track label assignments and policy violations. This helps identify rogue guest additions or mislabeled groups.
- Plan for automation: For larger environments, script the application of labels to existing security groups using Microsoft Graph API or PowerShell once the feature reaches general availability.
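The group-creation step in Enable the Preview and the automation item above both rest on the same Microsoft Graph group properties; the following Python helper is an added example (not Microsoft's code) that applies the preview's scope rule from Known Limitations to a group inventory, reports in-scope groups with no label, flags guest members in a labeled group, and builds the creation body. It assumes the preview exposes the group resource's assignedLabels property on security groups as it does for Microsoft 365 groups; the label ID, group names and member list are constructed placeholders.

```python
"""Offline helpers for the security-group label rollout (example code, not Microsoft's)."""

# Graph group properties used: securityEnabled, mailEnabled, groupTypes, membershipRule,
# assignedLabels. ASSUMPTION: the preview exposes assignedLabels on security groups too.

def is_label_eligible(group: dict) -> bool:
    """Preview scope: static, non-mail-enabled security groups only."""
    if not group.get("securityEnabled") or group.get("mailEnabled"):
        return False
    types = group.get("groupTypes") or []
    if "Unified" in types or "DynamicMembership" in types:
        return False  # Microsoft 365 group or dynamic membership
    return not group.get("membershipRule")  # any rule means dynamic

def unlabeled_eligible_groups(groups: list) -> list:
    """Names of in-scope security groups that carry no sensitivity label."""
    return [g["displayName"] for g in groups
            if is_label_eligible(g) and not g.get("assignedLabels")]

def guest_members(members: list) -> list:
    """UPNs of guest accounts (Graph user.userType == 'Guest') in a member list;
    run it against a group whose label blocks guests to spot a bypassed policy."""
    return [m["userPrincipalName"] for m in members if m.get("userType") == "Guest"]

def labeled_security_group_body(name: str, nickname: str, label_id: str) -> dict:
    """JSON body for POST /v1.0/groups creating a labeled static security group."""
    return {"displayName": name, "mailNickname": nickname, "mailEnabled": False,
            "securityEnabled": True, "groupTypes": [],
            "assignedLabels": [{"labelId": label_id}]}

# Constructed sample inventory shaped like a Graph list-groups response.
LABEL = "LABEL-ID-PLACEHOLDER"  # real label GUID comes from your Purview portal
SAMPLE_GROUPS = [
    {"displayName": "app-finance-readers", "securityEnabled": True,
     "mailEnabled": False, "groupTypes": [], "assignedLabels": []},
    {"displayName": "eng-dynamic", "securityEnabled": True, "mailEnabled": False,
     "groupTypes": ["DynamicMembership"], "assignedLabels": [],
     "membershipRule": '(user.department -eq "Engineering")'},
    {"displayName": "Project Team", "securityEnabled": False, "mailEnabled": True,
     "groupTypes": ["Unified"], "assignedLabels": [{"labelId": LABEL}]},
    {"displayName": "dl-announce", "securityEnabled": True, "mailEnabled": True,
     "groupTypes": [], "assignedLabels": []},
    {"displayName": "vpn-users", "securityEnabled": True, "mailEnabled": False,
     "groupTypes": [], "assignedLabels": [{"labelId": LABEL}]},
]
# Constructed member list for vpn-users; the external account is the finding.
SAMPLE_MEMBERS = [
    {"userPrincipalName": "alice@contoso.example", "userType": "Member"},
    {"userPrincipalName": "bob_fabrikam.example#EXT#@contoso.example", "userType": "Guest"},
]
```

Feed the functions the output of a real list-groups and list-members call once the preview is enabled; the eligibility rule is what keeps a bulk script from trying to label dynamic or mail-enabled groups the preview does not support.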
The Road Ahead
Microsoft has not announced a general availability date, but public previews typically last a few months. Organizations should provide feedback through the Microsoft Entra admin center feedback button or the public roadmap. Key requests from early adopters include:
- Support for dynamic groups and mail-enabled security groups.
- Integration with Privileged Identity Management (PIM) for just-in-time group membership.
- Inheritable labels that flow from parent groups to nested groups.
- Customizable policy tips that warn users when a label restricts guest access.
If adopted widely, sensitivity labels for security groups could become the canonical method for enforcing access governance across all Entra ID group types. This aligns with Microsoft’s Zero Trust vision, where every access attempt is verified and every container is governed by consistent policies.
Try It Out
To get hands-on, visit the Entra admin center and navigate to Groups > Sensitivity labels. Review the official documentation on Microsoft Learn and the Microsoft Purview guidelines. The feature is available to all Entra ID tenants with appropriate licensing, but you must explicitly enable the preview.
With a few clicks, you can start enforcing guest-free security groups today—paving the way for tighter access control and simpler compliance.