Execute-AzureADLabelSync does not appear to work correctly

How to enable labels in groups and SharePoint.

I was recently implementing labels in my test Microsoft 365 tenant and I found that I wasn’t able to use labels in SharePoint, and the option for SharePoint when defining the scope of the label was greyed out.

As highlighted in the image below, the option for Groups & Sites is greyed out. Even though it looks like it’s enabled, with the tick in the box, it is not, and we are unable to uncheck it.

[Image: Define the scope for this label]

The grey, highlighted text that asks you to complete steps to be able to apply labels in Teams, SharePoint and Microsoft 365 Groups will take you to this Microsoft help page.

It will ask you to connect to your tenant’s Security & Compliance PowerShell and then run the following command:

```powershell
Execute-AzureADLabelSync
```

When you run this command, it doesn’t give you any indication that it has changed anything. I personally waited 24 hours before checking if I was able to enable Groups & Sites in the label’s scope and I still wasn’t able to.

The Fix!

So to resolve this, we are going to need to run a few PowerShell commands.

  1. Run the following commands to connect to Azure AD. If you haven’t already installed the AzureADPreview module, these commands will install it for you.

     ```powershell
     Install-Module AzureADPreview
     Import-Module AzureADPreview
     AzureADPreview\Connect-AzureAD
     ```

  2. Sign in to your tenant with your admin account.

  3. Fetch the current group settings for your Azure AD organisation and display them.

     ```powershell
     $grpUnifiedSetting = (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ)
     $Setting = $grpUnifiedSetting
     $grpUnifiedSetting.Values
     ```

If nothing is returned, then there are no group settings configured. If it has been configured previously, you will see EnableMIPLabels = True in the output.

  4. If nothing is returned then run the below to enable it.

     ```powershell
     $Setting["EnableMIPLabels"] = "True"
     ```

You may get the following error:

```text
Cannot index into a null array.
At line:1 char:1
+ $Setting["EnableMIPLabels"] = "True"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArray
```

If you do then jump down to the next section.

  5. Check that the new settings have applied.

     ```powershell
     $Setting.Values
     ```

  6. Now save the settings and apply to the tenant.

     ```powershell
     Set-AzureADDirectorySetting -Id $grpUnifiedSetting.Id -DirectorySetting $Setting
     ```

For more information regarding this see here.

Cannot Index into a null array error

If you get the error “Cannot index into a null array”, you will need to edit the “Group.Unified” template to be able to add the EnableMIPLabels setting.

  1. Run the following commands to connect to Azure AD. If you haven’t already installed the AzureADPreview module, these commands will install it for you.

     ```powershell
     Install-Module AzureADPreview
     Import-Module AzureADPreview
     AzureADPreview\Connect-AzureAD
     ```

  2. Sign in to your tenant with your admin account.

  3. List all the settings templates and check that you have a template called “Group.Unified”.

     ```powershell
     Get-AzureADDirectorySettingTemplate
     ```

You should see the following output.

```text
Id                                   DisplayName                          Description
--                                   -----------                          -----------
08d542b9-071f-4e16-94b0-74abb372e3d9 Group.Unified.Guest                  Settings for a specific Unified Group
4bc7f740-180e-4586-adb6-38b2e9024e6b Application                          ...
5cf42378-d67d-4f36-ba46-e8b86229381d Password Rule Settings               ...
62375ab9-6b52-47ed-826b-58e47e0e304b Group.Unified                        ...
80661d51-be2f-4d46-9713-98a2fcaec5bc Prohibited Names Settings            ...
898f1161-d651-43d1-805c-3b0b388a9fc2 Custom Policy Settings               ...
aad3907d-1d1a-448b-b3ef-7bf7f63db63b Prohibited Names Restricted Settings ...
dffd5d46-495d-40a9-8e21-954ff55e198a Consent Policy Settings              ...
```

As you can see there is one there already called “Group.Unified”.

  4. Now you need to edit this template to be able to add the setting you need. You are going to get the Settings Template object.

     ```powershell
     $TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq "Group.Unified" }).Id
     $Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ
     ```

  5. Next you are going to create a new settings object based on the template.

     ```powershell
     $Setting = $Template.CreateDirectorySetting()
     ```

  6. You can now add the setting you need to be able to use labels in SharePoint.

     ```powershell
     $Setting["EnableMIPLabels"] = "True"
     ```

  7. Now you need to apply the new setting.

     ```powershell
     New-AzureADDirectorySetting -DirectorySetting $Setting
     ```

You can also view the values.

```powershell
$Setting.Values
```

For more information regarding this see [here](https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-settings-cmdlets).
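
Both branches of the fix (updating an existing “Group.Unified” setting, or creating one from the template when none exists) combined into one repeatable function, as an added example that is not part of the original post. It assumes `AzureADPreview\Connect-AzureAD` has already been run in the session, and `Enable-GroupMipLabels` is a hypothetical helper name; it supports `-WhatIf` and reads the value back from the directory at the end.

```powershell
# Added example: assumes AzureADPreview is imported and Connect-AzureAD has been run.
# Enable-GroupMipLabels is a hypothetical helper name, not a cmdlet from the module.
function Enable-GroupMipLabels {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Look for an existing tenant-level "Group.Unified" settings object.
    $existing = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }

    if ($existing) {
        # Case 1: a settings object exists, so only change it if needed.
        if ($existing['EnableMIPLabels'] -eq 'True') {
            Write-Verbose 'EnableMIPLabels is already True; nothing to change.'
            return $existing.Values
        }
        $existing['EnableMIPLabels'] = 'True'
        if ($PSCmdlet.ShouldProcess('Group.Unified', 'Set EnableMIPLabels = True')) {
            Set-AzureADDirectorySetting -Id $existing.Id -DirectorySetting $existing
        }
    }
    else {
        # Case 2: no settings object yet (the "Cannot index into a null array" case),
        # so build one from the Group.Unified template.
        $template = Get-AzureADDirectorySettingTemplate |
            Where-Object { $_.DisplayName -eq 'Group.Unified' }
        if (-not $template) {
            throw 'Group.Unified settings template not found in this tenant.'
        }
        $new = $template.CreateDirectorySetting()
        $new['EnableMIPLabels'] = 'True'
        if ($PSCmdlet.ShouldProcess('Group.Unified', 'Create setting with EnableMIPLabels = True')) {
            New-AzureADDirectorySetting -DirectorySetting $new | Out-Null
        }
    }

    # Read the values back from the directory rather than trusting the local object.
    (Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values
}

Enable-GroupMipLabels -Verbose
```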

Back to the compliance portal

Now when you go to edit an existing label or create a new label in the compliance portal, the scope option for applying labels to “Groups & Sites” will be enabled and available to check or uncheck.

[Image: Define the scope for this label enabled]
