{"id":22681,"date":"2026-05-28T10:30:00","date_gmt":"2026-05-28T17:30:00","guid":{"rendered":"https:\/\/new-cm-edgedigital.pages.dev\/insidetrack\/blog\/?p=22681"},"modified":"2026-05-28T10:56:26","modified_gmt":"2026-05-28T17:56:26","slug":"transforming-our-approach-to-sensitivity-labels-at-microsoft-with-microsoft-entra","status":"publish","type":"post","link":"https:\/\/new-cm-edgedigital.pages.dev\/insidetrack\/blog\/transforming-our-approach-to-sensitivity-labels-at-microsoft-with-microsoft-entra\/","title":{"rendered":"Transforming our approach to sensitivity labels at Microsoft with Microsoft Entra"},"content":{"rendered":"\n

Security groups serve as the backbone of our approach to access control across the Microsoft corporate tenant. These groups determine who has access to different resources across our network, including Azure subscriptions, Power BI reports, SharePoint sites, and more.<\/p>\n\n\n\n

For years, our security groups operated without consistent, policy\u2011based guardrails. As a result, we couldn\u2019t uniformly control guest access to sensitive resources or apply governance consistently across different group types.<\/p>\n\n\n\n

Addressing this required a complex, coordinated effort by our team here in Microsoft Digital, the company\u2019s IT organization, and the Microsoft Entra product team.<\/p>\n\n\n\n

\"A<\/figure>\n\n\n\n
\n

\u201cBecause IT security is our highest priority at Microsoft, we knew we needed a better approach to limiting access to groups within our tenant. And we realized that Microsoft Entra was a powerful in-house solution that represented our best path forward to solve for this challenge.\u201d<\/p>\nDavid Johnson, principal product manager architect, Microsoft Digital<\/cite><\/blockquote>\n\n\n\n

The result is a new approach to sensitivity labels across the organization that strengthens our security posture, which benefits Microsoft and our customers.<\/p>\n\n\n\n

\u201cBecause IT security is our highest priority at Microsoft, we knew we needed a better approach to limiting access to groups within our tenant,\u201d says David Johnson, a principal product manager architect in Microsoft Digital. \u201cAnd we realized that Microsoft Entra was a powerful in-house solution that represented our best path forward to solve for this challenge.\u201d<\/p>\n\n\n\n

\n
\n
\"\"<\/figure>\n<\/div>\n\n\n\n
\n

Go deeper<\/strong><\/p>\n\n\n\n

Learn how to assign sensitivity labels to Microsoft Entra security groups.<\/a><\/p>\n<\/div>\n<\/div>\n\n\n\n

Closing the security gap<\/h2>\n\n\n\n

Sensitivity labels for Microsoft 365 groups are labels that govern join and access restrictions for membership and sharing. They have been a product feature since 2020. But sensitivity labels for security groups\u2014labels that enforce rules about who can join a group\u2014had no equivalent.<\/p>\n\n\n\n

This meant that organizations that wanted to govern who could join a security group or determine if guests are permitted and how group membership is managed had to either lock down the group creation process entirely, or rely on reactive scanning after the fact.<\/p>\n\n\n\n

“Security groups are a key piece of our efforts to secure sensitive resources,” says Mohit Bhargava, a principal product manager on the Microsoft Entra team, which manages the Entra family of identity and network access products. \u201cWe wanted to apply policies to protect who could be in security groups so that the sensitive resources in those groups would remain secure.”<\/p>\n\n\n\n

\"A<\/figure>\n\n\n\n
\n

“Whoever gets into an Azure security group can have access to all the resources associated with the Azure subscription. That’s a potential high-severity threat.”<\/p>\nBasanth Kakumani, software engineer II, Microsoft Digital<\/cite><\/blockquote>\n\n\n\n

The security risk is real. If an unauthorized guest account ends up as a member of a security group that governs access to an Azure subscription, that guest gains access to every resource inside that subscription.<\/p>\n\n\n\n