Updated April 20, 2026: We have updated the timeline. Thank you for your patience.
Introduction
Purview Information Protection admins can now exclude modern Microsoft 365 groups and scope sensitivity label policies to dynamic and non-mail enabled security groups. These capabilities give admins more flexibility, expanding policy targeting beyond individual users and mail-enabled groups.
This message is associated with Microsoft 365 Roadmap ID 558685.
When this will happen:
- Public Preview: We will begin rolling out late April 2026 and expect to complete by mid-May 2026.
- General Availability: We will begin rolling out late May 2026 (previously mid-June) and expect to complete by early June 2026 (previously late June).
How this affects your organization:
Who is affected:
- Information Protection admins managing sensitivity label publishing policies
What will happen:
- Admins can exclude modern Microsoft 365 groups from label publishing policies
- Admins can include non-mail-enabled security groups, including dynamic security groups
- Existing policies and configurations remain unchanged
- No user impact unless admins update policy scope
What you can do to prepare:
- No action is required
- Optionally review and update label publishing policies to take advantage of expanded scoping
Learn more: Create and publish sensitivity labels | Microsoft Learn (will be updated before rollout)
Compliance considerations:
| Compliance question |
Explanation |
| Does the change modify Information Protection labels or policy configuration capabilities? |
This update expands how sensitivity label publishing policies can be scoped by allowing admins to exclude modern Microsoft 365 groups and include non-mail-enabled security groups. |
| Does the change include an admin control and can it be controlled through Entra ID group membership? |
Admins can scope sensitivity label publishing policies using non-mail-enabled security groups, including dynamic security groups in Microsoft Entra ID. |