This chapter covers Microsoft Loop admin controls, a critical topic for the MS-102 exam under Tenant Management (Objective 1.3). Loop is a collaborative workspace in Microsoft 365 that allows real-time co-authoring of flexible components like tables, task lists, and text. As an administrator, you must control who can create Loop workspaces, what components are allowed, and how data is shared and retained. Exam questions on Loop admin controls typically account for 2-3% of the total, often appearing as scenario-based questions where you must choose the correct PowerShell cmdlet or admin center setting to enforce a specific policy.
Imagine a city where anyone can build a new room onto their house instantly using magical construction blocks. The building permit office (Microsoft Loop admin controls) must decide: which neighborhoods (tenants) can use these blocks, who in each house (users/groups) is allowed to build, what types of rooms (Loop workspaces) are permitted, and how long the magic lasts before the room vanishes (data retention). The permit office has a master list of approved block types (Loop components: tables, task lists, etc.) and can ban certain blocks city-wide (block specific components). When a resident tries to build, the permit office checks: Is the neighborhood allowed? Is this person authorized? Is this block type banned? If all clear, the magic works instantly. The permit office also sets rules for sharing rooms with visitors from other cities (external sharing) and can require that all rooms be locked with a special key (sensitivity labels). If the permit office misconfigures a rule, entire neighborhoods might be unable to build, or worse, unapproved structures could appear. Just like a real permit office, the Loop admin controls are centralized, policy-driven, and enforce rules before any construction begins.
What is Microsoft Loop and Why Admin Controls Matter
Microsoft Loop is a new collaborative canvas that enables teams to co-create and iterate on ideas in real time. It consists of Loop workspaces (persistent, shared pages) and Loop components (portable pieces like tables, task lists, or paragraphs that can be shared across Microsoft 365 apps like Teams, Outlook, and Word). From an admin perspective, Loop introduces new data residency, security, and compliance considerations. Without proper controls, users could inadvertently share sensitive information or create workspaces that violate organizational policies.
How Loop Admin Controls Work Internally
Loop admin controls are configured at the tenant level via the Microsoft 365 admin center or PowerShell. The settings are stored in Azure Active Directory and enforced by the Loop service. When a user attempts to create a Loop workspace or share a component, the service checks several policy layers:
Tenant-level toggle: The overall Loop experience can be enabled or disabled for the entire tenant. If disabled, no user can create or access Loop workspaces.
Group-level assignment: If the tenant toggle is on, you can restrict Loop workspace creation to specific security groups. Users not in an allowed group will see an error when trying to create a workspace.
Component-level restrictions: You can block specific Loop component types (e.g., task lists, voting tables) tenant-wide. This is useful for preventing use of components that don't meet compliance requirements.
External sharing: You can control whether Loop workspaces can be shared with external users (guests). This setting works in conjunction with Azure AD external sharing policies.
Data retention: Loop workspaces are stored as SharePoint sites under the covers. Retention policies from the Microsoft Purview compliance portal apply to Loop content just like any other SharePoint site.
Sensitivity labels: You can require that all new Loop workspaces have a sensitivity label applied, ensuring consistent classification.
Key Components, Values, Defaults, and Timers
Default state: Loop is enabled for all users in the tenant by default (when first released). However, Microsoft may change defaults over time; always verify.
PowerShell cmdlets: Use the Set-SPOTenant cmdlet with parameters like -IsLoopEnabled, -LoopDefaultSharingLinkType, and -LoopOverrideBlockList. For group restrictions, use Set-SPOTenant -LoopWorkspaceCreationGroupId <group-object-id>.
Admin center path: Settings > Org settings > Loop. Here you toggle the service, manage component blocking, and configure external sharing.
Component block list: An array of component types (e.g., "TaskList", "VotingTable", "Kanban"). You can get the full list via Get-SPOTenant | Select -ExpandProperty LoopComponentBlockList.
Retention: There is no separate Loop retention timer; it inherits SharePoint retention policies. By default, content is retained indefinitely unless a policy is applied.
Sensitivity label requirement: Set via Set-SPOTenant -LoopRequireSensitivityLabel $true. If enabled, users must pick a label when creating a workspace.
Configuration and Verification Commands
To check current Loop settings:
Get-SPOTenant | Select IsLoopEnabled, LoopDefaultSharingLinkType, LoopComponentBlockList, LoopRequireSensitivityLabel, LoopWorkspaceCreationGroupId
To enable Loop for the tenant:
Set-SPOTenant -IsLoopEnabled $true
To restrict workspace creation to a specific group:
Set-SPOTenant -LoopWorkspaceCreationGroupId "12345678-1234-1234-1234-123456789abc"
To block specific components:
Set-SPOTenant -LoopComponentBlockList @("TaskList","VotingTable")
To require sensitivity labels:
Set-SPOTenant -LoopRequireSensitivityLabel $true
Interaction with Related Technologies
SharePoint: Loop workspaces are stored as SharePoint sites. All SharePoint admin policies (e.g., site creation limits, storage quotas) apply.
Azure AD: User and group membership for Loop restrictions relies on Azure AD groups.
Microsoft Purview: Data Lifecycle Management (retention) and Information Protection (sensitivity labels) directly affect Loop content.
Microsoft Teams: Loop components can be embedded in Teams chats and channels. Teams policies (e.g., guest access) may override Loop external sharing settings if more restrictive.
Power Automate: Loop workspaces can trigger flows; admin controls do not block this, but DLP policies can.
Enable Loop for the tenant
Navigate to the Microsoft 365 admin center > Settings > Org settings > Loop. Toggle 'Let users create and share Loop workspaces' to On. Alternatively, use PowerShell: Set-SPOTenant -IsLoopEnabled $true. This step does not require any license assignment beyond the base Microsoft 365 subscription (E3, E5, etc.). Once enabled, all users can create workspaces unless further restricted.
Restrict workspace creation to specific groups
If you want only certain users to create Loop workspaces, create a security group in Azure AD and obtain its Object ID. Then run: Set-SPOTenant -LoopWorkspaceCreationGroupId <group-id>. Only members of that group can create workspaces. Note: All users can still view and edit workspaces they are invited to. This restriction applies only to creation.
Block specific Loop component types
To prevent use of certain components (e.g., task lists that may store sensitive data), use the LoopComponentBlockList parameter. Example: Set-SPOTenant -LoopComponentBlockList @("TaskList","VotingTable"). The block list is tenant-wide. Users will see an error when trying to insert a blocked component. To see available component types, check Microsoft documentation or use Get-SPOTenant to view the current block list.
Configure external sharing for Loop workspaces
In the Loop admin settings, under 'External sharing', choose one of three options: 'Only people in your organization' (no external), 'Existing guests' (only current Azure AD guests), or 'Anyone' (anyone with the link). This setting is separate from the SharePoint sharing settings, although a more restrictive SharePoint setting overrides it. For PowerShell, use Set-SPOTenant -LoopDefaultSharingLinkType (values: None, Internal, Direct).
Require sensitivity labels on new workspaces
To enforce that all new Loop workspaces have a sensitivity label, enable: Set-SPOTenant -LoopRequireSensitivityLabel $true. Users will be prompted to select a label when creating a workspace. If they cancel, the workspace is not created. Existing workspaces are not affected. Ensure sensitivity labels are published to users in Microsoft Purview.
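The five settings configured in the steps above can be checked for drift against a reviewed baseline. The following is an added example, not part of the original chapter or any Microsoft tooling: the property names are the ones this chapter lists for Get-SPOTenant, while Test-LoopBaseline, the baseline values and the sample tenant object are constructed for illustration.

```powershell
# Added example: compares Loop tenant settings with a reviewed baseline.
# Property names are the ones this chapter lists for Get-SPOTenant;
# Test-LoopBaseline, the baseline and the sample object are constructed.
function Test-LoopBaseline {
    param(
        [Parameter(Mandatory)] $Tenant,               # object carrying the Loop properties
        [Parameter(Mandatory)] [hashtable] $Baseline  # expected values, keyed by property
    )
    $scalar = @('IsLoopEnabled', 'LoopRequireSensitivityLabel',
                'LoopDefaultSharingLinkType', 'LoopWorkspaceCreationGroupId')
    $findings = @()
    foreach ($name in $scalar) {
        $actual = $Tenant.$name
        if ("$actual" -ne "$($Baseline[$name])") {
            $findings += [pscustomobject]@{
                Setting = $name; Expected = $Baseline[$name]; Actual = $actual
            }
        }
    }
    # Every component the baseline blocks must still be on the tenant block list.
    $missing = @($Baseline.LoopComponentBlockList |
        Where-Object { $_ -notin @($Tenant.LoopComponentBlockList) })
    if ($missing.Count -gt 0) {
        $findings += [pscustomobject]@{
            Setting  = 'LoopComponentBlockList'
            Expected = $Baseline.LoopComponentBlockList -join ','
            Actual   = @($Tenant.LoopComponentBlockList) -join ','
        }
    }
    return $findings
}

# Baseline built from the commands shown in this chapter.
$baseline = @{
    IsLoopEnabled                = $true
    LoopRequireSensitivityLabel  = $true
    LoopDefaultSharingLinkType   = 'Internal'
    LoopWorkspaceCreationGroupId = '12345678-1234-1234-1234-123456789abc'
    LoopComponentBlockList       = @('TaskList', 'VotingTable')
}

# Constructed sample standing in for Get-SPOTenant output in a live session.
$tenant = [pscustomobject]@{
    IsLoopEnabled                = $true
    LoopRequireSensitivityLabel  = $false          # drift: label requirement off
    LoopDefaultSharingLinkType   = 'Internal'
    LoopWorkspaceCreationGroupId = '12345678-1234-1234-1234-123456789abc'
    LoopComponentBlockList       = @('TaskList')   # drift: VotingTable unblocked
}

Test-LoopBaseline -Tenant $tenant -Baseline $baseline | Format-Table -AutoSize
```

Running the same check before and after a change window gives a record of what moved, which is the kind of control Scenario 3 below calls for.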
Enterprise Scenario 1: Financial Services Firm Restricts Loop Usage
A large bank wants to adopt Loop for agile project management but must ensure no sensitive customer data leaks. The admin enables Loop tenant-wide but restricts workspace creation to a security group containing only the innovation team (50 users). They block the 'VotingTable' component because it could be used to collect unencrypted PII. External sharing is set to 'Only people in your organization'. They also require sensitivity labels, with a default 'Confidential' label auto-applied via a label policy. This configuration took 30 minutes to implement using PowerShell scripts. The main challenge was educating the innovation team about the restrictions; some users initially complained they couldn't share workspaces with external consultants. The admin had to create a separate guest access policy in Azure AD to allow limited external collaboration on a case-by-case basis.
Enterprise Scenario 2: Education Institution Enables Open Collaboration
A university wants all students and faculty to use Loop for group projects. They enable Loop for everyone and allow external sharing with 'Anyone' to facilitate collaboration with external researchers. They do not block any components but enforce a retention policy of 90 days for Loop workspaces (via Microsoft Purview) to comply with data minimization regulations. They do not require sensitivity labels because students often forget to apply them. The IT team monitors usage via the Loop analytics in the admin center. A common issue is that students accidentally share workspaces publicly, so the admin sets the default sharing link to 'Internal' (people in the organization only) but allows users to change it to 'Anyone' per workspace. This required a custom PowerShell configuration: Set-SPOTenant -LoopDefaultSharingLinkType Internal.
Enterprise Scenario 3: Misconfiguration Causes Outage
A global retailer accidentally disabled Loop for the entire tenant while testing settings in the admin center. Users across the company lost access to existing Loop workspaces and could not create new ones. The helpdesk was flooded with tickets. The admin realized the error after 4 hours and re-enabled Loop. This incident highlighted the need for change management and testing in a pilot tenant first. The lesson: always use a test tenant or a small group before making tenant-wide changes.
What MS-102 Tests on Loop Admin Controls
The exam focuses on Objective 1.3: 'Manage tenant settings for Microsoft 365 workloads'. Specifically, you need to know:
How to enable/disable Loop at the tenant level.
How to restrict workspace creation to specific groups.
How to block specific component types.
How to configure external sharing for Loop workspaces.
How to require sensitivity labels.
The PowerShell cmdlets and parameters used.
Common Wrong Answers
Choosing 'Loop is enabled by default and cannot be disabled' – This is false. You can disable Loop entirely via admin center or PowerShell. Candidates assume that because Loop is a relatively new feature, Microsoft forces it on. Reality: it's a configurable setting.
Using Set-AzureADDirectorySetting instead of Set-SPOTenant – Candidates confuse Loop settings with Azure AD policy settings. Loop settings are SharePoint Online tenant settings.
Thinking group restriction applies to both creation and access – The group restriction only controls who can CREATE workspaces. Any user can be invited to an existing workspace regardless of group membership.
Assuming external sharing for Loop is controlled by SharePoint sharing settings alone – While SharePoint settings can override, Loop has its own external sharing setting that is independent.
Specific Numbers and Terms
The PowerShell module required is SharePoint Online (SPO).
The parameter for enabling Loop: -IsLoopEnabled.
The parameter for group restriction: -LoopWorkspaceCreationGroupId.
The parameter for component block list: -LoopComponentBlockList.
The parameter for default sharing link: -LoopDefaultSharingLinkType (values: None, Internal, Direct).
The parameter for sensitivity label requirement: -LoopRequireSensitivityLabel.
Edge Cases and Exceptions
If you disable Loop after users have created workspaces, those workspaces become inaccessible but are not deleted. Re-enabling restores access.
The component block list does not affect components shared from outside the tenant. If an external user shares a blocked component, internal users may still see it but cannot create new ones.
The sensitivity label requirement applies only to new workspaces, not existing ones. To enforce labels on existing workspaces, you must use a label policy with auto-labeling.
How to Eliminate Wrong Answers
If a question asks about restricting who can create workspaces, look for 'group' or 'security group' in the answer. Any answer mentioning 'everyone' or 'all users' is likely wrong.
If the question involves blocking specific components, the answer must reference the LoopComponentBlockList parameter.
If the question involves external sharing, remember the three options: Only organization, Existing guests, Anyone.
Loop admin controls are configured in the M365 admin center or via SharePoint Online PowerShell (Set-SPOTenant).
Enable/disable Loop with -IsLoopEnabled; default is enabled for all users.
Restrict workspace creation to a specific security group using -LoopWorkspaceCreationGroupId.
Block specific component types tenant-wide using -LoopComponentBlockList (e.g., @("TaskList","VotingTable")).
External sharing for Loop has three options: Only organization, Existing guests, Anyone; set via -LoopDefaultSharingLinkType.
Require sensitivity labels on new workspaces with -LoopRequireSensitivityLabel $true.
Loop workspaces are stored as SharePoint sites; retention and DLP policies from Purview apply.
Disabling Loop does not delete workspaces; it only hides them.
The component block list is tenant-wide and cannot be scoped to groups.
Group restriction only applies to creation, not to viewing or editing existing workspaces.
Always test Loop configuration in a pilot tenant before rolling out to production.
Use Get-SPOTenant to verify current Loop settings.
These come up on the exam all the time. Here's how to tell them apart.
Loop Workspace Creation Restriction
Controls who can create new Loop workspaces using a security group.
Set via LoopWorkspaceCreationGroupId parameter.
Only affects creation; existing workspaces and editing are unaffected.
Useful for limiting Loop to a pilot group.
Requires an Azure AD security group object ID.
Loop Component Blocking
Blocks specific component types tenant-wide (e.g., TaskList).
Set via LoopComponentBlockList parameter as an array.
Affects all users; cannot be scoped to groups.
Useful for compliance (e.g., blocking voting tables to prevent data collection).
Does not block components shared from external sources.
Mistake
Loop admin controls are part of Microsoft Teams admin center.
Correct
Loop settings are managed in the Microsoft 365 admin center under Settings > Org settings > Loop, or via SharePoint Online PowerShell. They are not in Teams admin center.
Mistake
Disabling Loop deletes all existing workspaces.
Correct
Disabling Loop only prevents creation of new workspaces and access to existing ones. The data is not deleted; it remains in SharePoint. Re-enabling restores access.
Mistake
The group restriction for workspace creation also restricts viewing and editing workspaces.
Correct
The group restriction only controls who can create new workspaces. Any user can be invited to an existing workspace, regardless of group membership.
Mistake
Loop components can be blocked per user or per group.
Correct
The component block list is tenant-wide. You cannot block components for specific users or groups. To restrict components for certain users, you would need to disable Loop for them entirely.
Mistake
External sharing for Loop is controlled solely by SharePoint external sharing settings.
Correct
Loop has its own external sharing setting independent of SharePoint. However, if SharePoint external sharing is more restrictive, it will override Loop's setting.
Go to Microsoft 365 admin center > Settings > Org settings > Loop, then toggle 'Let users create and share Loop workspaces' to On. Alternatively, use PowerShell: Set-SPOTenant -IsLoopEnabled $true. No additional licenses are required beyond your Microsoft 365 subscription.
Yes. Create a security group in Azure AD and note its Object ID. Then run: Set-SPOTenant -LoopWorkspaceCreationGroupId <group-object-id>. Only members of that group can create new workspaces. All users can still be invited to existing workspaces.
Use PowerShell: Set-SPOTenant -LoopComponentBlockList @("TaskList","VotingTable"). You can specify multiple component types. To view the current block list, run Get-SPOTenant | Select -ExpandProperty LoopComponentBlockList. This setting is tenant-wide.
Existing workspaces become inaccessible to users, but they are not deleted. The underlying SharePoint sites remain. When you re-enable Loop, users regain access. This is a common exam scenario: disabling Loop does not delete data.
Run: Set-SPOTenant -LoopRequireSensitivityLabel $true. Users must select a label when creating a workspace. Ensure labels are published in Microsoft Purview. This setting only applies to new workspaces, not existing ones.
Yes. Loop has its own external sharing setting. In the admin center, you can choose 'Only people in your organization', 'Existing guests', or 'Anyone'. In PowerShell, use -LoopDefaultSharingLinkType (None, Internal, Direct). However, if SharePoint external sharing is more restrictive, it overrides.
You need the SharePoint Online Management Shell. Install it with: Install-Module -Name Microsoft.Online.SharePoint.PowerShell. Then connect to SharePoint Online: Connect-SPOService -Url https://<tenant>-admin.sharepoint.com. All Loop settings are managed via Set-SPOTenant.