Azure Information Protection
An Azure service that is used to control and help secure email, documents, and sensitive data that are shared outside the company.
How can I apply Sensitivity Labels to a Group in a Commercial Tenant using the Graph API without Delegated Permissions? (PATCH groups/{groupId})
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 22%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
Sean Arthur
1
Reputation point
In a GCCH Tenant, this endpoint works using Application Permissions (i.e. NOT delegated permissions) - I know this limitation is documented here:
But since it works in GCCH using Application Permissions, it should work the same in Commercial. I have code that connects to both GCCH tenants and Commercial tenants, and the same calls fail in Commercial which succeed in GCCH.
Example:
PATCH groups/4*****d-e8a8-4d1a-****-93e*****e60b
with JSON body:
"{\"assignedLabels\":[{\"labelId\":\"72***b19-****-42c3-****-cde6*****42d\"}]}"
Gives back a response like this:
"{\r\n \"@odata.context\":\"https://substrate.office.com:444/CompliancePolicy/$metadata#Microsoft.Exchange.Compliance.Policy.Environment.MicrosoftGraphException\",\"error\":{\r\n \"code\":\"Unauthorized\",\"message\":\"App-only token is not supported.\",\"innerError\":{\r\n \"request-id\":\"cf042112-cbbf-448c-82f2-a8dd8bc14849\",\"date\":null\r\n }\r\n }\r\n}"
This was asked over a year ago here without a response:
Azure Information Protection
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2022-12-12T17:16:14.067+00:00 Hi @Sean Arthur , thanks for the question. I reached out to the product group for some more information. I'll let you know when I have an answer.
Best,
James -
Ravi Kanth Koppala 3,396 Reputation points Microsoft Employee Moderator2022-12-20T04:14:13.98+00:00 To apply sensitivity labels to a group in a commercial tenant using the Graph API, you will need to have the necessary permissions. Specifically, you will need to be an administrator of the tenant or have been granted the appropriate permissions by an administrator.
If you do not have delegated permissions, you can still apply sensitivity labels to a group by using the Graph API with an app-only token. To do this, you must create an app in the Azure Active Directory (AAD) associated with your tenant and grant it the necessary permissions to manage sensitivity labels.
Here is an example of how you can apply a sensitivity label to a group using the Graph API with an app-only token:
First, register an app in the Azure Active Directory associated with your tenant and grant it the necessary permissions to manage sensitivity labels.
Next, use the app's client ID and client secret to obtain an app-only access token for the Graph API.
Use the Graph API to retrieve the group to which you want to apply the sensitivity label. You can do this by making a GET request to the /groups endpoint and specifying the ID of the group in the id parameter.
Use the Graph API to apply the sensitivity label to the group. To do this, make a PATCH request to the /groups/{id} endpoint, where {id} is the ID of the group, and include the following JSON payload in the request body:{ "sensitivityLabel": { "id": "ID of the sensitivity label that you want to apply" } }That's it. I hope this worked for you.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 0%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZY%3C/text%3E%3C/svg%3E)
Zehui Yao_MSFT 5,881 Reputation points2022-12-26T10:29:05.46+00:00 Hi @Sean Arthur , did the above reply help you, if you still need any help, please feel free to comment here.
-
Sean Arthur 1 Reputation point
2023-01-03T19:50:04.087+00:00 Hi - sorry, was not able to re-test this before the holiday break.
Notably, this JSON request does not match any of the objects described in the graph API documentation, nevertheless I have attempted to use it.
PATCH groups/<redacted guid>
body:
`"{"sensitivityLabel":{"id":"<redacted guid>"}}"Results: 400 Bad Request
"Invalid property 'sensitivityLabel'."I have executed this both against the beta and v1.0 endpoints.
If you look at the documentation link I provided in the original post, you'll see the expected body is actually...
{ "assignedLabels": [ { "labelId" : "<guid>" } ] }and this is what produces the "App-only token is not supported" in commercial only, not GCCH.
Sign in to comment
Sign in to answer