
Azure Information Protection sensitivity labels. Encryption labels created with "Assign permissions now": Microsoft Information Protection SDK does not allow to enumerate exactly which users listed

Sergey Ivanou 21 Reputation points
Dec 17, 2022, 8:50 AM

Hello!

We are trying to classify protected content with AIP in our organization. We use the Microsoft Information Protection SDK (overview: https://learn.microsoft.com/en-us/information-protection/develop/overview#microsoft-information-protection-sdk), current version 1.12.101.

An administrator created multiple Azure Information Protection sensitivity labels. Encryption labels were created with "Assign permissions now", and exactly which users get which permissions to content was defined. See https://learn.microsoft.com/en-us/microsoft-365/compliance/encryption-sensitivity-labels?view=o365-worldwide

While trying to automate classification, I want to get the exact list of users and their permissions. I realized that sensitivity labels created with the option "Assign permissions now" are stored in file metadata as template-based, and the template ID is visible in the ProtectionDescriptor structure.

But it looks like the Microsoft Information Protection SDK does not have an API to get exactly which users get which permissions to content when a file is protected with a template.

I can see only the UI description from IProtectionEngine.GetTemplates() in TemplateDescriptor.

How can I list users and their permissions for files with sensitivity labels whose encryption was created with a template?

Accepted answer
  1. Givary-MSFT 35,371 Reputation points Microsoft Employee
    Dec 22, 2022, 3:17 PM

    @Sergey Ivanou

    I'm glad that you were able to get your query answered from the support team and thank you for posting the solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Answered by @Sergey Ivanou

1 additional answer

  1. Sergey Ivanou 21 Reputation points
    Dec 22, 2022, 2:50 PM

    Hello!

    After consultation with the MSFT support team, the final resolution to my question:

    • It is not possible to get access to all users that have a specific label using the MIP SDK or Graph API. That can only be done using the admin portal when configuring a label.
    • The SDK doesn’t have access to this information due to security and privacy policies.

    Thanks!
