Sensitivity label cannot be assigned since sensitivity label owner email cannot be computed for this file

Sebastian Duschinger 20 Reputation points
2023-09-06T08:05:39.4366667+00:00

Hi all,

when trying to assign a sensitivity label by the Graph API endpoint

`/drives/${listDdriveId}/items/${itemId}/assignSensitivityLabel`

I get an error, when the last operation on this item/document was performed by an app (Editor 'SharePoint App'):

 "error": {
    "code": "notSupported",
    "message": "Sensitivity label cannot be assigned since sensitivity label owner email cannot be computed for this file. Please retry after you have touched the file.",
    "innerError": {
        "date": "2023-09-06T08:03:45",
        "request-id": "2d02b344-fafc-48ae-8983-d9f197c21850",
        "client-request-id": "..."
    }
}

After I update the metadata of the item within a normal user context I can set the sensitivity label successfully with the Graph API endpoint (called by an app).

Unfortunately this is not possible in my scenario.

Is there a way to circumvent this error?

Thanks and best regards.

Sebastian

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,228 questions
0 comments No comments
{count} votes

Accepted answer
  1. Aurélien OSINI 80 Reputation points
    2023-11-15T13:09:20.2433333+00:00

    Hello,

    Just to share if anyone has the same issue.

    We just got an answer from MS support about this. Here is the answer we got:

    Apps can apply label of a file when the file was last modified by or authored by a user with a valid email or if the site owner has a valid email address. If a file is allowed to be labelled in such a situation, the file can get into a state where only the tenant admin can change the label of file for certain label configurations. To avoid such situations, the operation is blocked.

    In our case, the file last modified by was an old account (no email) and the site Owner was the SharePoint administrator group. (the site owner here is the one you got with the command "Get-SPOSite -Identity https://siteurl | select Owner" so the site collection primary admin or the Group owner)

    As a workaround, we assign a valid user as the site primary admin before calling this graph API endpoint.

    Hope this help.

    Aurélien

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.