How to get Retention Labels using Graph Api - https://graph.microsoft.com/beta/security/labels/retentionLabels/12e43d75-6cbe-4330-8864-0baaf2614c25

Ajay Kadavath 20 Reputation points
2023-09-27T17:08:51.3966667+00:00

Tenant:image

Graph beta version for Retention Label not working in oclabs tenant. Error is 401 Unauthorized

Tried in Graph Explorer and PowerShell script

  1. https://graph.microsoft.com/beta/security/labels/retentionLabels/12e43d75-6cbe-4330-8864-0baaf2614c25
  2. Import-Module Microsoft.Graph.Beta.Security

#List retentionLabels
Get-MgBetaSecurityLabelRetentionLabel

#Get retentionLabels
$retentionLabelId='12e43d75-6cbe-4330-8864-0baaf2614c25'
Get-MgBetaSecurityLabelRetentionLabel -RetentionLabelId $retentionLabelId

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,995 questions
SharePoint Development
SharePoint Development
SharePoint: A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.Development: The process of researching, productizing, and refining new or existing technologies.
2,970 questions
{count} votes

Accepted answer
  1. BenjaminM-MSFT 75 Reputation points Microsoft Vendor
    2023-10-02T12:30:59.47+00:00

    Hi @Ajay Kadavath

    Error 401 occurs when you do not have permissions to the resource you are trying to access. To access the /beta/security/labels/retentionLabels/{id} you need the following permissions:

    • RecordsManagement.Read.All

    On graph explorer (https://developer.microsoft.com/en-us/graph/graph-explorer) before running the query, click on "Modify Permissions" and consent to that permission.

    Here is the documentation for more details: https://learn.microsoft.com/en-us/graph/api/security-retentionlabel-get?view=graph-rest-beta&tabs=http

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".


1 additional answer

Sort by: Most helpful
  1. Ajay Kadavath 20 Reputation points
    2023-10-05T13:50:08.81+00:00

    Tried using PnP PowerShell and Beta version of Graph Security approach

    PnP PowerShell Approach

    Import-Module PnP.PowerShell
    
    Register-PnPAzureADApp -ApplicationName "RL Graph API" -Tenant "oclabs.onmicrosoft.com -Store CurrentUser -ValidYears 2 -CertificatePassword (ConvertTo-SecureString -String "password" -AsPlainText -Force) -Interactive
    
    $connect = Connect-PnPOnline -ClientId $ClientId -Thumbprint $CertificateThumbprint -Tenant $Tenant -Url "https://oclabs.sharepoint.com -ReturnConnection
    
    Get-PnPSite -Connection $connect
    
    #working
    $token = Get-PnPGraphAccessToken -Connection $connect
    
    # Create header with the access token
    
    $header = @{ Authorization = "Bearer $($token)" }
    
    #v1.0/Beta
    
    $uri = 'https://graph.microsoft.com/Beta/groups' + `
    
           '?$filter=resourceProvisioningOptions/Any(x:x eq ''Team'')' +
    
           '&select=id,displayName'
    
    # Make a simple rest call
    
    $response = Invoke-RestMethod -Uri $uri -Headers $header -Method Get -ContentType "application/json" -CertificateThumbprint $CertificateThumbprint
    
    #$response = Invoke-PnPGraphMethod -Url $uri -Connection $connect -Method Get -ContentType "application/json" -All
    
    # Lets see the result
    
    $response.Value
    
    
    #Not working#used delegated permission RecordsManagement.Read.All and RecordsManagement.ReadWrite.All #Security & Compliance PowerShell
    
    $token = Get-PnPGraphAccessToken -Connection $connect #-Decoded
    
    #$token = Get-PnPAppAuthAccessToken -Connection $connect
    
    #GET https://graph.microsoft.com/v1.0/me/drive/root/search(q='retentionLabel:"12e43d75-6cbe-4330-8864-0baaf2614c25"')?$select=name,id,parentReference
    
    $uri = 'https://graph.microsoft.com/beta/security/labels/retentionLabels'
    
    $me = Invoke-RestMethod -Uri $uri -Headers @{"Authorization"="Bearer $($token)"} -Method Get -ContentType "application/json" -CertificateThumbprint $CertificateThumbprint$me.value
    
    $me = Invoke-PnPGraphMethod -Url $uri -Connection $connect -Method Get -ContentType "application/json" -All #-Content @{"Authorization"="Bearer $($token)"} #-AdditionalHeaders @{"Authorization"="Bearer $($token)"}
    
    $me.value
    

    Graph PowerShell Approach

    Get-Variable Max*Count
    $MaximumFunctionCount = 8192
    $MaximumVariableCount = 8192
    #$MaximumAliasCount
    #$MaximumErrorCount
    #$MaximumHistoryCount
    #$MaximumDriveCount
    
    if ($PSVersionTable.PSEdition -eq 'Desktop') {
        $Script:MaximumFunctionCount = 18000
        $Script:MaximumVariableCount = 18000
    }
    
    #loading time max 5 min
    Import-Module Microsoft.Graph
    Import-Module Microsoft.Graph.Beta.Security
    
    $RequiredScopes = ("Application.ReadWrite.All", "Organization.ReadWrite.All”, "Directory.Read.All", "User.Read.All", "Group.ReadWrite.All", "RecordsManagement.Read.All", "RecordsManagement.ReadWrite.All")
    
    Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -Scopes $RequiredScopes -NoWelcome
    
    (Get-MgContext).Scopes
    
    # Get context for access to tenant ID
    $context = Get-MgContext
    
    #List retentionLabels
    Get-MgBetaSecurityLabelRetentionLabel
    
    #Get retentionLabel
    #Not working
    $retentionLabelId='037098c7-57a3-4042-9287-67f84ab4e820'
    Get-MgBetaSecurityLabelRetentionLabel -RetentionLabelId $retentionLabelId
    
    
    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.