RetentionLabels - (500) Exception = DataInsights command(GET) FAILED - Forbidden

Justin Marsh 20 Reputation points
2024-12-19T20:04:08.1366667+00:00

The API for listing retention labels only supports a delegate API role. This implies that if I have access to view retention labels in Purview, I can list them via Graph. That isn't the case. Unless I have the Global Administrator role assigned to my user, I receive an Internal Server Error (500) with the below details. Is this role really required when working with this endpoint, even just for viewing purposes?
Request: GET https://graph.microsoft.com/v1.0/security/labels/retentionLabels

{
    "error": {
        "code": "UnknownError",
        "message": "{\"ErrorCode\":\"UnknownError\",\"Message\":\"Failed to contact DataInsights in EOP - Tenant = <<<REDACTED>>>. Exception = DataInsights command(GET) FAILED - Forbidden. TargetServer = SJ0PR03MB5757.namprd03.prod.outlook.com\"}",
        "innerError": {
            "date": "2024-12-19T19:52:57",
            "request-id": "2852d6b8-4579-4b1d-bce2-019e2efff7dc",
            "client-request-id": "189b403d-3ac0-3268-bcaa-4d835930f8bd"
        }
    }
}
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,871 questions
0 comments No comments
{count} votes

Accepted answer
  1. Yakun Huang-MSFT 9,470 Reputation points Microsoft Vendor
    2024-12-20T02:41:15.14+00:00

    Hello Justin Marsh,

    Thank you for reaching out to Microsoft Support!

    After testing, it turns out to be true, as you stated, that when using this endpoint, if you do not have the global administrator role, a 500 error will be reported and you need to grant RecordsManagement.Read.All permission and have global administrator role to successfully access the endpoint.

    Therefore, the issue may be internal to that endpoint and you are advised to submit a user voice for this or open a support ticket. In the meantime, if you don't mind, grant the global administrator role to continue to access the endpoint until the issue is fixed.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.