Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Namespace: microsoft.graph.security
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Describes the information protection label that details how to properly apply a sensitivity label to information. The informationProtectionLabel resource describes the configuration of sensitivity labels that apply to a user or tenant.
Methods
| Method | Return type | Description |
|---|---|---|
| List | microsoft.graph.security.sensitivityLabel collection | Get a list of the microsoft.graph.security.sensitivityLabel objects and their properties. |
| Get | microsoft.graph.security.sensitivityLabel | Read the properties and relationships of a microsoft.graph.security.sensitivityLabel object. |
| Compute inheritance | microsoft.graph.security.sensitivityLabel | Compute the inheritance for the sensitivity label and input content. |
| Compute rights and inheritance | computeRightsAndInheritanceResult | Compute the rights and inheritance for the sensitivity label. |
| Evaluate application | microsoft.graph.security.informationProtectionAction collection | Given an input of contentInfo and labelingOptions, compute the set of actions required to apply the label. |
| Evaluate classification result | microsoft.graph.security.informationProtectionAction collection | Given an input of contentInfo and classification results, compute the set of actions required to apply the label. |
| Evaluate removal | microsoft.graph.security.informationProtectionAction collection | Given an input of contentInfo and downgradeJustification, compute the actions that should be taken to remove the label. |
| Extract content label | microsoft.graph.security.contentLabel | Given an input of contentInfo, return details on the informationProtectionLabel that the metadata represents. |
| List data security and compliance sensitivity labels | microsoft.graph.security.sensitivityLabel collection | Get a list of the sensitivityLabel objects and their properties using the data security and governance API. |
| Get a data security and compliance sensitivity label | microsoft.graph.security.sensitivityLabel collection | Get a sensitivityLabel objects and it's properties using the data security and governance API. |
| List rights | usageRightsIncluded collection | Get the usage rights granted to the calling user. |
Properties
| Property | Type | Description |
|---|---|---|
| actionSource | microsoft.graph.security.labelActionSource | Indicates the source of the action that resulted in the label being applied. Possible values are: manual, automatic, recommended, none. |
| autoLabeling | autoLabeling | The auto-labeling configuration for the label. |
| applicableTo | microsoft.graph.security.sensitivityLabelTarget | Specifies the workloads where the label can be applied. Possible values: email, site, unifiedGroup, teamwork, file, schematizedData. |
| applicationMode | microsoft.graph.security.applicationMode | Specifies how the label should be applied or recommended. Possible values are: manual, automatic, recommended. |
| assignedPolicies | labelPolicy collection | The collection of label policies that are assigned to the label. |
| autoTooltip | String | The tooltip displayed to users for recommended or automatically applied labels. |
| color | String | The color that the UI should display for the label, if configured. |
| contentFormats | String collection | Returns the supported content formats for the label. |
| description | String | The admin-defined description for the label. |
| displayName | String | The display name of the sensitivity label. |
| hasProtection | Boolean | Indicates whether the label has protection actions configured. |
| id | String | The label ID is a globally unique identifier (GUID). |
| isActive | Boolean | Indicates whether the label is active or not. Active labels should be hidden or disabled in the UI. |
| isAppliable | Boolean | Indicates whether the label can be applied to content. False if the label is a parent with child labels. |
| isDefault | Boolean | true if the label is the default label for the policy; false otherwise. |
| isEnabled | Boolean | true if the label is currently enabled; false otherwise. |
| isEndpointProtectionEnabled | Boolean | true if the label provides protection settings enforced by endpoint Data Loss Prevention; false otherwise. |
| isScopedToUser | Boolean | Indicates if the label is scoped to specific users or groups (true) or available to the entire tenant (false). |
| labelActions | labelActionBase collection | The actions that are associated with the label. |
| locale | String | The locale associated with the label's localized properties (for example, 'en-US'). Used in context of listing labels scoped to user/locale. |
| name | String | The plaintext name of the label. |
| priority | Int32 | The priority of the label. Lower numbers indicate higher priority. |
| sensitivity | Int32 | The sensitivity value of the label, where lower is less sensitive. |
| tooltip | String | The tooltip that should be displayed for the label in a UI. |
Sensitivity Label API Filtering Rules
This section outlines the filtering rules and constraints for various Sensitivity Label APIs.
Scenario 1: SensitivityLabel APIs (/ and /id)
Rules
OR Restriction with scopeToUser
- If
scopeToUserfilter parameter is present, thenoris not allowed in the filter parameters
- If
Prefiltering Behavior with OR
- If
oris present in the filter parameters, thenlocaleandcontentFormatsfilter parameters (if present) will not be used for prefiltering
- If
Inner OR Exception
- Inner
oroperations that fall under the parameter tree are permitted
- Inner
Scenario 2: SensitivityLabelAndRights APIs expand=Rights (/ and /id) - Single ID
Rules
OR Restriction with Multiple Parameters
- If any of the following filter parameters are present:
scopeToUser,id, orownerEmail, thenoris not allowed in the filter parameters
- If any of the following filter parameters are present:
ownerEmail Validation
ownerEmailpresent withoutidwill throwArgumentException
Prefiltering Behavior with OR
- If
oris present in the filter parameters, thenlocaleandcontentFormatsfilter parameters (if present) will not be used for prefiltering
- If
Inner OR Exception
- Inner
oroperations that fall under the parameter tree are permitted
- Inner
Scenario 2.5: SensitivityLabel And Rights APIs expand=Rights (/ and /id) - Multiple IDs
Supported Pattern
This API supports the following specific filtering pattern:
$filter=(id in ('guid1', 'guid2')) or ((id eq 'guid3' and rights/ownerEmail eq 'ownerEmail1') or (id eq 'guid4') or (id eq 'guid5' and rights/ownerEmail eq 'ownerEmail2') or (id eq 'guid6'))
Rules
Strict OR Pattern
- Only the pattern shown above is supported for
oroperations - Any other
orusage with this API will result inArgumentException
- Only the pattern shown above is supported for
Inner OR Exception
- Inner
oroperations that fall under the parameter tree are permitted
- Inner
Scenario 3: SensitivityLabel Rights /id/rights
Rules
OR Restriction with ownerEmail
oroperations with filter parameterownerEmailwill result in an exception
Inner OR Exception
- Inner
oroperations that fall under the parameter tree are permitted
- Inner
isScopedToUser Parameter Rules
This section outlines the behavior and constraints for the isScopedToUser parameter in sensitivity label APIs.
Parameter Behavior
isScopedToUser = true
- Result: Shows enabled labels only
- Use Case: Standard filtering for active/enabled labels
- Status: Recommended usage
isScopedToUser = false
- Result: Shows disabled labels only
- Use Case: Limited - ideally not used with this value
- Status: Not recommended for typical operations
isScopedToUser not passed
- Result: Shows all labels (both enabled and disabled)
- Use Case: Comprehensive label retrieval
- Status: Default behavior when parameter is omitted
Restrictions
Tenant Labels Exception
- Behavior: When getting tenant labels, using
isScopedToUserwill throwArgumentException - Reason: Parameter is not applicable for tenant-level label operations
- Solution: Omit the
isScopedToUserparameter when working with tenant labels
Relationships
| Relationship | Type | Description |
|---|---|---|
| rights | usageRightsIncluded | Represents the usage rights (permissions) configured for the label, if any. |
| sublabels | microsoft.graph.security.sensitivityLabel collection | The collection of sublabels associated with the label. |
JSON representation
The following JSON representation shows the resource type.
{
"@odata.type": "#microsoft.graph.security.sensitivityLabel",
"id": "String (identifier)",
"name": "String",
"displayName": "String",
"description": "String",
"toolTip": "String",
"isEnabled": "Boolean",
"isEndpointProtectionEnabled": "Boolean",
"isDefault": "Boolean",
"applicationMode": "String",
"labelActions": [
{
"@odata.type": "microsoft.graph.encryptWithUserDefinedRights"
}
],
"assignedPolicies": [
{
"@odata.type": "microsoft.graph.labelPolicy"
}
],
"priority": "Integer",
"autoLabeling": {
"@odata.type": "microsoft.graph.autoLabeling"
},
"applicableTo": "String",
"color": "String",
"autoTooltip": "String",
"locale": "String",
"isScopedToUser": "Boolean",
"actionSource": "String"
}