This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello, according to documentation we may use the following endpoints for fetching sensitivity labels:
The following C# code uses app permissions and it works on tenant1:
static void Main(string[] args)
{
string accessToken = getTokenImpl().Result;
using (var client = new HttpClient())
{
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
client.DefaultRequestHeaders.Add("Accept", "application/json");
client.DefaultRequestHeaders.Add("User-Agent", "PostmanRuntime/7.24.1");
using (var response = client.GetAsync($"https://graph.microsoft.com/beta/informationprotection/policy/labels").Result)
{
using (var content = response.Content)
{
string result = content.ReadAsStringAsync().Result;
if (response.IsSuccessStatusCode)
{
Console.WriteLine(result);
}
}
}
}
}
private static async Task<string> getTokenImpl()
{
string clientId = "...";
string clientSecret = "...";
string tenant = "{...}.onmicrosoft.com";
string authority = string.Format("https://login.microsoftonline.com/{0}", tenant);
var authContext = new AuthenticationContext(authority);
var creds = new ClientCredential(clientId, clientSecret);
var authResult = await authContext.AcquireTokenAsync("https://graph.microsoft.com/", creds);
return authResult.AccessToken;
}
But it doesn't work on another tenant2 - there it always returns 404 "The resource could not be found" with the following inner exception "User not found to have labels, policy is empty". Here is full response:
{
"error": {
"code": "itemNotFound",
"message": "The resource could not be found.",
"innerError": {
"code": "notFound",
"message": "User not found to have labels, policy is empty",
"target": "userId",
"exception": null,
"date": "2020-11-19T10:58:21",
"request-id": "b076d7f8-5321-4527-ad79-64a0f310d358",
"client-request-id": "b076d7f8-5321-4527-ad79-64a0f310d358"
}
}
}
Interesting that attempt to call endpoint /me/informationProtection/policy/labels with delegated permissions on the same tenant2 gives the same error, but on tenant1 it also works. Did anybody face with this problem or have idea why it may happen? Need to mention that on tenant2 earlier we created and published several sensitivity labels for specific user - this user doesn't have neither O365 license nor Azure subscription. I.e. when you try to login to SPO/Azure and create site/group - sensitivity labels were not shown at all for this user. We tried to remove these sensitivity labels and their policies with audience targeting to this user, but both end points still return error.
PS. AAD app is Ok on tenant2 - it has InformationProtectionPolicy.Read.All permission and admin consent is granted:
it started to work by its own. I.e. MS has fixed that on backend side somehow for the tenant when this issue was reproduced. Problem is closed now.
Thanks for the detailed info. Here's the doc talks about the changes to replicate:
So you may need to wait, test it later and see if it helps.
waited for about 48h from the moment when sensitivity labels had been re-activated on tenant2 (set EnableMIPLabels to false, delete all existing sensitivity labels and their policies, set EnableMIPLabels back to true, create and publish new sensitivity labels) but still get 404 The resource could not be found and "User not found to have labels, policy is empty"
Let me understand it correctly.... You waited for 48hrs, deleted all sensitivity labels/policies, then (you waited for some hours or immediately) published new sensitivity labels, then you (immediately or waited for certain hours) made Graph API call HTTP 404?
I deleted all sensitivity labels and their policies first, then disabled sensitivity labels on the tenant (set EnableMIPLabels tenant property to false) waited about 1h until Sensitivity dropdown disappeared from standard Create site/Create team/Create O365 group windows. I.e. waited until disabling propagated on the tenant.
After that I enabled them back (set EnableMIPLabels to true), created new sensitivity labels from scratch, published them for all users (new policies were created on this step), and waited 48h. Still the same error returned from /beta/informationProtection/policy/labels and /beta/me/informationProtection/policy/labels endpoints.
@Deva-MSFT thank you for reply. Yes exactly - error says that labels not found for some user but why? In C# example above application permissions are used (access token is retrieved based on client id and client secret) and tool calls end point https://graph.microsoft.com/beta/informationProtection/policy/labels which should return all labels in the tenant (not https://graph.microsoft.com/beta/**me**/informationProtection/policy/labels which returns labels for the current user and works with delegated permissions) - why it should check labels for one specific user in this case? And if it checks that - which exact user it tries to check?
This error may look logical if we call https://graph.microsoft.com/beta/me/informationProtection/policy/labels endpoint e.g. in Graph Explorer with delegated permissions for user which doesn't have any labels, but not with app permissions. And again - all my labels where published to All users:
Also I tried what you suggested: I tried to remove all existing policies and sensitivity labels and disable sensitivity labels on the tenant. After some time again classification labels appear on Site creation/Group creation forms - which is expected. After that I enabled sensitivity labels back, created Public and Private labels again and published them, synced them to Azure AD. Again after that after some time on Site creation/Group creation sensitivity labels appeared instead of classification labels - this is also expected. Unfortunately problem with calling /informationProtection/policy/labels was still there.
After that I checked with Fiddler what APIs are used on standard Create site/Create group forms. On Create group form I found quite interesting call to internal API https://main.iam.ad.ext.azure.com/api/MsGraph/beta/me/informationProtection/sensitivityLabels. This call is made under delegated permissions and it returns available sensitivity labels. So I may fetch labels with this internal undocumented API but not with beta API:
I've also tried to create sensitivity label and publish it only to my single user account. But still call to /me/informationProtection/policy/labels in Graph explorer returns 404 Resource not found. Do you have any other thoughts based on this information? I need to add also that in this tenant2 there are quite many users in AAD (about 1000) - can be there delay in sensitivity labels propagation because of that?
behavior has been changed on both tenants without any change from our side: now on both tenants we get 502 Bad Gateway. Does MS rolls out this functionality globally now? Here is response which we get now from /beta/me/informationProtection/policy/labels:
{
"error":{
"code":"UnknownError",
"message":"<html>\r\n<head><title>502 Bad Gateway</title></head>\r\n<body>\r\n<center><h1>502 Bad Gateway</h1></center>\r\n<hr><center>Microsoft-Azure-Application-Gateway/v2</center>\r\n</body>\r\n</html>\r\n",
"innerError":{
"date":"2020-11-25T12:59:51",
"request-id":"93557ae1-b0d9-44a9-bbea-871f18e379ea",
"client-request-id":"93557ae1-b0d9-44a9-bbea-871f18e379ea"
}
}
}