There's an open issue over at GitHub for the exact same scenario: https://github.com/microsoftgraph/microsoft-graph-docs/issues/17397
It's likely that the current (beta) version of the endpoint does not have support for app permissions.
DriveItem extractSensitivityLabel returns 403 Forbidden
We are having a problem with a feature available in the beta version of Graph. We are using this endpoint to extract sensitivity labels from drive item:
POST https://graph.microsoft.com/beta/drives/{drive-id}/items/{item-id}/extractSensitivityLabels
According to the documentation, we need Files.Read.All, Files.ReadWrite.All, Sites.Read.All or Sites.ReadWrite.All permissions to access this endpoint:
https://learn.microsoft.com/en-us/graph/api/driveitem-extractsensitivitylabels?view=graph-rest-beta&tabs=http#permissions
Deserialized token we used for authentication:
{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/xxx/",
"iat": 1655160900,
"nbf": 1655160900,
"exp": 1655247600,
"aio": "xxx",
"app_displayname": "xxx",
"appid": "xxx",
"appidacr": "2",
"idp": "https://sts.windows.net/xxx/",
"idtyp": "app",
"oid": "xxx",
"rh": "xxx",
"roles": [
"Sites.Manage.All",
"Sites.ReadWrite.All",
"Files.ReadWrite.All"
],
"sub": "xxx",
"tenant_region_scope": "EU",
"tid": "xxx",
"uti": "xxx",
"ver": "1.0",
"wids": [
"xxx"
],
"xms_tcdt": "1509395911"
}
However, we receive a 403 response with the content:
{
"error": {
"code": "accessDenied",
"message": "Cannot call this API using the current App Id.",
"innerError": {
"date": "2022-06-14T08:00:52",
"request-id": "xxx",
"client-request-id": "xxx"
}
}
}
We have tested other graph beta endpoints and had no problems with them. What could be causing this problem?
1 answer
Sort by: Most helpful
-
Vasil Michev 95,666 Reputation points MVP
2022-06-28T13:27:51.587+00:00