DriveItem extractSensitivityLabel returns 403 Forbidden

Question

We are having a problem with a feature available in the beta version of Graph. We are using this endpoint to extract sensitivity labels from drive item:
POST https://graph.microsoft.com/beta/drives/{drive-id}/items/{item-id}/extractSensitivityLabels

According to the documentation, we need Files.Read.All, Files.ReadWrite.All, Sites.Read.All or Sites.ReadWrite.All permissions to access this endpoint:
https://learn.microsoft.com/en-us/graph/api/driveitem-extractsensitivitylabels?view=graph-rest-beta&tabs=http#permissions

Deserialized token we used for authentication:

{  
  "aud": "https://graph.microsoft.com",  
  "iss": "https://sts.windows.net/xxx/",  
  "iat": 1655160900,  
  "nbf": 1655160900,  
  "exp": 1655247600,  
  "aio": "xxx",  
  "app_displayname": "xxx",  
  "appid": "xxx",  
  "appidacr": "2",  
  "idp": "https://sts.windows.net/xxx/",  
  "idtyp": "app",  
  "oid": "xxx",  
  "rh": "xxx",  
  "roles": [  
    "Sites.Manage.All",  
    "Sites.ReadWrite.All",  
    "Files.ReadWrite.All"  
  ],  
  "sub": "xxx",  
  "tenant_region_scope": "EU",  
  "tid": "xxx",  
  "uti": "xxx",  
  "ver": "1.0",  
  "wids": [  
    "xxx"  
  ],  
  "xms_tcdt": "1509395911"  
}  

However, we receive a 403 response with the content:

{  
    "error": {  
        "code": "accessDenied",  
        "message": "Cannot call this API using the current App Id.",  
        "innerError": {  
            "date": "2022-06-14T08:00:52",  
            "request-id": "xxx",  
            "client-request-id": "xxx"  
        }  
    }  
}  

We have tested other graph beta endpoints and had no problems with them. What could be causing this problem?

Answer 1

There's an open issue over at GitHub for the exact same scenario: https://github.com/microsoftgraph/microsoft-graph-docs/issues/17397
It's likely that the current (beta) version of the endpoint does not have support for app permissions.