question

sadomovalex asked ·

Get 404 "The resource could not be found" when call /beta/informationprotection/policy/labels

Hello, according to documentation we may use the following endpoints for fetching sensitivity labels:

  1. /me/informationProtection/policy/labels (using delegated permissions)

  2. /informationProtection/policy/labels (using application permissions; the app should have the InformationProtectionPolicy.Read.All permission to use this endpoint)

The following C# code uses app permissions and it works on tenant1:

 using System;
 using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Threading.Tasks;
 using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL: AuthenticationContext, ClientCredential

 class Program
 {
     static void Main(string[] args)
     {
         string accessToken = getTokenImpl().Result;
         using (var client = new HttpClient())
         {
             client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
             client.DefaultRequestHeaders.Add("Accept", "application/json");
             client.DefaultRequestHeaders.Add("User-Agent", "PostmanRuntime/7.24.1");

             using (var response = client.GetAsync("https://graph.microsoft.com/beta/informationprotection/policy/labels").Result)
             using (var content = response.Content)
             {
                 string result = content.ReadAsStringAsync().Result;
                 // Only successful responses are printed; a 404 body is read but discarded here.
                 if (response.IsSuccessStatusCode)
                 {
                     Console.WriteLine(result);
                 }
             }
         }
     }

     private static async Task<string> getTokenImpl()
     {
         string clientId = "...";
         string clientSecret = "...";
         string tenant = "{...}.onmicrosoft.com";
         string authority = string.Format("https://login.microsoftonline.com/{0}", tenant);

         var authContext = new AuthenticationContext(authority);
         var creds = new ClientCredential(clientId, clientSecret);
         // Client-credentials flow: the token carries application permissions (roles), no signed-in user.
         var authResult = await authContext.AcquireTokenAsync("https://graph.microsoft.com/", creds);
         return authResult.AccessToken;
     }
 }

But it doesn't work on another tenant, tenant2 - there it always returns 404 "The resource could not be found" with the following inner exception: "User not found to have labels, policy is empty". Here is the full response:

 {
     "error": {
         "code": "itemNotFound",
         "message": "The resource could not be found.",
         "innerError": {
             "code": "notFound",
             "message": "User not found to have labels, policy is empty",
             "target": "userId",
             "exception": null,
             "date": "2020-11-19T10:58:21",
             "request-id": "b076d7f8-5321-4527-ad79-64a0f310d358",
             "client-request-id": "b076d7f8-5321-4527-ad79-64a0f310d358"
         }
     }
 }

Interestingly, an attempt to call the endpoint /me/informationProtection/policy/labels with delegated permissions on the same tenant2 gives the same error, but on tenant1 it also works. Did anybody face this problem or have an idea why it may happen? I need to mention that on tenant2 we earlier created and published several sensitivity labels for a specific user - this user has neither an O365 license nor an Azure subscription. I.e. when you try to log in to SPO/Azure and create a site/group, sensitivity labels were not shown at all for this user. We tried to remove these sensitivity labels and their policies with audience targeting to this user, but both endpoints still return the error.

PS. The AAD app is OK on tenant2 - it has the InformationProtectionPolicy.Read.All permission and admin consent is granted:
[screenshot: 40715-2020-11-18-14-10-12.png]
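As an added example (not the poster's code and not Microsoft's), here is a Python check that inspects the access token the C# code above obtains before it is sent to Graph. App-only tokens from the client-credentials flow carry application permissions in a `roles` claim and no `scp` claim, while delegated tokens carry `scp`; the check decodes the payload (without verifying the signature, which is Graph's job, not the caller's), confirms the audience is Microsoft Graph, reports whether the permission named in the question (InformationProtectionPolicy.Read.All for application, InformationProtectionPolicy.Read for delegated) is present, and names which of the two endpoints from the question that token type is meant for. The sample token is constructed inline and unsigned; `make_sample_token`, `decode_payload` and `check_token_for_labels` are names chosen here, and the tenant id is a placeholder.

```python
import base64
import json

# Well-known identifiers for Microsoft Graph as a token audience: the resource URI
# (with or without trailing slash, matching the ADAL call in the question) or the
# Graph application id.
GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "https://graph.microsoft.com/",
    "00000003-0000-0000-c000-000000000000",
}

# Permissions documented for the labels endpoints, keyed by permission type.
REQUIRED_PERMISSION = {
    "application": "InformationProtectionPolicy.Read.All",
    "delegated": "InformationProtectionPolicy.Read",
}

# The endpoint each token type is meant for (both listed in the question).
ENDPOINT_FOR = {
    "application": "/beta/informationProtection/policy/labels",
    "delegated": "/beta/me/informationProtection/policy/labels",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(payload: dict) -> str:
    """Build an UNSIGNED, constructed JWT-shaped string for offline demonstration.
    A real access token from login.microsoftonline.com is signed; this one is not."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_payload(token: str) -> dict:
    """Return the claims of a JWT without verifying its signature.
    Only for inspecting a token you obtained yourself; never use this to trust one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_labels(token: str) -> dict:
    """Classify the token as application or delegated and check it against the
    permission and endpoint the question says each type needs."""
    claims = decode_payload(token)
    roles = set(claims.get("roles", []))
    scopes = set(claims.get("scp", "").split())
    # Delegated tokens carry 'scp'; app-only (client-credentials) tokens do not.
    kind = "delegated" if "scp" in claims else "application"
    granted = scopes if kind == "delegated" else roles
    needed = REQUIRED_PERMISSION[kind]
    return {
        "kind": kind,
        "audience_ok": claims.get("aud") in GRAPH_AUDIENCES,
        "has_required_permission": needed in granted,
        "required_permission": needed,
        "endpoint": ENDPOINT_FOR[kind],
        "roles": sorted(roles),
        "scopes": sorted(scopes),
    }


if __name__ == "__main__":
    # Constructed claims resembling a client-credentials token for the app in the question.
    app_token = make_sample_token({
        "aud": "https://graph.microsoft.com/",
        "tid": "00000000-0000-0000-0000-000000000000",  # placeholder tenant id
        "roles": ["InformationProtectionPolicy.Read.All"],
    })
    print(json.dumps(check_token_for_labels(app_token), indent=2))
```

Run it against a real token by replacing the constructed one with the `accessToken` string the C# code prints or logs; if `kind` comes back as `application` with `has_required_permission` true and `audience_ok` true, the 404 is not a token or consent problem, which is consistent with the inner error pointing at a missing label policy rather than at authorization.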



Tags: azure-information-protection, microsoft-graph-security

1 comment

  • Permission looks good to me. But look at the error: it's clearly telling that the given user doesn't have labels and the policy is empty.

  • Does the issue happen for a specific user only?

  • If yes, try removing the sensitivity labels and reassigning them to see if it makes any difference. Make sure you configure them correctly before calling the API.

1 Vote

sadomovalex answered ·

@Deva-MSFT thank you for the reply. Yes, exactly - the error says that labels were not found for some user, but why? In the C# example above, application permissions are used (the access token is retrieved based on client id and client secret) and the tool calls the endpoint https://graph.microsoft.com/beta/informationProtection/policy/labels, which should return all labels in the tenant (not https://graph.microsoft.com/beta/me/informationProtection/policy/labels, which returns labels for the current user and works with delegated permissions) - why should it check labels for one specific user in this case? And if it does check that - which exact user does it try to check?

This error may look logical if we call the https://graph.microsoft.com/beta/me/informationProtection/policy/labels endpoint, e.g. in Graph Explorer with delegated permissions for a user which doesn't have any labels, but not with app permissions. And again - all my labels were published to All users:

[screenshot: 40828-2020-11-18-19-25-41.png]

Also I tried what you suggested: I removed all existing policies and sensitivity labels and disabled sensitivity labels on the tenant. After some time, classification labels appeared again on the Site creation/Group creation forms - which is expected. After that I enabled sensitivity labels back, created Public and Private labels again, published them and synced them to Azure AD. Again, after some time, sensitivity labels appeared on Site creation/Group creation instead of classification labels - this is also expected. Unfortunately the problem with calling /informationProtection/policy/labels was still there.

After that I checked with Fiddler which APIs are used by the standard Create site/Create group forms. On the Create group form I found quite an interesting call to the internal API https://main.iam.ad.ext.azure.com/api/MsGraph/beta/me/informationProtection/sensitivityLabels. This call is made under delegated permissions and returns the available sensitivity labels. So I can fetch labels with this internal undocumented API but not with the beta API:

[screenshot: 40829-2020-11-18-19-09-04.png]

I've also tried to create a sensitivity label and publish it only to my single user account. But still the call to /me/informationProtection/policy/labels in Graph Explorer returns 404 Resource not found. Do you have any other thoughts based on this information? I need to add also that in this tenant2 there are quite many users in AAD (about 1000) - can there be a delay in sensitivity label propagation because of that?




Deva-MSFT answered ·

Thanks for the detailed info. Here's what the doc says about the time for changes to replicate:
- New label: Wait for one hour.
- Existing label: Wait for 24 hours.

So you may need to wait, test it later and see if it helps.


3 comments
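As an added example (not code from the thread and not Microsoft's), the following Python classifies a Graph error body of the shape quoted in the question, so a client can tell the `itemNotFound` / "User not found to have labels, policy is empty" case apart from authentication failures, missing consent and throttling, and keep the `request-id`, `client-request-id` and `date` that a support ticket needs. The sample body is the response from the question, pasted as a constant; `classify_labels_error` and `support_summary` are names chosen here, and the replication windows in `RETRY_HINT` are the one hour / 24 hours from Deva-MSFT's answer above.

```python
import json
from typing import Optional

# Response body quoted in the question (tenant2), copied here as the sample input.
SAMPLE_404_BODY = """{
    "error": {
        "code": "itemNotFound",
        "message": "The resource could not be found.",
        "innerError": {
            "code": "notFound",
            "message": "User not found to have labels, policy is empty",
            "target": "userId",
            "exception": null,
            "date": "2020-11-19T10:58:21",
            "request-id": "b076d7f8-5321-4527-ad79-64a0f310d358",
            "client-request-id": "b076d7f8-5321-4527-ad79-64a0f310d358"
        }
    }
}"""

# Replication windows quoted in Deva-MSFT's answer; returned only as a hint to the caller.
RETRY_HINT = {"new_label": "wait 1 hour", "existing_label": "wait 24 hours"}


def classify_labels_error(status: int, body: str, headers: Optional[dict] = None) -> dict:
    """Map an HTTP status plus Graph error JSON to a small set of actionable kinds."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    try:
        doc = json.loads(body) if body else {}
    except ValueError:
        doc = {}  # non-JSON body (proxy page, empty response): classify by status alone
    err = doc.get("error") or {}
    inner = err.get("innerError") or {}
    code = err.get("code")
    inner_msg = inner.get("message") or ""

    if status == 404 and code == "itemNotFound" and "policy is empty" in inner_msg:
        # The exact case from the thread: authentication and authorization passed,
        # but Graph found no published label policy for the principal it resolved
        # (target "userId"). Either no policy reaches that principal, or a recent
        # publish has not replicated yet, so a later retry is worthwhile.
        kind, retry = "no_label_policy_for_principal", True
    elif status == 401:
        kind, retry = "not_authenticated", False
    elif status == 403:
        kind, retry = "missing_permission_or_consent", False
    elif status == 429 or status >= 500:
        kind, retry = "transient", True  # honour Retry-After when Graph sends it
    else:
        kind, retry = "other", False

    return {
        "kind": kind,
        "status": status,
        "code": code,
        "inner_code": inner.get("code"),
        "target": inner.get("target"),
        "message": err.get("message"),
        "inner_message": inner_msg,
        "retry_worthwhile": retry,
        "retry_hint": RETRY_HINT if kind == "no_label_policy_for_principal" else None,
        "retry_after": headers.get("retry-after"),
        "request_id": inner.get("request-id"),
        "client_request_id": inner.get("client-request-id"),
        "date": inner.get("date"),
    }


def support_summary(report: dict) -> str:
    """One line with the identifiers Microsoft support asks for when escalating."""
    return (f"{report['status']} {report['code']}/{report['inner_code']} "
            f"target={report['target']} request-id={report['request_id']} "
            f"date={report['date']}: {report['inner_message']}")


if __name__ == "__main__":
    report = classify_labels_error(404, SAMPLE_404_BODY)
    print(report["kind"], report["retry_hint"])
    print(support_summary(report))
```

The classifier deliberately treats the "policy is empty" 404 as retryable only in the sense of the replication windows above; if it persists past those windows, as it did for the poster, the summary line carries the `request-id` and timestamp that Microsoft support needs to trace the request on their side.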

I waited for about 48h from the moment when sensitivity labels had been re-activated on tenant2 (set EnableMIPLabels to false, delete all existing sensitivity labels and their policies, set EnableMIPLabels back to true, create and publish new sensitivity labels) but still get 404 "The resource could not be found" and "User not found to have labels, policy is empty".

0 Votes
Deva-MSFT (replying to sadomovalex) ·

Let me understand it correctly... You waited for 48 hrs, deleted all sensitivity labels/policies, then (after waiting some hours, or immediately) published new sensitivity labels, then (immediately, or after waiting some hours) made the Graph API call and got HTTP 404?

0 Votes

I deleted all sensitivity labels and their policies first, then disabled sensitivity labels on the tenant (set the EnableMIPLabels tenant property to false) and waited about 1h until the Sensitivity dropdown disappeared from the standard Create site/Create team/Create O365 group windows, i.e. I waited until the disabling had propagated on the tenant.

After that I enabled them back (set EnableMIPLabels to true), created new sensitivity labels from scratch, published them for all users (new policies were created in this step), and waited 48h. Still the same error is returned from the /beta/informationProtection/policy/labels and /beta/me/informationProtection/policy/labels endpoints.

0 Votes