WesleyLoo-2057 asked CarlZhao-MSFT edited

403 Forbidden Microsoft-Azure-Application-Gateway/v2 - getting sensitivity labels

When calling this endpoint: https://graph.microsoft.com/beta/informationProtection/policy/labels

The call succeeds as expected when invoked in Postman and returns a response:

 {
     "@odata.context": "https://graph.microsoft.com/beta/$metadata#informationProtection/policy/labels",
     "value": [
         {
             ...
         }
     ]
 }

However, using the exact same headers and access token when making a request in Python yields, as part of the response:

 "message":"<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>Microsoft-Azure-Application-Gateway/v2</center>\r\n</body>\r\n</html>\r\n"

The permission "https://graph.microsoft.com/InformationProtectionPolicy.Read.All" has been granted. Is there some other setting within the application that needs to be changed to allow the request to go through?

Also, when I try using the Graph Explorer to make the same call (under beta), the response contains: "code": "UnknownError"

Tags: microsoft-graph-sdk, azure-application-gateway, microsoft-graph-explorer

Use https://jwt.ms/ to parse your access token and provide screenshots.

0 Votes 0 ·

Here are some screenshots from the output of jwt.ms, of permissions and authentication type:




0 Votes 0 ·

There is nothing wrong with the token.

0 Votes 0 ·

Please also provide a complete Python script.

0 Votes 0 ·
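 import requests
 from msal import ConfidentialClientApplication


 # access token was acquired via msal python package, looks something like:
 def get_access_token(client_id, tenant_id, priv_key, thumbprint, cert):
     # certificate credential for the confidential client
     cert_container = {
         "private_key": priv_key,
         "thumbprint": thumbprint,
         "public_certificate": cert
     }
     app = ConfidentialClientApplication(
         client_id=client_id,
         authority=f"https://login.microsoftonline.com/{tenant_id}",
         client_credential=cert_container
     )
     # app-only token for Microsoft Graph
     result = app.acquire_token_for_client(["https://graph.microsoft.com/.default"])
     return result["access_token"]


 # client_id, tenant_id, priv_key, thumbprint and cert must be defined before this point
 access_token = get_access_token(client_id, tenant_id, priv_key, thumbprint, cert)

 header = {
     "Authorization": f"Bearer {access_token}",  # f-string so the token value is interpolated
     "Accept": "application/json"
 }

 res = requests.get("https://graph.microsoft.com/beta/informationProtection/policy/labels", headers=header)
 print(res.json())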
0 Votes 0 ·

If the token you parse is obtained through your python script, then I think it should definitely work. I can't see any problems with it.

0 Votes 0 ·
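
The two checks discussed in this thread, as an added example that is not code from the thread or from Microsoft: it inspects the token's claims locally (what the jwt.ms step looks at) and tells a 403 page emitted by the gateway apart from a Graph authorization error. The function names, the accepted Graph audience values and the sample token are assumptions constructed for illustration.

```python
import base64
import json

REQUIRED_ROLE = "InformationProtectionPolicy.Read.All"  # permission named in the question
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
GATEWAY_MARKER = "Microsoft-Azure-Application-Gateway"  # string from the 403 page above


def decode_claims(token):
    """Return the JWT payload as a dict. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_findings(token):
    """List claim problems relevant to an app-only call to the labels endpoint."""
    claims = decode_claims(token)
    findings = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        findings.append("aud is not Microsoft Graph")
    if REQUIRED_ROLE not in claims.get("roles", []):
        findings.append("roles lacks " + REQUIRED_ROLE)
    return findings


def classify_403(status, body_text):
    """Separate a gateway-generated 403 page from a Graph authorization error."""
    if status != 403:
        return "not-403"
    if GATEWAY_MARKER in body_text:
        return "gateway"  # error page produced in front of the API
    try:
        doc = json.loads(body_text)
    except ValueError:
        return "unknown"
    err = doc.get("error") if isinstance(doc, dict) else None
    return "graph-api" if isinstance(err, dict) and err.get("code") else "unknown"


def make_sample_token(claims):
    """Constructed, unsigned sample token for offline use (not a real token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


if __name__ == "__main__":
    good = make_sample_token({"aud": "https://graph.microsoft.com", "roles": [REQUIRED_ROLE]})
    print(token_findings(good))  # []
    print(classify_403(403, "<center>Microsoft-Azure-Application-Gateway/v2</center>"))  # gateway
```

A "gateway" result with empty token findings means the request was rejected before the Graph API evaluated the token's permissions, so the next thing to compare is the raw request each client sends.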

0 Answers