403 Forbidden Microsoft-Azure-Application-Gateway/v2 - getting sensitivity labels

Dancing Strawberry 101

When calling this endpoint: https://graph.microsoft.com/beta/informationProtection/policy/labels

The call succeeds as expected when invoked in Postman, returns a response:

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#informationProtection/policy/labels",
    "value": [
        {
            ...
        }
    ]
}

However, using the exact same headers and access token when making a request in python yields as part of the response:

"message":"<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>Microsoft-Azure-Application-Gateway/v2</center>\r\n</body>\r\n</html>\r\n"

The permission "https://graph.microsoft.com/InformationProtectionPolicy.Read.All" has been granted. Is there some other setting within the application that needs to be changed to allow the request to go through?

Also, when I try using the Graph Explorer to make the same call (under beta), the response contains: "code": "UnknownError"

CarlZhao-MSFT 37,216 Reputation points

2021-09-14T01:29:41.433+00:00

Use https://jwt.ms/ to parse your access token and provide screenshots.
CarlZhao-MSFT 37,216 Reputation points

2021-09-14T02:22:14.563+00:00

Please also provide a complete python script.
Dancing Strawberry 101 Reputation points

2021-09-14T16:55:58.767+00:00

Here are some screenshots from the output of jwt.ms, of permissions and authentication type:

Dancing Strawberry 101

import requests

# access token was acquired via msal python package, looks something like:
"""
from msal import ConfidentialClientApplication

cert_container = {
    "private_key": priv_key,
    "thumbprint": thumbprint,
    "public_certificate": cert
}
app = ConfidentialClientApplication(
    client_id=client_id,
    authority=f"https://login.microsoftonline.com/{tenant_id}",
    client_credential=cert_container
)
result = app.acquire_token_for_client(["https://graph.microsoft.com/.default"])
return result["access_token"]
"""


header = {
    "Authorization": "Bearer {access_token}",
    "Accept": "application/json"
}

res = requests.get("https://graph.microsoft.com/beta/informationProtection/policy/labels", headers=header)
print(res.json())

CarlZhao-MSFT 37,216 Reputation points

2021-09-15T02:03:09.477+00:00

If the token you parse is obtained through your python script, then I think it should definitely work. I can't see any problems with it.
CarlZhao-MSFT 37,216 Reputation points

2021-09-15T02:04:55.893+00:00

There is nothing wrong with the token.
Dancing Strawberry 101 Reputation points

2021-09-16T01:21:31.793+00:00

The request works with other http clients as well; I make a number of other graph api calls using the same access token in python, and this endpoint is the only issue.

Some more searching of "Microsoft-Azure-Application-Gateway/v2" and "403 Forbidden" seems to indicate something to do with azure web application firewalls and creating exceptions in custom rules, would it be possible to get some guidance on that to fix this issue?
CarlZhao-MSFT 37,216 Reputation points

2021-09-21T10:06:22.95+00:00

Hi, I am not familiar with azure web application firewall, but I found a document that will help you: https://blog.kloud.com.au/2018/09/05/azure-application-gateway-waf-tuning/

Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

Accepted answer

CarlZhao-MSFT 37,216 Reputation points

2021-09-30T08:18:50.117+00:00

Hi, @Dancing Strawberry .

Post a comment as an answer to end the thread.

You can fix the azure web application firewall issue based on this document. https://blog.kloud.com.au/2018/09/05/azure-application-gateway-waf-tuning (Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.)

If an Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

1 additional answer

David Fletcher 1 Reputation point

2022-06-20T15:43:29.907+00:00

azure-application-gateway-waf-tuning
Please sign in to rate this answer.

0 comments No comments
Sign in to comment