
According to the documentation, we may use the following endpoints for fetching sensitivity labels:

  • /me/informationProtection/policy/labels (using delegated permissions)

  • /informationProtection/policy/labels (using application permissions; the app should have the InformationProtectionPolicy.Read.All permission to use this endpoint)

The following C# code uses application permissions, and it works on tenant1:

using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL: AuthenticationContext, ClientCredential

class Program
{
    static void Main(string[] args)
    {
        // Application (client-credentials) token for Microsoft Graph
        string accessToken = getTokenImpl().Result;
        using (var client = new HttpClient())
        {
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            client.DefaultRequestHeaders.Add("Accept", "application/json");
            client.DefaultRequestHeaders.Add("User-Agent", "PostmanRuntime/7.24.1");
            // Application-permission endpoint (requires InformationProtectionPolicy.Read.All with admin consent)
            using (var response = client.GetAsync("https://graph.microsoft.com/beta/informationprotection/policy/labels").Result)
            {
                using (var content = response.Content)
                {
                    string result = content.ReadAsStringAsync().Result;
                    if (response.IsSuccessStatusCode)
                    {
                        Console.WriteLine(result);
                    }
                    else
                    {
                        // Print the Graph error envelope as well: it carries the request-id needed for a support case
                        Console.Error.WriteLine($"{(int)response.StatusCode} {response.ReasonPhrase}: {result}");
                    }
                }
            }
        }
    }

    private static async Task<string> getTokenImpl()
    {
        string clientId = "...";
        string clientSecret = "...";
        string tenant = "{...}.onmicrosoft.com";

        // Tenant-specific authority: the token is issued for the tenant named here
        string authority = string.Format("https://login.microsoftonline.com/{0}", tenant);
        var authContext = new AuthenticationContext(authority);
        var creds = new ClientCredential(clientId, clientSecret);
        // Resource identifier for Graph on the v1 (ADAL) endpoint; granted application permissions appear as roles in the token
        var authResult = await authContext.AcquireTokenAsync("https://graph.microsoft.com/", creds);
        return authResult.AccessToken;
    }
}

But it doesn't work on another tenant (tenant2): there it always returns 404 "The resource could not be found" with the following inner error, "User not found to have labels, policy is empty". Here is the full response:

    {
        "error": {
            "code": "itemNotFound",
            "message": "The resource could not be found.",
            "innerError": {
                "code": "notFound",
                "message": "User not found to have labels, policy is empty",
                "target": "userId",
                "exception": null,
                "date": "2020-11-18T09:29:20",
                "request-id": "657ad51c-9cab-49f2-a242-50929cdc6950",
                "client-request-id": "657ad51c-9cab-49f2-a242-50929cdc6950"
            }
        }
    }

Interestingly, an attempt to call the endpoint /me/informationProtection/policy/labels with delegated permissions on the same tenant2 gives the same error, while on tenant1 it also works. Has anybody faced this problem, or have an idea why it may happen? I need to mention that on tenant2 we earlier created and published several sensitivity labels for a specific user; this user has neither an O365 license nor an Azure subscription, i.e. when you log in to SPO/Azure and try to create a site/group, sensitivity labels were not shown at all for this user. We tried to remove these sensitivity labels and their policies with audience targeting to this user, but both endpoints still return the error.

PS. The AAD app is OK on tenant2: it has the InformationProtectionPolicy.Read.All permission and admin consent is granted.

Update 2020-11-25: the behavior has changed on both tenants without any change on our side: now on both tenants we get 502 Bad Gateway. Is MS rolling out this functionality globally now? Here is the response we now get from /beta/me/informationProtection/policy/labels:

{
   "error":{
      "code":"UnknownError",
      "message":"<html>\r\n<head><title>502 Bad Gateway</title></head>\r\n<body>\r\n<center><h1>502 Bad Gateway</h1></center>\r\n<hr><center>Microsoft-Azure-Application-Gateway/v2</center>\r\n</body>\r\n</html>\r\n",
      "innerError":{
         "date":"2020-11-25T12:59:51",
         "request-id":"93557ae1-b0d9-44a9-bbea-871f18e379ea",
         "client-request-id":"93557ae1-b0d9-44a9-bbea-871f18e379ea"
      }
   }
}

Update 2020-12-07: it started to work on its own, i.e. MS has somehow fixed it on the backend side for the tenant where this issue was reproduced.

alex
  • Why do you want to use delegated permissions and try to call tenant2, tenant1? If you want to access multiple tenants, then use application permissions. – Dev Nov 18 '20 at 11:57
  • In the example above, application permissions are used. – alex Nov 18 '20 at 12:19
  • If the data provider returns 2xx or 404, it's not shown in the warning header because these codes are expected for success or when data is not found, respectively. So I believe in your scenario you're seeing the latter one. – Dev Nov 18 '20 at 13:07
  • Sensitivity labels are created and published on tenant2. They are shown on the standard pages: Create new site in SharePoint Online and Create new O365 group in Azure portal > Active Directory. – alex Nov 18 '20 at 13:39
  • Yes, I am aware of the process of how to apply them. That being said, I was just mentioning in which scenario you will get 404. It may be due to a technical glitch/temporary issue as well. If this issue persists, then you may want to consider checking with Microsoft Support; they can validate and may help you. – Dev Nov 18 '20 at 13:42
  • 1
    yes, this is persistent error. Probably need to double check it with MS support like you said – alex Nov 18 '20 at 13:44
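The question and the comments turn on telling three responses from the labels endpoints apart: a label collection, a 404 whose inner error says the caller has no label policy, and a 502 from the gateway in front of Graph. The following is an added example, not code from the post, that classifies a status code plus body into one of those cases and pulls out the request-id that Microsoft Support would ask for. It assumes only the Graph error envelope shape visible in the two responses above and the two endpoint URLs from the question; the 404 and 502 bodies below are copied from the question, the 200 body and its label values are constructed, and `fetch_labels` needs a real access token and network access (token acquisition is out of scope here).

```python
"""Classify responses from the Graph sensitivity-label endpoints (added example)."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Optional

GRAPH_BASE = "https://graph.microsoft.com/beta"
APP_LABELS_URL = f"{GRAPH_BASE}/informationProtection/policy/labels"    # application permission
ME_LABELS_URL = f"{GRAPH_BASE}/me/informationProtection/policy/labels"  # delegated permission


@dataclass
class Diagnosis:
    category: str                      # "ok" | "empty_policy" | "gateway_error" | "auth" | "other"
    retryable: bool
    request_id: Optional[str] = None   # quote this (and the timestamp) in a support case
    client_request_id: Optional[str] = None
    detail: str = ""
    labels: list = field(default_factory=list)


def diagnose(status: int, body: str) -> Diagnosis:
    """Map an HTTP status and response body from the labels endpoint to an actionable category."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        # Raw HTML instead of a Graph envelope: something in front of Graph answered, not Graph itself
        return Diagnosis("gateway_error" if status >= 500 else "other", status >= 500, detail=body[:80])

    if 200 <= status < 300:
        labels = doc.get("value", [])
        return Diagnosis("ok", False, labels=labels, detail=f"{len(labels)} label(s)")

    err = doc.get("error", {}) or {}
    inner = err.get("innerError", {}) or {}
    req_id, cli_id = inner.get("request-id"), inner.get("client-request-id")
    msg, inner_msg = err.get("message", ""), inner.get("message", "")

    if status == 404 and "policy is empty" in inner_msg:
        # Authorization succeeded; the service simply has no label policy for this caller.
        # Retrying will not help; the fix is on the tenant/service side.
        return Diagnosis("empty_policy", False, req_id, cli_id, inner_msg)
    if status in (401, 403):
        return Diagnosis("auth", False, req_id, cli_id, msg)
    if status >= 500 or "502 Bad Gateway" in msg:
        # Gateway HTML wrapped in a Graph envelope with code "UnknownError": transient, retry with backoff
        return Diagnosis("gateway_error", True, req_id, cli_id, f"{err.get('code')}: gateway error")
    return Diagnosis("other", False, req_id, cli_id, f"{err.get('code')}: {msg}")


def fetch_labels(access_token: str, url: str = APP_LABELS_URL) -> Diagnosis:
    """Live call; requires a valid bearer token for Graph and network access (not run offline)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {access_token}",
        "Accept": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return diagnose(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        # Graph puts the error envelope in the body of non-2xx responses; keep it
        return diagnose(e.code, e.read().decode("utf-8", errors="replace"))


# 404 body from tenant2 and 502 body from 2020-11-25, both as shown in the question
BODY_404 = json.dumps({"error": {"code": "itemNotFound", "message": "The resource could not be found.",
    "innerError": {"code": "notFound", "message": "User not found to have labels, policy is empty",
                   "target": "userId", "exception": None, "date": "2020-11-18T09:29:20",
                   "request-id": "657ad51c-9cab-49f2-a242-50929cdc6950",
                   "client-request-id": "657ad51c-9cab-49f2-a242-50929cdc6950"}}})
BODY_502 = json.dumps({"error": {"code": "UnknownError",
    "message": "<html>\r\n<head><title>502 Bad Gateway</title></head>\r\n<body>\r\n<center><h1>502 Bad Gateway"
               "</h1></center>\r\n<hr><center>Microsoft-Azure-Application-Gateway/v2</center>\r\n</body>\r\n</html>\r\n",
    "innerError": {"date": "2020-11-25T12:59:51",
                   "request-id": "93557ae1-b0d9-44a9-bbea-871f18e379ea",
                   "client-request-id": "93557ae1-b0d9-44a9-bbea-871f18e379ea"}}})
# Constructed success body: a labels collection with one made-up label
BODY_200 = json.dumps({"value": [{"id": "00000000-0000-0000-0000-000000000001", "name": "Confidential"}]})

if __name__ == "__main__":
    for status, body in ((404, BODY_404), (502, BODY_502), (200, BODY_200)):
        d = diagnose(status, body)
        print(status, d.category, "retry" if d.retryable else "no-retry", d.request_id, d.detail)
```

The point of separating `empty_policy` from `gateway_error` is operational: the first is deterministic and worth a support case with the request-id attached, the second is worth a bounded retry before anyone is paged.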

0 Answers