Sensitivity labels in Microsoft 365 are a crucial feature for organizations to protect and manage their data. These labels allow organizations to classify and safeguard sensitive information based on its level of confidentiality. By applying sensitivity labels, organizations can control access, encrypt data, apply policies, and track and monitor on sensitive information. Users can apply sensitivity labels to classify and protect their data. However, applications unfortunately cannot currently assign sensitivity labels.
As described in the Microsoft Graph API Beta documentation, for example at Update group, "Application permissions are not supported when updating assignedLabels." This means that while individual users can apply and manage sensitivity labels, applications do not have the capability to update these labels. This restriction means that third-party applications cannot assign confidential data.
Users can assign sensitivity labels when they create a new team or SharePoint site, or assign them later.
Assign a sensitivity label in a Team
In Microsoft Teams, sensitivity labels can be assigned in the TeamĀ“s Settings.
Assign a sensitivity label in a SharePoint site
For a SharePoint site, site admins can set sensitivity labels in the Site information, as here.
Microsoft Graph with app permissions
For organizations who are developing a custom or third-party app, there are currently methods to use sensitivity labels in the Microsoft Graph Beta, for example List sensitivityLabels, and more. Sensitivity labels can be read and partially managed, but unfortunately cannot be assigned to a team or SharePoint site. The documentation at Update group says clearly:
"Application permissions are not supported when updating assignedLabels."
We have built a small PowerShell script using an application authorization in the $header to test this functionality to verify this.
# Testing assign a sensitivity label to a team
# $header contains a Graph app token with permissions for Group.ReadWrite.All and InformationProtectionPolicy.Read.All
$labelid = "<some-label-id>"
$groupid = "<some-group-id>"
$body = @{
assignedLabels = @(
@{
labelId = $labelid
}
)
} | ConvertTo-Json
$url = "https://graph.microsoft.com/beta/groups/$groupid"
result = Invoke-RestMethod `
-Method Patch `
-Uri $url `
-Body $body `
-ContentType 'application/json' `
-Headers $header `
-ErrorAction Stop
$result.value | ft
With app permissions, we get an "InternalServerError", saying "Unauthorized", and "App-only token is not supported" (as expected)
{
"error": { "code": "InternalServerError",
"message": "{...Unauthorized:...App-only token is not supported...}",
"innerError": { ... }
}
}
The only workaround for doing this programmatically currently is to set the labels with a user authenticated flow, script, or app, with delegated permissions and not with app permissions.
Update Sept 13th: See a possible workaround here.
Microsoft Graph with user permissions
As a workaround, we can authenticate with a user (who needs to have admin rights and must be able to get all labels), as described at Apply sensitivity label to a Microsoft 365 group: "Note: Use of this API to apply sensitivity labels to Microsoft 365 groups is only supported for delegated permission scenarios."
So, we can do this for example with an Azure Logic App and the "Office 365 Groups" action. This method includes an action "Send an HTTP request V2" and creates an API connection with a user account that authenticates against Microsoft Graph.
We need to add the parameters to update a specific group with a sensitive label, as described at Apply sensitivity label to a Microsoft 365 group.
PATCH
https://graph.microsoft.com/v1.0/groups/<groupid>
{
"assignedLabels": [
{ "labelId": "<labelid>" }
]
}
As we see, the API connection is done with a user account. The result looks as here and the operation should return a HTTP 204 status code.
Note: When you try to assign multiple labels, you get that error message: "A group cannot be associated with more than one label."
An eventually existing sensitivity label is overwritten by that action. The operation only returns a header, but no body.
The update usually works instantly and the new sensitivity label is shown in Teams.
Summary
Setting a sensitivity label for a group or team with Microsoft Graph and user authentication works. However, we do not understand why Microsoft does not allow applications to set sensitivity labels. Even if there are security concerns, this functionality would be incredibly helpful for ISVs to enhance security support. We hope Microsoft will add these app permissions sooner or later.