DriveItem extractSensitivityLabel returns 403 Forbidden

New Contributor

We are having a problem with a feature available in the beta version of Graph. We are using this endpoint to extract sensitivity labels from drive item:

POST https://graph.microsoft.com/beta/drives/{drive-id}/items/{item-id}/extractSensitivityLabels

 

According to the documentation, we need Files.Read.All, Files.ReadWrite.All, Sites.Read.All or Sites.ReadWrite.All permissions to access this endpoint:

https://docs.microsoft.com/en-us/graph/api/driveitem-extractsensitivitylabels?view=graph-rest-beta&t...

 

Deserialized token we used for authentication:

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/xxx/",
  "iat": 1655160900,
  "nbf": 1655160900,
  "exp": 1655247600,
  "aio": "xxx",
  "app_displayname": "xxx",
  "appid": "xxx",
  "appidacr": "2",
  "idp": "https://sts.windows.net/xxx/",
  "idtyp": "app",
  "oid": "xxx",
  "rh": "xxx",
  "roles": [
    "Sites.Manage.All",
    "Sites.ReadWrite.All",
    "Files.ReadWrite.All"
  ],
  "sub": "xxx",
  "tenant_region_scope": "EU",
  "tid": "xxx",
  "uti": "xxx",
  "ver": "1.0",
  "wids": [
    "xxx"
  ],
  "xms_tcdt": "1509395911"
}


However, we receive a 403 response with the content:

{
    "error": {
        "code": "accessDenied",
        "message": "Cannot call this API using the current App Id.",
        "innerError": {
            "date": "2022-06-14T08:00:52",
            "request-id": "xxx",
            "client-request-id": "xxx"
        }
    }
}

 

We have tested other graph beta endpoints and had no problems with them. What could be causing this problem?

0 Replies