DriveItem extractSensitivityLabel returns 403 Forbidden

New Contributor

We are having a problem with a feature available in the beta version of Graph. We are using this endpoint to extract sensitivity labels from drive item:



According to the documentation, we need Files.Read.All, Files.ReadWrite.All, Sites.Read.All or Sites.ReadWrite.All permissions to access this endpoint:


Deserialized token we used for authentication:

  "aud": "",
  "iss": "",
  "iat": 1655160900,
  "nbf": 1655160900,
  "exp": 1655247600,
  "aio": "xxx",
  "app_displayname": "xxx",
  "appid": "xxx",
  "appidacr": "2",
  "idp": "",
  "idtyp": "app",
  "oid": "xxx",
  "rh": "xxx",
  "roles": [
  "sub": "xxx",
  "tenant_region_scope": "EU",
  "tid": "xxx",
  "uti": "xxx",
  "ver": "1.0",
  "wids": [
  "xms_tcdt": "1509395911"

However, we receive a 403 response with the content:

    "error": {
        "code": "accessDenied",
        "message": "Cannot call this API using the current App Id.",
        "innerError": {
            "date": "2022-06-14T08:00:52",
            "request-id": "xxx",
            "client-request-id": "xxx"


We have tested other graph beta endpoints and had no problems with them. What could be causing this problem?

0 Replies