thatsecurityguy
Copper Contributor
Oct 24, 2023
Solved

API Permissions (UnifiedPolicy.Tenant.Read)

Hello,

I'm attempting to set up an app registration with one of the API permissions being "UnifiedPolicy.Tenant.Read" and I've been unsuccessful in locating the permission.

Microsoft's documentation states (updated yesterday, 10/23) that it's under the MIP Sync Service. However, I'm not seeing that as an available service. I've gone through the services that I feel would make sense to house this permission and I've had no luck.

I'm wondering if anyone would be able to point me in the right direction for this.

Thanks!

  • Hi thatsecurityguy,

    The API permission for the Microsoft Information Protection SDK that you need to read unified labeling policies for the tenant is UnifiedPolicy.Tenant.Read.

    This permission is listed in the Microsoft Entra app permissions blade under the MIP Sync Service. However, it is not currently available in the Azure AD admin portal.

    Required API permissions - Microsoft Information Protection SDK | Microsoft Learn


    To grant this permission to your app registration, you can use the Azure AD Graph API.
    You can use this PowerShell script as a starting point (example):

    # Set the variables
    $appId = "<your-app-registration-object-id>"   # object ID of the app registration (not the client ID)
    $tenantId = "<your-tenant-id>"
    $accessToken = "<your-graph-api-access-token>"
    # ID of the UnifiedPolicy.Tenant.Read app role as exposed by the MIP Sync Service
    # service principal in your tenant (placeholder; the ID is not given in this thread)
    $permissionId = "<unifiedpolicy-tenant-read-app-role-id>"
    $mipSyncApiId = "27453c88-c861-411c-8041-00f0a2486951"

    # graph.windows.net is the legacy Azure AD Graph endpoint (api-version is mandatory).
    # Microsoft has retired it in favour of Microsoft Graph, where the same
    # requiredResourceAccess property is patched at /v1.0/applications/{object-id}.
    $uri = "https://graph.windows.net/$tenantId/applications/$appId?api-version=1.6"
    $headers = @{ Authorization = "Bearer $accessToken" }

    # Permissions live in the application's requiredResourceAccess collection: one entry
    # per resource API, each listing permission IDs ("Role" = application permission).
    # PATCH replaces the whole collection, so read it first and merge instead of overwriting.
    $current = Invoke-RestMethod -Uri $uri -Method Get -Headers $headers
    $rra = @($current.requiredResourceAccess | Where-Object { $_ -ne $null })
    $entry = $rra | Where-Object { $_.resourceAppId -eq $mipSyncApiId }
    if ($entry) {
        $entry.resourceAccess += @{ "id" = $permissionId; "type" = "Role" }
    } else {
        $rra += @{
            "resourceAppId"  = $mipSyncApiId
            "resourceAccess" = @(@{ "id" = $permissionId; "type" = "Role" })
        }
    }
    # The body must be serialised: Invoke-WebRequest does not JSON-encode a hashtable
    $body = @{ "requiredResourceAccess" = $rra } | ConvertTo-Json -Depth 10

    # Make the request (a non-2xx status throws, so the failure branch is the catch block)
    try {
        $response = Invoke-WebRequest -Uri $uri -Method Patch -Headers $headers -Body $body -ContentType "application/json"
        # A successful PATCH returns 204 No Content
        if ($response.StatusCode -eq 204 -or $response.StatusCode -eq 200) {
            Write-Host "The UnifiedPolicy.Tenant.Read permission was successfully added to your app registration (admin consent is still required)."
        }
    } catch {
        Write-Host "An error occurred while granting the UnifiedPolicy.Tenant.Read permission to your app registration: $($_.Exception.Message)" -ForegroundColor Red
    }


    Once you have granted the UnifiedPolicy.Tenant.Read permission to your app registration, you will be able to use it to read all of the unified labeling policies in your tenant.

    Please click Mark as Best Response & Like if my post helped you to solve your issue.
    This will help others to find the correct solution easily. It also closes the item.


    If the post was useful in other ways, please consider giving it Like.


    Kindest regards,


    Leon Pavesic
    (LinkedIn)
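The script above adds the permission with a raw Graph call and leaves the permission's ID for you to find. The following is an added example, not code from Leon's post or from Microsoft's documentation, that does the same job with the Microsoft Graph PowerShell SDK: it resolves the app role ID from the "Microsoft Information Protection Sync Service" service principal in your tenant (which is why the portal lists it under "APIs my organization uses", as a later reply in this thread notes), merges it into the app registration without dropping existing permissions, and then checks whether admin consent has actually been granted, since adding an application permission only declares it. Assumptions: the Microsoft.Graph module is installed, you sign in with an account allowed to modify app registrations and grant consent, `$myAppClientId` is a placeholder for your own app, and the MIP Sync Service app ID is the one quoted above.

```powershell
# Added example (not from the original thread). Assumes the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

$mipSyncAppId   = "27453c88-c861-411c-8041-00f0a2486951"   # app ID quoted in the answer above
$permissionName = "UnifiedPolicy.Tenant.Read"
$myAppClientId  = "<your-app-registration-client-id>"       # placeholder: your app's client ID

# 1. The permission is defined on the resource's service principal, not on a global
#    catalogue; if the service principal is missing, the permission cannot be found or granted.
$resourceSp = Get-MgServicePrincipal -Filter "appId eq '$mipSyncAppId'"
if (-not $resourceSp) {
    throw "The Microsoft Information Protection Sync Service service principal is not present in this tenant."
}
$role = $resourceSp.AppRoles | Where-Object { $_.Value -eq $permissionName }
if (-not $role) { throw "App role '$permissionName' was not found on '$($resourceSp.DisplayName)'." }
if ($role.AllowedMemberTypes -notcontains "Application") {
    throw "'$permissionName' is not an application permission on this service principal."
}
Write-Host "Resolved $permissionName -> app role id $($role.Id)"

# 2. Merge the permission into the app registration's requiredResourceAccess.
#    Update-MgApplication replaces the whole collection, so existing entries are copied first.
$app = Get-MgApplication -Filter "appId eq '$myAppClientId'"
if (-not $app) { throw "No app registration with client ID $myAppClientId." }
$rra = @($app.RequiredResourceAccess | ForEach-Object {
    @{
        ResourceAppId  = $_.ResourceAppId
        ResourceAccess = @($_.ResourceAccess | ForEach-Object { @{ Id = $_.Id; Type = $_.Type } })
    }
})
$entry = $rra | Where-Object { $_.ResourceAppId -eq $mipSyncAppId }
if (-not $entry) {
    $entry = @{ ResourceAppId = $mipSyncAppId; ResourceAccess = @() }
    $rra += $entry
}
if (-not ($entry.ResourceAccess | Where-Object { $_.Id -eq $role.Id })) {
    $entry.ResourceAccess += @{ Id = $role.Id; Type = "Role" }   # "Role" = application permission
    Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess $rra
    Write-Host "Added $permissionName to the app registration."
}

# 3. Declaring the permission is not consent. For an application permission, admin consent
#    is an appRoleAssignment on your app's own service principal; verify it rather than assume it.
$mySp = Get-MgServicePrincipal -Filter "appId eq '$myAppClientId'"
if (-not $mySp) { throw "Your app has no service principal (enterprise app) in this tenant yet." }
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mySp.Id |
    Where-Object { $_.ResourceId -eq $resourceSp.Id -and $_.AppRoleId -eq $role.Id }
if (-not $granted) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mySp.Id -PrincipalId $mySp.Id `
        -ResourceId $resourceSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Granted admin consent for $permissionName."
}

# 4. Review every application permission this app now holds; tenant-wide read
#    permissions such as this one deserve a line in the change record.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mySp.Id |
    Select-Object ResourceDisplayName, AppRoleId, CreatedDateTime
```

Step 3 is the part the raw PATCH above does not cover: until the appRoleAssignment exists, the app will receive tokens without the role claim and policy reads will fail, and step 4 is what an access reviewer sees when auditing which apps can read tenant-wide policy.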

3 Replies


    • thatsecurityguy's avatar
      thatsecurityguy
      Copper Contributor

      Hello LeonPavesic,

      While attempting to configure the above, I was able to find the Service and the permission under it by happenstance.

      The Service IS available in the admin portal but it's in a less than ideal location (personal opinion).
      When adding a permission and searching under 'Microsoft APIs' you won't be able to find the 'Microsoft Information Protection Sync Service', but if you search under 'APIs my organization uses' and then search for 'Microsoft Information Protection Sync Service', you should be able to find it there with the UnifiedPolicy.Tenant.Read permission.

      If only there was a search bar at the top where you could search for any/all API permissions regardless of the service, that would list the APIs and the services they're under when searched...

      • nrvonogd's avatar
        nrvonogd
        Copper Contributor

        https://learn.microsoft.com/en-us/information-protection/develop/setup-configure-mip it's mentioned in this doc fwiw.
