Forum Discussion

Oct 22, 2020

Assigning Sensitivity Label via Unattended Script

I've come across an interesting problem recently. I have a requirement to set a group sensitivity label as part of an unattended automation script, for which I'm using application permissions and Graph calls.

 

Things I've tried:

• Setting the label via application permissions using Graph - this fails as the sensitivity label attribute is not available using app-only permissions

• Setting via delegated permissions using Graph - this fails as it turns out setting a label is not supported, only viewing

• Setting via Exchange Online PoSh V2 with Certificate auth - this fails as you need to be logged in as a user with a mailbox

• Setting via Exchange Online PoSh V2 with delegated permission - not possible I believe

I might be missing something, any ideas?

 

BTW I'm really trying to avoid allowing basic auth and storing credentials

  • Um, any particular error? The cmdlet you need for that is Set-UnifiedGroup, there's no REST-based one yet. The only difference the V2 module introduces is the way we authenticate, so you might as well use the "old" PS module just to check if it works there.

     

    Also don't forget that you need to update the Group settings first. Tony lists all the steps here: https://petri.com/moving-classifications-sensitivity-labels

    • SeanMcAvinue
      MVP

      VasilMichev Thanks Vasil, I did get it working eventually. The error(s) I was getting were:

      • Using app permissions & Cert auth it was unable to locate user mailbox (Sorry I closed the window after I got it working so don't remember the exact error)
      • Using regular sign in and MFA it would work but this wasn't feasible for the unattended automation job.
      • Using application permissions via Graph "this is not available using app-only permissions"

      I ended up requesting a user token manually and then using a function to renew using the refresh token each time the script ran.

       

      To set the label I used the below PATCH request (I originally missed the capital 'L' in 'assignedLabels' and it took me a while to find). The key to it was that it needs to be run in a user context and the user needs to have the label published to them. It can't be done this way via application permissions.

       

      # JSON body for PATCH https://graph.microsoft.com/v1.0/groups/{group-id};
      # replace <LabelGUID> with the sensitivity label's id (the value must be a quoted string).
      $body = @'
      {
          "assignedLabels": [
              {
                  "labelId": "<LabelGUID>"
              }
          ]
      }
      '@
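      A worked version of that approach, added here as an example and not Sean's own script: it redeems a stored refresh token for a fresh delegated access token, sends the PATCH, and reads the label back. The tenant, client, group and label ids and the DPAPI-protected token file path are assumed placeholders, and the app registration is assumed to be a public client with delegated Group.ReadWrite.All consent.

```powershell
# Added example (not the poster's script). Assumptions: a one-time interactive
# sign-in has already saved the refresh token to $TokenPath via
# ConvertFrom-SecureString (DPAPI, bound to this user and machine).
param(
    [Parameter(Mandatory)] [string]$TenantId,
    [Parameter(Mandatory)] [string]$ClientId,
    [Parameter(Mandatory)] [string]$GroupId,
    [Parameter(Mandatory)] [string]$LabelId,
    [string]$TokenPath = "$env:LOCALAPPDATA\LabelScript\refresh.token"
)

# Decrypt the stored refresh token only for the lifetime of this run.
$secure = Get-Content $TokenPath | ConvertTo-SecureString
$plainRefresh = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# Redeem the refresh token for a new delegated (user-context) access token.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        grant_type    = 'refresh_token'
        refresh_token = $plainRefresh
        scope         = 'https://graph.microsoft.com/Group.ReadWrite.All offline_access'
    }

# The token endpoint may rotate the refresh token; persist the new one for the next run.
if ($tokenResponse.refresh_token) {
    ConvertTo-SecureString $tokenResponse.refresh_token -AsPlainText -Force |
        ConvertFrom-SecureString | Set-Content $TokenPath
}
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# Apply the label in the signed-in user's context; the user must have the label published to them.
$body = @{ assignedLabels = @(@{ labelId = $LabelId }) } | ConvertTo-Json -Depth 3
Invoke-RestMethod -Method Patch `
    -Uri "https://graph.microsoft.com/v1.0/groups/$GroupId" `
    -Headers $headers -ContentType 'application/json' -Body $body

# Verify the assignment by reading assignedLabels back.
(Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/groups/${GroupId}?`$select=assignedLabels" `
    -Headers $headers).assignedLabels
```

      The token file is as sensitive as the user's session, so restrict it to the automation account and treat a failed refresh (e.g. after the user's password or sign-in policy changes) as a signal to re-run the interactive sign-in rather than falling back to stored credentials.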
      • Justin-GOV
        Brass Contributor
        Do you have more details of your solution? I am curious about your proposed authentication method: "I ended up requesting a user token manually and then using a function to renew using the refresh token each time the script ran."

        I am having the same problem you describe in your bullets. I am trying to find another solution.
