HELP: how to deploy sensitivity labels with [SCSensitivityLabel] - specifically how to get "update" access?

[GeldHades27355]

Hey folks,

We're trying to deploy sensitivity labels. It seems the export was successful. Here is one of them:

        SCSensitivityLabel "SCSensitivityLabel-General"
        {
            AdvancedSettings                               = @(
                MSFT_SCLabelSetting
                {
                    Key   = 'color'
                    Value = '#13A10E'
                }
                MSFT_SCLabelSetting
                {
                    Key   = 'isparent'
                    Value = 'False'
                }
            );
            Comment                                        = "";
            ContentType                                    = @("File, Email","Site, UnifiedGroup","SchematizedData");
            Credential                                     = $Credscredential;
            DisplayName                                    = "General";
            EncryptionEnabled                              = $True;
            EncryptionProtectionType                       = "removeprotection";
            Ensure                                         = "Present";
            LocaleSettings                                 = @(
                MSFT_SCLabelLocaleSettings
                {
                    LocaleKey = 'displayName'
                    LabelSettings  = @(
                        MSFT_SCLabelSetting
                        {
                            Key   = 'default'
                            Value = 'General'
                        }
                    )
                }
                MSFT_SCLabelLocaleSettings
                {
                    LocaleKey = 'tooltip'
                    LabelSettings  = @(
                        MSFT_SCLabelSetting
                        {
                            Key   = 'default'
                            Value = 'Data which has no specific sensitivity and need no particular protection. There are no sharing restrictions.'
                        }
                    )
                }
            );
            Name                                           = "General";
            Priority                                       = 0;
            SiteAndGroupExternalSharingControlType         = "ExternalUserAndGuestSharing";
            SiteAndGroupProtectionAllowAccessToGuestUsers  = $False;
            SiteAndGroupProtectionAllowEmailFromGuestUsers = $True;
            SiteAndGroupProtectionAllowFullAccess          = $True;
            SiteAndGroupProtectionAllowLimitedAccess       = $False;
            SiteAndGroupProtectionBlockAccess              = $False;
            SiteAndGroupProtectionEnabled                  = $True;
            SiteAndGroupProtectionPrivacy                  = "public";
            Tooltip                                        = "Data which has no specific sensitivity and need no particular protection. There are no sharing restrictions.";
        }

However, we're completely in the dark as to how to get the right permissions to UPDATE/WRITE these to a tenant:

1. The documentation at https://microsoft365dsc.com/resources/security-compliance/SCSensitivityLabel/ says "none" for all actions vs. Graph.
2. And powershell says: PS > Get-M365DSCCompiledPermissionList -ResourceNameList 'scsensitvitylabel' -PermissionType Application -AccessType Update File settings.json was not found for resource {scsensitvitylabel}

Name Value

---

API Graph
PermissionName Organization.Read.All

How did y'all get UPDATE permissions for SCSensitivityLabel?