[BUG] Get-PnPAvailableSensitivityLabel: Access denied. Check for the required permissions
Reporting an Issue or Missing Feature
Reporting a bug
Expected behavior
According to the documentation, Get-PnPAvailableSensitivityLabel should give Microsoft Purview sensitivity labels in the currently connected tenant
Actual behavior
I am getting an error "Access denied. Check for the required permissions" whenever I try to run Get-PnPAvailableSensitivityLabel
Steps to reproduce behavior
Connect-PnPOnline
Get-PnPAvailableSensitivityLabel
What is the version of the Cmdlet module you are running?
Name : PnP.PowerShell
Version : 1.11.35
Which operating system/environment are you running PnP PowerShell on?
- [x] Windows
- [ ] Linux
- [ ] MacOS
- [ ] Azure Cloud Shell
- [ ] Azure Functions
- [ ] Other : please specify
Hi @YuriySamorodov
According to me, delegated Graph permissions of type InformationProtectionPolicy.Read are needed to make this command work. Currently this permission set is not included yet in the PnP app registration. A PnP Team member should add it.
I also noticed this command uses deprecated Graph endpoints. I made a PR to replace them with the new ones, but you'll still need the permissions listed above to make this work.
Thanks @milanholemans for the comment, we will add this permission.
This cmdlet will work as long as your Azure AD app, not the PnP one, has InformationProtectionPolicy.Read delegated permission or InformationProtectionPolicy.Read.All application permission.
Will close the issue now
Can you elaborate a little on which app needs to have the permissions? I'm not quite sure what Azure AD app is referring to here. I'm running into the same issue.
Hi @oharveyCloudwell
In the back, all PnP apps (PnP PowerShell, M365 CLI, ...) use the same Azure AD app to authenticate to your tenant. Without this app, you don't have permission to query your tenant. You can find this app in Azure AD --> enterprise applications, there search for PnP Office 365 Management Shell. This app lacks the InformationProtectionPolicy.Read permission, PnP maintainers should add this to the app registration (friendly reminder @gautamdsheth, this hasn't happened yet 😊).
You can create your own app registration with your own permissions to work with PnP PowerShell. In this app registration you can grant the delegated InformationProtectionPolicy.Read permissions yourself. More info on how to create such an app can be found here: https://pnp.github.io/powershell/articles/authentication.html
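Added example, not part of the original thread and not PnP project code: a way to confirm whether the Graph access token your session actually holds carries the permission discussed above, by reading its `scp` (delegated) and `roles` (application) claims. The helper names `ConvertFrom-Base64Url`, `New-SampleToken` and `Test-GraphLabelPermission` are hypothetical, and the token and app id below are constructed samples.

```powershell
# Added example: helper names are hypothetical; the sample token is constructed and unsigned.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments use the URL-safe alphabet and drop '=' padding; restore both.
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Test-GraphLabelPermission {
    param([Parameter(Mandatory)][string]$AccessToken)
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected three dot-separated parts).' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    # Delegated permissions arrive as one space-separated 'scp' string;
    # application permissions arrive as a 'roles' array.
    $scopes = @()
    if ($claims.scp) { $scopes = $claims.scp -split ' ' }
    $roles = @($claims.roles)

    $delegated   = $scopes -contains 'InformationProtectionPolicy.Read'
    $application = $roles  -contains 'InformationProtectionPolicy.Read.All'
    [pscustomobject]@{
        AppId         = $claims.appid   # which app registration issued the session
        Delegated     = $delegated
        Application   = $application
        CanReadLabels = ($delegated -or $application)
    }
}

function New-SampleToken {
    param([Parameter(Mandatory)][hashtable]$Payload)
    # Builds an unsigned header.payload.signature string for offline testing only.
    $encode = {
        param($obj)
        $bytes = [Text.Encoding]::UTF8.GetBytes(($obj | ConvertTo-Json -Compress))
        [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    '{0}.{1}.sig' -f (& $encode @{ alg = 'none' }), (& $encode $Payload)
}

# Constructed samples: one token without the permission, one with the delegated scope.
$sampleAppId = '00000000-0000-0000-0000-000000000000'
$missing = New-SampleToken @{ appid = $sampleAppId; scp = 'AllSites.FullControl User.Read' }
$granted = New-SampleToken @{ appid = $sampleAppId; scp = 'InformationProtectionPolicy.Read User.Read' }
Test-GraphLabelPermission $missing
Test-GraphLabelPermission $granted
```

Against a live session, pass the string returned by `Get-PnPGraphAccessToken` instead of a sample token; the `AppId` field shows whether you are connected through your own app registration or the shared PnP one.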
@milanholemans , thanks for the response. I think I just got around to sorting that out when you responded. I appreciate the information. I agree that it would be easier if this were simply added to the app registration, though.
Ok nice to hear it works for you now. I'm confident that this permission will be added to the PnP app registration.
@waldekmastykarz could you add the InformationProtectionPolicy.Read permission to the app registration please?
Much appreciated! 😊