Update sensitivity label to M365 Group with Graph API and PowerShell throws 401 error

0
votes

UGH!

I'm struggling with 401 error when trying to update M365 groups sensitivity label information with Graph API and PowerShell. With Graph Explorer the beast works just fine, but with PowerShell I receive an error Invoke-RestMethod : The remote server returned an error: (401) Unauthorized. -message. Updating groups description and displayname programatically works without exceptions. Azure app registration is consented with application level grants: Group.ReadWrite.All and Directory.ReadWrite.All as mentioned in the MS documentation. Any ideas?

Code sample:

Connect-PnPOnline -Url $tenantBaseUrl -ClientId $clientId -Tenant $tenantId -Thumbprint $thumbPrint
$body=@"
{
    "assignedLabels": [
      {
        "labelId": "$labelId"  
      }
    ]
  }
"@
$AccessToken = (Get-PnPGraphAccessToken)
$headers = @{ Authorization=("Bearer " + $AccessToken)}
$uri = "https://graph.microsoft.com/beta/groups/$groupId"
$webRequest = Invoke-RestMethod –Uri $uri -Body $body –Method Patch -Headers $headers -ContentType "application/json"

Reference to MS-documentation: https://docs.microsoft.com/en-us/graph/api/group-update?view=graph-rest-beta&tabs=http#example-2-apply-sensitivity-label-to-a-microsoft-365-group

2
powershellmicrosoft-graph-apioffice365
Check the access token in jwt.ms if you have the required permissions or not? - Shiva Keshav Varma
Is your issue resolved? - Shiva Keshav Varma
Noup, I checked the token and it seems to be alright. - ulamatik
Hi, not working with PowerShell. The only difference between PowerShell and Graph Explorer is that the Graph Explorer uses additional delegated Directory.AccessAsUser.All -permission. @ShivaKeshavVarma - ulamatik
Do you have Directory.ReadWrite.All permission? - Shiva Keshav Varma

2 Answers

0
votes

Token is valid. If I run the same command with same token, but only changing the body to update description and displayname it works.

$body2 = @"
{
    "description": "M365 Group new desc",
    "displayName": "M365 Group new displayname"
}
"@

$webRequest2 = Invoke-RestMethod –Uri $uri -Body $body2 –Method Patch -Headers $headers -ContentType "application/json"
0
votes

It seems that app-only permission is not supported.

Setting of sensitivity labels is not available with app credentials