I want to extend an existing migration tool to set sensitivity labels on files before they get imported into Sharepoint Online. I have found the Microsoft Information Protection SDK, which seems to provide the necessary API.
To get familiar with the API, I downloaded and ran the ServicePrincipalAuth example application (see https://learn.microsoft.com/en-us/samples/azure-samples/mipsdk-dotnet-file-serviceprincipalauth/mipsdk-dotnet-file-serviceprincipalauth/). But although I have followed the steps exactly, I always get an AccessDeniedException with message "The service didn't accept the auth token" in the CreateFileEngine method at the line
var engine = Task.Run(async () => await profile.AddEngineAsync(engineSettings)).Result;
I have tried both authentication variants (certificate and secret key) so far. Same result for both.
My App.config file looks like this:
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2"/>
  </startup>
  <appSettings>
    <add key="ida:ClientId" value="[client ID from Azure AD app]"/>
    <add key="ida:RedirectUri" value="mipsdk-auth-sample://authorize2"/>
    <add key="ida:CertThumbprint" value="[thumbprint of my self-signed certificate]"/>
    <add key="ida:ClientSecret" value="[client secret from Azure AD app]"/>
    <add key="ida:DoCertAuth" value="true"/>
    <add key="ida:Tenant" value="[my tenant name].onmicrosoft.com"/>
    <add key="app:Name" value="mipsdk-auth-sample2"/>
    <add key="app:Version" value="1.0.0"/>
  </appSettings>
</configuration>
UPDATE:
Our administrator needed to consent to the API permissions requested by the Azure AD app. After this was done, the authentication worked as expected!
Unfortunately, I ran into a new error:
RMS service is disabled for publishing for this user., CorrelationId=e2e..., CorrelationId.Description=FileHandler, HttpRequest.Id=00d..., ServiceDisabledError.Extent=User
This time in the SetLabel method at the line:
var result = Task.Run(async () => await handler.CommitAsync(options.OutputName)).Result;
The error message suggests to enable the RMS service for the user. How can I (or our administrator) do this for the Azure AD app?
Any hint is greatly appreciated!
The error you're seeing is because onboarding control policies are enabled in the RMS service.
You'd need to follow up with your administrator to ask them how they've configured the policy. If they've set a group, you'll need to add the service principal to an AAD group that is enabled as part of the onboarding controls.
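One way for the tenant administrator to check the RMS onboarding control policy described in the answer and, if a group is configured, add the app's service principal to it. This is an added PowerShell example, not code from the question, the answer or the MIP SDK sample; it assumes the AIPService and Microsoft.Graph PowerShell modules are installed and that the caller holds the required admin roles. $AppId is a placeholder for the app's client ID, and the group object ID is read from the policy itself.

```powershell
# Added example (not part of the question or answer above).
# Assumes the AIPService and Microsoft.Graph modules; $AppId is a placeholder.
$AppId = '<client ID of the Azure AD app>'   # placeholder, replace with ida:ClientId

# 1. Read the onboarding control policy that gates who may publish (protect) content.
Connect-AipService
$policy = Get-AipServiceOnboardingControlPolicy
$policy | Format-List UseRmsUserLicense, SecurityGroupObjectId

if (-not $policy.SecurityGroupObjectId) {
    Write-Host 'No onboarding security group is configured; review UseRmsUserLicense with the admin.'
    return
}
$GroupObjectId = $policy.SecurityGroupObjectId

# 2. Resolve the app's service principal (the enterprise application object,
#    not the app registration) and add it to the onboarding group.
Connect-MgGraph -Scopes 'GroupMember.ReadWrite.All', 'Application.Read.All'
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }
New-MgGroupMember -GroupId $GroupObjectId -DirectoryObjectId $sp.Id

# 3. Confirm membership before retrying the MIP SDK CommitAsync call.
$member = Get-MgGroupMember -GroupId $GroupObjectId -All | Where-Object Id -eq $sp.Id
if ($member) {
    Write-Host "Service principal $($sp.Id) is now a member of onboarding group $GroupObjectId"
} else {
    Write-Host 'Membership not visible yet; allow for directory replication and check again.'
}
```

The check in step 1 is the part worth running first: if UseRmsUserLicense is in play rather than a group, adding the service principal to a group will not change the ServiceDisabledError.Extent=User result, and the admin has to adjust the policy instead.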