I am trying to apply Office sensitivity labels to a file in a .NET web application. I based my work mainly on this demo project: https://github.com/Azure-Samples/MipSDK-File-Razor-Sample
My application registration has the correct permissions as specified in that project. I can fetch the active labels, but when I try to apply the label to a filestream, I get the following error:
Microsoft.InformationProtection.Exceptions.ServiceDisabledException: 'Calling principal is forbidden to perform the operation, CorrelationId=616b22f2-cbf0-4636-b959-a90adc68456f, CorrelationId.Description=FileHandler, HttpRequest.Id=d8d6666c-4b94-4ee1-8b4b-d7b1645acadf, ServiceDisabledError.Extent=User'
I can't figure out what the root cause of this error is, if it's something I can change in my code or if there are still permissions missing from my app registration.
This is the relevant function:
    public MemoryStream ApplyMipLabel(Stream inputStream, string labelId)
    {
        IFileEngine engine = GetEngine(_defaultEngineId);

        // Create a handler with a hardcoded file name, using the input stream.
        IFileHandler handler = engine.CreateFileHandlerAsync(inputStream, "HrData.xlsx", false).GetAwaiter().GetResult();

        LabelingOptions options = new()
        {
            AssignmentMethod = AssignmentMethod.Standard
        };

        // Set the label on the handler.
        var label = engine.GetLabelById(labelId);
        handler.SetLabel(label, options, new ProtectionSettings());

        MemoryStream outputStream = new MemoryStream();

        // Commit the change and write to the outputStream.
        handler.CommitAsync(outputStream).GetAwaiter().GetResult(); // ERROR HAPPENS HERE
        return outputStream;
    }
I was running into this exact error when I was attempting to apply a protected label. Other labels (i.e., unprotected ones) were working fine without any error. Fortunately, I found this article: https://learn.microsoft.com/en-us/information-protection/develop/concept-api-permissions, and tried the Application Permissions listed in there.
Your code sample above does not show if you are using a Public Client or a Confidential Client. My guess is you are using the Confidential Client workflow, like me. So in the Microsoft Entra Admin center, you will need to ask for the "Content.Writer" permissions for Azure Rights Management Service as shown in the picture. Once this particular permission was applied for my application, that fixed the Microsoft.InformationProtection.Exceptions.ServiceDisabledException: 'Calling principal is forbidden to perform the operation...' service disabled error. I did not need the other permissions for my application.

[Image: Application Permissions in Microsoft Entra]