Tags: c#, microsoft-information-protection, mip-sdk

Sensitivity label removal works for one label but fails for another


I’m working with Microsoft Information Protection (MIP) SDK to remove sensitivity labels from files:

I’ve successfully created two labels within the same tenant, using the same token.

Now I’m trying to remove the labels created in the same tenant using the same token:

  • Label A can be removed successfully.
  • Label B cannot be removed and throws an error upon removal.

This is the error I receive when trying to remove Label B:

System.AggregateException: One or more errors occurred. (The service didn't accept the 
auth token. Challenge:['Bearer resource="https://aadrm.com", realm="", 
authorization="https://login.windows.net/common/oauth2/authorize"']
HttpRequest.Id=545b6654-31a7-4016-8d49-875e6678aab8,
CorrelationId=b373b0c3-1495-4461-84f8-5f34404299f0,
CorrelationId.Description=ProtectionEngine,
CorrelationId=7d063033-43c3-4971-900c-2ac3eefe29be,
CorrelationId.Description=FileEngine)

Here is my code. The error occurs when setting fileHandler as shown below with Label B:

using System.Threading.Tasks;
using Microsoft.InformationProtection;
using Microsoft.InformationProtection.File;

// Caller: with Label B the exception surfaces on the CreateFileHandlerAsync line.
// fileFullPath is the path of the labeled file, set by the caller.
IFileEngine fileEngine = MIPHelper.GetFileEngine();
IFileHandler fileHandler = fileEngine.CreateFileHandlerAsync(fileFullPath, fileFullPath, true).Result;

public static class MIPHelper
{
    // Class fields assumed from the snippet: it assigns these without declaring them.
    private static string userName;
    private static IFileProfile profile;
    private static IFileEngine engine;

    public static IFileEngine GetFileEngine()
    {
        // Load the native MIP File SDK components before anything else.
        MIP.Initialize(MipComponent.File);

        ApplicationInfo appInfo = new ApplicationInfo()
        {
            ApplicationId = "AppId",        // Azure AD app (client) ID registered for MIP
            ApplicationName = "MIPTest",
            ApplicationVersion = "1.0.0"
        };

        // Supplies access tokens whenever the SDK challenges for a resource/authority.
        AuthDelegateImplementation authDelegate = new AuthDelegateImplementation(appInfo);

        MipConfiguration mipConfiguration = new MipConfiguration(
            appInfo, "mip_data", Microsoft.InformationProtection.LogLevel.Trace, false
        );
        mipConfiguration.LoggerConfigurationOverride = new LoggerConfiguration(10, 40, false);
        var mipContext = MIP.CreateMipContext(mipConfiguration);

        var profileSettings = new FileProfileSettings(
            mipContext, CacheStorageType.OnDiskEncrypted, new ConsentDelegateImplementation()
        );

        profile = Task.Run(async () => await MIP.LoadFileProfileAsync(profileSettings)).Result;

        // The engine is keyed by userName; "ko-kr" selects the label display locale.
        var engineSettings = new FileEngineSettings(userName, authDelegate, "", "ko-kr");
        engineSettings.Identity = new Identity(userName);

        engine = Task.Run(async () => await profile.AddEngineAsync(engineSettings)).Result;

        return engine;
    }
}

Solution

I have identified the issue and resolved it. Initially, I configured the process by setting up an AuthDelegateImplementation to obtain an authentication token and storing it in a database through a scheduler that runs every hour. The token was then retrieved and reused. (For reference, I based this logic on the example here: AuthDelegateImplementation.cs. In this example, the AcquireToken parameters authority and resource were hardcoded to obtain the token.)

Using this approach, I successfully removed sensitivity labels from files without access control restrictions. However, for labels with access control settings, the error described earlier occurred.

To resolve this, I switched to a different approach where a new authentication token is obtained each time the functionality is used. This resolved the issue, and I verified that sensitivity labels, including those with access control settings, were successfully removed from the files.
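An added example, not the poster's code and not the MIP SDK sample linked above: an IAuthDelegate that builds each token request from the authority and resource the SDK passes in its challenge, so the ProtectionEngine's request for https://aadrm.com gets its own token instead of the one minted for the label service. It assumes the Microsoft.Identity.Client (MSAL) package, a client ID registered for the MIP scopes, and the class name ChallengeAwareAuthDelegate is mine.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using Microsoft.Identity.Client;
using Microsoft.InformationProtection;

// One MSAL client per authority; MSAL's token cache does the per-resource reuse
// and refresh, so no hand-rolled hourly database store is needed.
public class ChallengeAwareAuthDelegate : IAuthDelegate
{
    private readonly string _clientId;
    private readonly ConcurrentDictionary<string, IPublicClientApplication> _apps =
        new ConcurrentDictionary<string, IPublicClientApplication>();

    public ChallengeAwareAuthDelegate(string clientId) => _clientId = clientId;

    // MIP calls this once per service it contacts. The FileEngine asks for the label
    // policy service; the ProtectionEngine asks for "https://aadrm.com" when a label
    // carries protection. A token issued for one resource has the wrong audience for
    // the other, which is what "The service didn't accept the auth token" reports.
    public string AcquireToken(Identity identity, string authority, string resource, string claims)
    {
        if (!resource.EndsWith("/")) resource += "/";
        string[] scopes = { resource + ".default" };

        var app = _apps.GetOrAdd(authority, a =>
            PublicClientApplicationBuilder.Create(_clientId)
                .WithAuthority(a)
                .WithDefaultRedirectUri()
                .Build());

        AuthenticationResult result;
        try
        {
            // Silent first: served from cache or refreshed by MSAL for this resource.
            var account = app.GetAccountsAsync().Result.FirstOrDefault();
            result = app.AcquireTokenSilent(scopes, account).ExecuteAsync().Result;
        }
        catch (AggregateException ex) when (ex.InnerException is MsalUiRequiredException)
        {
            // No usable cached token for this resource (or none at all): sign in.
            result = app.AcquireTokenInteractive(scopes).ExecuteAsync().Result;
        }
        return result.AccessToken;
    }
}
```

Pass an instance of this class where the snippet above passes AuthDelegateImplementation; the claims parameter is left unused here, and a production delegate would forward it to MSAL when the challenge carries one.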