Jul 25, 2020 4 min read

Discovering APIs for Sensitivity Labels in Microsoft 365

Down the rabbit hole of Information Protection Sensitivity Label APIs for container objects in Microsoft 365.

Remember when I tried to create a completely SharePoint Search based dashboard that would show sensitivity labels for "containers" (SharePoint sites/Microsoft 365 Groups/Microsoft Teams teams)? In the end I was only able to fetch the Label id from the search index, not the Label text.
So I spent some time researching options to still fetch (programmatically) the Label for a given id, or potentially all possible id/text pairs.

Get details for (a|all) Label(s)

There are some specifics around Sensitivity Labels that make fetching information about one or all Labels a complicated problem. A specific Label can have "security" applied to it, making it available only to a subset of people. Such a user can then apply this Label on a container object, and this gets indexed. A second user, without access to that Label, can retrieve the Label id, but there is no API that lets them fetch the Label text because they aren't supposed to have access to it.
This is something to take into account when working with Sensitivity Labels and their APIs.

Microsoft Graph

At the moment, these APIs are only available on the /beta endpoint of Microsoft Graph. The Microsoft Graph documentation around Information Protection has all the information.

With Microsoft Graph, it is possible to fetch all labels available to the signed-in user or a specified user. After consenting to the permission scope, you can fetch all the information with:

GET /me/informationProtection/policy/labels HTTP/1.1

or

GET /users/{id|user-principal-name}/informationProtection/policy/labels HTTP/1.1

Luckily, there is also an endpoint that allows getting all labels available in the organization:

GET /informationProtection/policy/labels HTTP/1.1

The documentation doesn't call this out explicitly, but I think it only works when using Application Permissions. Trying this call with delegated permissions, through Graph Explorer and as a Global Admin, still results in a 403 - Forbidden.

You can also Get the information for a specific Label, with a syntax similar to the List syntax, by adding the Label id at the end:

GET /me/informationProtection/policy/labels/{id} HTTP/1.1

The List and Get commands return the label information, as an array of Labels or as a single Label respectively. The format is similar to:

HTTP/1.1 200 OK
Content-type: application/json
User-agent: ContosoLOBApp/1.0

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#users('1e36d926-d716-4197-ba86-a6e18eb910b9')/informationProtection/policy/labels/$entity",
    "id": "4662f9a3-dd50-4a20-b984-a7be82e0e79c",
    "name": "LabelWithFooterAndHeaderActions_Tests",
    "description": "",
    "color": "",
    "sensitivity": 12,
    "tooltip": "LabelWithFooterAndHeaderActions_Tests",
    "isActive": true
}

All necessary info is returned and can be used to satisfy requirements.

PowerShell

You can also get this information with PowerShell, but there is only the Organization level approach (so you can't query the Labels available to a specific user). The Get-Label cmdlet is part of the Security & Compliance Center PowerShell cmdlets, and requires the correct permissions to be set in the Security and Compliance Admin Center.

In essence, you connect to the PowerShell cmdlets and then you can use the Get-Label cmdlet to fetch all Labels (or a specific Label) in the organization:

Get-Label
Get-Label -Identity "Engineering Group"

The result is something similar to the following:

In good PowerShell tradition, not all properties are returned by default but you can get everything that is available with the Get-Member cmdlet:

Get-Label | Get-Member

SharePoint REST API

Given my original problem, the above solutions would be inconvenient. It would be easier if the information were available "on the page", so I could just use it. I couldn't find anything in the page context objects, but I did notice the labels loaded in two places: site header and site information panel.

The Labels load asynchronously in there, much later than page load so I searched for the API call that fetched the information:

GET /_api/GroupSiteManager/GetGroupCreationContext HTTP/1.1

There is also some caching involved here, as the call is not always executed. Using the DevTools, it is clear that this information gets stored in SessionStorage. Two properties are of interest here, classificationDescriptionsNew and dataClassificationOptionsNew:

TO BE CLEAR: this API call is not documented so probably not supported, and using the data from Session Storage is probably even less supported. Usage is at your own risk!

Get the Label applied to a container

The above API calls give you all Labels in the organization, sometimes limited to a subset available to the calling user. I decided to also look into ways to fetch the label that is applied on a "container" object.

Microsoft Graph for M365 Groups and Microsoft Teams

Microsoft Graph is, of course, the first stop. The availability of this information is rather limited: it's only there for Microsoft 365 Groups. Of course, this means the same call works for Microsoft Teams teams too, since they are Groups under the hood.

The Sensitivity Label is available on a Group in the property assignedLabels. This is a multi-valued property, which is interesting because the UI only allows assigning one Label (for now?). It also has to be explicitly selected, because it isn't returned by default.

GET /groups/{id}?$select=assignedLabels

This returns the Label id and Label text:

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#groups(assignedLabels)/$entity",
    "assignedLabels": [
        {
            "labelId": "204163e2-e928-4118-9a8d-94682434f3f0",
            "displayName": "Amber"
        }
    ]
}

SharePoint Search for SharePoint sites

My previous post on this topic already showed you a way to fetch this information from the SharePoint Search index. Of course this only returns the Label id.
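
An added example, not code from the original post: joining label ids (as returned by search or by assignedLabels) against a label List response, and keeping ids the caller cannot resolve instead of dropping them. The sample data, the container field names `url` and `labelId`, and the function names are assumptions constructed here.

```python
import json

# Constructed sample shaped like a List response from
# GET /informationProtection/policy/labels (Graph wraps collections in "value").
LABELS_RESPONSE = json.loads("""
{"value": [
  {"id": "11111111-1111-1111-1111-111111111111", "name": "Amber",
   "sensitivity": 2, "isActive": true},
  {"id": "22222222-2222-2222-2222-222222222222", "name": "Legacy Red",
   "sensitivity": 9, "isActive": false}
]}
""")

# Constructed container rows: only a label id is known for each
# (hypothetical field names "url" and "labelId").
CONTAINERS = [
    {"url": "https://contoso.example/sites/finance",
     "labelId": "11111111-1111-1111-1111-111111111111"},
    {"url": "https://contoso.example/sites/archive",
     "labelId": "{22222222-2222-2222-2222-222222222222}"},
    {"url": "https://contoso.example/sites/board",
     "labelId": "33333333-AAAA-3333-3333-333333333333"},
    {"url": "https://contoso.example/sites/lunch", "labelId": ""},
]


def build_catalog(list_response):
    """Index labels by lower-cased id so GUID casing cannot break the join."""
    return {lab["id"].lower(): lab for lab in list_response.get("value", [])}


def resolve(containers, catalog):
    """Attach label text to each container; never drop an id that fails to resolve."""
    rows = []
    for c in containers:
        # Assumption: ids may arrive upper-cased or wrapped in braces.
        label_id = (c.get("labelId") or "").strip().strip("{}").lower()
        label = catalog.get(label_id)
        if not label_id:
            status = "unlabeled"
        elif label is None:
            # Caller's label list lacks this id, e.g. the label is scoped to
            # other users: report the bare id instead of guessing a name.
            status = "not-visible"
        else:
            status = "ok" if label.get("isActive", True) else "inactive"
        rows.append({"url": c["url"], "labelId": label_id or None, "status": status,
                     "name": label["name"] if label else None})
    return rows
```

Rows with status `not-visible` are the case described earlier: the id is indexed, but the account that fetched the label list has no access to the label text.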

SharePoint REST API for SharePoint sites

Similar to above, I went looking for the SharePoint REST API call that fetches the Label information for the current site.
I settled for the following API endpoint, unsure if it is supported for public consumption:

GET /_api/site/SensitivityLabelInfo HTTP/1.1

It returns the Label id and Label text for the label applied to the calling SharePoint site.
