In some scenario, it can be useful to assign sensitivity labels to a SharePoint file automatically. For instance, it can be interesting to automatically assign a sensitivity label based on a specific metadata.
This blog post explains how to doing using a Power Automate flow and the Microsoft Graph API.
Content
Prerequisites
- Sensitivity labels for Office files in SharePoint and OneDrive enabled
To be able to assign labels to a file in SharePoint, you need to enable this feature first. The are several ways to do it that are described in this article: Enable sensitivity labels for files in SharePoint and OneDrive
- Azure subscription
As we will see in the next chapter, we will use metered APIs in Microsoft Graph that require an Azure subscription (for billing purposes).
Enable metered APIs in Microsoft Graph
Metered APIs and services in Microsoft Graph unlike standard Microsoft Graph API incur costs based on usage.
As the assignSensitivityLabel API is considered to be an advanced API it is metered and is billed per API call made (more details here: Metered APIs and services in Microsoft Graph).
Create a new app registration
The first step is to create a new app registration. Go to https://entra.microsoft.com/ and create a new app registration.
The application will be used to make call to the Graph API so you need to add the following permission: Files.ReadWrite.All
You can also create a new client secret for the app registration as this is what we will use to authenticate from our Power Automate flow.
Create a resource group
Create a new resource group associated to your Azure subscription that you want to use for billing.
Enable metered APIs usage for the application
To enable your application to use metered APIs, execute the following command (in Azure Cloud Shell for example):
az graph-services account create --resource-group myRG --resource-name myGraphAppBilling --subscription mySubscriptionGUID --location global --app-id AppRegGUID| Parameter | Description |
|---|---|
| myRG | The name of an existing Azure resource group to add the newly created resource to. |
| myGraphAppBilling | The name you want to give to this resource instance. |
| myAppGUID | The Application ID of the application you want to enable to use metered APIs |
| mySubscriptionGUID | The ID of the Azure subscription that will be used for billing |
Set up the Power Automate flow
Once you have enabled the metered APIs, we can start build the Power Automate flow.
Trigger
In this example we will use a manual trigger but it can also be an automatic trigger such as When an file is created.
Action
You can use the HTTP action to call the assignSensitivityLabel API:
| Parameter | Description |
|---|---|
| URI | URI of the API request. It uses the SharePoint site id where the file is located and the file id. |
| Method | Method of the API request |
| Headers | Headers of the API request |
| Body | sensitivityLabelId (required): ID of the sensitivity label to be assigned, or empty string to remove the sensitivity label. It can be found on the Microsoft Purview portal. assignmentMethod (optional): The assignment method of the label on the document. justificationText (optional): Justification text for audit purposes, and is required when downgrading/removing a label. |
Authentication
The HTTP action contains an Authentication parameter that allow you to manage the authentication part within the same action.
Use Client ID and Client Secret of the app registration you created earlier.
Conclusion
Now that everything is set up, running your flow should assign specified sensitivity label to your file.
