Tags: .net, authentication, microsoft-information-protection, mip-sdk

Microsoft.InformationProtection.Exceptions.AccessDeniedException: The service didn't accept the auth token


I want to extend an existing migration tool to set sensitivity labels on files before they get imported into SharePoint Online. I have found the Microsoft Information Protection SDK, which seems to provide the necessary API.

To get familiar with the API, I downloaded and ran the ServicePrincipalAuth example application (see https://learn.microsoft.com/en-us/samples/azure-samples/mipsdk-dotnet-file-serviceprincipalauth/mipsdk-dotnet-file-serviceprincipalauth/). But although I have followed the steps exactly, I always get an AccessDeniedException with message "The service didn't accept the auth token" in the CreateFileEngine method at the line

var engine = Task.Run(async () => await profile.AddEngineAsync(engineSettings)).Result;

I have tried both authentication variants (certificate and secret key) so far. Same result for both.

My App.config file looks like this:

<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2"/>
  </startup>
  <appSettings>
    <add key="ida:ClientId" value="[client ID from Azure AD app]"/>
    <add key="ida:RedirectUri" value="mipsdk-auth-sample://authorize2"/>
    <add key="ida:CertThumbprint" value="[thumbprint of my self-signed certificate]"/>
    <add key="ida:ClientSecret" value="[client secret from Azure AD app]"/>
    <add key="ida:DoCertAuth" value="true"/>
    <add key="ida:Tenant" value="[my tenant name].onmicrosoft.com"/>
    <add key="app:Name" value="mipsdk-auth-sample2"/>
    <add key="app:Version" value="1.0.0"/>
  </appSettings>
</configuration>

UPDATE:

Our administrator needed to consent to the API permissions requested by the Azure AD app. After this was done, the authentication worked as expected!

Unfortunately, I ran into a new error:

RMS service is disabled for publishing for this user., CorrelationId=e2e..., CorrelationId.Description=FileHandler, HttpRequest.Id=00d..., ServiceDisabledError.Extent=User

This time in the SetLabel method at the line:

var result = Task.Run(async () => await handler.CommitAsync(options.OutputName)).Result;

The error message suggests to enable the RMS service for the user. How can I (or our administrator) do this for the Azure AD app?

Any hint is greatly appreciated!


Solution

  • The error you're seeing is because onboarding control policies are enabled in the RMS service.

    https://learn.microsoft.com/en-us/powershell/module/aadrm/set-aadrmonboardingcontrolpolicy?view=azureipps

    You'd need to follow up with your administrator to ask them how they've configured the policy. If they've set a group, you'll need to add the service principal to an AAD group that is enabled as part of the onboarding controls.
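The following is an added PowerShell example, not part of the question or the answer above, showing how a tenant administrator would carry out the check the answer describes: read the RMS onboarding control policy, and if it restricts publishing to a security group, add the MIP SDK app's service principal to that group. It assumes the AADRM and AzureAD PowerShell modules are installed, that the caller holds an administrator role for Azure Information Protection, that `$AppId` is the `ida:ClientId` from App.config, and that the policy object exposes a `SecurityGroupObjectId` property matching the cmdlet parameter of the same name.

```powershell
# Added example: verify the RMS onboarding control policy and enrol the
# MIP SDK service principal in the group it references. Not from the
# original post; module and property names are assumptions noted above.

param(
    [Parameter(Mandatory = $true)]
    [string]$AppId   # ida:ClientId of the Azure AD app used by the migration tool
)

Import-Module AADRM
Import-Module AzureAD

Connect-AadrmService   # prompts for AIP/Global administrator credentials
Connect-AzureAD

# 1. Inspect the onboarding control policy. A populated SecurityGroupObjectId
#    means only members of that group are allowed to protect (publish) content,
#    which is what "RMS service is disabled for publishing for this user" reports.
$policy = Get-AadrmOnboardingControlPolicy
$policy | Format-List

if (-not $policy.SecurityGroupObjectId) {
    Write-Host "No security group restricts publishing; onboarding controls are not the cause."
    return
}

# 2. Resolve the service principal that the app registration creates in the tenant.
$sp = Get-AzureADServicePrincipal -Filter "AppId eq '$AppId'"
if (-not $sp) {
    throw "No service principal found for AppId $AppId (has the app been consented in this tenant?)"
}

# 3. Add the service principal to the onboarding group unless it is already a member.
$groupId = $policy.SecurityGroupObjectId
$members = Get-AzureADGroupMember -ObjectId $groupId -All $true
if ($members.ObjectId -contains $sp.ObjectId) {
    Write-Host "Service principal '$($sp.DisplayName)' is already a member of group $groupId."
} else {
    Add-AzureADGroupMember -ObjectId $groupId -RefObjectId $sp.ObjectId
    Write-Host "Added '$($sp.DisplayName)' to onboarding group $groupId."
}
```

Run it once as an administrator and then retry the `CommitAsync` call from the tool; group membership changes are not instantaneous, so allow some time before concluding the policy was not the cause. The AADRM module has since been superseded by the AIPService module, where the equivalent cmdlets are `Connect-AipService` and `Get-AipServiceOnboardingControlPolicy`; the logic above is unchanged apart from those names.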