microsoft/Microsoft365DSC

HELP: how to deploy sensitivity labels with [SCSensitivityLabel] - specifically how to get "update" access?

GeldHades27355 opened this issue · 2 comments

GeldHades27355 commented

Hey folks,

We're trying to deploy sensitivity labels. It seems the export was successful. Here is one of them:
SCSensitivityLabel "SCSensitivityLabel-General"
{
AdvancedSettings = @(
MSFT_SCLabelSetting
{
Key = 'color'
Value = '#13A10E'
}
MSFT_SCLabelSetting
{
Key = 'isparent'
Value = 'False'
}
);
Comment = "";
ContentType = @("File, Email","Site, UnifiedGroup","SchematizedData");
Credential = $Credscredential;
DisplayName = "General";
EncryptionEnabled = $True;
EncryptionProtectionType = "removeprotection";
Ensure = "Present";
LocaleSettings = @(
MSFT_SCLabelLocaleSettings
{
LocaleKey = 'displayName'
LabelSettings = @(
MSFT_SCLabelSetting
{
Key = 'default'
Value = 'General'
}
)
}
MSFT_SCLabelLocaleSettings
{
LocaleKey = 'tooltip'
LabelSettings = @(
MSFT_SCLabelSetting
{
Key = 'default'
Value = 'Data which has no specific sensitivity and need no particular protection. There are no sharing restrictions.'
}
)
}
);
Name = "General";
Priority = 0;
SiteAndGroupExternalSharingControlType = "ExternalUserAndGuestSharing";
SiteAndGroupProtectionAllowAccessToGuestUsers = $False;
SiteAndGroupProtectionAllowEmailFromGuestUsers = $True;
SiteAndGroupProtectionAllowFullAccess = $True;
SiteAndGroupProtectionAllowLimitedAccess = $False;
SiteAndGroupProtectionBlockAccess = $False;
SiteAndGroupProtectionEnabled = $True;
SiteAndGroupProtectionPrivacy = "public";
Tooltip = "Data which has no specific sensitivity and need no particular protection. There are no sharing restrictions.";
}

However, we're completely in the dark as to how to get the right permissions to UPDATE/WRITE these to a tenant:

  1. The documentation at https://microsoft365dsc.com/resources/security-compliance/SCSensitivityLabel/ says "none" for all actions vs. Graph.
  2. And powershell says:
    PS > Get-M365DSCCompiledPermissionList -ResourceNameList 'scsensitvitylabel' -PermissionType Application -AccessType Update
    File settings.json was not found for resource {scsensitvitylabel}

Name Value

API Graph
PermissionName Organization.Read.All

How did y'all get UPDATE permissions for SCSensitivityLabel?

GeldHades27355 commented

Anyone?