Having an issue enabling Access Control for Sensitity Labels in Purview

Charley Dunn 0 Reputation points
2026-06-22T19:07:11.5166667+00:00

I have tried assigning access control to sensitivity labels in Purview that I created but I keep getting an error message:

User's image

Diagnostic information:

Diagnostic information:**{Version:1.0.2941.0,Environment:EUSPROD,DeploymentId:aks-scc-prod-eastus,InstanceId:akswpool0004x8,TrafficSlot:green,SID:4a1d6f9a-a6c5-42bd-a2db-6c41e7fa54be,CID:07f1329f-ca49-471e-81a4-b9e4fe11e55f}

Time:2026-06-22T15:33:08.544Z

This looks like a role or permissions issue, but I haven't been able to figure which role/permission I'm supposed to have. I performed the same steps in a different tenant and had no issues. Any ideas?

Microsoft Security | Microsoft Purview

2 answers

Sort by: Most helpful
  1. Manu 0 Reputation points Microsoft Employee
    2026-06-25T18:33:39.5666667+00:00

    @Charley Dunn yes, this looks like an access issue. But I doubt this would be a role missing. What is the license you are using for the service and is it still active?

    Also, try to check the Encryption side of things.
    So, first confirm licensing being active and plan as well on the user you are using.
    Install and use the powershell module AipService (Install-Module Aipservice)
    Connect-AipService # To connect
    Get-AipService # To see its status
    Get-AipServiceConfiguration # To see its configurations

    NOTE: Bear in mind that I am not suggesting for you to place the outputs here, only to confirm if the license is assigned, plan is active and service is enabled.

    Than, see if there are any restrictions with:
    Get-AipServiceOnboardingPolicy # You can have encryption settings restricted to groups or users

    Finally, If all of this is in fact enabled, try to install exchange Online module and connect to it.
    Install-Module ExchangeOnlineManagement; Connect-ExchangeOnline

    Run
    Get-IrmConfiguration
    Here, the values InternalLicensingEnabled & AzureRmsLicensingEnabled should be true
    The LicensingIntranetDistributionPointUrl from the AipConfiguration should match the LicensingLocation url on the IrmConfig

    Now, like I mentioned, these are just to check configuration but if the license is missing, disabled or deprovisioned, this can likely be the main cause, which is what I am suspecting the most due to the error.

    But try the above, one by one (including license and plan checks) and let us know the outcome

    Was this answer helpful?


  2. Manoj Kumar Boyini 17,950 Reputation points Microsoft External Staff Moderator
    2026-06-24T13:45:22.1366667+00:00

    Hi @Charley Dunn

    Based on the information provided, this does appear more consistent with a permissions or tenant configuration issue than with the sensitivity label itself, especially since the same steps work successfully in another tenant.

    A few areas worth validating:

    1. Verify the required Microsoft Purview role assignments

    Users who create and manage sensitivity labels must be assigned the appropriate Microsoft Purview role group. Depending on the task being performed, roles such as Information Protection, Information Protection Admins, or Compliance Administrator may be required. If role groups are being managed, additional role management permissions may also be necessary.

    2. Confirm the label scope and protection settings

    If you are configuring access control (encryption/permissions) on a sensitivity label, verify that the label scope includes Files & other data assets and that the protection settings are configured correctly. Access control settings rely on Microsoft Rights Management capabilities being available in the tenant.

    3. Compare tenant configuration

    Since the same configuration works in another tenant, it would be useful to compare:

    • Assigned Purview roles
    • Sensitivity label configuration
    • Label publishing policies
    • Rights Management activation and configuration
    • Licensing and compliance settings

    4. Review the exact error details

    The screenshot only shows a generic error with diagnostic information. If you can provide the full error text (or any additional details shown when expanding the error), it may help determine whether the failure is related to authorization, policy configuration, or a backend service dependency.

    To help narrow this down further, could you confirm:

    • Which role(s) are assigned to the account performing the configuration?
    • Does the issue occur for all sensitivity labels or only specific labels?
    • Is the label configured with protection/access control settings?
    • Can you provide the exact error message in addition to the diagnostic information?

    References:

    Please let us know the requested details and we'll be happy to investigate further.

    Was this answer helpful?


Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.