Sensitivity Labels & Search

Enumerate the tenant's sensitivity-label catalogue, look up the label assigned to a specific item, and run Microsoft Search KQL queries that span files, list items, lists, and sites. Search hits are filtered through the same SharePoint rules as direct reads — items the token cannot see are silently dropped.

GET/api/access/sharepoint/sensitivity-labelsBearer Token

List the Tenant's Label Catalogue

Returns every sensitivity label active in the tenant.

Required Operation

Requires read_sensitivity_labels. The catalogue is tenant-wide; it ignores Sites.Selected site scoping.

Cache per session

The catalogue rarely changes and the endpoint is cheap, but every call still consumes a tenant-wide quota. Cache the result client-side for the duration of a session.

Response 200 OK

{ 
  "labels": [ 
    { 
      "id": "8c1f1d1e-1111-2222-3333-444444444444", 
      "displayName": "Public", 
      "description": "No restrictions", 
      "color": "Green", 
      "sensitivity": 0, 
      "toolTip": "Public — share freely", 
      "isActive": true, 
      "isAppliable": true 
    }, 
    { 
      "id": "9d2f2e2f-aaaa-bbbb-cccc-dddddddddddd", 
      "displayName": "Highly Confidential", 
      "description": "Encrypted, do not share externally", 
      "color": "Red", 
      "sensitivity": 4, 
      "toolTip": "Highly Confidential", 
      "isActive": true, 
      "isAppliable": true 
    } 
  ], 
  "accessInfo": null 
}

Label Fields

Field	Type	Description
id	string	Bare GUID — no sharepoint: prefix
displayName	string?	Human label
color	string?	Green, Yellow, Orange, Red, …
sensitivity	number	Priority/severity, higher = more sensitive
isActive	bool	Whether the label is currently published
isAppliable	bool	Whether tokens can apply this label to items

GET/api/access/sharepoint/files/{fileId}/sensitivity-labelBearer Token

Get the Label Assigned to an Item

Returns the sensitivity label currently applied to a SharePoint file.

Query Parameters

Parameter	Type	Default	Description
refresh	bool	false	When true, forces Graph to re-extract the label from file content. Slow and consumes a quota call — only use when the cached value is stale.

Required Operation

Requires read_sensitivity_labels.

Response 200 OK

{ 
  "success": true, 
  "labelId": "9d2f2e2f-aaaa-bbbb-cccc-dddddddddddd", 
  "labelDisplayName": "Highly Confidential", 
  "assignmentMethod": "standard", 
  "assignedDateTime": "2026-03-02T14:11:00Z", 
  "errorMessage": null 
}

Response 404 Not Found

{ 
  "success": false, 
  "labelId": null, 
  "errorMessage": "File is not labelled or is missing." 
}

assignmentMethod values

Value	Meaning
standard	Manually applied by a user
privileged	Applied by an admin override
auto	Auto-classification rule

GET/api/access/sharepoint/searchBearer Token

Cross-entity Search (KQL)

Microsoft Search KQL query across driveItem, listItem, list, site.

Query Parameters

Parameter	Type	Default	Description
q	string	(required)	Microsoft Search KQL query. Full KQL supported (CreatedBy:, FileType:, Path:, ContentType:, fields/<col>, …).
entityTypes	comma-separated	driveItem	Subset of driveItem, listItem, list, site.
limit	int	25	Page size. Clamped to 1–25 (Microsoft Search ceiling per page).
from	int	0	Result offset, for paging beyond the first 25 hits.

Required Operation

Requires search_content. A blank or whitespace q returns 400 INVALID_QUERY.

KQL — not Lucene, not SQL

Quote-wrap queries containing spaces ("quarterly review") and use field selectors for precision: Title:"Q1", FileType:docx, ContentType:Task, fields/Status:"In Progress".

Response 200 OK

{ 
  "hits": [ 
    { 
      "entityType": "driveItem", 
      "id": "sharepoint:drive:b!…:item:01ABC…", 
      "title": "Q1 Plan.docx", 
      "summary": "Marketing plan for the first quarter…", 
      "webUrl": "https://contoso.sharepoint.com/sites/marketing/…/Q1%20Plan.docx", 
      "lastModifiedDateTime": "2026-04-21T14:21:00Z" 
    }, 
    { 
      "entityType": "listItem", 
      "id": "sharepoint:site:…:list:…:item:42", 
      "title": "Update marketing site", 
      "summary": null, 
      "webUrl": "https://contoso.sharepoint.com/sites/marketing/Lists/Tasks/DispForm.aspx?ID=42", 
      "lastModifiedDateTime": "2026-04-22T16:30:00Z" 
    } 
  ], 
  "from": 0, 
  "total": 142, 
  "moreResultsAvailable": true, 
  "accessInfo": null 
}

total is unfiltered

total reflects the unfiltered Graph hit count — items the token cannot read are dropped from hits before the response is built. Paging through from + limit chunks may yield fewer than total items. Use moreResultsAvailable as the authoritative "is there a next page" signal.