manage_sensitivity_labels
Configure and apply sensitivity labels to protect information through encryption, content marking, and classification policies in Microsoft 365.
Instructions
Manage sensitivity labels for information protection including encryption, content marking, and classification policies.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| action | Yes | Action to perform on sensitivity label (the handler shown below accepts list, get, create, update, delete, publish) | |
| labelId | No | Sensitivity label ID for specific operations | |
| displayName | No | Display name for the sensitivity label | |
| description | No | Description of the sensitivity label | |
| tooltip | No | Tooltip text for the label | |
| priority | No | Label priority (higher number = higher priority) | |
| isEnabled | No | Whether the label is enabled | |
| settings | No | Label settings | |
Implementation Reference
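// Primary handler function executing the core logic for the 'manage_sensitivity_labels' tool.
// Handles CRUD operations and publishing using Microsoft Graph
// /security/informationProtection/sensitivityLabels endpoints.

/**
 * Builds the Graph path for one sensitivity label.
 *
 * `labelId` arrives as a tool argument, so it is percent-encoded into a single
 * path segment: characters such as `/`, `?` or `#` can then not redirect the
 * request to a different Graph resource or append query options.
 */
function sensitivityLabelPath(labelId: string): string {
  return `/security/informationProtection/sensitivityLabels/${encodeURIComponent(labelId)}`;
}

/**
 * Translates the caller's `settings` object into the `labelActions` array.
 *
 * The caller-supplied fields are spread first and `@odata.type` is written
 * last, so a settings object that itself carries an `@odata.type` key cannot
 * change which action type is sent. Encryption and auto-labeling are only
 * included when their `enabled` flag is truthy.
 */
function buildLabelActions(
  settings: NonNullable<SensitivityLabelArgs['settings']>
): Record<string, unknown>[] {
  const actions: Record<string, unknown>[] = [];

  if (settings.contentMarking) {
    actions.push({
      ...settings.contentMarking,
      '@odata.type': 'microsoft.graph.contentMarkingLabelAction',
    });
  }
  if (settings.encryption && settings.encryption.enabled) {
    actions.push({
      ...settings.encryption,
      '@odata.type': 'microsoft.graph.encryptionLabelAction',
    });
  }
  if (settings.accessControl) {
    actions.push({
      ...settings.accessControl,
      '@odata.type': 'microsoft.graph.accessControlLabelAction',
    });
  }
  if (settings.autoLabeling && settings.autoLabeling.enabled) {
    actions.push({
      ...settings.autoLabeling,
      '@odata.type': 'microsoft.graph.autoLabelingLabelAction',
    });
  }

  return actions;
}

/**
 * Dispatches a sensitivity-label action to Microsoft Graph.
 *
 * @param graphClient - Graph client used for every request.
 * @param args - Tool arguments; `action` selects the operation.
 * @returns A single text content item holding the action name and the
 *   pretty-printed Graph response.
 * @throws McpError with `InvalidParams` when a required argument is missing
 *   or the action is not recognised.
 *
 * NOTE(review): confirm that the Graph endpoints used here accept the write
 * operations (POST/PATCH/DELETE) issued below; the page does not show it.
 */
export async function handleSensitivityLabels(
  graphClient: Client,
  args: SensitivityLabelArgs
): Promise<{ content: { type: string; text: string }[] }> {
  let apiPath = '';
  let result: unknown;

  switch (args.action) {
    case 'list': {
      // List all sensitivity labels
      apiPath = '/security/informationProtection/sensitivityLabels';
      result = await graphClient.api(apiPath).get();
      break;
    }

    case 'get': {
      if (!args.labelId) {
        throw new McpError(ErrorCode.InvalidParams, 'labelId is required for get action');
      }
      apiPath = sensitivityLabelPath(args.labelId);
      result = await graphClient.api(apiPath).get();
      break;
    }

    case 'create': {
      if (!args.displayName) {
        throw new McpError(ErrorCode.InvalidParams, 'displayName is required for create action');
      }
      const sensitivityLabelPayload: Record<string, unknown> = {
        displayName: args.displayName,
        description: args.description || '',
        tooltip: args.tooltip || args.description || '',
        priority: args.priority || 0,
        // A label is enabled unless the caller explicitly says otherwise.
        isEnabled: args.isEnabled !== undefined ? args.isEnabled : true,
        labelActions: args.settings ? buildLabelActions(args.settings) : [],
        applicableTo: 'EmailMessage,File',
      };
      apiPath = '/security/informationProtection/sensitivityLabels';
      result = await graphClient.api(apiPath).post(sensitivityLabelPayload);
      break;
    }

    case 'update': {
      if (!args.labelId) {
        throw new McpError(ErrorCode.InvalidParams, 'labelId is required for update action');
      }
      // Only fields the caller supplied are sent. Empty strings are skipped,
      // so this action cannot blank out a text field.
      const updatePayload: Record<string, unknown> = {};
      if (args.displayName) updatePayload.displayName = args.displayName;
      if (args.description) updatePayload.description = args.description;
      if (args.tooltip) updatePayload.tooltip = args.tooltip;
      if (args.priority !== undefined) updatePayload.priority = args.priority;
      if (args.isEnabled !== undefined) updatePayload.isEnabled = args.isEnabled;

      // Supplying `settings` replaces the whole labelActions array, so an
      // update that omits e.g. `encryption` sends a list without that action.
      if (args.settings) {
        updatePayload.labelActions = buildLabelActions(args.settings);
      }

      apiPath = sensitivityLabelPath(args.labelId);
      result = await graphClient.api(apiPath).patch(updatePayload);
      break;
    }

    case 'delete': {
      if (!args.labelId) {
        throw new McpError(ErrorCode.InvalidParams, 'labelId is required for delete action');
      }
      apiPath = sensitivityLabelPath(args.labelId);
      await graphClient.api(apiPath).delete();
      result = { message: `Sensitivity label ${args.labelId} deleted successfully` };
      break;
    }

    case 'publish': {
      if (!args.labelId) {
        throw new McpError(ErrorCode.InvalidParams, 'labelId is required for publish action');
      }
      // Create a label policy to publish the label. The policy is created as
      // non-mandatory and without a justification requirement.
      const publishPayload = {
        displayName: `${args.displayName || 'Label'} Policy`,
        description: `Policy for publishing sensitivity label`,
        labels: [args.labelId],
        settings: {
          mandatory: false,
          requireJustification: false,
        },
      };
      apiPath = '/security/informationProtection/labelPolicies';
      result = await graphClient.api(apiPath).post(publishPayload);
      break;
    }

    default:
      throw new McpError(ErrorCode.InvalidParams, `Unknown action: ${args.action}`);
  }

  return {
    content: [
      {
        type: 'text',
        text: `Sensitivity Label ${args.action} operation completed:\n\n${JSON.stringify(result, null, 2)}`,
      },
    ],
  };
}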
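// src/handlers/dlp-handler.ts:147-213 (handler)
// Alternative handler for sensitivity labels in DLP context using
// /informationProtection/policy/labels endpoints.

/**
 * Builds the Graph path for one label under /informationProtection/policy/labels.
 *
 * `labelId` is a tool argument, so it is percent-encoded into a single path
 * segment; `/`, `?` or `#` in the value can then not retarget the request.
 */
function dlpLabelPath(labelId: string): string {
  return `/informationProtection/policy/labels/${encodeURIComponent(labelId)}`;
}

// DLP Sensitivity Labels Handler
/**
 * Dispatches a DLP sensitivity-label action to Microsoft Graph.
 *
 * @param graphClient - Graph client used for every request.
 * @param args - Tool arguments; `action` selects list/get/create/update/delete.
 * @returns A single text content item with the pretty-printed Graph response.
 * @throws McpError with `InvalidParams` when a required argument is missing
 *   or the action is not recognised.
 *
 * NOTE(review): confirm that this Graph endpoint accepts the POST/PATCH/DELETE
 * requests issued below; the page does not show it.
 */
export async function handleDLPSensitivityLabels(
  graphClient: Client,
  args: DLPSensitivityLabelArgs
): Promise<{ content: { type: string; text: string }[] }> {
  let apiPath = '';
  let result: unknown;

  switch (args.action) {
    case 'list': {
      apiPath = '/informationProtection/policy/labels';
      result = await graphClient.api(apiPath).get();
      break;
    }

    case 'get': {
      if (!args.labelId) {
        throw new McpError(ErrorCode.InvalidParams, 'labelId is required for get action');
      }
      apiPath = dlpLabelPath(args.labelId);
      result = await graphClient.api(apiPath).get();
      break;
    }

    case 'create': {
      if (!args.name) {
        throw new McpError(ErrorCode.InvalidParams, 'name is required for create action');
      }
      apiPath = '/informationProtection/policy/labels';
      const labelPayload = {
        name: args.name,
        description: args.description || '',
        color: args.settings?.color || 'blue',
        sensitivity: args.settings?.sensitivity || 0,
        // The tooltip falls back to the label name when no description is given.
        tooltip: args.description || args.name,
        isActive: true,
      };
      result = await graphClient.api(apiPath).post(labelPayload);
      break;
    }

    case 'update': {
      if (!args.labelId) {
        throw new McpError(ErrorCode.InvalidParams, 'labelId is required for update action');
      }
      apiPath = dlpLabelPath(args.labelId);
      // Fields the caller left out are `undefined` here. JSON.stringify drops
      // undefined properties; presumably the client serialises the body as
      // JSON, so they would not be sent (verify against the Graph client).
      const updateLabelPayload = {
        name: args.name,
        description: args.description,
        color: args.settings?.color,
        sensitivity: args.settings?.sensitivity,
      };
      result = await graphClient.api(apiPath).patch(updateLabelPayload);
      break;
    }

    case 'delete': {
      if (!args.labelId) {
        throw new McpError(ErrorCode.InvalidParams, 'labelId is required for delete action');
      }
      apiPath = dlpLabelPath(args.labelId);
      await graphClient.api(apiPath).delete();
      result = { message: 'Sensitivity label deleted successfully' };
      break;
    }

    default:
      throw new McpError(ErrorCode.InvalidParams, `Invalid action: ${args.action}`);
  }

  return {
    content: [{ type: 'text', text: JSON.stringify(result, null, 2) }],
  };
}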
// src/tool-definitions.ts:254-262 (schema)
// Zod schema defining input parameters and validation for sensitivity label management.
//
// NOTE(review): handleSensitivityLabels switches on 'publish' and reads
// displayName / tooltip / priority / isEnabled, and the tool registration
// passes `sensitivityLabelArgsSchema.shape`. This schema instead allows
// 'apply' and declares `name` and `targetId`. Confirm which schema actually
// validates the manage_sensitivity_labels tool.

// Actions accepted by the schema below.
const SENSITIVITY_LABEL_ACTIONS = ['list', 'get', 'create', 'update', 'delete', 'apply'] as const;

// Sensitivity Label Management
export const sensitivityLabelSchema = z.object({
  action: z.enum(SENSITIVITY_LABEL_ACTIONS).describe('Sensitivity label action'),
  // Optional at schema level; any string passes, including an empty one.
  labelId: z.string().optional().describe('Sensitivity label ID'),
  name: z.string().optional().describe('Label name'),
  description: z.string().optional().describe('Label description'),
  targetId: z.string().optional().describe('Target resource ID for label application'),
  // Values are z.any(): the content of `settings` is not validated here.
  settings: z.record(z.string(), z.any()).optional().describe('Label settings and policies'),
});
// src/server.ts:1076-1096 (registration)
// MCP server tool registration for 'manage_sensitivity_labels' with schema,
// metadata annotations, and handler binding.

// The non-null assertion assumes metadata exists for this tool name.
const sensitivityLabelsMeta = getToolMetadata("manage_sensitivity_labels")!;

// Handler body: check credentials first, then delegate to the Graph handler.
const runSensitivityLabelsTool = async (args: SensitivityLabelArgs) => {
  this.validateCredentials();
  try {
    return await handleSensitivityLabels(this.getGraphClient(), args);
  } catch (error) {
    // McpError already carries a protocol error code; pass it through as is.
    if (error instanceof McpError) {
      throw error;
    }
    // Any other failure becomes an InternalError. The underlying error's
    // message is forwarded to the caller unchanged.
    const detail = error instanceof Error ? error.message : 'Unknown error';
    throw new McpError(ErrorCode.InternalError, `Error executing tool: ${detail}`);
  }
};

this.server.tool(
  "manage_sensitivity_labels",
  sensitivityLabelsMeta.description,
  sensitivityLabelArgsSchema.shape,
  sensitivityLabelsMeta.annotations || {},
  wrapToolHandler(runSensitivityLabelsTool)
);
- src/tool-metadata.ts:120-123 (schema)Tool metadata including description, title, and annotations (readOnlyHint, destructiveHint, etc.) used during registration.manage_sensitivity_labels: { description: "Manage sensitivity labels for information protection including encryption, content marking, and classification policies.", title: "Sensitivity Label Manager", annotations: { title: "Sensitivity Label Manager", readOnlyHint: false, destructiveHint: true, idempotentHint: false, openWorldHint: true }