How to list/download file blocked by DLP?

Zbig 0 Reputation points
2025-03-07T11:06:48.05+00:00

Hello. I am developing an application that uses the Graph API SDK. The application uses OAuth application access.

I am trying to download through Microsoft Graph SDK an evidence file which was blocked by Microsoft DLP.

So my need is to download files that were blocked.

As I see it, it is possible to list and download these files if I am logged in as the user who uploaded the file.

But how do I do it if I am logged in as an application?

Currently, if I list files in the drive, I see files that are not blocked. I would like to see them all (including the blocked ones).

In Microsoft Admin Entra Center my application has:

Role: Cloud Application Administrator
Permissions:

Mail.ReadWrite
SecurityEvents.Read.All
SecurityAlert.Read.All
Sites.Read.All
Directory.Read.All
SecurityIncident.Read.All
GroupMember.Read.All
Files.Read.All
Mail.Read
InformationProtectionPolicy.Read.All

Thanks.


1 answer

  1. Sonny Gillissen 3,591 Reputation points
    2025-03-09T21:42:30.3333333+00:00

    Hi Zbig,

    Thanks for reaching out on Microsoft Q&A!

    I’m afraid that, as an application, you may neither list nor download the file, as this is the nature of DLP. Data can and must not be leaked; that is why it is protected and thus can’t be downloaded by an application (as that would state a leak).

    With that said, as you do need it in your case, the only way would be to move away from application permissions and switch to delegated permissions, allowing you to impersonate the DLP user, thus enabling you to download the file through the API.

    Please click ‘Accept answer’ if you think my answer is helpful. Feel free to drop additional queries in the comments below!

    Kind regards,

    Sonny
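
The answer turns on the difference between application and delegated permissions. A client can confirm which kind of access its token carries by inspecting the claims: app-only tokens list permissions in `roles`, delegated tokens in `scp`. This is an added example, not part of the original thread; the helper names are hypothetical and the sample tokens are constructed and unsigned.

```python
import base64
import json


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token for the demo (not a real Entra token)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"


def decode_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_graph_token(token: str) -> dict:
    """Return the access type and the permissions the token carries."""
    claims = decode_claims(token)
    scopes = claims.get("scp", "").split()  # delegated: space-separated string
    roles = claims.get("roles", [])         # application: list of app roles
    if scopes:
        kind = "delegated"
    elif roles:
        kind = "application"
    else:
        kind = "unknown"
    return {"kind": kind, "permissions": sorted(scopes or roles)}


# Constructed sample claims using permission names from the question.
APP_TOKEN = make_sample_token({"roles": ["Sites.Read.All", "Files.Read.All"]})
USER_TOKEN = make_sample_token({"scp": "Files.Read.All Sites.Read.All"})

if __name__ == "__main__":
    for name, tok in (("app-only", APP_TOKEN), ("delegated", USER_TOKEN)):
        print(name, classify_graph_token(tok))
```

Because the signature is not checked, this is suitable only for debugging a token your own client obtained, never for making an authorization decision.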

