Hi, Hoping someone knows the answer.
I have a dataset/report in the service that has a sensitiviy label set, they person who created the dataset has since left and now when trying to open it you recieve the following message:
I have read https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-sensitivity-label-troubleshoo...
this says in my circumstance you can remove the sensitivity label using the admin API.
I currenlty have the Faric Administrator role so i am able is use said API, however it returns the following (i've hashed the ids out):
{
"reports": [
{
"id": "###############",
"status": "InsufficientUsageRights"
}
],
"datasets": [
{
"id": "###############",
"status": "InsufficientUsageRights"
}
]
}
My question is what rights do i need to have to be able to remove the labels and where do you grant this? I'm assuming is some sort of office 365 role?
Any help would be greatly appreciated.
Hi @StevenVF ,
According to the error message, it seems that you didn't have the sufficient privilege to remove the sensitive label. As the following official documentation referred, the following permissions are necessary when you call REST API Admin - InformationProtection RemoveLabelsAsAdmin. Please check and confirm you have these permissions...
Can't set or remove sensitivity labels using Power BI REST admin APIs
- Users must have administrator rights (such as Microsoft 365 global administrator or Fabric administrator) to call these APIs.
- The admin user (and the delegated user, if provided) must have sufficient usage rights to set or remove labels.
In addition, if no user has even these usage rights, nobody will be able to change or remove the label from the item, and access to the item is potentially endangered. To avoid this situation, the Power BI admin can enable the Allow workspace admins to override automatically applied sensitivity labels (preview) tenant setting. This makes it possible for workspace admins to override automatically applied sensitivity labels without regard to label change enforcement rules. To enable this setting, go to: Admin portal > Tenant settings > Information protection.
Relaxations to accommodate automatic labeling scenarios
Best Regards
Thanks for the reply
Yes, that is correct, i do not have the sufficient privilege to remove the sensitive label. My question is what specific right do i need to have to be able to do this. I had looked at the usage rights page you linked but was unsure what i need to ask my office 365 global admin to apply to my user.
I see this one has the right to remove protection, so i assume it's what i would need to have?
| Common name: Full Control Encoding in policy: OWNER | Grants all rights to the document and all available actions can be performed. Includes the ability to remove protection and reprotect a document. Note that this usage right is not the same as the Rights Management owner. | Office custom rights: As the Full Control custom option. Name in the Azure classic portal: Full Control Name in the Microsoft Purview compliance portal and Azure portal: Full Control (OWNER) Name in AD RMS templates: Full Control API constant or value: MSIPC: IPC_GENERIC_ALL L"OWNER" MIP SDK: OWNER |
Also, my tenant settings seem to be slightly different to what you posted, i did look at this and tried it prior to this post but it did not allow be to change anything. Mine states automatically applied labels by Fabric, your just says protection labels:
Not sure why they are different.
Helpful resources
Fabric Community Update - July 2025
Find out what's new and trending in the Fabric community.
Power BI Monthly Update - July 2025
Check out the July 2025 Power BI update to learn about new features.
