We are calling MS Graph API endpoints that require metered API to be enabled (e.g. assignSensitivityLabel). Microsoft.GraphServices/accounts resource for our app has been created according to documentation. Call is working fine when we use client credentials flow, but it returns 402 Payment Required error in case we use on-behalf-of flow.

In both flows we pass our app id as client_id and set scope to https://graph.microsoft.com/.default.

App token has following claims:

{
  "aud": "https://graph.microsoft.com/.default",
  "iss": "https://sts.windows.net/{tenantId}/",
  "idp": "https://sts.windows.net/{tenantId}/",
  "appid": "{applicationId}",
  "idtyp": "app",
  "roles": [
    "Sites.Selected",
    "Sites.ReadWrite.All",
    "Mail.Send"
  ],
  "tid": "{tenandId}"
}

User token:

{
  "aud": "https://graph.microsoft.com/.default",
  "iss": "https://sts.windows.net/{tenantId}/",
  "idp": "https://sts.windows.net/{tenantId}/",
  "appid": "{applicationId}",
  "idtyp": "user",
  "scp": "Group.Read.All Sites.ReadWrite.All Sites.Selected User.Read User.Read.All profile openid email",
  "tid": "{tenandId}"
}

Error returned by assignSensitivityLabel endpoint when invoked with user JWT is:

{
  "error": {
    "code": "paymentRequired",
    "message": "Payment Required. Ensure that your application is able to call this premium API.For details see https://aka.ms/graph-metered-overview"
  }
}

Interesting that we are able to invoke https://{tenantId}.sharepoint.com/_api/v2.1/drives/{driveId}/items/{itemId}/setSensitivityLabel with user JWT that we specifically obtain for SharePoint API via on-behalf-of flow. That call doesn’t return any errors.

Any ideas how to get it working with on-behalf-of flow?