Share via

Microsoft Graph Word-to-PDF conversion returning 406 for one user when file has Sensitivity Label

Kuldeep Raj Tiwari 51 Reputation points
2025-08-14T07:06:45.15+00:00

We are using the Microsoft Graph API to convert Word documents to PDF using the /drive/items/{item-id}/content?format=pdf endpoint.

Scenario:

  • Tenant X has two users: User A and User B. and both are owners in the concerned group.
  • The same Word document is stored in OneDrive/SharePoint.
  • The document has a Microsoft Purview Sensitivity Label applied with no encryption enabled.
  • User A can successfully convert the document to PDF via Microsoft Graph.
  • User B, from the same tenant, gets the following error: Response Headers: 
      {
  "x-correlationid":"f4f8baa1-2086-0000-79d4-7374f3d73803.fea7d1d2-fd1a-4ff4-ac83-396420a0e6bf",
  "x-errorcode":"OfficeConversion_DocumentProtected",
  "x-errortype":"Expected"
  }

      {"error":{   "code": "notSupported",   "message": "Error from Office Service. Url=

Questions:

Does the 406 indicate that the applied sensitivity label is blocking the PDF export for certain users?

Could it be related to the label’s encryption settings or export permissions?

Is there a way to allow conversion via Graph for all authorized viewers without removing or downgrading the label?

  1. Is there any diagnostic method to verify exactly which sensitivity label setting or policy is causing the block?

Expected Behavior:
If the user has access to view the file, and the sensitivity label policy permits it, the conversion to PDF should succeed for both users.

Microsoft Security | Microsoft Purview
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sina Salam 22,886 Reputation points Volunteer Moderator
    2025-08-14T11:52:21.91+00:00

    Hello Kuldeep Raj Tiwari,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that your Microsoft Graph Word-to-PDF conversion returning 406 for one user when file has Sensitivity Label.

    This error is not just a generic failure, it specifically indicates that the document is protected by a Microsoft Purview sensitivity label, and the Office conversion service cannot process it for export. Even if encryption is not explicitly enabled in the label, certain configurations such as export restrictions or scoped label policies can still block automated conversions. This is a known limitation of the Graph API's /content?format=pdf endpoint.

    Therefore, the reason User A can convert the document while User B cannot is likely due to label policy replication delays or mismatches. Sensitivity labels may not have fully propagated to User B’s client or Graph API context. Additionally, User B might lack the necessary decryption certificate or token, even if they can view the document in Office apps. This discrepancy is common when label policies are scoped to specific groups or users and not uniformly distributed.

    To diagnose this issue, start by using Graph Explorer to run GET /me/security/informationProtection/sensitivityLabels for both users. This will confirm whether the label is available and applicable to each user. Next, use PowerShell to check label policy distribution with Get-LabelPolicy -Identity "YourPolicyName" and ensure the DistributionStatus is Success. If User B’s client is out of sync, use the Unified Labeling Support Tool to reset the label cache and verify certificate availability:

    Install-Module UnifiedLabelingSupportTool
UnifiedLabelingSupportTool -Reset Default

    Also, verify certificate presence with:

    $request = [System.Net.HttpWebRequest]::Create("https://admin.na.aadrm.com/admin/admin.svc")
$request.GetResponse().ServicePoint.Certificate.Issuer

    If conversion is essential and encryption is blocking it, consider creating a duplicate sensitivity label without encryption and applying it programmatically using Graph API or Power Automate. - https://community.powerplatform.com/forums/thread/details/?threadid=cdcf8c21-b1e3-ef11-a731-6045bddc79f7

    Alternatively, if the label must remain encrypted, use Word Online to manually download the document as PDF via File > Save As > Download as PDF. This method retains sensitivity metadata and bypasses the Graph API limitation.

    Finally, Microsoft Graph API cannot completely convert encrypted documents to PDF due to service limitations. Even if a user can view the document, Graph API requires decryption rights, which may not be granted by the label policy. Sensitivity labels are also stripped during conversion, which is another limitation to consider. For automation, use non-encrypted labels or browser-based export methods to ensure consistent results across users.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

    0 comments
  2. Pratyush Vashistha 1,055 Reputation points Microsoft External Staff Moderator
    2025-08-14T13:22:07.1433333+00:00

    Hello Kuldeep Raj Tiwari,

    Thanks for Posting your query over Microsoft QnA!

    Thank you Sina Salam to promptly responding to the question, In addition to the Sina Salam's response, which is a spot on, Microsoft Purview Sensitivity Labels can impose export-and-copy restrictions even when “encryption” is turned off. The Microsoft Graph service respects these restrictions. In this specific case, the Sensitivity Label’s rights management (RMS) sub-policy does not grant content export (PDF conversion) permissions to User B. Meanwhile,

    User A either:

    • Belongs to a security group or Entra ID role that the label policy explicitly allows to export content, or
    • Is an “excepted” principal under the label policy, while User B is not.

    This is why the Graph API returns the OfficeConversion_DocumentProtected error for User B.

    Kuldeep Raj Tiwari, you can also consider the following steps as well which may help you to overcome this issue.

    Review and adjust the Sensitivity Label’s export permissions to include User B or the group they belong to, without removing or downgrading the label:

    1. Purview Compliance Center: a. Sign in to the Microsoft Purview compliance portal: https://compliance.microsoft.com/labelpolicies b. Under “Solutions,” select Information protectionLabels. c. Locate and edit the label applied to your document. d. Expand Protect (Rights management) settings. e. Under Assign permissions, ensure that the security group or Azure AD role containing User B has the “Export content / Copy content” permission.
      • If you don’t see an explicit “Export content” checkbox, it’s usually controlled by the Rights Management template used—such as “Do Not Forward” or “View Only” which block export. Switch to or customize a template that permits export. f. Save the changes to the label, then Publish or update the label policy so that changes propagate across the tenant.

    Following these steps should help User B gain permission to export the document as PDF via Microsoft Graph, while maintaining the protective capabilities of the Sensitivity Label.

    Do let us know in case of related queries or other inputs.

    Please "Accept as Answer by clicking YES" if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.

    Thanks

    Pratyush

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.