This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I have reviewed just about every Microsoft document and tried to use Co-Pilot to resolve. I am able to get a token, using the scope=https://api.security.microsoft.com/.default. Just can't get passed this error ""Missing application roles. API required roles: Alert.Read.All,Alert.ReadWrite.All, application roles: Incident.Read.All,AdvancedHunting.Read.All."
I have set the permissions
| DefenderAPIApp (1) | |||||
|---|---|---|---|---|---|
| DefenderAPIApp (1) | |||||
| Read.files | Delegated | Read user Files | Yes | Granted for Cyber Risks Services | |
| Microsoft Graph (3) | |||||
| Application.Read.All | Delegated | Read applications | Yes | Granted for Cyber Risks Services | |
| Application.ReadUpdate.All | Delegated | Read and update all apps | Yes | Granted for Cyber Risks Services | |
| Application.ReadWrite.All | Delegated | Read and write all applications | Yes | Granted for Cyber Risks Services | |
| Microsoft Threat Protection (2) | |||||
| AdvancedHunting.Read.All | Application | Run advanced hunting queries | Yes | Granted for Cyber Risks Services | |
| Incident.Read.All | Application | Read all incidents | Yes | Granted for Cyber Risks Services | |
Protection against phishing, malware, and other threats targeting email and collaboration tools in Microsoft 365
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 30%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
Your scope is not correct, you are using https://api.security.microsoft.com/.default but you should use https://api.securitycenter.microsoft.com/.default instead. Note that this is not the same as the API endpoint URL which can be one of the regional servers as listed here.
Which endpoint/method are you querying, can you share a sample request? Sometimes the documentation can be incorrect, and not only with regards to permissions. For this specific scenario, you'd likely need to consent to the permissions returned in the error message. If you share the request/endpoint, we can confirm whether this is indeed needed/test on our end as well.
Also, can you clarify the context you are running with? The info above shows a mix of delegate and application permissions, so it's not clear which ones are relevant to the task at hand. Keep in mind that for delegate permissions you might need to also assign an admin role to the principal used.
I appreciate your support -- as this has been driving me crazy.
https://us.api.security.microsoft.com/api/alerts?`$top=10
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-H "Authorization: Bearer " & $AccessToken & "
I have admin and global rights -- but I also can remove the delegate roles, as I was just reaching.
I also noticed in the Microsoft Defender portal that the device is be Managed by Intune and not MDE. Is this correct?
Right, so for the endpoint in question you'd need either the Alert.ReadWrite.All application permission (if running without a signed in user) or the Alert.ReadWrite delegate one, if running in the context of a user. Those are permissions for the WindowsDefenderATP resource.
Neither permission seems to be granted to the app, according to what you've shared in the initial post. Make sure to add the appropriate role/scope, consent to it, request a new token and rerun the request. When adding the permission, go to APIs my organization uses > search for WindowsDefenderATP, then select the corresponding type and the permission itself.
To be clear, you don't need to add both the delegate and application permissions, just the one type corresponding to the context you are using.
When assigning permission from WindowsDefenderATP, should I use the applications permissions or delegated?
| DefenderAPIApp (1) | |||||
|---|---|---|---|---|---|
| DefenderAPIApp (1) | |||||
| Read.files | Delegated | Read user Files | Yes | Granted for Cyber Risks Services | |
| Microsoft Graph (3) | |||||
| Application.Read.All | Application | Read all applications | Yes | Granted for Cyber Risks Services | |
| Application.ReadUpdate.All | Application | Read and update all apps | Yes | Granted for Cyber Risks Services | |
| Application.ReadWrite.All | Application | Read and write all applications | Yes | Granted for Cyber Risks Services | |
| Microsoft Threat Protection (2) | |||||
| AdvancedHunting.Read.All | Application | Run advanced hunting queries | Yes | Granted for Cyber Risks Services | |
| Incident.Read.All | Application | Read all incidents | Yes | Granted for Cyber Risks Services | |
| WindowsDefenderATP (2) | |||||
| Alert.Read | Delegated | Read alerts | Yes | Granted for Cyber Risks Services | |
| Alert.ReadWrite | Delegated | Read and write alerts | Yes | Granted for Cyber Risks Services |
still getting -- {
"error" :
{
"code" : "Forbidden",
"message" : "Missing application roles. API required roles: Alert.Read.All,Alert.ReadWrite.All, application roles: Incident.Read.All,AdvancedHunting.Read.All.",
"target" : "|edb5e38b-4275b0460c4a3280.1."
}
}
Delegate and application permissions cannot be used interchangeably, you need to use the ones corresponding to the selected authentication flow. It looks like you are using the client credentials flow (authenticating via certificate or client secret), in which case you need to add (and consent to) application permissions, not delegate ones.
I replaced them with application permissions. It did not change the outcome. Should app roles be defined with the api app --
No, app roles do not matter here. Did you make sure that consent is granted to the newly added permissions and get a fresh new token? Please also check whether the decoded token reflects the permissions, you can use tools such as jwt.ms to get it in readable format.
This is the decoded token. I will request a new certificate after you review:
{
"typ": "JWT",
"alg": "RS256",
"x5t": "rtsFT-b-7LuY7DVYeSNKcIJ7Vnc",
"kid": "rtsFT-b-7LuY7DVYeSNKcIJ7Vnc"
}.{
"aud": "https://api.security.microsoft.com",
"iss": "https://sts.windows.net/3a5a056f-ce3d-45c8-ad5b-dc35844d9247/",
"iat": 1765309502,
"nbf": 1765309502,
"exp": 1765313402,
"aio": "k2JgYNiYOzvStP+9vMX5knMPWjnLAA==",
"app_displayname": "DefenderAPIApp",
"appid": "957a3af2-7233-409b-8a13-f95db1b1c1bd",
"appidacr": "1",
"idp": "https://sts.windows.net/3a5a056f-ce3d-45c8-ad5b-dc35844d9247/",
"idtyp": "app",
"oid": "19c43a20-11a3-48c6-9a02-f43358a432a3",
"rh": "1.AW8AbwVaOj3OyEWtW9w1hE2SR6396I408kNCjzsVwpSEN0DRAABvAA.",
"roles": [ "Incident.Read.All", "AdvancedHunting.Read.All" ],
"sid": "00b88279-8ab5-e194-a6cf-595d9a3b3ff2",
"sub": "19c43a20-11a3-48c6-9a02-f43358a432a3",
"tenant_region_scope": "NA",
"tid": "3a5a056f-ce3d-45c8-ad5b-dc35844d9247",
"uti": "ntjcHkOyB0yTiqGBV_BJAA",
"ver": "1.0", "xms_act_fct": "3 9",
"xms_ftd": "WCIameOeAoDF9OSes-8ggetfF95lW9xSG6zF9YxA1IQBdXNzb3V0aC1kc21z",
"xms_idrel": "7 12",
"xms_rd":"0.42LlYBJizBcS4WAXEii4wJK9f0mB98YdgaLCmz_sA4pyCgmUvmS643LIxq3rTIjEORdVf6Aoh5DA2r8v-kw-OTv1W4semtJi7gAA",
"xms_sub_fct": "3 9"
}.[Signature]
I don't see the required permissions listed under the Roles claim. Make sure that you have granted admin consent after adding them for your application registration, and request a new token.
I granted the permissions again: Check the below --
Some good news -- I limited my query tohttps://us.api.security.microsoft.com/api/incidents
And I got a response -- every other query fails
I found the issue -- although all the Microsoft documentation leans toward Microsoft's Threat Protection API, the one that actually works is Microsoft's Graph.
The Microsoft Graph Security API is a more complete and modern interface compared to the legacy Microsoft Threat Protection (MTP) APIs, offering a unified, extensible, and scalable solution for threat detection, investigation, and response. Microsoft 365 Defender APIs, are also now integrated under Microsoft Graph Security API.
The Graph Security API is effectively the next-generation evolution of Microsoft Threat Protection’s APIs, combining security alerts, incidents, threat intelligence, advanced hunting, and response actions into one unified, extensible platform. For new development, Microsoft recommends using Graph.
- Graph delivers comprehensive capabilities:
- **Alerts + Incidents**
- **Threat intelligence** (indicators, URLs, domains)
- **Advanced hunting** via KQL
- **Security actions** to remediate threats
- **Threat intelligence** APIs (articles, IoCs, host metadata) [[learn.microsoft.com]](https://learn.microsoft.com/en-us/graph/security-concept-overview), [[learn.microsoft.com]](https://learn.microsoft.com/en-us/graph/api/resources/security-threatintelligence-overview?view=graph-rest-1.0), [[learn.microsoft.com]](https://learn.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-beta)
- MTP evolved with separate APIs for incidents and hunting, but lacked combined coverage with unified alerts, threat intelligence, and orchestration actions. [[techcommun...rosoft.com]](https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/say-hello-to-the-new-microsoft-threat-protection-apis/1669234)
#### 3. **Ecosystem Integration and Extensibility**
- Graph supports third-party security providers through the **Security API connector model**, allowing partners to contribute alerts and indicators into the Graph Security ecosystem. [[learn.microsoft.com]](https://learn.microsoft.com/en-us/graph/security-concept-overview), [[learn.microsoft.com]](https://learn.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-beta)
- MTP APIs were focused on Microsoft solutions only.
### ✅ Summary
The Graph Security API is effectively the **next-generation evolution of Microsoft Threat Protection’s APIs**, combining security alerts, incidents, threat intelligence, advanced hunting, and response actions into **one unified, extensible platform**. For new development, **Microsoft recommends using Graph**.
- Use **Graph Security API** for integrated, cross-solution querying, incident management, threat intelligence, and response orchestration.
``` - The legacy MTP APIs are still available, but primarily for backward compatibility. Graph is the strategic longer-term solution. [[learn.microsoft.com]](https://learn.microsoft.com/en-us/graph/security-concept-overview), [[techcommun...rosoft.com]](https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/say-hello-to-the-new-microsoft-threat-protection-apis/1669234)
To resolve the "Missing application roles" error, ensure that your application has the required permissions correctly set in the Azure portal. Based on your description, it seems you need to verify that the following roles are assigned to your application:
Make sure that these permissions are granted at the application level and that you have consented to them. After setting the permissions, you may need to re-authenticate to obtain a new token that includes these permissions.
If you continue to face issues, double-check the scopes you are using when acquiring the token to ensure they match the required permissions for the API you are trying to access.