Microsoft Defender for Endpoint - Security Graph API

Question

Microsoft Defender for Endpoint - Security Graph API

Mohammed Ally 40

trying to make API calls to the Security Graph API to retrieve security alerts. ERROR: The remote server returned an error: (403) Forbidden.. I granted Admin Consent to the scopes requested. when I make API calls to get my profile info etc. it works, only security data shows the permission error.

CarlZhao-MSFT 46,366 Reputation points

2023-04-24T02:16:34.35+00:00

Hi @Mohammed Ally

Use jwt.ms to decode your access token and share screenshots.
Mohammed Ally 40 Reputation points

2023-04-24T03:19:45.3833333+00:00

Hi, Here is a screenshot

Accepted answer

0 additional answers

Your answer

CarlZhao-MSFT 46,366 Reputation points

2023-04-24T02:16:34.35+00:00

Hi @Mohammed Ally

Use jwt.ms to decode your access token and share screenshots.
Mohammed Ally 40 Reputation points

2023-04-24T03:19:45.3833333+00:00

Hi, Here is a screenshot

Answer 1

CarlZhao-MSFT 46,366

Hi @Mohammed Ally

The audience of your access token is not the graph API, which causes the graph permission you grant to your application in Azure AD to not be mapped to the token.

Go to Azure AD>App registrations > find your app >API permissions.

Then change the scope to https://graph.microsoft.com/.default when getting the access token.

Decode token:

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

Mohammed Ally 40 Reputation points

2023-04-24T12:28:51.3+00:00
Hi, I was able to correct my request by including the scope, as shown in the screenshot below, and get back a token with audience https://graph.microsoft.com

Decoded token:

When I use the token, I'm receiving an unauthorized message.

{ "error": { "code": "Unauthorized", "message": "Invalid Authorization payload.", "target": "|905d5b7f-4ac58d91c74f027f." } }

App has all the required permissions.
CarlZhao-MSFT 46,366 Reputation points

2023-04-25T03:35:43.0733333+00:00

Hi @Mohammed Ally

You are currently granting delegated permissions, so you should use a delegated authentication flow to obtain an access token, such as auth code flow or ROPC flow.

If you use the daemon-based client credentials flow to obtain an access token, then you should grant the application permissions, as I said in the answer.
Mohammed Ally 40 Reputation points

2023-04-26T02:46:28.93+00:00
Hi @CarlZhao-MSFT,

application permissions granted.

got a new access token:

still receiving the Unauthorized response.

{ "error": { "code": "Unauthorized", "message": "Invalid Authorization payload.", "target": "|3d60213a-4ce5cc29780114ee." } }
CarlZhao-MSFT 46,366 Reputation points

2023-04-26T03:06:11.7566667+00:00

Hi @Mohammed Ally

Which API endpoint are you calling? Is it https://graph.microsoft.com/v1.0/security/alerts_v2? See: https://learn.microsoft.com/en-us/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http.
Mohammed Ally 40 Reputation points

2023-04-26T03:08:33.16+00:00

Hi @CarlZhao-MSFT,

that fixed it! Thank you!!!
CarlZhao-MSFT 46,366 Reputation points

2023-04-26T06:37:26.8433333+00:00

Hi @Mohammed Ally

Good to know it's working now. If my answer is helpful to you, you can click "Accept Answer", this may help members with similar questions, thank you very much!

Share via

Microsoft Defender for Endpoint - Security Graph API

0 additional answers

Your answer