This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 28.000000000000004%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI%3C/text%3E%3C/svg%3E)
I have a Microsoft Defender ATP application that has "Microsoft threat protection.
AdvancedHunting.Read.All" however, when I'm trying to reach the following endpoint: https://api.security.microsoft.com/api/advancedhunting I'm encountering an error that claims I don't have the permission mentioned above.
Also, Putting my bearer token on JWT yields the same result - the permission is missing..
Any idea why I can't see this permission as part of my token's permissions?
Hi @itay4
Is there anything else I can help you with regarding this issue? If you still need further help, please feel free to let me know. If your question has been solved, then you can click "Accept Answer", which may help members with similar questions find the answer easily. Thank you very much!
Carl
AdvancedHunting.Read.All is an application permission, meaning you need to obtain a token via the client credentials flow. If you are using the any of the flows corresponding to delegate permission flows, you will not see it reflected in the token.
Similarly, make sure you are using the correct endpoint when obtaining the token, i.e. if your app is leveraging multiple APIs/resources, you will have to request a token for each of them separately.
I'm working with client creds flow so I'm expecting to get app permissions.
The thing is, I'm trying to execute queries (for example: "AlertInfo | limit 1") Via https://api.securitycenter.microsoft.com/api/advancedqueries but i'm failing with the following error: "Failed to resolve table or column expression named 'AlertInfo'. Fix semantic errors in your query."
Doing some research online I found that either my issue is with missing permissions or there's a known issue with not all tables being supported Via the URL mentioned above and that I should try this URL instead: https://api.security.microsoft.com/api/advancedhunting.
I believe the second option is my issue since I'm able to hunt other tables.
So..
Hi @itay4
You may not have granted AdvancedHunting.Read.All permission to the application. Note that you need to grant this permission under the Microsoft Threat Protection resource, not the Microsoft Graph resource.
On your application page, select API Permissions > Add permission > APIs my organization uses >, type Microsoft Threat Protection, and select Microsoft Threat Protection.
See: How to access Microsoft 365 Defender in application-only context.
Hope this helps.
If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
I do have this permission under MS threat protection already, the issue is that I can't see it on my token and I'm getting errors for this one being missed
Already tested on JWT, can't see the permission mentioned above even though I can see it in the Azure portal UI: Screenshot 2023-10-04 at 12.43.03.png
Hi @itay4
This is because you did not obtain an access token for the Microsoft 365 Defender API. In other words, the current token's audience is not https://api.security.microsoft.com and the easiest way is to check the token aud claim.
To solve this problem, when obtaining the access token, change value of the scope to: https://api.security.microsoft.com/.default to obtain the access token for the Microsoft 365 Defender API.
BTW, don't try to get the same token for multiple different API resources. Each token can only be specific to one API resource.
Not sure I understand exactly where and how to do so.
Sorry, duplicated message.
What I mean is, when calling the /token endpoint to obtain the access token for the Microsoft 365 Defender API, have you set the value of the scope/resource field in the request body to: https://api.security.microsoft.com/.default?
Permission granted:
Request token endpoint:
Decode the token:
It worked, Thx!
Hi @itay4
Good to know it works! If my answer helped you, don't forget to click the "Accept Answer" button, it may help members of the community with similar questions find the answer easily. Thank you very much!
Carl
Hi @itay4
Please don't forget to Accept as answer if the reply is helpful.