Regarding Graph API

Brijesh Kumar CS 20 Reputation points
2023-12-28T11:52:40.91+00:00

Hi Team, I am trying to integrate Microsoft Defender with the TheHive tool. For the same I am using the Microsoft Graph API. I have registered TheHive as an app in Azure, then created a secret key and set permission to read all the security alerts and security incidents. I also created the access token using Postman. Then when I tried to use the link "https://graph.microsoft.com/v1.0/security/incidents" to get incidents, it shows the below error. Please help me to sort it out.


    "error": {
        "code": "Unauthorized",
        "message": "Unauthorized request - Account is not provisioned.",

What I am trying to do is have all new Defender alerts come to the TheHive alert page.

Microsoft Security Microsoft Graph

2 answers

  1. Catherine Kyalo 1,930 Reputation points Microsoft Employee
    2024-02-14T13:38:45.72+00:00

    "Unauthorized request - Account is not provisioned" typically occurs when the user or SP does not have the necessary permissions to access the resource, or the account is not properly set up.

    Please try below:

    1. Check the permissions of your app registration in the Azure portal. Make sure you have granted the appropriate Graph API permissions (SecurityEvents.ReadWrite.All for example). Remember to grant admin consent for these permissions if needed.
    2. Make sure you have assigned a role to the service principal (application) in Defender for Cloud (previously Azure Security Center).
    3. Ensure the user or service principal is assigned to a security group with the necessary permissions to access the Microsoft Defender incidents and alerts.
    4. Verify your token in https://jwt.ms/ to make sure it has necessary roles/permissions.
    5. Ensure the account you are using is provisioned for Microsoft Defender and has the necessary roles to read security incidents.

    It's also worth noting that Microsoft Graph's security API (including the /security/incidents endpoint) is currently in beta, and its behavior may change in the future.

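Putting the steps from the question (app registration, client secret, token, GET /security/incidents) and item 4 of the answer above (inspect the token as jwt.ms does) into runnable form, as an added example that is not code from the original thread, TheHive or Microsoft: it builds the client-credentials token request, decodes the token payload without verifying it to confirm the application roles that /security/incidents and /security/alerts_v2 require, and, when the call fails, reports whether those roles were present, so a missing-consent problem can be told apart from the "Account is not provisioned" response. The tenant/client placeholders, the unsigned demo token, the fake openers and the error body are constructed for offline use; the endpoints, scope and permission names are Microsoft Graph's.

```python
"""Pre-flight checks for reading Microsoft Graph /security/incidents with an app-only token.

Added example; not code from the original thread, TheHive or Microsoft.
Assumes an Entra app registration used with the client-credentials grant.
"""
import base64
import io
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH_AUD = "https://graph.microsoft.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Graph's app ID; also appears as aud
INCIDENTS_URL = "https://graph.microsoft.com/v1.0/security/incidents"
# Application permissions for the two endpoints the thread uses (either member of each pair).
REQUIRED_ROLE_SETS = {
    "incidents": ("SecurityIncident.Read.All", "SecurityIncident.ReadWrite.All"),
    "alerts_v2": ("SecurityAlert.Read.All", "SecurityAlert.ReadWrite.All"),
}


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the client-credentials grant.
    The '.default' scope requests every application permission an admin has consented to."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_token(access_token):
    """Decode the JWT payload WITHOUT signature verification (what jwt.ms shows you).
    Inspection only: never use this to accept a token."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    roles = set(payload.get("roles", []))
    missing = [name for name, options in REQUIRED_ROLE_SETS.items()
               if not roles.intersection(options)]
    return {"aud_ok": payload.get("aud") in (GRAPH_AUD, GRAPH_APP_ID),
            "roles": sorted(roles), "missing": missing}


def classify_graph_error(body_text, token_report):
    """Combine the Graph error body with the token inspection into one diagnosis line."""
    try:
        err = json.loads(body_text).get("error", {})
    except ValueError:
        err = {"code": "?", "message": body_text[:200]}
    code, msg = err.get("code", "?"), err.get("message", "")
    if token_report["missing"] or not token_report["aud_ok"]:
        return (f"{code}: {msg} | token problem: aud_ok={token_report['aud_ok']}, "
                f"missing application roles for {token_report['missing']} (grant and admin-consent them)")
    if "not provisioned" in msg.lower():
        return (f"{code}: {msg} | token carries the required roles, so consent is not the cause; "
                "look at the tenant side (Defender workload licensing/onboarding)")
    return f"{code}: {msg}"


def fetch_incidents(access_token, opener=urllib.request.urlopen, max_pages=5):
    """GET /security/incidents, following @odata.nextLink; on an HTTP error return the diagnosis."""
    report = inspect_token(access_token)
    incidents, url, pages = [], INCIDENTS_URL + "?$top=50", 0
    while url and pages < max_pages:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}",
                                                   "Accept": "application/json"})
        try:
            page = json.loads(opener(req).read())
        except urllib.error.HTTPError as e:
            return {"ok": False, "status": e.code,
                    "diagnosis": classify_graph_error(e.read().decode(), report)}
        incidents.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
        pages += 1
    return {"ok": True, "incidents": incidents, "token": report}


# ---- constructed test doubles for offline use (not real Graph traffic) ----
def make_unsigned_demo_token(roles, aud=GRAPH_AUD):
    """Unsigned header.payload. token with the given roles; demo only, would never pass Graph."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'aud': aud, 'roles': list(roles)})}."


CONSTRUCTED_401 = json.dumps({"error": {"code": "Unauthorized",
                                        "message": "Unauthorized request - Account is not provisioned."}}).encode()


class _FakeResp:
    def __init__(self, data):
        self._data = data

    def read(self):
        return self._data


def fake_opener_401(req):
    raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, io.BytesIO(CONSTRUCTED_401))


def fake_opener_ok(req):
    return _FakeResp(json.dumps({"value": [{"id": "1", "displayName": "constructed incident"}]}).encode())


if __name__ == "__main__":
    url, body = build_token_request("<tenant-id>", "<client-id>", "<client-secret>")
    # Real use: token = json.loads(urllib.request.urlopen(urllib.request.Request(url, data=body)).read())["access_token"]
    token = make_unsigned_demo_token(["SecurityAlert.Read.All"])  # deliberately lacks the incident role
    print(inspect_token(token))
    print(fetch_incidents(token, opener=fake_opener_401)["diagnosis"])
```

With a real token, replace the fake opener with the default `urllib.request.urlopen`; the diagnosis line then tells you immediately whether the `roles` claim is the problem (grant and admin-consent the missing permission, then request a fresh token) or whether, as in the thread, the token is correct and the failure lies outside the app registration.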

  2. Alex Mandersloot 0 Reputation points
    2024-10-21T08:12:10.34+00:00

    I've encountered this issue as well, and will share my experience here.

    We've had to connect to multiple clients' Azure tenants through the Graph API. Our goal was to read their incidents and alerts. Specifically, we needed to query the "alerts_v2" and "incidents" endpoints. This is where we got this cryptic error.

    It was certainly not permission-related. We checked all required permissions and ensured they were provided to the Microsoft App we were using. They were. Additionally, we were able to query "alerts" endpoint (deprecated as of now), but not "alerts_v2" and "incidents".

    We got into contact with Microsoft about this problem, or at least their Indian delegated tech support "Convergys". I've had to set up numerous calls, screenshares, etc., only for them to tell me ultimately:

    "After going through the details, we could see that you hold the License for Microsoft Defender for O365. And we are from Microsoft Defender for Endpoint Team. To get your issue resolved, I will be routing case to the dedicated team and they will reach out to you accordingly."

    Not only did they waste my time, but additionally their conclusion that this is Defender for O365 (or any defender, for that matter) related is completely wrong. The alerts/incidents endpoints are specifically for getting all alerts/incidents, i.e. Defender for Endpoint, Defender for Office, Identity Protection, and so on.

    At this point we escalated within Microsoft to get decent support. They put another team on the issue. After much deliberation, they came back with "You will need a Microsoft Defender Endpoint license to use the graph query." Again, completely false, which I pointed out as per above. Microsoft reviewed the issue, and after a month came back with the same answer.

    Overall a terrible support experience. If you ever thought you didn't know Microsoft, fear not, Microsoft themselves don't know Microsoft either.

    In the end, however, we did get the Graph API working. I have no idea how. Over time, one after another, the connectors just magically seemed to fix themselves. We have not changed anything related to the application and its permissions. I cannot give a better answer to this question other than to wait. Funny how in the end the connector is working, still without a Defender for Endpoint license.

