Permissions issue for advanced Hunting in logic app

Jérôme 90 Reputation points
2024-04-24T08:46:32.6833333+00:00

Hello,

I'm trying to run Advanced Hunting module for Microsoft defender in logic app. But i'm getting the following error message.

{
  "error": {
    "code": "Forbidden",
    "message": "Missing application roles. API required roles: AdvancedQuery.Read.All, application roles: .",
    "target": "|d589824e-45e6bfa012f6d86a."
  }
}
  • I have tried to use user managed identity and give him permissions with built-in role or Enterprise applications permission assignment.
  • the same thing with system assigned identity.

What I'm missing ?

Azure Logic Apps
Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
2,855 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Deepanshu katara 5,060 Reputation points
    2024-04-24T09:12:52.9933333+00:00

    Hi Jerome ,

    I think you need to add required permission for your Azure AD application registration associated with your Logic App.

    To ensure that your Logic App has been granted the necessary application permissions to access the Advanced Hunting API, particularly the "Application.Read.All" permission, you'll typically need to follow these steps:

    Azure AD Application Registration:

    • Navigate to the Azure Active Directory portal.
    • Find and select the Azure AD application registration associated with your Logic App.
    • API Permissions:
    • Within the Azure AD application registration, locate the "API permissions" or "Permissions" section.
    • Add a new permission and select "Microsoft Graph" as the API.
      • In the "Select permissions" pane, search for and select the "Application.Read.All" permission.
      • Save the changes.

    Grant Admin Consent:

    • After adding the permission, you might need to grant admin consent to apply the permissions globally. This ensures that all users and applications associated with the Azure AD tenant can access the Advanced Hunting API with the specified permission.
    • Access Token Acquisition in Logic App:
      • Ensure that your Logic App is acquiring an access token with the necessary scopes, including "Application.Read.All", to access the Advanced Hunting API. This typically involves configuring an Azure AD connector or an HTTP connector to acquire an access token with the required permissions.
      Testing:
      • Test your Logic App to ensure that it can successfully access the Advanced Hunting API and perform the desired actions without encountering permission errors.

    Image and doc for ref

    User's image

    https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview?WT.mc_id=Portal-Microsoft_AAD_RegisteredApps

    Kindly check and accept if it helps, Thanks

  2. Jérôme 90 Reputation points
    2024-04-29T16:55:11.3266667+00:00

    In fact, I'm just an idiot! The only thing that I needed was to create a SPN with appropriate permissions and to connect the module in logic app with Service principal.

    0 comments