This answer was generated in part by AI using Microsoft Copilot, in compliance with the AI Usage policy for Microsoft Q&A.
It seems you’re encountering an issue with the Microsoft Graph API while trying to ingest threat indicators into Microsoft Defender using a Logic App. Let’s work through this step-by-step to resolve it:
Verify Permissions:
- System Assigned Managed Identity:
  - Ensure that the System assigned managed identity of your Logic App has the `ThreatIndicators.ReadWrite.OwnedBy` permission correctly assigned.
  - Double-check in the Microsoft Enterprise ID portal that the permissions are indeed granted and reflect properly.

Token Validation:
- Access Token:
  - Confirm that the Logic App is fetching the correct access token for the managed identity.
  - Test this by using an HTTP action in the Logic App to call the Microsoft Graph API endpoint. Use the Managed Identity as the authentication method.

API Endpoint and Scope:
- Endpoint and Permissions:
  - Verify that the API endpoint you are calling is correct.
  - Check if the scope of the token includes the necessary permissions.

Retry with Full Permissions:
- Testing Permissions:
  - As a test, try assigning more comprehensive permissions to the managed identity, such as `SecurityEvents.ReadWrite.All`, to see if that resolves the issue.
  - If this works, you can narrow down the permissions again to what is strictly necessary.

Check for Account Provisioning:
- Account Configuration:
  - The error message mentions “Account is not provisioned.” This could indicate an issue with the Microsoft Defender ATP provisioning for the account being used.
  - Verify that the account and the Logic App are properly configured and provisioned in Microsoft Defender ATP.

Run the Azure CLI Script Again:
- Permission Granting:
  - Re-run the Azure CLI script to grant permissions and ensure it completes without errors:

```shell
az ad app permission add --id <ManagedIdentityClientId> --api 00000003-0000-0000-c000-000000000000 --api-permissions 77e65f8e-aeba-4f27-9fd7-3eb34d5b4c8e=Role
az ad app permission grant --id <ManagedIdentityClientId> --api 00000003-0000-0000-c000-000000000000
```
Additional Resources:
- [Microsoft Graph API Permissions](https://docs.microsoft.com/en-us/graph/permissions-reference)
- [Using Managed Identities for Azure Resources](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
If you’ve checked all the above and the issue persists, consider opening a support ticket with Microsoft. There might be an underlying issue specific to your account setup.
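One way to carry out the "Token Validation" and "API Endpoint and Scope" checks above is to decode the access token the Logic App obtained and inspect its `aud` and `roles` claims. This is an added example, not code from the answer or from Microsoft; it assumes the required application role is named `ThreatIndicators.ReadWrite.OwnedBy` and reads the token without verifying its signature (it is only for inspecting a token you already hold, never for trusting one). The sample tokens are constructed inline.

```python
import base64
import json

# Application role the answer expects on the managed identity (assumption: name as
# written in the answer). Managed identities get application roles, not delegated scopes.
REQUIRED_ROLE = "ThreatIndicators.ReadWrite.OwnedBy"
GRAPH_AUDIENCES = ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_graph_token(token: str, required_role: str = REQUIRED_ROLE) -> list:
    """Return a list of problems found; an empty list means the token looks usable."""
    claims = decode_jwt_claims(token)
    problems = []
    aud = claims.get("aud")
    if aud not in GRAPH_AUDIENCES:
        problems.append(f"audience is {aud!r}, expected Microsoft Graph")
    roles = claims.get("roles", [])
    if required_role not in roles:
        problems.append(f"roles claim {roles} lacks {required_role}")
    if "scp" in claims and not roles:
        problems.append("token carries delegated scopes (scp) only; an app role is needed")
    return problems


def build_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline testing (dummy signature segment)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    good = build_sample_token({"aud": GRAPH_AUDIENCES[0], "roles": [REQUIRED_ROLE]})
    wrong = build_sample_token({"aud": "https://management.azure.com", "scp": "user_impersonation"})
    print(check_graph_token(good))   # []
    print(check_graph_token(wrong))  # three problems: audience, missing role, scp only
```

In a Logic App, the token to inspect is the one the HTTP action obtains for the managed identity; a token whose `aud` is the Azure Resource Manager endpoint or whose `roles` claim is empty will fail against Graph regardless of what the portal shows.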