Can't ingest threat indicator for Microsoft Defender using Graph API

Max Kulish 0 Reputation points
2024-06-19T11:47:14.5566667+00:00

Hello!

I'm trying to ingest a threat indicator into Microsoft Defender from a logic app. It used to work in the past, but for some time I have been getting an Unauthorized error.

I created a minimal setup containing only the trigger and the Create tiIndicator action. Here are the exact steps that I followed:

  1. I created a new logic app
  2. I enabled System assigned managed identity on this app
  3. I executed an Azure CLI script to grant the ThreatIndicators.ReadWrite.OwnedBy permission; the script returned the correct answer
  4. I went to Microsoft Entra ID -> Enterprise applications
  5. I changed the Application Type filter to Managed Identities and found my new logic app
  6. On the app's page I opened Permissions and ensured that the permission Microsoft Graph / ThreatIndicators.ReadWrite.OwnedBy is granted
  7. I opened the logic app's editor and created a Recurrence trigger and then a Microsoft Graph Security / Create tiIndicator action
  8. I chose Managed Identity as the auth type
  9. I filled the Create tiIndicator action's form with the following data:
    1. Action: alert
    2. Description: tiindicator test
    3. Expiration date time: 2024-10-10 12:00:00
    4. Target product: Microsoft Defender ATP
    5. Threat Type: malware
    6. Network IPv4: 10.0.0.1
  10. I saved and executed the logic app
  11. I am getting the following error:
{
  "error": {
    "code": "",
    "message": "Http request failed with statusCode=Forbidden : {\"error\":{\"code\":\"Unauthorized\",\"message\":\"Unauthorized request - Account is not provisioned.\",\"target\":\"|a7e7bdcf-0b5c-441b-926a-7385ee273153.40585386_\"}}; ",
    "innerError": {
      "date": "2024-06-19T10:53:29",
      "request-id": "a7e7bdcf-0b5c-441b-926a-7385ee273153",
      "client-request-id": "a7e7bdcf-0b5c-441b-926a-7385ee273153"
    }
  }
}

Any help will be appreciated.
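The two things worth separating in an error like the one above are whether the token the managed identity sent to Graph actually carries the application role, and what the Graph error body says once it does. The following diagnostic is an added example, not code from the question or from Microsoft: it decodes a Graph access token (application permissions appear in the `roles` claim, delegated ones in `scp`), checks it for ThreatIndicators.ReadWrite.OwnedBy, and maps a failed POST to /beta/security/tiIndicators to the next thing to check. The sample token is constructed locally with a dummy signature, and the sample error body is the inner JSON from the run above; the signature is never verified, so use this only on a token you obtained yourself.

```python
"""
Added diagnostic, not code from the question or from Microsoft. Inspects the
access token a managed identity obtained for Microsoft Graph and classifies a
failed POST to /beta/security/tiIndicators. All sample tokens and error bodies
below are constructed; no signature is ever checked.
"""
import base64
import json

REQUIRED_ROLE = "ThreatIndicators.ReadWrite.OwnedBy"
# Either form is a valid `aud` for a Graph token (resource URI or Graph's well-known appId).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT. No signature verification: this is for
    looking at a token you obtained yourself, not for trusting one you received."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_graph_token(token: str, required_role: str = REQUIRED_ROLE) -> list:
    """Return the problems found (empty list = token looks right for an
    application-permission call to Graph)."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"aud is {claims.get('aud')!r}, not Microsoft Graph")
    roles = claims.get("roles", [])
    if required_role not in roles:
        problems.append(f"roles claim {roles} lacks {required_role}")
    if "scp" in claims and "roles" not in claims:
        problems.append("token has delegated scopes (scp) only: a user token, not the managed identity's")
    return problems


def triage_tiindicator_error(status: int, body: str, token_ok: bool) -> str:
    """Turn a failed tiIndicators POST into the next thing to check. `token_ok`
    is whether check_graph_token() found no problems with the token that was sent."""
    try:
        err = json.loads(body).get("error", {})
    except (json.JSONDecodeError, AttributeError):
        err = {}
    code = str(err.get("code", "")).lower()
    message = str(err.get("message", "")).lower()
    if status in (401, 403) and not token_ok:
        return "permission: the token lacks the app role; fix the appRoleAssignment on the managed identity"
    if status == 403 and "not provisioned" in message:
        return ("provisioning: the token carries the role, so look past Graph permissions; the target "
                "product reports the account is not provisioned (check the Defender side)")
    if status in (401, 403):
        return f"authorization: code {code!r}; quote the error target and request-id to support"
    return f"HTTP {status}: not an authorization failure"


def make_unsigned_token(claims: dict) -> str:
    """Build a structurally valid JWT with a dummy signature (constructed test data)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


# Constructed sample claims shaped like a managed identity token for Graph (placeholder appid).
SAMPLE_CLAIMS = {"aud": "https://graph.microsoft.com", "roles": [REQUIRED_ROLE],
                 "appid": "00000000-0000-0000-0000-000000000000"}
# Inner error body from the Logic App run in the question, unwrapped from the outer message.
SAMPLE_ERROR_BODY = ('{"error":{"code":"Unauthorized","message":"Unauthorized request - '
                     'Account is not provisioned.","target":"|a7e7bdcf-0b5c-441b-926a-7385ee273153.40585386_"}}')

if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_CLAIMS)
    problems = check_graph_token(token)
    print("token problems:", problems or "none")
    print(triage_tiindicator_error(403, SAMPLE_ERROR_BODY, token_ok=not problems))
```

Run with a real token in place of the constructed one to see which branch the failure falls into; the first branch means the Entra side is wrong, the second means the role was granted and the "Account is not provisioned" text is what needs chasing.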

Microsoft Graph

1 answer

  1. William Nieto 540 Reputation points
    2024-06-19T12:56:39.3866667+00:00

    This answer was generated in part by AI using Microsoft Copilot, in compliance with the AI Usage policy for Microsoft Q&A.

    It seems you’re encountering an issue with the Microsoft Graph API while trying to ingest threat indicators into Microsoft Defender using a Logic App. Let’s work through this step-by-step to resolve it:

    Verify Permissions:

    1. System Assigned Managed Identity:
      • Ensure that the System assigned managed identity of your Logic App has the ThreatIndicators.ReadWrite.OwnedBy permission correctly assigned.
        • Double-check in the Microsoft Enterprise ID portal that the permissions are indeed granted and reflect properly.

    Token Validation:

    1. Access Token:
      • Confirm that the Logic App is fetching the correct access token for the managed identity.
        • Test this by using an HTTP action in the Logic App to call the Microsoft Graph API endpoint. Use the Managed Identity as the authentication method.

    API Endpoint and Scope:

    1. Endpoint and Permissions:
      • Verify that the API endpoint you are calling is correct.
        • Check if the scope of the token includes the necessary permissions.

    Retry with Full Permissions:

    1. Testing Permissions:
      • As a test, try assigning more comprehensive permissions to the managed identity, such as SecurityEvents.ReadWrite.All, to see if that resolves the issue.
        • If this works, you can narrow down the permissions again to what is strictly necessary.

    Check for Account Provisioning:

    1. Account Configuration:
      • The error message mentions “Account is not provisioned.” This could indicate an issue with the Microsoft Defender ATP provisioning for the account being used.
        • Verify that the account and the Logic App are properly configured and provisioned in Microsoft Defender ATP.

    Run the Azure CLI Script Again:

    1. Permission Granting:
      • Re-run the Azure CLI script to grant permissions and ensure it completes without errors:
         # add the Microsoft Graph application permission (Role) identified by its permission id
         az ad app permission add --id <ManagedIdentityClientId> --api 00000003-0000-0000-c000-000000000000 --api-permissions 77e65f8e-aeba-4f27-9fd7-3eb34d5b4c8e=Role

         # grant (consent to) the permissions added above
         az ad app permission grant --id <ManagedIdentityClientId> --api 00000003-0000-0000-c000-000000000000

    Additional Resources:
    
    - [Microsoft Graph API Permissions](https://docs.microsoft.com/en-us/graph/permissions-reference)
    
    - [Using Managed Identities for Azure Resources](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
    
    If you’ve checked all the above and the issue persists, consider opening a support ticket with Microsoft. There might be an underlying issue specific to your account setup.
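A managed identity has a service principal in the tenant but no app registration, so an application permission is granted to it by creating an appRoleAssignment on that service principal rather than by editing an app's required permissions. The script below is an added example, not the answer's script and not Microsoft code: it resolves the role id from the Microsoft Graph service principal's appRoles by its `value` instead of hard-coding a GUID, checks whether the assignment already exists, and only then POSTs it. The pure planning helpers run on constructed sample objects with placeholder GUIDs; grant_role() is the networked path and assumes an admin bearer token with AppRoleAssignment.ReadWrite.All and Application.Read.All, plus the managed identity's service principal object id.

```python
"""
Added example, not the answer's script and not Microsoft code. Grants a Microsoft
Graph application permission to a managed identity by creating an
appRoleAssignment on the identity's service principal. Pure helpers are exercised
on constructed data; grant_role() needs a real admin token (placeholder names).
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId of Microsoft Graph
ROLE_VALUE = "ThreatIndicators.ReadWrite.OwnedBy"


def find_app_role_id(graph_sp: dict, role_value: str) -> str:
    """Resolve an application role id by its `value` on the Graph service
    principal object, instead of hard-coding the GUID."""
    for role in graph_sp.get("appRoles", []):
        if role.get("value") != role_value:
            continue
        if "Application" not in role.get("allowedMemberTypes", []):
            raise ValueError(f"{role_value} is not an application role")
        if not role.get("isEnabled", True):
            raise ValueError(f"{role_value} is disabled")
        return role["id"]
    raise LookupError(f"{role_value} not in appRoles")


def plan_grant(graph_sp: dict, current_assignments: dict, mi_principal_id: str,
               role_value: str = ROLE_VALUE) -> tuple:
    """Decide what to do: ('already assigned', None) or ('assign', <POST body>).
    graph_sp is the Graph SP ($select=id,appRoles); current_assignments is the
    managed identity's appRoleAssignments collection."""
    role_id = find_app_role_id(graph_sp, role_value)
    for a in current_assignments.get("value", []):
        if a.get("resourceId") == graph_sp["id"] and a.get("appRoleId") == role_id:
            return "already assigned", None
    body = {"principalId": mi_principal_id, "resourceId": graph_sp["id"], "appRoleId": role_id}
    return "assign", body


def graph_call(token: str, method: str, path: str, body=None) -> dict:
    """Minimal Graph REST call; raises urllib.error.HTTPError on 4xx/5xx."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method,
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def grant_role(admin_token: str, mi_principal_id: str, role_value: str = ROLE_VALUE) -> str:
    """Idempotently grant role_value on Microsoft Graph to the managed identity
    whose service principal object id is mi_principal_id."""
    # The Graph SP is addressed by its appId alternate key.
    graph_sp = graph_call(admin_token, "GET",
                          f"/servicePrincipals(appId='{GRAPH_APP_ID}')?$select=id,appRoles")
    current = graph_call(admin_token, "GET",
                         f"/servicePrincipals/{mi_principal_id}/appRoleAssignments")
    action, body = plan_grant(graph_sp, current, mi_principal_id, role_value)
    if action == "assign":
        graph_call(admin_token, "POST",
                   f"/servicePrincipals/{mi_principal_id}/appRoleAssignments", body)
    return action


# Constructed sample objects with placeholder GUIDs, shaped like the Graph responses.
SAMPLE_GRAPH_SP = {
    "id": "aaaaaaaa-0000-0000-0000-000000000001",
    "appRoles": [
        {"id": "bbbbbbbb-0000-0000-0000-000000000001", "value": "ThreatIndicators.Read.All",
         "allowedMemberTypes": ["Application"], "isEnabled": True},
        {"id": "bbbbbbbb-0000-0000-0000-000000000002", "value": ROLE_VALUE,
         "allowedMemberTypes": ["Application"], "isEnabled": True},
    ],
}
SAMPLE_MI_ID = "cccccccc-0000-0000-0000-000000000001"
SAMPLE_ASSIGNMENTS_EMPTY = {"value": []}
SAMPLE_ASSIGNMENTS_DONE = {"value": [{"principalId": SAMPLE_MI_ID,
                                      "resourceId": SAMPLE_GRAPH_SP["id"],
                                      "appRoleId": "bbbbbbbb-0000-0000-0000-000000000002"}]}

if __name__ == "__main__":
    print(plan_grant(SAMPLE_GRAPH_SP, SAMPLE_ASSIGNMENTS_EMPTY, SAMPLE_MI_ID))
    print(plan_grant(SAMPLE_GRAPH_SP, SAMPLE_ASSIGNMENTS_DONE, SAMPLE_MI_ID))
```

The managed identity's principal id is the `identity.principalId` of the Logic App resource (for example via `az resource show --resource-type Microsoft.Logic/workflows -g <rg> -n <name> --query identity.principalId -o tsv`). After the POST, the role shows up under Enterprise applications > (the managed identity) > Permissions, which is the same view the question checked.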
    
