Which API permission is required to access Email & Collaboration Alerts from Microsoft Defender for Office 365?

Hai VUONG 25 Reputation points
2025-04-22T13:15:40.5633333+00:00

Hello,

I am currently trying to collect Email & Collaboration Alerts via API, those seen in Microsoft Defender Portal → Email & Collaboration → Alerts view or in Microsoft Purview Portal → Compliance Alerts.

I have already registered an app in Azure AD and granted the following API permissions:

Microsoft Graph

  • SecurityAlert.Read.All (Application permission)

WindowsDefenderATP

  • Alert.Read.All (Application permission)

Admin consent has been granted successfully.

However, when I call: GET https://api.security.microsoft.com/api/alerts

I receive this error:

{ "error": { "code": "Forbidden", "message": "Missing application roles. API required roles: Alert.Read.All,Alert.ReadWrite.All, application roles: ." } }

Even though I already see Alert.Read.All assigned and consented.

Questions:

  1. Are Email & Collaboration Alerts exposed through /api/alerts in the Microsoft 365 Defender API?

  2. If not, is there a separate API or specific permission required to access alerts from:

     • Microsoft Defender for Office 365?

     • Microsoft Purview Compliance Portal?

  3. What is the correct combination of:

     • API resource (e.g., Microsoft Graph, Security, or Purview)?

     • Permission (Delegated or Application)?

When I tried GET https://graph.microsoft.com/v1.0/security/alerts_v2, I only got alerts from Microsoft Defender for Endpoint, but not from Microsoft Defender for Office 365, like in the MS Defender or MS Purview portal.

Thank you in advance for your help.

Microsoft Security | Microsoft Graph

Answer accepted by question author
  1. Vasil Michev 126K Reputation points MVP Volunteer Moderator
    2025-04-22T16:44:31.9166667+00:00

    The alerts_v2 in particular, as you've noted above, will return the Defender for Office 365 alerts. Make sure you have consented to the SecurityAlert.Read.All scope, and are using the correct authentication method (application permissions only work when you authenticate via client secret or certificate; you cannot use them when the app acts on behalf of a user, for example Graph Explorer).

    For example this query should return the top Defender for O365 alerts:

    GET https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=serviceSource eq 'microsoftDefenderForOffice365'&$select=id,title,createdDateTime
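
The following Python is an added example, not part of the answer above and not Microsoft's code. The `Forbidden` response in the question reports an empty `application roles` list, so it decodes an access token's claims to check for `SecurityAlert.Read.All` before sending the answer's `alerts_v2` query; the function names and the sample tokens are constructed for illustration, and the decoding is a diagnostic that does not verify the signature.

```python
import base64
import json
import urllib.request
from urllib.parse import quote, urlencode

ALERTS_V2 = "https://graph.microsoft.com/v1.0/security/alerts_v2"
REQUIRED_ROLE = "SecurityAlert.Read.All"

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token, required=REQUIRED_ROLE):
    """Explain why a token would or would not pass an application-role check."""
    claims = jwt_claims(token)
    roles = claims.get("roles", [])  # app-only tokens list permissions here
    if required in roles:
        return "ok"
    if "scp" in claims:  # delegated tokens carry scopes in scp instead
        return "delegated token (scp claim present): application permissions do not apply"
    return f"app-only token for {claims.get('aud')} without {required}; roles={roles}"

def o365_alerts_url():
    """Build the answer's query with the spaces in $filter percent-encoded."""
    params = {
        "$filter": "serviceSource eq 'microsoftDefenderForOffice365'",
        "$select": "id,title,createdDateTime",
    }
    return ALERTS_V2 + "?" + urlencode(params, quote_via=quote, safe="$',")

def get_o365_alerts(token):
    """Live call: needs network access and a real app-only Graph token."""
    req = urllib.request.Request(o365_alerts_url(),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]

def make_sample_token(claims):
    """Constructed, unsigned sample token for offline checks (not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
```

Run `diagnose()` on the token your app actually receives before calling `get_o365_alerts()`; anything other than `ok` points at consent or the authentication flow rather than at the query.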
    
