Getting 403 for token generated by Managed Identity

Question

Getting 403 for token generated by Managed Identity

Rushi Satani 0

I am trying to call Defender API : https://learn.microsoft.com/en-us/defender-endpoint/api/import-ti-indicators by using managed identity from an azure function.

I am successfully able to generate the token. However the token that is generated keeps giving 403 error.
User's image

I have also turned on system assigned managed identity from the function app

Rushi Satani 0 Reputation points

2026-02-19T08:54:12.0966667+00:00

I am not able to add permissions. Reference below screenshot

Tried the above using Global Administrator role
VEMULA SRISAI 9,255 Reputation points Microsoft External Staff Moderator

2026-02-22T11:13:22.31+00:00
Rushi Satani You’re running into this because Managed Identities do not use the “API permissions” blade in the same way as App Registrations, which is why the Add permissions option is missing in your screenshot. This is expected behavior, even for Global Administrators.

For Microsoft Defender for Endpoint APIs, two things are required when using Managed Identity:

Assign Defender Application Role to the Managed Identity (Correct Way)

For Managed Identity, application roles must be assigned from the API’s Enterprise Application, not from the Function App UI.

Steps

Go to Microsoft Entra ID → Enterprise applications

Search for Microsoft Defender for Endpoint

Open it → Users and groups

Click Add user/group

Select:

Principal: Your Azure Function’s Managed Identity

Role:
- `Ti.ReadWrite` or - `Ti.ReadWrite.All`

Save

This is the only supported way to grant Defender API application permissions to a Managed Identity

Defender RBAC Is ALSO Required (Commonly Missed)

Even with the Entra application role assigned, Defender APIs will still return 403 unless the identity also has Defender RBAC permissions.

Assign Defender Role

Go to Microsoft Defender portal

Navigate to Settings → Endpoints → Roles

Assign one of the following roles to the Managed Identity:

Security Operator (recommended)

Security Administrator

Without this, the API authorization fails even though the token is valid.
Rushi Satani 0 Reputation points

2026-02-23T10:05:42.69+00:00

Not able to see microsoft defender for endpoint as seen in the below screenshot

1 answer

Your answer

Rushi Satani 0 Reputation points

2026-02-19T08:54:12.0966667+00:00

I am not able to add permissions. Reference below screenshot

Tried the above using Global Administrator role
VEMULA SRISAI 9,255 Reputation points Microsoft External Staff Moderator

2026-02-22T11:13:22.31+00:00

Rushi Satani You’re running into this because Managed Identities do not use the “API permissions” blade in the same way as App Registrations, which is why the Add permissions option is missing in your screenshot. This is expected behavior, even for Global Administrators.

For Microsoft Defender for Endpoint APIs, two things are required when using Managed Identity:

Assign Defender Application Role to the Managed Identity (Correct Way)

For Managed Identity, application roles must be assigned from the API’s Enterprise Application, not from the Function App UI.

Steps

Go to Microsoft Entra ID → Enterprise applications

Search for Microsoft Defender for Endpoint

Open it → Users and groups

Click Add user/group

Select:

Principal: Your Azure Function’s Managed Identity

Role:
- `Ti.ReadWrite` or - `Ti.ReadWrite.All`

Save

This is the only supported way to grant Defender API application permissions to a Managed Identity

Defender RBAC Is ALSO Required (Commonly Missed)

Even with the Entra application role assigned, Defender APIs will still return 403 unless the identity also has Defender RBAC permissions.

Assign Defender Role

Go to Microsoft Defender portal

Navigate to Settings → Endpoints → Roles

Assign one of the following roles to the Managed Identity:

Security Operator (recommended)

Security Administrator

Without this, the API authorization fails even though the token is valid.
Rushi Satani 0 Reputation points

2026-02-23T10:05:42.69+00:00

Not able to see microsoft defender for endpoint as seen in the below screenshot

Answer 1

Rushi Satani The 403 error is occurring because the access token generated by the Managed Identity does not contain the required application role for the Defender API.

The error message clearly states:

Missing application roles. API required roles: Ti.ReadWrite.All, Ti.ReadWrite

This means authentication is successful, but authorization is failing.

When using Managed Identity, the Defender API requires Application permissions (not delegated permissions). If the required role is not assigned to the service principal, the API returns 403 even though the token is valid.

Assign Required Application Permission

Go to Microsoft Entra ID
Navigate to Enterprise Applications
Search for your Azure Function’s Managed Identity
Go to Permissions
Click Add permission
Select Microsoft Defender for Endpoint
Choose Application permissions
Add one of the following:
- Ti.ReadWrite
- or Ti.ReadWrite.All

After adding the permission, click:

Grant admin consent

This step is mandatory. Without admin consent, the role will not be included in the issued token.

Use Correct Scope When Requesting Token

Ensure the token is requested with:

https://api.security.microsoft.com/.default

Example:

new TokenRequestContext(new[] { "https://api.security.microsoft.com/.default" })

Verify the Token

Decode the newly generated token (for example using jwt.ms) and confirm:

aud = https://api.security.microsoft.com

roles claim contains:

"Ti.ReadWrite"

or

"Ti.ReadWrite.All"

If the roles claim is missing, the permission was not properly assigned or consented.

Share via

Getting 403 for token generated by Managed Identity

Steps

1 answer

Assign Required Application Permission

Grant Admin Consent

Verify the Token

Your answer