Secure Score Graph Api

pradeep kumar 1 Reputation point
2022-06-10T06:00:42.917+00:00

When I call the Microsoft Graph API "https://graph.microsoft.com/v1.0/security/secureScores?$top=10" I get this error message:

{"error":{"code":"UnknownError","message":"Auth token does not contain valid permissions or user does not have valid roles.","innerError":{"date":"2022-06-09T07:28:23","request-id":"2d8e4f26-91db-4341-8a63-961421d99bb8","client-request-id":"2d8e4f26-91db-4341-8a63-961421d99bb8"}}}.

I have verified the access token; it contains the scope for the Secure Score API: "scp": "AccessReview.ReadWrite.All AuditLog.Read.All Directory.AccessAsUser.All Directory.ReadWrite.All email Group.ReadWrite.All openid Organization.Read.All profile Reports.Read.All SecurityEvents.Read.All SecurityEvents.ReadWrite.All User.Read User.ReadWrite.All". I am using a Microsoft Partner Center user with the Global Administrator role to authenticate to all customer tenants. The above error message only comes for a few customers. Can anyone suggest what needs to be done?


2 answers

  1. RajeshKumarMSFT 1,976 Reputation points Microsoft Vendor
    2022-06-10T10:53:24.823+00:00

    Hi @pradeep kumar ,

    I tried replicating this use case at my end and I am able to get the desired Secure Score results.

    As this issue seems to be occurring for a few customers only, I would recommend you raise a support case with Microsoft Graph; a Support Engineer will be able to assist you better. You can raise a support ticket from http://aad.portal.azure.com/ or https://admin.microsoft.com/#/support/requests.

    Hope this helps.
    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.


  2. Connor Peoples 1 Reputation point
    2022-07-20T18:59:41.267+00:00

    Here's the answer I ended up with.

    When I followed several different tutorials to get a working model, I ended up configuring my application in alignment with MSAL v1 specifications, which won't work with some of the APIs. In this case, the Secure Score API doesn't work with implicit authentication, so moving to MSAL v2 and using the PKCE flow is all you need to do.

    I was using react + MSAL.JS and the change was pretty simple.

    If you are using "UserAgentApplication", switch to "PublicClientApplication" and make sure the application has disabled the implicit authentication flows. You may also need to update your token acquisition calls.

    Sample from my working solution:

    import { PublicClientApplication } from '@azure/msal-browser';

    const msalConfig = {
        auth: {
            clientId: "xxxxx-xxxx-x-x-x-xx-xxx", // application (client) ID from the app registration
            authority: "https://login.microsoftonline.com/common",
            redirectUri: "http://localhost:3000",
        },
        cache: {
            cacheLocation: "sessionStorage", // This configures where your cache will be stored
            storeAuthStateInCookie: false, // Set this to "true" if you are having issues on IE11 or Edge
        }
    };
    const msalLoginRequest = {
        scopes: ["User.Read"]
    };
    const graphTokenRequest = {
        // Graph API delegated scopes, requested separately from the sign-in scopes
        scopes: ["Policy.Read.All", "Directory.Read.All", "SecurityEvents.Read.All", "SecurityEvents.ReadWrite.All", "SharePointTenantSettings.Read.All"]
    };
    const myMsalObj = new PublicClientApplication(msalConfig);

    // clientEvents, idToken and setAccessToken are the React component's state (not shown here)
    clientEvents.push("Logging in to Microsoft...");
    myMsalObj.acquireTokenPopup(msalLoginRequest)
        .then((loginResponse) => {
            console.log(loginResponse);
            idToken.push(loginResponse);
            clientEvents.push("Login successful, retrieving access token...");
            // Second request obtains the Graph access token carrying the Secure Score scopes
            myMsalObj.acquireTokenPopup(graphTokenRequest)
                .then((response) => {
                    clientEvents.push("Retrieved access tokens...");
                    setAccessToken(response.accessToken);
                })
                .catch((error) => {
                    clientEvents.push("Error getting access token...");
                    console.log(error);
                });
        })
        .catch((error) => { console.log(error); });

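As an added example (not from the answers above and not part of MSAL), here is a small Node.js helper that decodes the payload of the Graph access token that the code above stores with setAccessToken and reports the conditions visible from the client that produce the "Auth token does not contain valid permissions or user does not have valid roles" error: wrong audience, no SecurityEvents.* permission in scp or roles, a tid that is not the customer tenant being queried, or an expired token. The sample token, tenant id and expiry are constructed; the function names are mine.

```javascript
// Added example, not from the original post or from MSAL. Decodes (does not
// verify) a Graph access token payload and reports why a call to
// /security/secureScores may be rejected. Microsoft Graph validates the signature.
const SECURE_SCORE_PERMISSIONS = ['SecurityEvents.Read.All', 'SecurityEvents.ReadWrite.All'];
const GRAPH_AUDIENCES = ['https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000'];

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected a compact JWS with three segments');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// expectedTenantId (optional): the customer tenant the Secure Score call targets.
function checkSecureScoreToken(token, expectedTenantId, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  const scopes = (claims.scp || '').split(' ').filter(Boolean);  // delegated permissions
  const roles = Array.isArray(claims.roles) ? claims.roles : []; // application permissions
  const problems = [];
  if (!GRAPH_AUDIENCES.includes(claims.aud)) {
    problems.push(`aud "${claims.aud}" is not Microsoft Graph; request the token for Graph scopes`);
  }
  if (![...scopes, ...roles].some((p) => SECURE_SCORE_PERMISSIONS.includes(p))) {
    problems.push(`neither scp nor roles contains ${SECURE_SCORE_PERMISSIONS.join(' / ')}`);
  }
  if (expectedTenantId && claims.tid !== expectedTenantId) {
    problems.push(`tid ${claims.tid} is not the customer tenant ${expectedTenantId}`);
  }
  if (typeof claims.exp === 'number' && claims.exp <= nowSeconds) problems.push('token has expired');
  return { ok: problems.length === 0, problems, scopes, roles, tid: claims.tid };
}

// Builds a constructed, unsigned token (alg "none", dummy signature) so the check runs offline.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig`;
}

const SAMPLE_TENANT = '11111111-1111-1111-1111-111111111111'; // constructed
const SAMPLE_TOKEN = makeSampleToken({
  aud: 'https://graph.microsoft.com', tid: SAMPLE_TENANT,
  scp: 'SecurityEvents.Read.All User.Read', exp: 4102444800, // exp = 2100-01-01, constructed
});
console.log(checkSecureScoreToken(SAMPLE_TOKEN, SAMPLE_TENANT));
```

With the authority set to /common, the tid reported for a token is the tenant it was actually issued for; if that is the partner's home tenant rather than the customer tenant, the customer's Secure Score data will not be returned.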
