Defender for Endpoint - Device Isolation via API

kimak 0 Reputation points
2024-03-20T14:15:45.4366667+00:00

Hello All,

I am trying to craft a script to isolate a device via PowerShell.

I have created an Enterprise app, and I have assigned the Machine.Isolate permission to that app (as delegated - I do not want to use it as application) and granted consent.

Script currently looks like this:

function Isolate-Device ($device) {
    $tenantId = "xxx"
    $clientId = "xxx"
    
    $MsalParams = @{
        ClientId = $clientId
        TenantId = $tenantId
        Scopes   = 'https://userrequestsgraphapiep-prd.trafficmanager.net//Machine.Isolate'
    }

    $MsalResponse = Get-MsalToken @MsalParams
    $token = $MsalResponse.AccessToken
    #$token

    $headers = @{
        Authorization = "Bearer $token"
    }
   
    $body = @{
        "Comment" = "Isolated"
        "IsolationType" = "Full"
    }
   
    $response = Invoke-RestMethod -Uri "https://api.securitycenter.microsoft.com/api/machines/$device/isolate" -Method POST -Body ($body | ConvertTo-Json) -Headers $headers -Verbose
}

The token looks like it is generated correctly:

"scp": "AdvancedQuery.Read Machine.Isolate"

But when I try to run the function I get the error below:

[Image: 2024-03-20_15-12-16]

Any idea where I am making a mistake? Thanks in advance!


2 answers

  1. Crystal-MSFT 53,991 Reputation points Microsoft External Staff
    2024-03-21T01:37:58.65+00:00

    @kimak, Thanks for posting in Q&A. From your description, it seems the issue is with the API of Defender for Endpoint, which we are not familiar with. You can contact Defender for Endpoint support at the following link to see if you can get more help on this.

    https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/contact-support?view=o365-worldwide

    Thanks for your understanding.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Gil Burns 0 Reputation points
    2024-05-21T21:41:45.37+00:00

    Try using this URI for both the token request and for the rest method:

    https://api-us.securitycenter.microsoft.com

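A local check related to the suggestion in the second answer, added here as an example (not code from the thread or from Microsoft): it decodes the access token's payload and compares its `aud`, `scp` and `exp` claims with the API host and permission used in the call. The function names and the sample token are constructed for illustration; the payload is only decoded, its signature is not verified.

```powershell
# Added example: inspect a token locally instead of pasting it into an online decoder.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # JWT segments are base64url without padding; convert to standard base64.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-TokenForApi {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ApiBaseUri,    # host used in Invoke-RestMethod
        [Parameter(Mandatory)][string]$RequiredScope  # delegated permission, e.g. Machine.Isolate
    )
    $claims  = Get-JwtPayload -Token $Token
    $scopes  = @(([string]$claims.scp) -split ' ' | Where-Object { $_ })
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    # A differing 'aud' is a lead to investigate, not proof of rejection: a resource
    # can be registered under several identifiers, and 'aud' may be an app ID GUID.
    [pscustomobject]@{
        Audience           = $claims.aud
        AudienceMatchesApi = (([string]$claims.aud).TrimEnd('/') -eq $ApiBaseUri.TrimEnd('/'))
        Scopes             = $scopes
        HasRequiredScope   = ($scopes -contains $RequiredScope)
        ExpiresUtc         = $expires.UtcDateTime
        Expired            = ($expires -lt [DateTimeOffset]::UtcNow)
    }
}

# Constructed, unsigned sample token so the check runs offline; the claim values are
# made up for the demo (scp copied from the question, exp set to 2100-01-01).
function ConvertTo-Base64Url([string]$Text) {
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = @{ aud = 'https://api.securitycenter.microsoft.com'
              scp = 'AdvancedQuery.Read Machine.Isolate'
              exp = 4102444800 } | ConvertTo-Json -Compress
$sample = '{0}.{1}.' -f (ConvertTo-Base64Url '{"alg":"none"}'), (ConvertTo-Base64Url $payload)

Test-TokenForApi -Token $sample -ApiBaseUri 'https://api-us.securitycenter.microsoft.com' `
    -RequiredScope 'Machine.Isolate' | Format-List
```

With a real token, pass `$MsalResponse.AccessToken` and the base URI of the host given to `Invoke-RestMethod`.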
