
Trying to build a client-side app using the Microsoft Graph Security API.

We've made the grants in the Azure Portal, granted Admin Consent, and the JWT is showing the scopes are present (snippet below):

"scp": "Calendars.Read MailboxSettings.Read offline_access People.Read profile SecurityEvents.Read.All SecurityEvents.ReadWrite.All User.Read User.Read.All",

Here's how we're requesting the token:

// acquire a token for MS Graph; the resource we request a token for
// must be the same service we call in the ajax request below
// (authContext is the ADAL.js AuthenticationContext; printErrorMessage is the app's own helper)
authContext.acquireToken('https://graph.microsoft.com', (error, token) => {
    // handle ADAL error
    if (error || !token) {
        printErrorMessage('ADAL Error Occurred: ' + error);
        return;
    }

    this.token = token; // update our data with the token
});

But when we hit the endpoint with a web call, we're still getting a 403 with no data returned:

$.ajax({
    type: "GET",
    url: "https://graph.microsoft.com/v1.0/security/alerts",
    headers: {
        'Authorization': 'Bearer ' + this.token
    }
}).done((data) => {
    console.log(data);
}).fail((jqXHR) => {
    // log the HTTP status and the Graph error body so a 403 is distinguishable from other failures
    console.log('Error getting security alerts: ' + jqXHR.status, jqXHR.responseJSON);
});

And here's the underlying error (via Postman):

{
  "error": {
    "code": "UnknownError",
    "message": "Auth token does not contain valid permissions or user does not have valid roles.",
    "innerError": {
      "request-id": "6411dbc9-eebb-4522-b789-62ab5f754d0c",
      "date": "2019-04-23T15:17:12"
    }
  }
}

Edit: The user accessing the app has the "Security reader" Directory role attached.

[Screenshot: directory_role]

Any assistance would be GREATLY appreciated. :)

Marc LaFleur

2 Answers

It looks like your app has the correct scopes, but the user that is requesting alerts from the Microsoft Graph Security API does not have a Security reader role in Azure AD.

To add roles to users, sign in to Azure portal as the tenant admin then select the Azure Active Directory blade > Users > select the name of the user > Directory Role > and then select Add role.

Once the user has access to read security information, they should be able to receive alerts through the Microsoft Graph Security API.

Source: https://learn.microsoft.com/graph/security-authorization#assign-azure-ad-roles-to-users

Ekoval
  • Sorry mate I should've included that - The user logged into the app does indeed have the Security Reader Directory role in AzureAD. (Edited the post to include that info + a screenshot). – Ray Terrill Apr 23 '19 at 19:26
  • @RayTerrill I looked over your logs with one of our devs and we noticed that at one point your access token contained the correct `Security Reader` role, but then the security role was removed. Please follow up with your tenant admin to make sure the security reader role wasn't only temporarily enabled for the user. For details on how to check for assigned roles go to : https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-manage-roles-portal#view-assignments-for-a-role – Ekoval Apr 26 '19 at 19:55
  • I'm one of the Tenant Admins (with a different admin account). I'm trying to access this application with my "normal" user account, and yes, I did remove the role temporarily (I've tried a whole bunch of things at this point), but that account has had that role for several days now and still not working correctly. – Ray Terrill Apr 26 '19 at 22:03
  • I've added a bunch of additional Graph API calls to my test app, and they all work correctly. It's almost as if ADALJS is not compatible with the Graph Security endpoint. – Ray Terrill Apr 29 '19 at 13:42
  • The user may have the role assigned, but it currently is not **enabled**. To do so go to Azure PIM, details here: https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-manage-roles-portal#view-assignments-for-a-role and set the role to be permanently enabled. The Microsoft Graph Security API endpoint uses the same authentication as Graph API, it just requires security credentials from users. – Ekoval Apr 29 '19 at 17:07
  • We don't currently use PIM in our tenant, mate. – Ray Terrill Apr 29 '19 at 18:27

I’ve been working behind-the-scenes with some MS DEV resources, and we believe we’ve tracked down why this doesn’t work.

Taken from an email:

The implicit grant through AAD uses response_mode=fragment by default. Once the response mode is changed to response_mode=form_post, the ID token (and access token, if requested) are sent as a POST request and contain the wids claim, which allows the Graph API security endpoints to be used.

The workaround proposed there was to basically build a server-side app that would catch the POST request that would have the roles, then use that to call the Graph Security API.

This works, but basically means implicit flow client side apps are essentially incompatible with the Graph Security API. Super frustrating and extremely difficult to track down from the documentation.

Hopefully there is some other mechanism MS can come up with.
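As an added example (not code from the question or either answer), here is a small Node.js diagnostic that decodes an access token's payload and reports whether the SecurityEvents scope and the wids (directory-role) claim are present, which is what this thread turns on. The sample tokens and the role template ID are constructed placeholders, and no signature is verified; this is a troubleshooting aid, not token validation.

```javascript
// Added example: inspect a Graph access token for the two claims the Security API
// needs here: a SecurityEvents.* delegated scope (scp) and a directory-role claim (wids).
// Tokens issued to the implicit flow with response_mode=fragment were observed
// to lack wids, which produces the 403 shown in the question.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; normalise before decoding
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(base64UrlDecode(parts[1])); // payload only; signature is NOT checked
}

const SECURITY_SCOPES = ['SecurityEvents.Read.All', 'SecurityEvents.ReadWrite.All'];

// expectedRoleTemplateId: the Security Reader role template ID from Microsoft's docs (optional)
function inspectGraphSecurityToken(jwt, expectedRoleTemplateId) {
  const claims = decodeJwtPayload(jwt);
  const scopes = (claims.scp || '').split(' ').filter(Boolean);
  const wids = Array.isArray(claims.wids) ? claims.wids : [];
  const hasSecurityScope = scopes.some((s) => SECURITY_SCOPES.includes(s));
  const hasWids = wids.length > 0;
  const hasExpectedRole = expectedRoleTemplateId ? wids.includes(expectedRoleTemplateId) : hasWids;
  let verdict;
  if (!hasSecurityScope) verdict = 'missing SecurityEvents scope: check app permissions / admin consent';
  else if (!hasWids) verdict = 'no wids claim: token carries no directory roles (seen with response_mode=fragment)';
  else if (!hasExpectedRole) verdict = 'wids present but expected role missing: check the role assignment';
  else verdict = 'ok';
  return { scopes, wids, hasSecurityScope, hasWids, hasExpectedRole, verdict };
}

// Constructed sample tokens: unsigned (alg none) so the example runs offline.
// Real AAD tokens are RS256-signed; never accept alg none in a verifier.
function makeUnsignedJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

const SAMPLE_ROLE_ID = '00000000-0000-0000-0000-00000000beef'; // constructed placeholder, not a real role ID
const fragmentToken = makeUnsignedJwt({ scp: 'SecurityEvents.Read.All User.Read' }); // no wids
const formPostToken = makeUnsignedJwt({ scp: 'SecurityEvents.Read.All User.Read', wids: [SAMPLE_ROLE_ID] });
console.log(inspectGraphSecurityToken(fragmentToken, SAMPLE_ROLE_ID).verdict);
console.log(inspectGraphSecurityToken(formPostToken, SAMPLE_ROLE_ID).verdict);
```

Paste a real token from the browser's session storage in place of the constructed ones to see which claim is actually missing before changing the app's response mode.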