I am trying to download a list of incidents from Defender 365 (MDATP).

I have a script to get a Bearer Token:

# $ResourceApplicationIdUri, $ApplicationId, $ApplicationSecret and
# $OAuthenticationURI are defined in Credentials.ps1 (dot-sourced here).
. 'Functions\Credentials.ps1'

Function GET_BEARER_TOKEN_FOR_MDATP_AUTHENTICATION {

    # OAuth 2.0 client-credentials request (v1 endpoint): the "resource"
    # value is the API the token is issued for, and it decides which
    # application-permission roles end up in the token's "roles" claim.
    $Body = [Ordered] @{
        resource      = "$ResourceApplicationIdUri"
        client_id     = "$ApplicationId"
        client_secret = "$ApplicationSecret"
        grant_type    = 'client_credentials'
    }

    try {
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthenticationURI -Body $Body -ErrorAction Stop
    }
    catch {
        Write-Output "unable to get the bearer token"
        Exit
    }
    $BearerToken = $Response.access_token

    return $BearerToken
}

$xx = GET_BEARER_TOKEN_FOR_MDATP_AUTHENTICATION
$xx | Out-File '.\Bearer_Token.txt'

That script worked fine. Today, I have been granted permission to display incidents.

When I try to do that, I get the error message:

{
    "error": {
        "code": "Forbidden",
        "message": "The application does not have any of the required application permissions (Incident.ReadWrite.All, Incident.Read.All) to access the resource."
    }
}

When I check in the token tester website: https://jwt.ms/

I cannot see the Incident.Read.All role, only:

  "roles": [
    "Alert.ReadWrite.All",
    "AdvancedQuery.Read.All"
  ]

Roles have been given by this instruction manual:

https://learn.microsoft.com/en-us/microsoft-365/security/defender/api-create-app-web?view=o365-worldwide

Many Thanks, Aster

1 Answer

So I have found the issue:

$ResourceApplicationIdUri = 'https://api.securitycenter.microsoft.com' (Alerts are allowed)
$ResourceApplicationIdUri = 'https://api.security.microsoft.com' (Incidents are allowed)

Regards, Aster

In case others encounter problems... I had similar to Aster's issue, where my role claims weren't propagating to the token. It's important (and not always clear) to set the correct scope when creating the token depending on the API call being made. My case was for using Advanced Hunting, so the scope is: https://api.security.microsoft.com/.default Whereas using scope: https://api.securitycenter.windows.com/.default will cause the wrong role claims to be added to the token. Hope this helps someone! – Midiman Jun 09 '22 at 19:37
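The answer and the comment above both come down to the same thing: the audience you request (the v1 `resource` or the v2 `scope`) selects which app roles land in the token, and a token for the Defender for Endpoint host will be rejected by the Microsoft 365 Defender incidents endpoint. The following added example (written for this page, not code from the question, the answer or Microsoft) requests the token for the API actually being called and then decodes the JWT payload locally to confirm the required role is present before making the request, so a mismatch is caught with a clear message instead of a 403. It assumes `$TenantId`, `$ApplicationId` and `$ApplicationSecret` are already defined (for instance by the same Credentials.ps1 the question dot-sources); the function names are my own.

```powershell
# Added example: request a Defender API token for the right audience and
# check its "roles" claim before calling the incidents endpoint.
# Assumes $TenantId, $ApplicationId, $ApplicationSecret are defined elsewhere.

function Get-DefenderApiToken {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret,
        # The scope host decides which role claims the token carries:
        #   'https://api.security.microsoft.com/.default'       -> Incident.* roles (Microsoft 365 Defender API)
        #   'https://api.securitycenter.microsoft.com/.default' -> Alert.*, AdvancedQuery.* roles (Defender for Endpoint API)
        [Parameter(Mandatory)] [string] $Scope
    )
    # v2 token endpoint uses "scope" where the question's v1 call used "resource".
    $uri  = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = $Scope
        grant_type    = 'client_credentials'
    }
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body -ErrorAction Stop).access_token
}

function Get-JwtPayload {
    param([Parameter(Mandatory)] [string] $Token)
    # A JWT is header.payload.signature; each part is base64url without padding.
    # This only reads the claims (same as pasting into jwt.ms); it does not validate the signature.
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Test-TokenHasRole {
    param(
        [Parameter(Mandatory)] [string]   $Token,
        [Parameter(Mandatory)] [string[]] $AnyOf
    )
    $claims = Get-JwtPayload -Token $Token
    $roles  = @($claims.roles)                       # empty if the app has no roles for this audience
    $ok     = ($roles | Where-Object { $AnyOf -contains $_ }).Count -gt 0
    if (-not $ok) {
        Write-Warning ("Token for audience '{0}' carries roles [{1}], none of [{2}]. " +
                       "Check the scope/resource used when requesting it." -f
                       $claims.aud, ($roles -join ', '), ($AnyOf -join ', '))
    }
    return $ok
}

# Usage: incidents live on api.security.microsoft.com, so request that audience.
$token = Get-DefenderApiToken -TenantId $TenantId -ClientId $ApplicationId -ClientSecret $ApplicationSecret `
                              -Scope 'https://api.security.microsoft.com/.default'

if (Test-TokenHasRole -Token $token -AnyOf 'Incident.Read.All', 'Incident.ReadWrite.All') {
    $headers   = @{ Authorization = "Bearer $token" }
    $incidents = Invoke-RestMethod -Method Get -Uri 'https://api.security.microsoft.com/api/incidents' -Headers $headers
    $incidents.value | Select-Object incidentId, incidentName, severity, status | Format-Table
}
```

Requesting the token with the Defender for Endpoint scope instead reproduces the question's symptom: `Test-TokenHasRole` reports only `Alert.*`/`AdvancedQuery.*` roles and the incidents call is skipped. The token is kept in memory for the duration of the script rather than written to a file as in the question, since a bearer token on disk is usable by anything that can read the file until it expires.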