0

I am trying to investigate file uploads to see if they are matched by File Scan policies in Microsoft Defender for Cloud Apps (aka MCAS). I can see them fine at the portal but I need to automate the process via API.

As per documentation, I did create Azure AD application and provided the permissions. This is needed to get access token which is needed to make api calls. Azure AD App Permissions

I am getting Insufficient role based permissions error when I call https://aspnet4you2.us3.portal.cloudappsecurity.com/api/v1/files/. I get same error if I use https://portal.cloudappsecurity.com/cas/api/v1/files/

Any idea how to solve this Insufficient permission issue?

Calling cloudappsecurity API

Prodip
  • 436
  • 8
  • 21

1 Answers1

2

I tried to reproduce the same in my environment and got below results

I registered one Azure AD application and granted API permissions as below:

enter image description here

Now I generated access token via Postman with below parameters:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token

client_id:appID
grant_type:client_credentials
client_secret:secret
scope:05a65629-4c1b-48c1-a78b-804c4abdd4af/.default

Response:

enter image description here

When I used the above token to get files with both URLs, I got same error as below:

GET https://portal.cloudappsecurity.com/cas/api/v1/files/
Authorization: Bearer <token>

enter image description here

GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/files/
Authorization: Bearer <token>

enter image description here

With the same token, I'm able to call all other APIs like alerts, activities etc. like below:

GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/alerts/
Authorization: Bearer <token>

enter image description here

Note that, calling file APIs is not available in application context.

Alternatively, you can make use of Legacy Method by generating one API token like below:

Go to Defender for Cloud Apps portal -> Settings -> Security extensions -> API tokens -> Add a token

enter image description here

Now, enter Token name and select Generate as below:

enter image description here

API token will be generated successfully and copy the token to use in Postman:

enter image description here

When I used the above API token to call files API with both URLs, I got response successfully as below:

GET https://portal.cloudappsecurity.com/cas/api/v1/files/
Authorization: Token <token>

enter image description here

GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/files/
Authorization: Token <token>

enter image description here

You can try the same in your environment by generating API token instead of Bearer token to call Files API.

Reference:

Defender for Cloud Apps file API “Insufficient role based permissions” by Sangho Cho

Sridevi
  • 10,599
  • 1
  • 4
  • 17
  • 1
    @Sridevi- Thank you very much for the answer. Appreciate you for going extra miles to replicate the issue and then providing a tested workaround. I followed your instructions to use api key and it worked for me as well. Way to go! – Prodip Nov 15 '22 at 05:37