
I am trying to access a Microsoft Defender endpoint using an application. I am following the guide here.

My JWT token response is as follows:

    {
      "aud": "https://api.securitycenter.microsoft.com",
      "iss": "https://sts.windows.net/aa551af3-e811-4451-b20c-c5b84fb2845b/",
      "iat": 1677834504,
      "nbf": 1677834504,
      "exp": 1677838404,
      "aio": "E2ZgYGg1iK74E3KLOZTt6LdK24aHAA==",
      "app_displayname": "test",
      "appid": "3c98fbaf-4528-4469-9228-1da89796674b",
      "appidacr": "1",
      "idp": "https://sts.windows.net/aa551af3-e811-4451-b20c-c5b84fb2845b/",
      "oid": "7e34779b-d23b-43c0-9fd1-6e1433ac7390",
      "rh": "0.AXEA8xpVqhHoUUSyDMW4T7KEW2UEePwXINRAoMUwcCJHG5JxAAA.",
      "roles": [
        "Machine.Isolate",
        "SecurityConfiguration.ReadWrite.All",
        "IntegrationConfiguration.ReadWrite",
        "Url.Read.All",
        "Ip.Read.All",
        "Ti.ReadWrite",
        "Ti.Read.All",
        "User.Read.All",
        "Ti.ReadWrite.All",
        "SecurityRecommendation.Read.All",
        "Alert.Read.All",
        "Software.Read.All",
        "SecurityConfiguration.Read.All",
        "File.Read.All",
        "Machine.CollectForensics",
        "SecurityBaselinesAssessment.Read.All",
        "Vulnerability.Read.All",
        "Library.Manage",
        "Machine.Read.All",
        "Score.Read.All",
        "RemediationTasks.Read.All",
        "AdvancedQuery.Read.All"
      ],
      "sub": "7e34779b-d23b-43c0-9fd1-6e1433ac7390",
      "tenant_region_scope": "AS",
      "tid": "aa551af3-e811-4451-b20c-c5b84fb2845b",
      "uti": "AaYxgeKwO0KqfhJrlhFqAA",
      "ver": "1.0"
    }

When I tried to access the endpoint I got the 403 error below:

[screenshot: 403 error response]

I am using an Azure personal account. Can anyone help me in this regard? My endpoint is here.

Thanks

Durga
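The token pasted above already carries the Defender for Endpoint audience and an `Alert.Read.All` role, so the claims alone do not explain the 403. The following is an added example, not code from the question or any answer on this page: it decodes a token's payload and checks audience, validity window and the required application role, which is the first thing to rule out before looking at the API side. `QUESTION_CLAIMS` is copied from the token in the question; the header and signature used to rebuild a compact token are constructed placeholders.

```python
"""Check an access token's claims before blaming the API for a 403.

Added example, not code from the question or the answer. It decodes the JWT
payload without verifying the signature, which is fine for inspecting a token
you already hold (only the resource server must verify it). QUESTION_CLAIMS is
copied from the token pasted in the question; the header and signature used to
rebuild a compact token are constructed placeholders.
"""
import base64
import json
import time

DEFENDER_AUD = "https://api.securitycenter.microsoft.com"
GRAPH_AUD = "https://graph.microsoft.com"

# Claims quoted in the question (trimmed to the ones the checks below use).
QUESTION_CLAIMS = {
    "aud": DEFENDER_AUD,
    "iss": "https://sts.windows.net/aa551af3-e811-4451-b20c-c5b84fb2845b/",
    "iat": 1677834504,
    "nbf": 1677834504,
    "exp": 1677838404,
    "appid": "3c98fbaf-4528-4469-9228-1da89796674b",
    "appidacr": "1",
    "roles": ["Alert.Read.All", "Machine.Read.All", "AdvancedQuery.Read.All"],
    "tid": "aa551af3-e811-4451-b20c-c5b84fb2845b",
    "ver": "1.0",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Rebuild a compact JWT from a claims dict with a placeholder signature,
    so the decoder below can be exercised offline."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWS as a dict. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token(claims: dict, expected_aud: str, required_role: str, now=None) -> list:
    """Return a list of problems; an empty list means the claims are consistent
    with the call being attempted, so a 403 must come from the service side."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != expected_aud:
        problems.append(f"aud is {claims.get('aud')!r}; the call needs a token for {expected_aud!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired (exp is in the past)")
    if claims.get("nbf", 0) > now:
        problems.append("token is not yet valid (nbf is in the future)")
    if "roles" not in claims and "scp" in claims:
        problems.append("token carries delegated scopes (scp), not application roles; use client_credentials")
    if required_role not in claims.get("roles", []):
        problems.append(f"roles claim lacks {required_role!r}; add the permission and grant admin consent")
    return problems


if __name__ == "__main__":
    token = make_unsigned_token(QUESTION_CLAIMS)
    claims = decode_claims(token)
    print(json.dumps(claims, indent=2))
    # Checked at a time inside the token's validity window.
    for problem in check_token(claims, DEFENDER_AUD, "Alert.Read.All", now=1677835000) or ["claims look fine"]:
        print("-", problem)
    # The same token presented to Microsoft Graph fails on audience and role:
    for problem in check_token(claims, GRAPH_AUD, "SecurityAlert.Read.All", now=1677835000):
        print("-", problem)
```

When the list comes back empty for the audience and role the call needs, the token is not the problem and the investigation moves to the API side, which is where the answer below ends up.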

1 Answer


I tried to reproduce the same in my environment and got the results below:

I registered one Azure AD application and added API permissions as below:

[screenshot: API permissions added to the Azure AD application]

Now I generated an access token via Postman with the parameters below:

    POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
    grant_type: client_credentials
    client_id: <appID>
    client_secret: <secret>
    scope: https://api.securitycenter.microsoft.com/.default

Response:

[screenshot: token response]

Now I decoded the above access token in jwt.ms and got the roles claim with the same permissions as you, as shown below:

[screenshot: decoded token with roles claim]

When I used the above access token to call the endpoint below, I got the same error as you:

    GET https://api.securitycenter.microsoft.com/api/alerts

Response:

[screenshot: 403 error response]

Alternatively, you can make use of the MS Graph API query below to get a list of alerts:

    GET https://graph.microsoft.com/v1.0/security/alerts_v2

To run that query, you need to add SecurityAlert.Read.All to your application like this:

[screenshot: adding the SecurityAlert.Read.All application permission]

Make sure to grant admin consent to the added permission as below:

[screenshot: admin consent granted for the added permission]

Now I generated an access token by changing the scope to Microsoft Graph like below:

    POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
    grant_type: client_credentials
    client_id: <appID>
    client_secret: <secret>
    scope: https://graph.microsoft.com/.default

Response:

[screenshot: token response]

I decoded the above access token in jwt.ms and got the roles claim with the added permission like below:

[screenshot: decoded token with SecurityAlert.Read.All in the roles claim]

When I ran the query below with the above access token, I got the response successfully:

    GET https://graph.microsoft.com/v1.0/security/alerts_v2

Response:

[screenshot: alerts_v2 response]

I got an empty response as I don't have any alerts. To confirm that, you can check alerts in the Microsoft 365 Defender portal like this:

[screenshot: alerts in the Microsoft 365 Defender portal]

Reference: List alerts_v2 - Microsoft Graph v1.0

Sridevi
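The procedure in the answer, written out as an added example rather than the answer's own code: request a token with the client_credentials grant at the v2.0 token endpoint, call Graph's alerts_v2 with it, and turn a 403 into an actionable error by reading Graph's error envelope. Standard library only. The tenant ID, app ID and client secret in `main` are placeholders, and the two HTTP helpers are passed in as parameters so the flow can be exercised without network access.

```python
"""Client-credentials token for Microsoft Graph, then GET security/alerts_v2.

Added example, not code from the answer. Standard library only. The tenant ID,
app ID and client secret used under __main__ are constructed placeholders; the
HTTP helpers are passed in as parameters so the flow can be exercised without
network access.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts_v2"


def token_request(tenant_id: str, client_id: str, client_secret: str,
                  scope: str = GRAPH_SCOPE):
    """Build the POST the answer issues from Postman: (url, form-encoded body)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body


def http_post_form(url: str, body: bytes):
    """Real HTTP POST; returns (status, response text) even on 4xx/5xx."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def http_get_bearer(url: str, token: str):
    """Real HTTP GET with a bearer token; returns (status, response text)."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def acquire_token(tenant_id, client_id, client_secret, scope=GRAPH_SCOPE, post=http_post_form):
    """Run the client_credentials grant and return the bearer access token."""
    url, body = token_request(tenant_id, client_id, client_secret, scope)
    status, text = post(url, body)
    if status != 200:
        # Entra ID answers {"error": "...", "error_description": "..."} on failure.
        raise RuntimeError(f"token endpoint returned {status}: {text}")
    return json.loads(text)["access_token"]


def list_alerts(token: str, get=http_get_bearer) -> list:
    """Return the alerts_v2 'value' array, or raise with Graph's error details."""
    status, text = get(ALERTS_URL, token)
    if status == 403:
        # Graph wraps failures as {"error": {"code": ..., "message": ...}}.
        err = json.loads(text).get("error", {})
        raise PermissionError(
            f"403 {err.get('code')}: {err.get('message')}; confirm SecurityAlert.Read.All "
            f"is in the token's roles claim and admin consent was granted")
    if status != 200:
        raise RuntimeError(f"alerts_v2 returned {status}: {text}")
    return json.loads(text).get("value", [])


if __name__ == "__main__":
    # Placeholders; substitute your tenant, app registration and secret.
    token = acquire_token("<tenantID>", "<appID>", "<secret>")
    alerts = list_alerts(token)
    print(f"{len(alerts)} alert(s)")  # an empty list is a valid result, as in the answer
    for alert in alerts:
        print(alert.get("id"), alert.get("severity"), alert.get("title"))
```

Keeping the token request separate from the HTTP call makes the scope change the answer describes a one-argument difference (`scope=` pointing at `https://api.securitycenter.microsoft.com/.default` versus `https://graph.microsoft.com/.default`), and surfacing Graph's error code and message on a 403 tells you whether the rejection is about the permission or about consent before you go back to the portal.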
  • I cannot even select the API permission "WindowsDefenderATP" as shown in your very first step. There is no API section like that - not even when typing into "APIs your organization uses" (E5 license). It seems like tools using these "old" endpoints still work with all those new "Security..." permission sets of the Graph API - besides Machine.Read.All - I can't get this to work. Overall this is poorly documented and these constant renamings and reorganizations are very frustrating. – Max Power Apr 17 '23 at 21:26