Graph Security endpoint throwing an HTTP 403 with ADALJS


Trying to build a client-side app using the Microsoft Graph Security API.

We've made the grants in the Azure Portal, granted Admin Consent, and the JWT is showing the scopes are present (snippet below):

"scp": "Calendars.Read MailboxSettings.Read offline_access People.Read profile SecurityEvents.Read.All SecurityEvents.ReadWrite.All User.Read User.Read.All",

Here's how we're requesting the token:

// acquire token for ms graph. the resource we're acquiring a token for
// must be the same resource we call in the ajax request below.
// ADAL.js hands the callback (errorDesc, token, error); on failure
// errorDesc is set and token is null.
authContext.acquireToken('https://graph.microsoft.com', (errorDesc, token, error) => {
    // Handle ADAL Error
    if (errorDesc || !token) {
        printErrorMessage('ADAL Error Occurred: ' + errorDesc + ' (' + error + ')');
        return;
    }

    this.token = token; // update our data with the token; the ajax call below must run after this
});

But when we hit the endpoint with a web call, we're still getting a 403 with no data returned:

$.ajax({
    type: "GET",
    url: "https://graph.microsoft.com/v1.0/security/alerts",
    headers: {
        'Authorization': 'Bearer ' + this.token,
    }
}).done((data) => {
    console.log(data);
}).fail((xhr) => {
    // log the HTTP status and Graph's error body rather than a generic message
    console.log('Error getting security alerts: HTTP ' + xhr.status, xhr.responseJSON);
});

And here's the underlying error (via Postman):

{
  "error": {
    "code": "UnknownError",
    "message": "Auth token does not contain valid permissions or user does not have valid roles.",
    "innerError": {
      "request-id": "6411dbc9-eebb-4522-b789-62ab5f754d0c",
      "date": "2019-04-23T15:17:12"
    }
  }
}

Edit: The user accessing the app has the "Security reader" Directory role attached.


Any assistance would be GREATLY appreciated. :)

There are 2 best solutions below

It looks like your app has the correct scopes, but the user that is requesting alerts from the Microsoft Graph Security API does not have a Security reader role in Azure AD.

To add roles to users, sign in to Azure portal as the tenant admin then select the Azure Active Directory blade > Users > select the name of the user > Directory Role > and then select Add role.

Once the user has access to read security information, they should be able to receive alerts through the Microsoft Graph Security API.

Source: https://learn.microsoft.com/graph/security-authorization#assign-azure-ad-roles-to-users


I’ve been working behind-the-scenes with some MS DEV resources, and we believe we’ve tracked down why this doesn’t work.

Taken from an email:

The implicit grant through AAD uses response_mode=fragment by default. Once the response mode is changed to response_mode=form_post, the id token, and access token if requested, are sent as a POST request and contain the wids claim, which allows the Graph API security endpoints to be used.

The workaround proposed there was to basically build a server-side app that would catch the POST request that would have the roles, then use that to call the Graph Security API.

This works, but basically means implicit-flow client-side apps are essentially incompatible with the Graph Security API. Super frustrating and extremely difficult to track down from the documentation.

Hopefully there is some other mechanism MS can come up with.
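The two answers point at different claims in the same token: the first at the user's directory role, the second at the wids claim that the implicit grant with response_mode=fragment leaves out. The following diagnostic is an added example, not code from the original question or from either answer. It decodes the payload of a Graph access token and reports which of those claims is missing before the call to /v1.0/security/alerts is made. It assumes the Security Reader role template ID shown (taken from the Azure AD built-in roles list; verify it against the current docs), it does not verify the token signature (Graph does that; this is for debugging only), and the sample tokens it runs on are constructed and unsigned, not real tokens.

```javascript
// Added diagnostic example, not code from the original post or answers.
// Decodes a Graph access token's payload and reports which claims the two
// answers point at (scp scopes, wids directory roles) are missing.
// Signatures are NOT verified here: this is client-side debugging only;
// authorization is enforced by Graph, never by this check.

// Assumed: Security Reader role template ID as listed in the Azure AD
// built-in roles documentation. Verify against the current docs.
const SECURITY_READER_ROLE_ID = "5d6b6bb7-de71-4623-b4af-96380a352509";
const GRAPH_AUDIENCE = "https://graph.microsoft.com";
const ALERT_SCOPES = ["SecurityEvents.Read.All", "SecurityEvents.ReadWrite.All"];

// JWT segments are base64url without padding; restore standard base64 first.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return typeof Buffer !== "undefined"
    ? Buffer.from(padded, "base64").toString("utf8")
    : atob(padded); // browser fallback, fine for ASCII payloads
}

function base64UrlEncode(str) {
  const b64 = typeof Buffer !== "undefined"
    ? Buffer.from(str, "utf8").toString("base64")
    : btoa(str);
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("expected a compact JWS (header.payload.signature)");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Inspect a token and explain why GET /v1.0/security/alerts may answer 403.
function diagnoseSecurityToken(jwt) {
  const claims = decodeJwtPayload(jwt);
  const scopes = typeof claims.scp === "string" ? claims.scp.split(" ").filter(Boolean) : [];
  const roles = Array.isArray(claims.wids) ? claims.wids : [];
  const problems = [];
  if (claims.aud !== GRAPH_AUDIENCE) {
    problems.push(`aud is ${claims.aud}; token was not issued for ${GRAPH_AUDIENCE}`);
  }
  if (!scopes.some((s) => ALERT_SCOPES.includes(s))) {
    problems.push(`scp lacks ${ALERT_SCOPES.join(" or ")}`);
  }
  if (roles.length === 0) {
    problems.push("no wids claim: token carries no directory roles (seen with implicit grant, response_mode=fragment)");
  } else if (!roles.includes(SECURITY_READER_ROLE_ID)) {
    problems.push("wids present but does not include the Security Reader role");
  }
  return { ok: problems.length === 0, scopes, roles, problems };
}

// Constructed, unsigned test tokens with a fake signature (example only).
function makeTestToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ typ: "JWT", alg: "RS256" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.fakesignature`;
}

// The scp value quoted in the question.
const SCP_FROM_QUESTION =
  "Calendars.Read MailboxSettings.Read offline_access People.Read profile " +
  "SecurityEvents.Read.All SecurityEvents.ReadWrite.All User.Read User.Read.All";

// Mirrors the question: correct scopes, but no wids claim at all.
const TOKEN_WITHOUT_WIDS = makeTestToken({ aud: GRAPH_AUDIENCE, scp: SCP_FROM_QUESTION });

// What a token for a Security Reader user would carry once wids is present.
const TOKEN_WITH_WIDS = makeTestToken({
  aud: GRAPH_AUDIENCE,
  scp: SCP_FROM_QUESTION,
  wids: [SECURITY_READER_ROLE_ID],
});

// Call this from the ajax .fail() handler when the status is 403.
function explain403(jwt) {
  const d = diagnoseSecurityToken(jwt);
  return d.ok
    ? "token looks sufficient; check the user's role assignment in the tenant"
    : d.problems.join("; ");
}

console.log(explain403(TOKEN_WITHOUT_WIDS));
console.log(explain403(TOKEN_WITH_WIDS));
```

In the question's .fail() handler, explain403(this.token) names the missing claim instead of a generic message. Decoding a token for diagnostics is fine; never turn the decoded claims into an authorization decision on the client, and never log real tokens.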