Trying to build a client-side app using the Microsoft Graph Security API.
We've made the grants in the Azure Portal, granted Admin Consent, and the JWT is showing the scopes are present (snippet below):
"scp": "Calendars.Read MailboxSettings.Read offline_access People.Read profile SecurityEvents.Read.All SecurityEvents.ReadWrite.All User.Read User.Read.All",
Here's how we're requesting the token:
// acquire token for ms graph. the service we're acquiring a token for
// should be the same service we call in the ajax request below
authContext.acquireToken('https://graph.microsoft.com', (error, token) => {
// Handle ADAL Error
if (error || !token) {
printErrorMessage('ADAL Error Occurred: ' + error);
return;
}
this.token = token; //update our data with the token
});
But when we hit the endpoint with a web call, we're still getting a 403
with no data returned:
$.ajax({
type: "GET",
url: "https://graph.microsoft.com/v1.0/security/alerts",
headers: {
'Authorization': 'Bearer ' + this.token,
}
}).done(async (data) => {
console.log(data);
}).fail(() => {
console.log('Error getting top 10 people!');
});
And here's the underlying error (via Postman):
{
"error": {
"code": "UnknownError",
"message": "Auth token does not contain valid permissions or user does not have valid roles.",
"innerError": {
"request-id": "6411dbc9-eebb-4522-b789-62ab5f754d0c",
"date": "2019-04-23T15:17:12"
}
}
}
Edit: The user accessing the app has the "Security reader" Directory role attached.
Any assistance would be GREATLY appreciated. :)
It looks like your app has the correct scopes, but the user that is requesting alerts from the Microsoft Graph Security API does not have a
Security reader
role in Azure AD.To add roles to users, sign in to Azure portal as the tenant admin then select the
Azure Active Directory
blade >Users
> select the name of the user >Directory Role
> and then selectAdd role
.Once the user has access to read security information, they should be able to receive alerts through the Microsoft Graph Security API.
Source: https://learn.microsoft.com/graph/security-authorization#assign-azure-ad-roles-to-users