Forum Widgets
Latest Discussions
Using Microsoft Graph Security API for Custom Security Automations
Hi Security Experts, I’ve recently started exploring the Microsoft Graph Security API to centralize and automate security operations across different Microsoft 365 services. The idea is to build a single automation layer that can: Collect alerts from Defender for Endpoint, Defender for Cloud, and Identity Protection; Enrich them with context (user, device, and location data); And automatically push them to an external system like Jira, n8n, or a custom SOAR workflow. I was able to authenticate and list alerts using the endpoint: “GET https://graph.microsoft.com/v1.0/security/alerts” However, I’m still trying to understand the best practices for handling rate limits, pagination, and permissions — especially when integrating continuous polling or real-time ingestion into external tools. Has anyone here implemented Graph Security API automations in production? I’d love to hear about your experiences — specifically around performance, alert filtering, and authentication (App Registration vs Managed Identity). Thanks in advance, Luca
Authenticating using ConfidentialClient
Hello, Some of our customers are unable to send out automated emails because support for basic authentication with SMTP is being removed. I am looking at finding a solution and it seems the Graph API is the recommended approach. I have manage to create a working example using `PublicClientApplicationBuilder` however, this class displays a pop-up requiring the user to sign in, since we have automated services with no user interaction, this is not a good solution. I have seen some examples using `ConfidentialClientApplicationBuilder` and this seems idea. However, I have reached multiple dead-ends and everytime receive the error: > Confidential Client flows are not available on mobile platforms or on Mac.See https://aka.ms/msal-net-confidential-availability for details. Please would someone be able to help me. Why do I recieve this error? Whatever I do, whatever project I use, WinForm, Console app and Service I always get this error. I am storing my Client, Tenant and Secret in a database table and here is my code: ``` vb Private Async Function GetAppAuthentication() As Task(Of AuthenticationResult) Dim folderAccess = BLL.L2S.SystemApplicationGateway.GetFolderAccess(mBLL_SY.ReadonlyDbContext) If folderAccess Is Nothing Then Return Nothing End If Dim app = ConfidentialClientApplicationBuilder.Create(folderAccess.Client) _ .WithClientSecret(folderAccess.Secret) _ .WithTenantId(folderAccess.Tenant) _ .Build() Dim scopes As String() = {"https://outlook.office365.com/.default"} Dim result As AuthenticationResult = Await app.AcquireTokenForClient(scopes).ExecuteAsync() Return result End Function ``` I am using .Net Framework 4.7.2, we have Windows Services and WinForms apps and both need to send out emails. The error message is very confusing to me because of course it is not a mobile app, and I have even created a UnitTest that seemingly works fine which again is very confusing to me. This is urgent as this is already causing issues for our customers. Thanks in advanc
Fetching user/riskyusers/risk_detections info in incremental approach
Hi All, Using @odata.deltaLink I am able to track changes in Microsoft Graph data for users. DeltaLink we can’t get changes related to SIGNINACTIVITY, AUTHENTICATION_METHODS_USER_REGISTRATION_DETAILS , USER_APP_ROLE_ASSIGNMENT. At present risky_users and risky_detections are not supported by delta queries. Any other approach where we can track changes apart from DeltaLink. Note: Apart from storing in DB and comparing.How to retrieve productName for incidents using Microsoft Graph API?
When using Microsoft Graph Security API, is it possible to get the productName field directly in the incident response (e.g., from /security/incidents endpoint)? Or is it only available at the alert level via /security/incidents/{id}/alerts?
Major Delay with /alerts endpoint
Hey folks, I've been seeing some significant delays with the /alerts API endpoint. Ball park range of 2-5 hours. For example, there is an alert in Azure Sentinel that fires at ~13:00 UTC (based on TimeGenerated field). Our internal process that polls for new events from /alerts every ~2-3minutes doesn't pick up this new alert until ~17:00 UTC. I know there is the /alerts_v2 endpoint, and we're working on upgrading our processes to use that - but for the time being, I'm trying to find a solution / answer to this particular endpoint. Anyone experience this or have any insights?
MS Graph Authorization issue (Status code 401) - Power Automate Flow for Copilot Studio
Hi Folks, I am trying to develop a MS Power Automate Flow that can post QMS documents information to Copilot Studio bot based on users' question. I am using 'Create text with GPT using Prompt" to extract users' intention about documents from their natural language. Then use HTTP connector to post the results to Copilot Studio bot. I have done all the steps: 1. Registered App in Azure Portal 2. Granted Sites.Selected (Read) permission to my app so that it can read the information from QMS document library in SharePoint. We only want the app permission related to subsite not the whole site. The issue I am facing is that the HTTP action is still showing unauthorized Status code 401. Could you guide me if there is something incomplete or insufficient? Many thanks. After running please see below error: Best regards, perlite77
Connect Swimlane to pull Defender for Cloud Alerts
using Swimlane to ingest our alerts from Defender for cloud, I have setup our Access with the following items: URL: https://graph.microsoft.com/v1.0/security/alerts Token URL: https://login.microsoftonline.com/tenant-ID/oauth2/v2.0/token Client ID: pulled from Registered App Client Secret: Created a New Ceretificates & secrets and added that Value Scope: https://graph.microsoft.com/.default When I run my Action to capture the "List of Alerts", I receive the following error: "reason": "Bad Request", "json_body": { "error": "invalid_request", "error_description": "AADSTS90014: The required field 'scope' is missing from the credential. Ensure that you have all the necessary parameters for the login request...." What parameters and how are those added and to which section? I'm new to API calls and not sure of the process. Appreciate your help, SergeAuditing / Configuring Defender Alerts/Rules/Emails/Notifications
Hey there! I am trying to find a way to audit (and hopefully configure!) the Defender notification emails to make sure they are configured to send to our helpdesk, so it can start our ticketing process. Short of creating a custom application, and trying to subscribe or poll manually across every tenant, the best I have found so far is manually opening these for every separate customer to try and setup the settings So starting from https://security.microsoft.com/ for each customer, going to Settings, and following the mentioned path, or navigating to the URL on the right in turn with each customer tenantID filled in Incident Notifs M365 Defender > Email Notifs > Incidents https://security.microsoft.com/securitysettings/defender/email_notifications?emailNotificationRuleType=incidents&tid=<EachCustomerTenantID> Actions M365 Defender > Email Notifs > Actions https://security.microsoft.com/securitysettings/defender/email_notifications?emailNotificationRuleType=actions&tid=<EachCustomerTenantID> Threat Analytics M365 Defender > Email Notifs > Threat Analytics https://security.microsoft.com/securitysettings/defender/email_notifications?emailNotificationRuleType=threat_analytics&tid=<EachCustomerTenantID> Alert Tuning/Suppression M365 Defender > Alert Tuning https://security.microsoft.com/securitysettings/defender/alert_suppression?tid=<EachCustomerTenantID> Endpoint Alerts Endpoints > Email Notifications > Alerts https://security.microsoft.com/securitysettings/endpoints/email_notifications?childviewid=alerts&tid=<EachCustomerTenantID> Endpoint Vulnerabilities Endpoints > Email Notifications > Vulnerabilities https://security.microsoft.com/securitysettings/endpoints/email_notifications?childviewid=vulnerabilities&tid=<EachCustomerTenantID> Identity Health Notifs Microsoft Defender for Identity > Health Issues https://security.microsoft.com/settings/identities?tabid=healthIssuesNotifications&tid=<EachCustomerTenantID> Identity Alerts Microsoft Defender for Identity > Alert https://security.microsoft.com/settings/identities?tabid=securityAlertsNotifications&tid=<EachCustomerTenantID> I can easily get Incidents or Alerts for a specific tenant, even across tenants through DAP/GDAP/CSP rights. However - rather than querying hundreds of tenants, or trying to set up WebHook subscriptions or similar for them - I was going to just start with Auditing (and possibly manually configuring) the Notification Emails and Alerts to send an email to our ticketing system that we could follow up on. However, I can't find any PowerShell commands or API where I can access these notification settings (access the actual ALERTS themselves, no problem, but not audit the actual Notification Configuration on more than an individual Alert/Incident level) The backend of security.microsoft.com uses private API endpoints like https://security.microsoft.com/apiproxy/mtp/k8s/settings/ThreatAnalyticNotificationsSettings or https://security.microsoft.com/apiproxy/mtp/k8s/cloud/public/internal/IncidentNotificationSettingsV2 as an example for Incident Notifications. The list above is the URLs that you access as the Administrator to configure these by hand, but I am hoping to find a way to get API/Programmatic/Scripted access to these values - but I cannot find any (public) API that seems to access them other than manually. Does anyone have an idea?
