Forum Discussion
API - Vulnerabilities.read.all and Score.Read.All
Trying to leverage defender metrics for management reporting (things like ExposureScore, SecureScore, etc. I'm interested in absolutely everything to get the right PowerBI dashboard)
When assigning (for example) Vulnerabilities.read.all and Score.Read.All and granting admin consent, these aren't actually getting pulled through to the jwt token.
And then using Postman combined with jwt.ms to view the token
So what gives? Where did those permissions go? I thought it might be propagation so I have now given it 5 days in total. Is it that these APIs just aren't accessible despite the Microsoft documentation like: https://learn.microsoft.com/en-us/defender-endpoint/api/get-all-vulnerabilities
I am fully licensed (albeit trials). It seems that Graph API (e.g.) https://graph.microsoft.com/v1.0/security/secureScores is very friendly to my needs whereas https://api.security.microsoft.com/api/exposureScore does not allow my app registration access even when permissions are there...
1 Reply
- keyboardWarrior (Copper Contributor)
Hi, I was also struggling for hours figuring out what is happening. Apparently, the documentation from Microsoft, as of 13.08.2025, is either wrong or obsolete. In my case, I was trying to get the Exposure Score from WindowsDefenderATP. In the app registration, API permission for Score.ReadAll is granted.
As per the API documentation page, to get the exposure score, I have to use the request as
GET https://api.security.microsoft.com/api/exposureScore
But after hours of toil I found that the API endpoint to use is
GET https://api.securitycenter.microsoft.com/api/exposureScore
Same with scope: instead of "https://api.security.microsoft.com/.default", we should use "https://api.securitycenter.microsoft.com/.default"
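
The check both posts do by eye in jwt.ms, as an added example that is not part of the original thread: decode the access token's payload and compare its `aud` and `roles` claims with the API host about to be called. The function names and the sample tokens are constructed for illustration, and the sketch assumes `aud` is issued as the resource URL.

```python
import base64
import json
from urllib.parse import urlsplit

def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token: str, api_url: str, required_roles: list) -> list:
    """Compare the token's aud and roles claims with the API about to be called."""
    claims = decode_claims(token)
    findings = []
    aud = str(claims.get("aud", ""))
    aud_host = urlsplit(aud).hostname
    api_host = urlsplit(api_url).hostname
    if aud_host is None:
        findings.append(f"aud {aud!r} is not a URL; compare it with the resource by hand")
    elif aud_host != api_host:
        findings.append(f"aud host {aud_host} does not match API host {api_host}")
    granted = {r.lower() for r in claims.get("roles", [])}
    for role in required_roles:
        if role.lower() not in granted:
            findings.append(f"role {role} missing from roles claim")
    return findings

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none", "typ": "JWT"}), b64(claims), "sig"])

# Constructed claims: a token requested for Graph, then sent to the Defender API.
GRAPH_TOKEN = make_sample_token({"aud": "https://graph.microsoft.com",
                                 "roles": ["SecurityEvents.Read.All"]})
# Constructed claims: a token requested with the scope from the reply above.
DEFENDER_TOKEN = make_sample_token({"aud": "https://api.securitycenter.microsoft.com",
                                    "roles": ["Score.Read.All"]})
API = "https://api.securitycenter.microsoft.com/api/exposureScore"

if __name__ == "__main__":
    for name, tok in (("graph", GRAPH_TOKEN), ("defender", DEFENDER_TOKEN)):
        print(name, diagnose(tok, API, ["Score.Read.All"]) or "ok")
```

An empty list means the token was issued for the host being called and carries the expected role; the payload is decoded without signature verification, so this is for troubleshooting a token you requested yourself, not for authorizing requests.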