youknowme
Copper Contributor
Dec 13, 2024

Microsoft Defender Vulnerability Management Trial API access error

I enrolled in the Microsoft Defender Vulnerability Management Trial standalone. Registered an app in my tenant. Granted all the permissions under WindowsDefenderATP for the app. Then I tried getting a token using the following:

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=<CLIENT_ID>" -d "client_secret=<CLIENT_SECRET>" -d "scope=https://api.securitycenter.microsoft.com/.default" -d "grant_type=client_credentials" "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token"


JWT token

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "zxeg2WONpTkwN5GmeYcuTdtC6J0",
  "kid": "zxeg2WONpTkwN5GmeYcuTdtC6J0"
}.{
  "aud": "https://api.securitycenter.microsoft.com",
  "iss": "https://sts.windows.net/bfd56b27-9b4a-4137-9327-688be945eb6d/",
  "iat": 1734046366,
  "nbf": 1734046366,
  "exp": 1734050266,
  "aio": "k2BgYBBuZZgz0Z/xBc9yZoNOo6ctAA==",
  "app_displayname": "VulnMgmt-Single",
  "appid": "d0657b55-c822-46e9-bf1b-04af2f998df0",
  "appidacr": "1",
  "idp": "https://sts.windows.net/bfd56b27-9b4a-4137-9327-688be945eb6d/",
  "idtyp": "app",
  "oid": "2bb8ece7-d8fa-4bc7-a9ee-c8ff7af9c621",
  "rh": "1.AWEBJ2vVv0qbN0GTJ2iL6UXrbWUEePwXINRAoMUwcCJHG5JiAQBhAQ.",
  "roles": [
    "Machine.Isolate",
    "Event.Write",
    "SecurityConfiguration.ReadWrite.All",
    "IntegrationConfiguration.ReadWrite",
    "Machine.Scan",
    "Ip.Read.All",
    "User.Read.All",
    "Machine.ReadWrite.All",
    "Machine.LiveResponse",
    "SecurityRecommendation.Read.All",
    "Machine.RestrictExecution",
    "Machine.StopAndQuarantine",
    "Alert.Read.All",
    "Software.Read.All",
    "SecurityConfiguration.Read.All",
    "File.Read.All",
    "Machine.CollectForensics",
    "Machine.Offboard",
    "SecurityBaselinesAssessment.Read.All",
    "Vulnerability.Read.All",
    "Library.Manage",
    "Machine.Read.All",
    "Score.Read.All",
    "RemediationTasks.Read.All",
    "Alert.ReadWrite.All",
    "AdvancedQuery.Read.All"
  ],
  "sub": "2bb8ece7-d8fa-4bc7-a9ee-c8ff7af9c621",
  "tenant_region_scope": "NA",
  "tid": "bfd56b27-9b4a-4137-9327-688be945eb6d",
  "uti": "FDXfroIpB0eXj3A4PrY7AA",
  "ver": "1.0",
  "xms_idrel": "14 7"
}.[Signature]


I tried the token to get the machines and vulnerabilities. For all APIs,

{
  "error": {
    "code": "Unauthorized",
    "message": "Unauthorized request - reason of failure: Account mode is inactive",
    "target": "|be73530f-4500fd647a8fd1b9."
  }
}

I get the same error:

"Unauthorized request - reason of failure: Account mode is inactive."

I tried the health check API: 

https://api.securitycenter.microsoft.com/api/health

It's working (200).


I can see the vulnerabilities and the devices I onboarded in the Vulnerability Management portal. I can also access the API explorer and hit some APIs successfully (like vulnerabilities and software, though I get the same error while getting the machine list and alerts, etc.). But the APIs always give this error.

I have verified that Microsoft Defender Vulnerability Management Trial is Active in Microsoft 365 portal.

I also tried switching the token URL to api.security instead of the security center. Not working.

Any help is greatly appreciated.
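The following diagnostic script is an added example and is not part of the original post or of any Microsoft tooling. It reproduces the post's client-credentials flow against the same token endpoint and scope, decodes the returned JWT locally (without signature verification, which is fine only for inspecting a token you just minted yourself), checks the claims that matter for this API (aud, idtyp, exp/nbf, application roles), and pulls the "reason of failure" text out of a 401 body so the token-side problems can be separated from service-side ones. The tenant, client id and secret are placeholders; the sample token and error body are constructed inline, with placeholder ids and the timestamps and message from the post, so the offline walkthrough runs without network access.

```python
"""Client-credentials token diagnostics for the Defender for Endpoint /
Vulnerability Management API (added example, not from the original post)."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
API_BASE = "https://api.securitycenter.microsoft.com"
EXPECTED_AUD = API_BASE  # the aud claim shown in the post is exactly this string


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.
    Only for inspecting a token you just received from the STS yourself;
    never use this to accept tokens presented by a caller."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(claims: dict, required_roles, now=None) -> list:
    """Return human-readable findings about the token. An empty list means the
    token itself is usable for this API, so a 401 must be a service-side state
    (for example a licensing/provisioning message in the error body)."""
    now = time.time() if now is None else now
    findings = []
    if claims.get("aud") != EXPECTED_AUD:
        findings.append(f"aud is {claims.get('aud')!r}, expected {EXPECTED_AUD!r}")
    if claims.get("idtyp") != "app":
        findings.append("idtyp is not 'app': not an application-only token")
    if now >= claims.get("exp", 0):
        findings.append("token is expired")
    if now < claims.get("nbf", 0):
        findings.append("token is not yet valid (nbf in the future)")
    missing = sorted(set(required_roles) - set(claims.get("roles", [])))
    if missing:
        findings.append("missing application roles: " + ", ".join(missing))
    return findings


def failure_reason(body: bytes) -> Optional[str]:
    """Extract the text after 'reason of failure:' from a Defender API error body."""
    try:
        msg = json.loads(body)["error"]["message"]
    except (ValueError, KeyError, TypeError):
        return None
    marker = "reason of failure:"
    idx = msg.find(marker)
    return msg[idx + len(marker):].strip().rstrip(".") if idx >= 0 else None


def request_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Same request as the curl command in the post, via urllib (network)."""
    data = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": EXPECTED_AUD + "/.default",
        "grant_type": "client_credentials",
    }).encode()
    with urllib.request.urlopen(TOKEN_URL.format(tenant=tenant), data=data) as resp:
        return json.load(resp)["access_token"]


def call_api(token: str, path: str):
    """GET an API path; return (status, body). 4xx bodies are returned, not raised,
    so the error JSON can be inspected with failure_reason()."""
    req = urllib.request.Request(API_BASE + path,
                                 headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"typ": "JWT", "alg": "RS256"}) + "." + enc(claims) + ".placeholder-sig"


# Constructed sample claims: same shape as the post's token, placeholder ids.
SAMPLE_CLAIMS = {
    "aud": "https://api.securitycenter.microsoft.com",
    "iss": "https://sts.windows.net/<TENANT_ID>/",
    "iat": 1734046366, "nbf": 1734046366, "exp": 1734050266,
    "appid": "<CLIENT_ID>", "idtyp": "app", "tid": "<TENANT_ID>",
    "roles": ["Machine.Read.All", "Vulnerability.Read.All", "Software.Read.All"],
}
# Constructed error body carrying the message quoted in the post.
SAMPLE_ERROR_BODY = json.dumps({"error": {
    "code": "Unauthorized",
    "message": "Unauthorized request - reason of failure: Account mode is inactive",
    "target": "<REQUEST_ID>"}}).encode()

if __name__ == "__main__":
    # Offline walkthrough. For a live check, replace the sample token with
    # request_token("<TENANT_ID>", "<CLIENT_ID>", "<CLIENT_SECRET>") and
    # inspect call_api(token, "/api/health") and call_api(token, "/api/machines").
    claims = decode_jwt_claims(make_sample_token(SAMPLE_CLAIMS))
    print("token findings:", check_token(claims, ["Machine.Read.All"], now=1734046400))
    print("service reason:", failure_reason(SAMPLE_ERROR_BODY))
```

When `check_token` returns no findings for a freshly issued token (correct aud, `idtyp` of `app`, the needed roles present, not expired) and `/api/health` answers 200 while data endpoints return 401 with a reason string, the problem is not in the app registration or the request; the reason string is the thing to take to support or to compare against the tenant's licensing state.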
