KeshavKhanna
Copper Contributor
Oct 03, 2024

Shows 403 when trying to do "get"->api.security.microsoft.com/api/dataexportsettings via code

Hey folks!

I'm trying to automate creation of "data export settings" in Microsoft Defender for Endpoint. Path to find it in UI - {Endpoints > Partners and APIs > API Explorer}.

When I try to "GET" > api.security.microsoft.com/api/dataexportsettings in the UI, it works and shows me the connections configured, BUT when I try to do the same via PowerShell it shows me 403.

I have followed https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-create-app-webapp to use an application to authenticate. I have enabled all the "application" permissions in WindowsDefenderATP (count 31), but it still looks like I don't have the correct permission assigned.

Any idea what's the permission I'm missing here?

I'd appreciate any help!

3 Replies

  • Fr4nsec
    Copper Contributor

    KeshavKhanna 

    Hi,

    There are some ways to verify all this.

    If you are using an app registration, you want to use the application permissions and not delegated.

    If that is checked, maybe the issue is in the token itself. Ensure your token is correctly obtained and correctly used where you need it.

    One of the things you can do to verify the token contains what you need it to contain is transforming it into JWT. Print a token and search for the JWT tool from Microsoft. Review that all permissions are correct, the app matches yours, etc.

    With that it should be enough to make a first check. If not, show how you are using the token.

    • KeshavKhanna
      Copper Contributor

      Fr4nsec Thanks for replying.

      Below are the roles I have when I try the token on JWT. 

      All of those are "Application" permissions. Here's what I do after getting the token -

      $token = "TOKENHERE"

      $headers = @{
          'Content-Type' = 'application/json'
          Accept         = 'application/json'
          Authorization  = "Bearer $token"
      }

      $url = "https://api.security.microsoft.com/api/dataexportsettings"

      Invoke-WebRequest -Method Get -Uri $url -Headers $headers

      What I get -

      Any idea which permission I'm lacking here? Any suggestions are appreciated!

       

      • matthewjensen
        Copper Contributor

        KeshavKhanna I think it's something to do with the application not having permission to access the API. When trying to create a new export setting, I get this error: {"error":{"code":"Forbidden","message":"Application context is not allowed to access this API. Expected user context.","target":"|."}}
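
The token check suggested earlier in the thread can be done locally. The sketch below is an added example, not code from any poster or from Microsoft: it decodes the JWT payload and reports whether the token carries application permissions (`roles` claim) or delegated scopes (`scp` claim), which is the distinction the "Expected user context" error quoted above turns on. The function names, the sample token and its `Example.Read.All` role are constructed for illustration.

```powershell
# Added example: inspect an access token's claims locally (no signature validation).
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a compact JWT with three dot-separated parts.' }
    # base64url -> base64, then restore the stripped padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw 'Invalid base64url payload length.' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Get-TokenContext {
    param([Parameter(Mandatory)][string]$Token)
    $c = ConvertFrom-JwtPayload -Token $Token
    # Application permissions arrive in 'roles'; delegated scopes arrive in 'scp'.
    $context = if ($c.scp) { 'user (delegated)' } elseif ($c.roles) { 'application (app-only)' } else { 'unknown: no roles or scp claim' }
    # v1 tokens name the client 'appid'; v2 tokens use 'azp'.
    $client = if ($c.appid) { $c.appid } else { $c.azp }
    [pscustomobject]@{
        Audience   = $c.aud
        ClientId   = $client
        Context    = $context
        Roles      = @($c.roles)
        Scopes     = if ($c.scp) { $c.scp -split ' ' } else { @() }
        ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$c.exp).UtcDateTime
    }
}

# Constructed sample token (placeholder values, dummy signature) so the script runs offline.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = @{
    aud   = 'https://api.security.microsoft.com'
    appid = '00000000-0000-0000-0000-000000000000'
    roles = @('Example.Read.All')
    exp   = 1893456000
} | ConvertTo-Json -Compress
$sample = '{0}.{1}.{2}' -f (ConvertTo-Base64Url '{"typ":"JWT"}'), (ConvertTo-Base64Url $payload), 'sig'

Get-TokenContext -Token $sample | Format-List
```

Replace `$sample` with the real `$token` to see which context, audience and client ID the request is actually presenting.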

         
