Forum Discussion
AndrewX
Feb 09, 2019
Iron Contributor
403 Forbidden response when requesting Microsoft Security Graph API
Hello, I am developing a Node.js app and running into HTTP 403 when calling the https://graph.microsoft.com/v1.0/security/alerts endpoint.
I have assigned myself and my app the `security reader` and `security admin` roles. I have delegated api permission to the azure ad app `SecurityEvents.Read.All`.
I can call https://graph.microsoft.com/v1.0/security/alerts using the Graph Explorer no problem, but in my own app, I simply get 403.
I have consented to the popup when it was displayed the first time I signed in and called the Graph.
For testing, I can successfully call other endpoints, like
What am I missing?
- Edward Koval
Microsoft
Hi AndrewX,
You may have changed your API permissions after giving your application admin consent. When you give admin consent, Azure AD will take a "snapshot" of the permissions at the time of consent. Then if you change the permissions later, you will need to re-do the admin consent process.
Try typing
https://login.microsoftonline.com/common/adminconsent?client_id={YOUR-APP-ID}
into your browser window to prompt the admin consent for your application again. For more details refer to Permissions and consent in the Azure Active Directory v2.0 endpoint.
If this doesn't resolve your issue, feel free to send me a private message.
Thanks,
Edward
- sssaang
Copper Contributor
Hi Edward,
I recently implemented MS OAuth into the login system of my application.
The thing is when my server sends a request to https://graph.microsoft.com/v1.0/me with an access_token, it throws 403: Forbidden error.
What I have figured out so far is that the access token is valid, as I checked in www.jwt.ms, and it seems that the error is thrown only when a user's account is a school-associated Microsoft account. (I myself tried logging in through my school account and it failed, but other personal accounts worked just fine.) I would appreciate your insights regarding this issue.
- Seeker621
Copper Contributor
Hey sssaang, I figured this out. The reason why you're getting a 403 is that the organization (your school) has not granted consent to your application. So there are likely 3 MSFT Graph APIs that require administrator consent: Sign users in, View users' basic profile, and Maintain access to your data. My guess is that they're all delegated to the admin role to consent.
So likely you need to open up a ticket with whoever manages that Azure AD/Office 365 account and ask them to "Grant Admin Consent for <YOUR_APP> to everyone."
TL;DR there's nothing wrong with your app, it's the school/org that needs to allow it.
I hope this helps.
- anotherrohitCopper Contributor
Edward Koval I got the error post login when trying the OIDC example for ADAL https://github.com/Azure-Samples/active-directory-java-webapp-openidconnect/tree/master
Any idea where I can change the permissions for my app?
- Chi_Nguyen
Microsoft
anotherrohit The repo has been archived and that is for Graph API, which may be different from Graph Security API. You can also check out our Graph Security API's Quickstart samples that have authentication examples in C#, Python, Nodejs. Let us know if you still run into the issue.
- Kevin BlumenfeldCopper Contributor
I too am getting 403 using PowerShell while taking the same steps. The same code works for other applications, such as fetching email from exchange mailbox folders
$Headers = @{"Authorization" = "Bearer $Token"}
$RestSplat = @{
    Uri         = $Uri   # endpoint URI redacted by the poster; $Uri is a placeholder
    Headers     = $Headers
    Method      = 'Get'
    ContentType = 'application/json'
}
Invoke-RestMethod @RestSplat
... a bit redacted but you get the gist.
EDIT: Granting Application Permissions instead of Delegated Permissions enabled me to return data. Again, this is for Secure Score, but worth noting.
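Both Edward's consent-snapshot explanation and Kevin's delegated-versus-application observation come down to what the access token actually carries. The following Node.js snippet is an added example, not code from this thread or from Microsoft: it decodes a Graph access token (as www.jwt.ms does) and reports whether the permission needed for /security/alerts is present in the delegated `scp` claim or the application `roles` claim, so a 403 can be explained before the request is sent. The sample tokens are constructed and unsigned; the claim names and the Graph audience values are assumptions based on standard Azure AD token contents.

```javascript
// Added example (not from the thread): explain a Graph 403 from token claims.
// Delegated permissions appear in the "scp" claim (space-separated string);
// application permissions appear in the "roles" claim (array).
// The Microsoft Graph audience may be its URL or its well-known app id.
const GRAPH_AUDIENCES = ['https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000'];

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  // base64url -> base64; Node tolerates the missing padding
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Returns { ok, kind, reason } for a required permission such as 'SecurityEvents.Read.All'.
function checkGraphPermission(token, required) {
  const claims = decodeJwtPayload(token);
  if (!GRAPH_AUDIENCES.includes(String(claims.aud || ''))) {
    return { ok: false, kind: null, reason: `audience ${claims.aud} is not Microsoft Graph` };
  }
  const scp = (claims.scp || '').split(' ').filter(Boolean);    // delegated
  const roles = Array.isArray(claims.roles) ? claims.roles : []; // application
  if (scp.includes(required)) return { ok: true, kind: 'delegated', reason: `scp contains ${required}` };
  if (roles.includes(required)) return { ok: true, kind: 'application', reason: `roles contains ${required}` };
  const kind = scp.length ? 'delegated' : (roles.length ? 'application' : null);
  return {
    ok: false,
    kind,
    reason: `${required} missing; token grants only [${[...scp, ...roles].join(', ')}]. ` +
            'Re-run admin consent or grant the permission in the app registration.',
  };
}

// Constructed, unsigned sample tokens: only the payload matters for this check.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig`;
}

const delegatedWithoutSecurity = makeSampleToken({ aud: 'https://graph.microsoft.com', scp: 'User.Read Mail.Read' });
const appWithSecurity = makeSampleToken({ aud: 'https://graph.microsoft.com', roles: ['SecurityEvents.Read.All'] });

console.log(checkGraphPermission(delegatedWithoutSecurity, 'SecurityEvents.Read.All'));
console.log(checkGraphPermission(appWithSecurity, 'SecurityEvents.Read.All'));
```

A token that passes this check can still be refused if the signed-in user lacks the Security Reader or Security Administrator directory role, so treat a missing claim as the first thing to rule out, not the only one.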