Forum Discussion

AndrewX's avatar
AndrewX
Iron Contributor
Feb 09, 2019
Solved

403 Forbidden response when requesting Microsoft Security Graph API

Hello, i am developing an app, nodejs, and running into http 403 when calling the https://graph.microsoft.com/v1.0/security/alerts endpoint.   I have assigned myself and my app the `security reader...
  • Kevin Blumenfeld's avatar
    Kevin Blumenfeld
    Feb 23, 2019

    I too am getting 403 using PowerShell while taking the same steps.  The same code works for other applications, such as fetching email from exchange mailbox folders

     


    $Headers = @{
    "Authorization" = "Bearer $Token"
    }

    $RestSplat = @{
    Uri = 'https://graph.microsoft.com/beta/security/secureScores?$top=5'
    Headers = $Headers
    Method = 'Get'
    ContentType = 'application/json'
    }
     
    Invoke-RestMethod @RestSplat
     
    ... a bit redacted but you get the gist
     
    EDIT: Granting Application Permissions instead of Delegate Permissions enabled me to return data
    again this is for Secure Score but worth noting
sssaang's avatar
sssaang
Copper Contributor
Jan 20, 2021

Hi Ediward, 

I recently implemented MS OAuth into the login system of my application.

The thing is when my server sends a request to https://graph.microsoft.com/v1.0/me with an access_token, it throws 403: Forbidden error.
What I have figured out so far is that the access token is valid as I checked in http://www.jwt.ms and it seems that the error is thrown only when a user's account is a school associated Microsoft account. (I myself tried logging in through my school account and it failed but other personal accounts worked just fine)

I would appreciate your insights regard this issue

Edward Koval 

Seeker621's avatar
Seeker621
Copper Contributor
Jun 06, 2021
Hey sssaang I figured this out. The reason why you're getting a 403 is that the organization (your school) has not granted consent to your application. So there are likely 3 MSFT Graph APIs that required administrator consent: Sign users in, View user' basic profile, and maintain access to your data. My guess is that they're all delegated to the admin role to consent.

So likely you need to open up a ticket with whoever manages that Azure AD/Office 365 account and ask them to "Grant Admin Consent for <YOUR_APP> to everyone.

TL;DR there's nothing wrong with your app, it's the school/org that needs to allow it.

I hope this helps.

Resources