Forum Discussion
Authorization and Microsoft Graph Security API
Hey Michael Shalev, thank you for the insight on API authorizations!
Are there any security implications to be wary of when granting application-level authorization for an application? Or is this merely the same authorization level as the delegated privileges, but without the need for a user sign-in?
- Michael Shalev, Nov 27, 2019, Former Employee
jyisas: There are significant security considerations when using application auth. Specifically, this will bypass role-based access control (RBAC) enforcement, which is defined and enforced at user level, i.e. when User/Delegated auth mode is used.
The recommended practice when using app-level auth would be to enforce the necessary access control in the app calling the Graph Security API.
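The app-side access control described above, as an added example that is not part of this thread or of Microsoft's own code: a small Python policy layer that checks the app's own roles and writes its own audit record before building each Graph Security API alerts request. The role names, the Caller model and the audit log are assumptions; the alert endpoints are the v1.0 ones, and the vendorInformation field on update is assumed to be required by the provider.

```python
from dataclasses import dataclass

GRAPH = "https://graph.microsoft.com/v1.0"

# Hypothetical app roles -> operations the app permits (assumed names; not a Graph concept).
ROLE_PERMISSIONS = {
    "alert-reader": {"read_alerts"},
    "alert-responder": {"read_alerts", "close_alert"},
}

# Under application auth Graph's audit trail only sees the app identity,
# so the app keeps its own record of which human asked for what.
AUDIT_LOG = []


class AccessDenied(PermissionError):
    """Raised when the app's own policy refuses a caller's request."""


@dataclass(frozen=True)
class Caller:
    name: str          # identity the app authenticated (e.g. from its own sign-in)
    roles: frozenset   # app roles assigned to that identity


def authorize(caller, operation):
    """Check the caller's app roles and record the decision either way."""
    ok = any(operation in ROLE_PERMISSIONS.get(r, ()) for r in caller.roles)
    AUDIT_LOG.append({"caller": caller.name, "operation": operation, "allowed": ok})
    if not ok:
        raise AccessDenied(f"{caller.name} may not {operation}")


def plan_read_alerts(caller, top=10):
    """Build the GET request for listing alerts, only if the caller may read them."""
    authorize(caller, "read_alerts")
    return {"method": "GET", "url": f"{GRAPH}/security/alerts?$top={int(top)}"}


def plan_close_alert(caller, alert_id, provider, vendor):
    """Build the PATCH that resolves one alert, only if the caller may close alerts."""
    authorize(caller, "close_alert")
    if not alert_id or any(c in alert_id for c in "/?#"):
        raise ValueError("alert id must be a single path segment")
    return {
        "method": "PATCH",
        "url": f"{GRAPH}/security/alerts/{alert_id}",
        # vendorInformation is assumed to be required by the alert provider on update
        "body": {"status": "resolved", "assignedTo": caller.name,
                 "vendorInformation": {"provider": provider, "vendor": vendor}},
    }
```

The returned dicts are the requests the app would send with its application token; nothing here talks to the network, so the policy can be unit-tested offline.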
- adcar76, Mar 31, 2020, Copper Contributor
It's unfortunate that there is no option to use the "Security Operator" role just for the implementation use cases where there is only the requirement to read and update (e.g. close) MS Graph Security API security alerts under a delegated permissions scenario. In that case the only option available seems to require the "Security Admin" role to be assigned. At the same time there are also challenges with monitoring and alerting options if we use app-level auth.