Forum Discussion
Authorization and Microsoft Graph Security API
Hi,
I'm trying to access the secure score endpoint via my app. The app and user have the required permissions as per this post, however, I am still getting a 403 when attempting to call any of the security endpoints. The app is able to successfully call other graph endpoints.
Is it possible to get more info about exactly why access is denied? The response body just states that the token or user do not have required permissions. An example request id is: "b58137f1-37ea-40fb-93bb-20497b922df6".
The same user is able to make requests to the endpoint just fine using the Graph Explorer app. I have also compared the token permissions in the scp claim and given my app (and token) identical permissions but still, I get 403!
Have been struggling with this for some time now. Seemingly everything is configured correctly. Anything to shed some more light on exactly what is required would be greatly appreciated.
Thanks,
Matt
- Michael Shalev, Oct 15, 2018, Former Employee
Hi Matt,
To access SecureScore, you need to meet the product's Role-Based Access Control (RBAC) - in this case to belong to one of the groups listed below - broken out into Read access and Write access:
(for convenience, listing both required Graph Scopes and AAD Roles):
Read:
Scopes
- GraphPermissions.SecurityEventsReadAllScope
Roles
- AadRoles.ExchangeServiceAdministratorRole
- AadRoles.SharePointServiceAdministratorRole
- AadRoles.HelpdeskAdministratorRole
- AadRoles.UserAccountAdministratorRole
- AadRoles.ServiceSupportAdministratorRole
- AadRoles.SecurityReaderRole
- AadRoles.SecurityAdministratorRole
- AadRoles.CompanyAdministratorRole
Write (Patch):
Scopes:
- GraphPermissions.SecurityEventsReadWriteAllScope
Roles:
- AadRoles.SecurityAdministratorRole
- AadRoles.ExchangeServiceAdministratorRole
- AadRoles.SharePointServiceAdministratorRole
- AadRoles.CompanyAdministratorRole
Hope this helps - great if you could confirm after applying the above
Michael
- Matt Amphlett, Oct 15, 2018, Copper Contributor
Hi Michael,
Thanks very much for coming back to me.
So the user and the app appear to have the appropriate roles/permissions. I even went so far as granting the app all possible permissions and giving the user all possible roles. I have created new test users and new app registrations and tried many other things. Still, I'm getting a 403.
This makes me think it's somehow not a problem with permissions but some other configuration issue with the app, AD or tenant. I'm using our company's sandbox tenant, so other engineers are always playing with the config. I plan on trying it out on a different tenant once one becomes available to me.
Are you aware of any configuration other than permissions or roles which might cause a 403 response from this endpoint?
Thanks again.
Matt
Edit 16 Oct '18:
So I have tried another tenant and am facing the same issue...
I think it must be a problem with the configuration of my app since all the users I have tried have access to the secure score via other means (Web portal and Graph explorer app).
The app is a JS SPA using the MSAL-Angular library and the implicit auth flow. The MSAL config is as follows:

    consentScopes: [
        'User.Read',
        'SecurityEvents.Read.All'
    ],
    protectedResourceMap: [
        [
            'https://graph.microsoft.com/beta/organization',
            ['User.Read']
        ],
        [
            'https://graph.microsoft.com/beta/security/secureScores',
            ['SecurityEvents.Read.All']
        ]
    ]

I have tried many other configurations but this is the simplest I believe should work.
Any ideas what I might be doing wrong?
Thanks again.
Matt