Forum Discussion
Authorization and Microsoft Graph Security API
Hi Matt,
To access SecureScore, you need to meet the product's Role-Based Access Control (RBAC) requirements - in this case, to belong to one of the groups listed below, broken out into Read access and Write access:
(for convenience, listing both required Graph Scopes and AAD Roles):
Read:
Scopes
- GraphPermissions.SecurityEventsReadAllScope
Roles
- AadRoles.ExchangeServiceAdministratorRole
- AadRoles.SharePointServiceAdministratorRole
- AadRoles.HelpdeskAdministratorRole
- AadRoles.UserAccountAdministratorRole
- AadRoles.ServiceSupportAdministratorRole
- AadRoles.SecurityReaderRole
- AadRoles.SecurityAdministratorRole
- AadRoles.CompanyAdministratorRole
Write (Patch):
Scopes:
- GraphPermissions.SecurityEventsReadWriteAllScope
Roles:
- AadRoles.SecurityAdministratorRole
- AadRoles.ExchangeServiceAdministratorRole
- AadRoles.SharePointServiceAdministratorRole
- AadRoles.CompanyAdministratorRole
Hope this helps - great if you could confirm after applying the above
Michael
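A quick way to tell whether a 403 comes from the permission lists above or from something else is to look at what the access token actually carries before it is sent to Graph. The following is an added example, not code from either poster: it decodes a Graph access token and checks the audience and the scope claims against the SecureScore scope names from the reply above. Delegated (user) tokens list granted scopes in the space-separated `scp` claim; application (client-credentials) tokens list application permissions in the `roles` array. The tokens in the block are constructed, unsigned samples with a dummy signature segment so the example runs offline; the audience GUID is Microsoft Graph's well-known application ID, which some tokens carry instead of the URL. In a real SPA you would pass the string returned by MSAL's token acquisition instead.

```javascript
// Added example (not from the thread): decode a Microsoft Graph access token
// and check whether it carries a scope that the SecureScore endpoint accepts,
// using the scope names listed in the reply above. Node.js; no dependencies.

// Scopes that unlock read vs. write (PATCH) on /security/secureScores, per the reply above.
const READ_SCOPES = ['SecurityEvents.Read.All', 'SecurityEvents.ReadWrite.All'];
const WRITE_SCOPES = ['SecurityEvents.ReadWrite.All'];
// Graph tokens carry either the resource URL or Graph's well-known application ID as 'aud'.
const GRAPH_AUDIENCES = ['https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000'];

function base64UrlDecode(part) {
  // JWT segments are base64url without padding; convert to standard base64 for Buffer.
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact token (expected header.payload.signature)');
  // Signature is deliberately not verified here: this is client-side triage of what was
  // requested, not validation. Graph validates the signature on its side.
  return { header: JSON.parse(base64UrlDecode(parts[0])), payload: JSON.parse(base64UrlDecode(parts[1])) };
}

// Delegated tokens carry 'scp' (space-separated string); application tokens carry 'roles' (array).
function grantedPermissions(payload) {
  const delegated = typeof payload.scp === 'string' ? payload.scp.split(' ').filter(Boolean) : [];
  const application = Array.isArray(payload.roles) ? payload.roles : [];
  return { delegated, application };
}

// Returns { ok, flow, matched, problems } describing whether this token should be
// accepted for a read (default) or write (wantWrite = true) call to secureScores.
function checkSecureScoreAccess(token, wantWrite = false) {
  const { payload } = decodeJwt(token);
  const perms = grantedPermissions(payload);
  const all = [...perms.delegated, ...perms.application];
  const needed = wantWrite ? WRITE_SCOPES : READ_SCOPES;
  const problems = [];

  if (!GRAPH_AUDIENCES.includes(payload.aud)) {
    problems.push(`aud is ${payload.aud}; token was not issued for Microsoft Graph`);
  }
  const matched = needed.filter(s => all.includes(s));
  if (matched.length === 0) {
    problems.push(`no ${wantWrite ? 'write' : 'read'} scope present; have [${all.join(', ')}], need one of [${needed.join(', ')}]`);
  }
  return {
    ok: problems.length === 0,
    flow: perms.delegated.length > 0 ? 'delegated' : 'application',
    matched,
    problems,
  };
}

// Builds a constructed, unsigned sample token (alg 'none', dummy signature) for offline use.
function makeSampleToken(payload) {
  const enc = obj => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig`;
}

// Constructed samples: a token that only asked for User.Read, one with the SecureScore read
// scope, and an application token with the write permission.
const userReadOnlyToken = makeSampleToken({ aud: 'https://graph.microsoft.com', scp: 'User.Read openid profile' });
const securityReadToken = makeSampleToken({ aud: 'https://graph.microsoft.com', scp: 'User.Read SecurityEvents.Read.All' });
const appWriteToken = makeSampleToken({ aud: '00000003-0000-0000-c000-000000000000', roles: ['SecurityEvents.ReadWrite.All'] });

for (const [name, tok, write] of [
  ['user token, User.Read only', userReadOnlyToken, false],
  ['user token, SecurityEvents.Read.All', securityReadToken, false],
  ['user token, attempting PATCH', securityReadToken, true],
  ['app token, SecurityEvents.ReadWrite.All (PATCH)', appWriteToken, true],
]) {
  console.log(name, JSON.stringify(checkSecureScoreAccess(tok, write)));
}
```

If the token passes this check and Graph still answers 403, the scope is present in the request and the remaining suspects are on the tenant side (consent not actually granted, or the signed-in user not holding one of the listed directory roles); if it fails, the token being attached to the request is not the one you think it is.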
Hi Michael,
Thanks very much for coming back to me.
So the user and the app appear to have the appropriate roles/permissions. I even went so far as granting the app all possible permissions and giving the user all possible roles. I have created new test users and new app registrations and tried many other things. Still, I'm getting a 403.
This makes me think it's somehow not a problem with permissions but some other configuration issue with the app, AD or tenant. I'm using our company's sandbox tenant, so other engineers are always playing with the config. I plan on trying it out on a different tenant once one becomes available to me.
Are you aware of any configuration other than permissions or roles which might cause a 403 response from this endpoint?
Thanks again.
Matt
Edit 16 Oct '18:
So I have tried another tenant and am facing the same issue...
I think it must be a problem with the configuration of my app since all the users I have tried have access to the secure score via other means (Web portal and Graph explorer app).
The app is a JS SPA using the MSAL-Angular library and the implicit auth flow. The MSAL config is as follows:
  // MSAL-Angular configuration (fragment): scopes requested at sign-in
  consentScopes: [
    'User.Read',
    'SecurityEvents.Read.All'
  ],
  // Protected resource URL prefix -> scopes MSAL uses when acquiring a token for calls to it
  protectedResourceMap: [
    [
      'https://graph.microsoft.com/beta/organization',
      ['User.Read']
    ],
    [
      'https://graph.microsoft.com/beta/security/secureScores',
      ['SecurityEvents.Read.All']
    ]
  ]
I have tried many other configurations but this is the simplest I believe should work.
Any ideas what I might be doing wrong?
Thanks again.
Matt