Error using get-graphsecurityalert

%3CLINGO-SUB%20id%3D%22lingo-sub-750804%22%20slang%3D%22en-US%22%3EError%20using%20get-graphsecurityalert%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-750804%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20getting%20the%20following%20error%20when%20executing%26nbsp%3Bget-graphsecurityalert.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPS%20C%3A%5Cget-graphsecurityalert%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%3CSTRONG%3Eget-graphsecurityalert%20%3A%20Request%20to%20%3CA%20href%3D%22https%3A%2F%2Fgraph.microsoft.com%2Fv1.0%2Fsecurity%2Falerts%2F%3F%24top%3D100%26amp%3B%24filter%3D%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgraph.microsoft.com%2Fv1.0%2Fsecurity%2Falerts%2F%3F%24top%3D100%26amp%3B%24filter%3D%3C%2FA%3Efailed%20with%20HTTP%20Status%20Forbidden%20Forbidden%3C%2FSTRONG%3E%3CBR%20%2F%3EAt%20line%3A1%20char%3A1%3CBR%20%2F%3E%2B%20get-graphsecurityalert%3CBR%20%2F%3E%2B%20~~~~~~~~~~~~~~~~~~~~~~%3CBR%20%2F%3E%2B%20CategoryInfo%20%3A%20NotSpecified%3A%20(%3A)%20%5BWrite-Error%5D%2C%20WriteErrorException%3CBR%20%2F%3E%2B%20FullyQualifiedErrorId%20%3A%20Microsoft.PowerShell.Commands.WriteErrorException%2CGet-GraphSecurityAlert%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20follow%20the%20instructions%20from%20the%20following%20URL%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fblog.ciaops.com%2F2019%2F04%2F17%2Fusing-interactive-powershell-to-access-the-microsoft-graph%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblog.ciaops.com%2F2019%2F04%2F17%2Fusing-interactive-powershell-to-access-the-microsoft-graph%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20my%20first%20attempt%20to%20use%20Microsoft%20Graph.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-Larry%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-750804%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EUsing%20Microsoft%20Graph%20Security%20API%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-768668%22%20slang%3D%22en-US%22%3ERe%3A%20Error%20using%20get-graphsecurityalert%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-768668%22%20slang%3D%22en-US%22%3EHi%20Larry%2C%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20are%20most%20likely%20getting%20a%20forbidden%20status%20code%20because%20you%20may%20have%20skipped%20the%20step%20to%20give%20your%20application%20admin%20consent%20when%20registering%20your%20application%20in%20Azure%20Portal.%20%3CBR%20%2F%3ETo%20make%20sure%20your%20application%20has%20the%20necessary%20permissions%2C%20check%20Azure%20Portal%20to%20make%20sure%20your%20application%20has%20the%20green%20check%20marks%20next%20to%20the%20%22SecurityEvents.ReadWrite.All%22%20permissions%20stating%20that%20the%20tenant%20admin%20has%20given%20conset.%20Additionally%2C%20make%20sure%20that%20the%20user%20running%20the%20PowerShell%20script%20is%20a%20member%20of%20an%20Azure%20Active%20Directory%20Limited%20Admin%20role%20-%20either%20Security%20Reader%20or%20Security%20Administrator%20role.%20If%20the%20non-admin%20user%20is%20not%20in%20one%20of%20the%20mentioned%20roles%2C%20they%20cannot%20access%20security%20related%20data.%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20this%20helps%2C%3CBR%20%2F%3EEdward%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-772193%22%20slang%3D%22en-US%22%3ERe%3A%20Error%20using%20get-graphsecurityalert%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-772193%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F128268%22%20target%3D%22_blank%22%3E%40Edward%20Koval%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3EThank%20you..%20is%20was%20permission.%20I%20incorrectly%20selected%20Security.Action%20instead%20of%20Security.Event.%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3EThank%20you%20again%2C%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E-Larry%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E
Highlighted
Larry Jones
Occasional Contributor

I'm getting the following error when executing get-graphsecurityalert.

 

PS C:\get-graphsecurityalert


get-graphsecurityalert : Request to https://graph.microsoft.com/v1.0/security/alerts/?$top=100&$filter= failed with HTTP Status Forbidden Forbidden
At line:1 char:1
+ get-graphsecurityalert
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-GraphSecurityAlert

 

I follow the instructions from the following URL:

https://blog.ciaops.com/2019/04/17/using-interactive-powershell-to-access-the-microsoft-graph/

 

This is my first attempt to use Microsoft Graph.

 

Thanks,

 

-Larry

 

 

2 Replies
Hi Larry,

You are most likely getting a forbidden status code because you may have skipped the step to give your application admin consent when registering your application in Azure Portal.
To make sure your application has the necessary permissions, check Azure Portal to make sure your application has the green check marks next to the "SecurityEvents.ReadWrite.All" permissions stating that the tenant admin has given conset. Additionally, make sure that the user running the PowerShell script is a member of an Azure Active Directory Limited Admin role - either Security Reader or Security Administrator role. If the non-admin user is not in one of the mentioned roles, they cannot access security related data.

Hope this helps,
Edward

@Edward Koval 

 
Thank you.. is was permission. I incorrectly selected Security.Action instead of Security.Event.
 
Thank you again,
 
-Larry
Related Conversations
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
28 Replies
Early preview of Microsoft Edge group policies
Sean Lyndersay in Discussions on
65 Replies
*Updated 9/3* Syncing in Microsoft Edge Preview Channels
Elliot Kirk in Articles on
201 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
2 Replies