Error using get-graphsecurityalert

Larry Jones
Contributor

I'm getting the following error when executing get-graphsecurityalert.

PS C:\get-graphsecurityalert

get-graphsecurityalert : Request to https://graph.microsoft.com/v1.0/security/alerts/?$top=100&$filter= failed with HTTP Status Forbidden Forbidden
At line:1 char:1
+ get-graphsecurityalert
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-GraphSecurityAlert

I followed the instructions from the following URL:

https://blog.ciaops.com/2019/04/17/using-interactive-powershell-to-access-the-microsoft-graph/

This is my first attempt to use Microsoft Graph.

Thanks,

-Larry

2 Replies
Hi Larry,

You are most likely getting a forbidden status code because you may have skipped the step to give your application admin consent when registering your application in Azure Portal.
To make sure your application has the necessary permissions, check Azure Portal to make sure your application has the green check marks next to the "SecurityEvents.ReadWrite.All" permissions stating that the tenant admin has given consent. Additionally, make sure that the user running the PowerShell script is a member of an Azure Active Directory Limited Admin role - either Security Reader or Security Administrator role. If the non-admin user is not in one of the mentioned roles, they cannot access security related data.

Hope this helps,
Edward

@Edward Koval 

Thank you. It was permission. I incorrectly selected Security.Action instead of Security.Event.

Thank you again,

-Larry
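
Added example, not part of the original thread or of the module discussed: a PowerShell check that decodes an access token and reports whether it carries a permission that allows reading `/security/alerts`, which is the condition behind the Forbidden response resolved above. The function names are hypothetical, `SecurityEvents.Read.All` is included as the read-only counterpart of the permission Edward names, and the sample tokens are constructed and unsigned.

```powershell
# Added example (not from the thread). Decodes an access token's claims for
# troubleshooting only; it does not validate the signature.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # base64url -> standard base64, then restore the stripped padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-AlertReadPermission {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Token,
        # Permissions that allow reading /security/alerts
        [string[]]$Accepted = @('SecurityEvents.Read.All', 'SecurityEvents.ReadWrite.All')
    )
    $claims  = ConvertFrom-JwtPayload -Token $Token
    $granted = @()
    if ($claims.scp)   { $granted += $claims.scp -split ' ' }  # delegated (user sign-in)
    if ($claims.roles) { $granted += $claims.roles }           # application (app-only)
    $matching = @($granted | Where-Object { $_ -in $Accepted })
    [pscustomobject]@{
        Granted       = $granted -join ', '
        CanReadAlerts = $matching.Count -gt 0
    }
}

# Constructed sample tokens (unsigned, placeholder signature) so the example runs offline.
function New-SampleToken {
    param([string]$Scp)
    $encode = {
        param($Object)
        $bytes = [Text.Encoding]::UTF8.GetBytes(($Object | ConvertTo-Json -Compress))
        [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    '{0}.{1}.constructed' -f (& $encode @{ alg = 'none' }), (& $encode @{ scp = $Scp })
}

Test-AlertReadPermission -Token (New-SampleToken 'User.Read SecurityActions.ReadWrite.All')
Test-AlertReadPermission -Token (New-SampleToken 'User.Read SecurityEvents.ReadWrite.All')
```

The check covers only the permissions in the token; the Security Reader or Security Administrator role membership that Edward mentions has to be confirmed separately in the directory.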