Error using get-graphsecurityalert

Larry Jones

I'm getting the following error when executing get-graphsecurityalert.

 

PS C:\get-graphsecurityalert


get-graphsecurityalert : Request to https://graph.microsoft.com/v1.0/security/alerts/?$top=100&$filter= failed with HTTP Status Forbidden Forbidden
At line:1 char:1
+ get-graphsecurityalert
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-GraphSecurityAlert

 

I followed the instructions from the following URL:

https://blog.ciaops.com/2019/04/17/using-interactive-powershell-to-access-the-microsoft-graph/

 

This is my first attempt to use Microsoft Graph.

 

Thanks,

 

-Larry

 

 

2 Replies
Hi Larry,

You are most likely getting a forbidden status code because you may have skipped the step to give your application admin consent when registering your application in Azure Portal.
To make sure your application has the necessary permissions, check Azure Portal to make sure your application has the green check marks next to the "SecurityEvents.ReadWrite.All" permissions stating that the tenant admin has given consent. Additionally, make sure that the user running the PowerShell script is a member of an Azure Active Directory Limited Admin role - either Security Reader or Security Administrator role. If the non-admin user is not in one of the mentioned roles, they cannot access security-related data.

Hope this helps,
Edward

@Edward Koval 

 
Thank you. It was permission. I incorrectly selected Security.Action instead of Security.Event.
 
Thank you again,
 
-Larry
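
The permission mix-up resolved in this thread can be confirmed from the access token itself. The following is an added example, not code from the thread or from the module being used: it decodes a token's claims and reports whether any SecurityEvents permission was granted. The function names and the sample token are constructed for illustration; the claim names assumed are `scp` (delegated permissions) and `roles` (application permissions). The signature is not verified, so this is for diagnosis only.

```powershell
# Added diagnostic example; Get-JwtPayload, Test-SecurityAlertScope and
# New-SampleToken are hypothetical helper names, not part of any module.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # Convert base64url to base64 and restore the stripped padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw 'Invalid base64url length' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-SecurityAlertScope {
    param([Parameter(Mandatory)][string]$Token)
    # Permissions that allow reading /security/alerts
    $needed = 'SecurityEvents.Read.All', 'SecurityEvents.ReadWrite.All'
    $claims = Get-JwtPayload -Token $Token
    $granted = @()
    if ($claims.scp)   { $granted += $claims.scp -split ' ' }   # delegated
    if ($claims.roles) { $granted += $claims.roles }            # application
    $match = @($granted | Where-Object { $needed -contains $_ })
    [pscustomobject]@{
        Granted       = $granted
        Matching      = $match
        CanReadAlerts = $match.Count -gt 0
    }
}

# Constructed sample tokens (unsigned) so the check can be tried offline
function New-SampleToken {
    param([hashtable]$Claims)
    $enc = { param($o)
        $bytes = [Text.Encoding]::UTF8.GetBytes(($o | ConvertTo-Json -Compress))
        [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    '{0}.{1}.sig' -f (& $enc @{ alg = 'none' }), (& $enc $Claims)
}

$wrong = New-SampleToken @{ scp = 'SecurityActions.ReadWrite.All User.Read' }
$right = New-SampleToken @{ scp = 'SecurityEvents.ReadWrite.All User.Read' }
Test-SecurityAlertScope $wrong | Format-List
Test-SecurityAlertScope $right | Format-List
```

A token that passes this check can still receive Forbidden if the signed-in user is not in the Security Reader or Security Administrator role, which is a separate check.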