Microsoft Graph Security API topics

Security alerts Graph API and MFA

Simonas2210 — Wed, 17 Dec 2025 10:52:03 GMT

Hello,

Does anyone know if https://learn.microsoft.com/en-us/graph/api/resources/partner-security-partnersecurityalert-api-overview?view=graph-rest-beta

Security alerts works with app only method (app + cert or app + secret )? Currently i successfully login to graph using both methods

Welcome to Microsoft Graph!
Connected via apponly access using "ID number"

Then i request to get alerts and i get error code:
WARNING: Error body: {"error":{"code":"UnknownError","message":"{\"Error\":{\"Code\":\"Unauthorized_MissingMFA\",\"Message\":\"MFA is required for this request. The provided authentication token does not have MFA

I found that old API worked with app+user credential only but it's not mentioned in new one about this restriction.

Using Microsoft Graph Security API for Custom Security Automations

Lucaraheller — Tue, 21 Oct 2025 17:08:48 GMT

Hi Security Experts,

I’ve recently started exploring the Microsoft Graph Security API to centralize and automate security operations across different Microsoft 365 services.

The idea is to build a single automation layer that can:

Collect alerts from Defender for Endpoint, Defender for Cloud, and Identity Protection;
Enrich them with context (user, device, and location data);
And automatically push them to an external system like Jira, n8n, or a custom SOAR workflow.

I was able to authenticate and list alerts using the endpoint:

“GET https://graph.microsoft.com/v1.0/security/alerts”

However, I’m still trying to understand the best practices for handling rate limits, pagination, and permissions — especially when integrating continuous polling or real-time ingestion into external tools.

Has anyone here implemented Graph Security API automations in production?
I’d love to hear about your experiences — specifically around performance, alert filtering, and authentication (App Registration vs Managed Identity).

Thanks in advance,
Luca

Graph API - Difference in Calendar events between users

Benjamano — Tue, 09 Sep 2025 09:15:23 GMT

Hi All, I have a .NET 3.1 WebApp running an Application Permission Graph API instance.

I have noticed some discrepancies when using the .Calendar.CalendarView and .Events extensions.

I have found that some events, that should be returned, aren't returned by the API.

This is my C# code that I use:

ICalendarCalendarViewCollectionPage response = await _graphClient.Users[userId].Calendar.CalendarView .Request(new List { new QueryOption("startDateTime", startDate.ToString("yyyy-MM-ddTHH:mm:ssZ")), new QueryOption("endDateTime", endDate.ToString("yyyy-MM-ddTHH:mm:ssZ")) }) .Header("Prefer", "outlook.timezone=\"Europe/London\"") .GetAsync();

Where startDate is a Monday, and endDate is a Sunday.

The UserId is definitely correct as it does return some correct events.

For example, I and another colleague are booked onto a Recurring Teams Meeting.

Neither of us are the organiser but the organiser does exist in the tenant.

When I call the code block above, the meeting IS CORRECTLY returned from that call in the response.

But if I switched the UserId to my Colleague's UserId, it won't return that meeting from the API.

The meeting DOES show on both of our calendars on Outlook Old & New.

I use the old version of outlook, and he uses the new version of outlook.

I'd also like to note that some recurring meetings do show up on the faulty user's Calendar View, just certain ones do not, so I'm pretty sure that the fact that the event is recurring doesn't matter.

Does anyone have any insight into this? Thanks

Authenticating using ConfidentialClient

LukeOB1 — Thu, 28 Aug 2025 08:32:59 GMT

Hello,

Some of our customers are unable to send out automated emails because support for basic authentication with SMTP is being removed.

I am looking at finding a solution and it seems the Graph API is the recommended approach.

I have manage to create a working example using `PublicClientApplicationBuilder` however, this class displays a pop-up requiring the user to sign in, since we have automated services with no user interaction, this is not a good solution.

I have seen some examples using `ConfidentialClientApplicationBuilder` and this seems idea.

However, I have reached multiple dead-ends and everytime receive the error:

> Confidential Client flows are not available on mobile platforms or on Mac.See https://aka.ms/msal-net-confidential-availability for details.

Please would someone be able to help me. Why do I recieve this error? Whatever I do, whatever project I use, WinForm, Console app and Service I always get this error.

I am storing my Client, Tenant and Secret in a database table and here is my code:

``` vb

Private Async Function GetAppAuthentication() As Task(Of AuthenticationResult)

Dim folderAccess = BLL.L2S.SystemApplicationGateway.GetFolderAccess(mBLL_SY.ReadonlyDbContext)

If folderAccess Is Nothing Then

Return Nothing

End If

Dim app = ConfidentialClientApplicationBuilder.Create(folderAccess.Client) _

.WithClientSecret(folderAccess.Secret) _

.WithTenantId(folderAccess.Tenant) _

.Build()

Dim scopes As String() = {"https://outlook.office365.com/.default"}

Dim result As AuthenticationResult = Await app.AcquireTokenForClient(scopes).ExecuteAsync()

Return result

End Function

```

I am using .Net Framework 4.7.2, we have Windows Services and WinForms apps and both need to send out emails.

The error message is very confusing to me because of course it is not a mobile app, and I have even created a UnitTest that seemingly works fine which again is very confusing to me.

This is urgent as this is already causing issues for our customers.

Thanks in advanc

Fetching user/riskyusers/risk_detections info in incremental approach

esanya2280 — Mon, 26 May 2025 06:33:24 GMT

Hi All,

Using @odata.deltaLink I am able to track changes in Microsoft Graph data for users.

DeltaLink we can’t get changes related to SIGNINACTIVITY, AUTHENTICATION_METHODS_USER_REGISTRATION_DETAILS , USER_APP_ROLE_ASSIGNMENT.

At present risky_users and risky_detections are not supported by delta queries.

Any other approach where we can track changes apart from DeltaLink.

Note: Apart from storing in DB and comparing.

How to retrieve productName for incidents using Microsoft Graph API?

esanya2280 — Sun, 13 Apr 2025 09:08:24 GMT

When using Microsoft Graph Security API, is it possible to get the productName field directly in the incident response (e.g., from /security/incidents endpoint)? Or is it only available at the alert level via /security/incidents/{id}/alerts?

Get Custom Details from Sentinel

Bharath_M — Sat, 08 Mar 2025 15:08:28 GMT

How do I go about getting the custom details set using https://learn.microsoft.com/en-us/azure/sentinel/surface-custom-details-in-alerts using REST API?

I need to do this outside of logic app and using REST API. The incidents API endpoint doesn’t provide this detail and I couldn’t find any API endpoint listed in https://learn.microsoft.com/en-us/rest/api/securityinsights/operation-groups?view=rest-securityinsights-2024-01-01-preview that would allow me get to get the custom details with the values.

Is there a sentinel or a graph API endpoint that’ll allow for me to get this information?

Microsoft Defender "XDR" endpoint API Access (Powershell Script)

samuel2120 — Fri, 13 Sep 2024 16:16:14 GMT

Hi Everyone,

We are trying to access different part of Microsoft Defender.

More precisely Endpoint after the XDR integration.

We want to be able to get the different Permission Role and Device Group created.

Also, the list of all advanced feature if they are enabled or not.

We want to be able to get information like this

The thing is, we try in a lot of way and could not find documentation about this precise request.

We try with Graph Api and Rest Api.

Always got error 401 (No permission).

Could it be that those API are Private API from Microsoft ?

https://security.microsoft.com/apiproxy/mtp/rbacManagementApi/rbac/user_roles

https://security.microsoft.com/apiproxy/mtp/rbacManagementApi/rbac/machine_groups

https://security.microsoft.com/apiproxy/mtp/settings/GetAdvancedFeaturesSetting

Alerts V2 Subscription

RcRonco — Sun, 31 Mar 2024 11:07:26 GMT

I want to start get notified to Alerts v2 through Microsoft Graph Change notification.

But subscription is not supported, any idea how can I do it? or ETA for support?

Major Delay with /alerts endpoint

skisec — Tue, 26 Mar 2024 13:56:25 GMT

Hey folks,

I've been seeing some significant delays with the /alerts API endpoint. Ball park range of 2-5 hours.

For example, there is an alert in Azure Sentinel that fires at ~13:00 UTC (based on TimeGenerated field). Our internal process that polls for new events from /alerts every ~2-3minutes doesn't pick up this new alert until ~17:00 UTC.

I know there is the /alerts_v2 endpoint, and we're working on upgrading our processes to use that - but for the time being, I'm trying to find a solution / answer to this particular endpoint.

Anyone experience this or have any insights?

MS Graph Authorization issue (Status code 401) - Power Automate Flow for Copilot Studio

perlite77 — Sun, 24 Mar 2024 12:08:41 GMT

Hi Folks,

I am trying to develop a MS Power Automate Flow that can post QMS documents information to Copilot Studio bot based on users' question. I am using 'Create text with GPT using Prompt" to extract users' intention about documents from their natural language. Then use HTTP connector to post the results to Copilot Studio bot. I have done all the steps:

1. Registered App in Azure Portal

2. Granted Sites.Selected (Read) permission to my app so that it can read the information from QMS document library in SharePoint. We only want the app permission related to subsite not the whole site.

The issue I am facing is that the HTTP action is still showing unauthorized Status code 401.

Could you guide me if there is something incomplete or insufficient? Many thanks.

After running please see below error:

Best regards,

perlite77

Connect Swimlane to pull Defender for Cloud Alerts

SergioT1228 — Thu, 14 Mar 2024 17:19:45 GMT

using Swimlane to ingest our alerts from Defender for cloud, I have setup our Access with the following items:

URL: https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/alerts?api-version=2022-01-01https://graph.microsoft.com/v1.0/security/alerts

Token URL: https://login.microsoftonline.com/tenant-ID/oauth2/v2.0/token

Client ID: pulled from Registered App

Client Secret: Created a New Ceretificates & secrets and added that Value

Scope: https://graph.microsoft.com/.default

When I run my Action to capture the "List of Alerts", I receive the following error:

"reason": "Bad Request",
"json_body": {
"error": "invalid_request",
"error_description": "AADSTS90014: The required field 'scope' is missing from the credential. Ensure that you have all the necessary parameters for the login request...."

What parameters and how are those added and to which section? I'm new to API calls and not sure of the process.

Appreciate your help,

Serge

403 Forbidden error when using create team Graph API

ArohiD — Wed, 19 Jul 2023 20:19:43 GMT

Hi,

I have been using the create team API, it was working fine couple days back, there was no change in permissions or even in the code. Since 2 days we are facing 403 forbidden error.

URL:

https://graph.microsoft.com/v1.0/teams

with request payload as mentioned below:

{

"email address removed for privacy reasons": "https://graph.microsoft.com/v1.0/teamsTemplates('standard')",

"displayName": "Architecture test Team",

"description": "The team for those in architecture design."

}

I have provided the required permissions for both application as well as delegated. Please find screenshot of the same

The response is:

{

"error": {

"code": "Forbidden",

"message": "Failed to execute Templates backend request CreateTeamFromTemplateRequest. Request Url: https://teams.microsoft.com/fabric/apac/templates/api/team, Request Method: POST, Response Status Code: Forbidden, Response Headers: Strict-Transport-Security: max-age=2592000x-operationid: e0e36994bd8341ce936b7ef080a64f52x-telemetryid: 00-e0e36994bd8341ce936b7ef080a64f52-49c1a1267b1789f1-01X-MSEdge-Ref: Ref A: 21AF592ACFD244CA86C67D5750C3F243 Ref B: TYO01EDGE2718 Ref C: 2023-07-19T20:16:46ZDate: Wed, 19 Jul 2023 20:16:46 GMT, ErrorMessage : {\"errors\":[{\"message\":\"Error when calling Middle Tier. Message: ''. Error code: 'GetApplicableSkuCategoriesForUserFailed'. Status code: Forbidden.\",\"errorCode\":\"Unknown\"}],\"operationId\":\"e0e36994bd8341ce936b7ef080a64f52\"}",

"innerError": {

"code": "AccessDenied",

"innerError": {},

"date": "2023-07-19T20:16:46",

"request-id": "e0e36994-bd83-41ce-936b-7ef080a64f52",

"client-request-id": "4aa73188-19d4-9382-2235-0530552047ec"

}

Any help in this regard is appriciated.

Thank you.

Possible to forward Azure Backup workload alerts to Azure Monitor and use Graph API to export?

SpeedRacer — Fri, 09 Jun 2023 14:43:30 GMT

Is it possible to forward Azure Backup workload alerts to Azure Monitor and then use Graph API to export the alert events?

Are all Azure Monitor events stored in a Log analytics workspace?

Thx

Auditing / Configuring Defender Alerts/Rules/Emails/Notifications

Kevin_Crouch — Thu, 01 Jun 2023 19:36:24 GMT

Hey there!
I am trying to find a way to audit (and hopefully configure!) the Defender notification emails to make sure they are configured to send to our helpdesk, so it can start our ticketing process.

Short of creating a custom application, and trying to subscribe or poll manually across every tenant, the best I have found so far is manually opening these for every separate customer to try and setup the settings

So starting from https://security.microsoft.com for each customer, going to Settings, and following the mentioned path, or navigating to the URL on the right in turn with each customer tenantID filled in

Incident Notifs	M365 Defender > Email Notifs > Incidents	https://security.microsoft.com/securitysettings/defender/email_notifications?emailNotificationRuleTy...<EachCustomerTenantID>
Actions	M365 Defender > Email Notifs > Actions	https://security.microsoft.com/securitysettings/defender/email_notifications?emailNotificationRuleTy...<EachCustomerTenantID>
Threat Analytics	M365 Defender > Email Notifs > Threat Analytics	https://security.microsoft.com/securitysettings/defender/email_notifications?emailNotificationRuleTy...<EachCustomerTenantID>
Alert Tuning/Suppression	M365 Defender > Alert Tuning	https://security.microsoft.com/securitysettings/defender/alert_suppression?tid=<EachCustomerTenantID>
Endpoint Alerts	Endpoints > Email Notifications > Alerts	https://security.microsoft.com/securitysettings/endpoints/email_notifications?childviewid=alerts&tid...<EachCustomerTenantID>
Endpoint Vulnerabilities	Endpoints > Email Notifications > Vulnerabilities	https://security.microsoft.com/securitysettings/endpoints/email_notifications?childviewid=vulnerabil...<EachCustomerTenantID>
Identity Health Notifs	Microsoft Defender for Identity > Health Issues	https://security.microsoft.com/settings/identities?tabid=healthIssuesNotifications&tid=<EachCustomerTenantID>
Identity Alerts	Microsoft Defender for Identity > Alert	https://security.microsoft.com/settings/identities?tabid=securityAlertsNotifications&tid=<EachCustomerTenantID>

I can easily get Incidents or Alerts for a specific tenant, even across tenants through DAP/GDAP/CSP rights. However - rather than querying hundreds of tenants, or trying to set up WebHook subscriptions or similar for them - I was going to just start with Auditing (and possibly manually configuring) the Notification Emails and Alerts to send an email to our ticketing system that we could follow up on.

However, I can't find any PowerShell commands or API where I can access these notification settings (access the actual ALERTS themselves, no problem, but not audit the actual Notification Configuration on more than an individual Alert/Incident level)

The backend of security.microsoft.com uses private API endpoints like https://security.microsoft.com/apiproxy/mtp/k8s/settings/ThreatAnalyticNotificationsSettings

https://security.microsoft.com/apiproxy/mtp/k8s/cloud/public/internal/IncidentNotificationSettingsV2 as an example for Incident Notifications.

The list above is the URLs that you access as the Administrator to configure these by hand, but I am hoping to find a way to get API/Programmatic/Scripted access to these values - but I cannot find any (public) API that seems to access them other than manually. Does anyone have an idea?

Create alert when a login was attempted from certain IP address (or block of addresses)

LBarrera1104 — Wed, 17 May 2023 15:20:38 GMT

I'm trying to create an alert when there is a login attempt to certain IP, using the following MG Graph PS command:

$newAlert = Invoke-RestMethod -Uri $alertUrl -Method Post -Headers $authHeader -Body $alertBody

The response I got is:

Invoke-RestMethod: {"error":{"code":"","message":"POST is not supported"....

$alertUrl = "https://graph.microsoft.com/v1.0/security/alerts"

$AlertBody = { "networkConnections": [{ "destinationAddress": "30.1XX.XX.XX" }],
"title": "Login Attempt from Specific IP",
"category": "SuspiciousActivity",
"description": "Login attempt detected from IP address: 30.1XX.XX.XX",
"vendorInformation": {
"subProvider": "Sub Prov EFI",
"provider": "Prov EFI"},
"assignedTo": "me",
"cloudAppStates": [{
"servicePlanId": "00000000-0000-0000-0000-000000000000",
"appId": "00000002-0000-0ff1-ce00-000000000000"}]
}

Assume Headers are OK (they are, verified)

Question: What caused the error?. Is that the endpoint URI is not the correct one? or is that this kind of alerts cannot be set using Graph?

How can I publish any application in MS Defender portal?

bharvibhut — Wed, 19 Apr 2023 11:30:04 GMT

I want to create an indicators in defender from my application using API. Just want to know if I can publish my application on defender portal, just the way we can publish a data connector and other services in sentinel portal.

Issues with timespan on log analytics query API

SecAutEng — Fri, 14 Apr 2023 17:49:07 GMT

Hi,

This appears to be the best place for this query:

We've been trying to set the API timespan for log analytics queries.

However, even when using the correct ISO8601 format (PT1H for example), it does not work as it should - it does not work in a comparable manner to using the time period piece in the UI. There is no difference between using the Timespan piece and not - it returns the same details either way, in the example I was testing, multiple weeks worth (no time period was set inside the query).

Query - Get - REST API (Azure Log Analytics) | Microsoft Learn

Is this a bug, or is there a different format required for this? We have also tried with 1H, 01:00:00, etc., to no avail.

Many thanks,

Keith

Status and access to eDiscovery results using API

Haniel Croitoru — Sun, 26 Mar 2023 01:44:19 GMT

Hi,

I'm new to using the Graph API's for eDiscovery and am stuck on a few operations. Once I created a Case, Collection, Review Set, and associated the Collection with the Review Set, the discovery begins automatically. Great, so far!

However, periodically I want to check the status on the discovery and review the results once the discovery is done. Anyone know if this is possible and how?

Thanks,

-Haniel

Microsoft security graph API vs Microsoft sentinel , right solution to integrate with ServiceNow?

Sanesh_PC — Fri, 17 Mar 2023 13:49:27 GMT

Microsoft security graph API vs Microsoft sentinel , what is the right solution to integrate with ServiceNow? does Microsoft security API give more insights than Sentinel?