Defender 365 REST API(您没有访问资源所需的任何应用权限(Incident.ReadWrite.All、Incident.Read.All))

Defender 365 REST API (you don't have any of the required app permissions (Incident.ReadWrite.All, Incident.Read.All) to access resource)

我正在尝试从 Defender 365 (MDATP) 下载事件列表。

我有一个获取 Bearer Token 的脚本:

. 'Functions\Credentials.ps1'

Function GET_BEARER_TOKEN_FOR_MDATP_AUTHENTICATION {

    $Body = [Ordered] @{
        resource      = "$ResourceApplicationIdUri"
        client_id     = "$ApplicationId"
        client_secret = "$ApplicationSecret"
        grant_type    = 'client_credentials'
    }

    try {
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthenticationURI -Body $body -ErrorAction Stop
    }
    catch {
        Write-Output("unable to get the bearer token") 
        Exit
    }  
    $BearerToken = $Response.access_token
    
    return $BearerToken
}

$xx = GET_BEARER_TOKEN_FOR_MDATP_AUTHENTICATION
$xx | Out-File '.\Bearer_Token.txt'

那个脚本运行良好。今天,我获得了显示事件的权限。

当我尝试这样做时,我收到错误消息:

{
    "error": {
        "code": "Forbidden",
        "message": "The application does not have any of the required application permissions (Incident.ReadWrite.All, Incident.Read.All) to access the resource.",
 }
}

当我查看令牌测试器网站时:https://jwt.ms/

我看不到那些 incident.Read.All 角色,但只有:

  "roles": [
    "Alert.ReadWrite.All",
    "AdvancedQuery.Read.All"
  ]

本说明手册已给出的角色:

https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-create-app-web?view=o365-worldwide

非常感谢, 紫苑

所以我发现了问题:

$ResourceApplicationIdUri = 'https://api.securitycenter.microsoft.com'(允许警报) $ResourceApplicationIdUri = 'https://api.security.microsoft.com'(允许事件)

此致, 紫苑