I am trying to download list of incidents from Defender 365 (MDATP).
I have a script to get a Bearer Token:
    . 'Functions\Credentials.ps1'   # defines $ResourceApplicationIdUri, $ApplicationId, $ApplicationSecret, $OAuthenticationURI

    Function GET_BEARER_TOKEN_FOR_MDATP_AUTHENTICATION {
        # OAuth 2.0 client-credentials request; "resource" selects which API the token is issued for
        $Body = [Ordered] @{
            resource      = "$ResourceApplicationIdUri"
            client_id     = "$ApplicationId"
            client_secret = "$ApplicationSecret"
            grant_type    = 'client_credentials'
        }
        try {
            $Response = Invoke-RestMethod -Method Post -Uri $OAuthenticationURI -Body $Body -ErrorAction Stop
        }
        catch {
            Write-Output "unable to get the bearer token: $($_.Exception.Message)"
            Exit
        }
        $BearerToken = $Response.access_token
        return $BearerToken
    }

    $xx = GET_BEARER_TOKEN_FOR_MDATP_AUTHENTICATION
    $xx | Out-File '.\Bearer_Token.txt'
That script worked fine. Today, I have been granted permission to display incidents.
When I try to do that, I get the error message:
    {
        "error": {
            "code": "Forbidden",
            "message": "The application does not have any of the required application permissions (Incident.ReadWrite.All, Incident.Read.All) to access the resource.",
        }
    }
When I check the token on the token tester website https://jwt.ms/, I cannot see the Incident.Read.All role, only:
    "roles": [
        "Alert.ReadWrite.All",
        "AdvancedQuery.Read.All"
    ]
Roles have been granted following this instruction manual:
Many Thanks, Aster
So I have found the issue:
    $ResourceApplicationIdUri = 'https://api.securitycenter.microsoft.com'   (Alerts are allowed)
    $ResourceApplicationIdUri = 'https://api.security.microsoft.com'         (Incidents are allowed)
Regards, Aster
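Added example (not the poster's script): the check Aster did by hand on jwt.ms, done locally before calling the API. It decodes the token's payload, verifies that the aud claim matches the resource the token was requested for and that the roles claim carries one of the incident permissions; the .\Bearer_Token.txt path and the /api/incidents endpoint under https://api.security.microsoft.com are assumptions.

```powershell
# Decode a JWT payload without verifying the signature; this is a local sanity check, not validation.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # JWT segments are base64url without padding; restore standard base64 first.
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

# Returns $true only if the token was issued for the expected resource and carries one of the required roles.
function Test-TokenPermission {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedAudience,
        [Parameter(Mandatory)][string[]]$RequiredRoles   # any one of these is enough
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    $roles  = @($claims.roles)
    $ok = $true
    if ($claims.aud -ne $ExpectedAudience) {
        Write-Warning "Token audience is '$($claims.aud)', expected '$ExpectedAudience' (wrong resource in the token request)."
        $ok = $false
    }
    $hit = $roles | Where-Object { $RequiredRoles -contains $_ }
    if (-not $hit) {
        Write-Warning "Token roles [$($roles -join ', ')] contain none of: $($RequiredRoles -join ', ')"
        $ok = $false
    }
    return $ok
}

# Assumed: the token file written by the script above.
$token = (Get-Content '.\Bearer_Token.txt' -Raw).Trim()
if (Test-TokenPermission -Token $token -ExpectedAudience 'https://api.security.microsoft.com' `
        -RequiredRoles 'Incident.Read.All', 'Incident.ReadWrite.All') {
    $headers = @{ Authorization = "Bearer $token" }
    # Assumed endpoint path; only called once the local check passes.
    Invoke-RestMethod -Method Get -Uri 'https://api.security.microsoft.com/api/incidents' -Headers $headers
}
```

A token minted with resource = https://api.securitycenter.microsoft.com fails the audience check here with a clear warning instead of a Forbidden response from the service.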