Tags: azure, api, bearer-token, microsoft365-defender

Which scope to use to get the access token for Microsoft credentials


I'm trying to do a Postman access token request to reach the following API:

However, the result returned is always the same:

    "error": {
        "code": "Unauthorized",
        "message": "Unauthorized",
        "target": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
    }

POST: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token

Body:

client_id: my client id
scope: https://graph.microsoft.com/.default
client_secret: my client secret
grant_type: client_credentials

Header:

Content-Type: application/x-www-form-urlencoded

The response returns me a token that is apparently not recognized by the first request...

I've tried several scopes such as: /.default, user.read openid profile offline_access, https://graph.microsoft.com/.default...
Even though they all return me a token, none of them seems to work.
I've also added the permission WindowsDefenderATP > Vulnerability.Read from the Azure portal.

Is the problem the scope? What scope should I use if I have a client credential grant type?


Solution

  • You can follow this page in the documentation.

    You need an application permission since you are making the request with only application credentials. In this case I think you need the Vulnerability.Read.All permission. Don't forget to grant admin consent after adding the required permission.

    Here is the scope you should use:

    https://api.securitycenter.microsoft.com/.default
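Worked example of the flow the answer describes, added here and not part of the original question or answer: build the client_credentials request with the Defender for Endpoint scope, and, before using the token, inspect its `aud` and `roles` claims to see why a token minted for Graph is rejected by the Defender API. The tenant, client ID and secret are placeholders read from environment variables; the two sample JWTs are constructed locally (unsigned) purely so the check can run offline. Decoding the payload this way is for local diagnosis only, never for an authorization decision, and the `aud` claim may also appear as the resource's application ID rather than its URI, which this example does not attempt to map.

```python
"""Added example (not from the original post): client_credentials token for
Microsoft Defender for Endpoint, plus an offline check of the token's audience."""
import base64
import json
import os
import urllib.parse
import urllib.request

# Resource URIs; the token's "aud" must match the API you call, not Graph.
DEFENDER_API = "https://api.securitycenter.microsoft.com"
GRAPH_API = "https://graph.microsoft.com"


def token_endpoint(tenant_id: str) -> str:
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def build_token_request(client_id: str, client_secret: str,
                        resource: str = DEFENDER_API) -> bytes:
    """Form-encoded body for the client_credentials grant.
    "<resource>/.default" asks for every application permission already
    admin-consented for this app on that resource (e.g. Vulnerability.Read.All)."""
    return urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": f"{resource}/.default",
    }).encode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt: str) -> dict:
    """Decode the payload WITHOUT verifying the signature: diagnosis only."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for(jwt: str, resource: str = DEFENDER_API) -> list:
    """Return a list of problems; an empty list means the token looks usable.
    A Graph-audience token is issued happily by the token endpoint but gets
    401 Unauthorized from the Defender API, which is the symptom in the question."""
    claims = token_claims(jwt)
    problems = []
    aud = claims.get("aud")
    if aud != resource:  # assumption: aud carries the resource URI, not its app ID
        problems.append(f"audience {aud!r} is not {resource!r}")
    if not claims.get("roles"):
        problems.append("no application roles (permission missing or admin consent not granted)")
    return problems


def request_token(tenant_id: str, client_id: str, client_secret: str,
                  resource: str = DEFENDER_API) -> str:
    """Live request (needs network and real credentials)."""
    req = urllib.request.Request(
        token_endpoint(tenant_id),
        data=build_token_request(client_id, client_secret, resource),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _fake_jwt(payload: dict) -> str:
    # Constructed, unsigned sample token for offline demonstration only.
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}.sig"


# Constructed samples: one minted for Graph (the question's mistake), one for Defender.
GRAPH_TOKEN = _fake_jwt({"aud": GRAPH_API, "roles": ["User.Read.All"]})
DEFENDER_TOKEN = _fake_jwt({"aud": DEFENDER_API, "roles": ["Vulnerability.Read.All"]})


if __name__ == "__main__":
    for name, tok in (("graph-scoped token", GRAPH_TOKEN), ("defender-scoped token", DEFENDER_TOKEN)):
        print(f"{name}: {check_token_for(tok) or 'OK'}")
    # Placeholders: export AZ_TENANT_ID, AZ_CLIENT_ID, AZ_CLIENT_SECRET to try it live.
    env = [os.environ.get(k) for k in ("AZ_TENANT_ID", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET")]
    if all(env):
        live = request_token(*env)
        print("live token problems:", check_token_for(live) or "none")
```

If `check_token_for` reports an empty `roles` claim on a live token, the app registration is missing the application permission or admin consent has not been granted, and the API will return 401/403 regardless of the scope string used.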