
Microsoft Defender for Cloud Apps REST API - Insufficient role based permissions


I am trying to investigate file uploads to see if they are matched by File Scan policies in Microsoft Defender for Cloud Apps (aka MCAS). I can see them fine at the portal but I need to automate the process via API.

As per the documentation, I created an Azure AD application and granted it the permissions (screenshot: Azure AD App Permissions). This is needed to get the access token that is required to make API calls.

I am getting an "Insufficient role based permissions" error when I call https://aspnet4you2.us3.portal.cloudappsecurity.com/api/v1/files/. I get the same error if I use https://portal.cloudappsecurity.com/cas/api/v1/files/

Any idea how to solve this Insufficient permission issue?



Solution

  • I tried to reproduce the same in my environment and got the results below.

    I registered one Azure AD application and granted API permissions as below:


    Now I generated access token via Postman with below parameters:

    POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
    
    client_id:appID
    grant_type:client_credentials
    client_secret:secret
    scope:05a65629-4c1b-48c1-a78b-804c4abdd4af/.default
    

    Response:


    When I used the above token to get files with both URLs, I got the same error as below:

    GET https://portal.cloudappsecurity.com/cas/api/v1/files/
    Authorization: Bearer <token>
    


    GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/files/
    Authorization: Bearer <token>
    


    With the same token, I'm able to call all other APIs, like alerts, activities, etc., as below:

    GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/alerts/
    Authorization: Bearer <token>
    


    Note that calling the file APIs is not available in the application context.

    Alternatively, you can make use of the legacy method by generating an API token as below:

    Go to Defender for Cloud Apps portal -> Settings -> Security extensions -> API tokens -> Add a token


    Now, enter a token name and select Generate as below:


    The API token will be generated successfully; copy the token to use in Postman:


    When I used the above API token to call the files API with both URLs, I got a successful response as below:

    GET https://portal.cloudappsecurity.com/cas/api/v1/files/
    Authorization: Token <token>
    


    GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/files/
    Authorization: Token <token>
    


    You can try the same in your environment by generating an API token instead of a Bearer token to call the Files API.

    Reference:

    Defender for Cloud Apps file API “Insufficient role based permissions” by Sangho Cho
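
The two authentication styles compared in the answer above, put into a small Python 3 client. This is an added example, not code from the question, the answer or Microsoft; it only uses the standard library. The token request, the `scope` value, the `Bearer` vs. `Token` header schemes and the `/api/v1/<resource>/` URL shape are taken from the answer; the tenant ID, client ID, secret, host name and tokens are placeholders, and the `opener` parameter is my addition so the request path can be exercised offline.

```python
"""Minimal Defender for Cloud Apps REST client (added example, not from the page).

Two auth styles from the answer above:
  'app'    -> Azure AD access token (client_credentials), sent as 'Bearer <token>'
  'legacy' -> API token generated in the portal, sent as 'Token <token>'
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Resource (application) ID used in the answer's scope parameter.
MDCA_RESOURCE_ID = "05a65629-4c1b-48c1-a78b-804c4abdd4af"


def token_request_body(client_id: str, client_secret: str) -> dict:
    """Form fields for the v2.0 client_credentials grant shown in the answer."""
    return {
        "client_id": client_id,
        "grant_type": "client_credentials",
        "client_secret": client_secret,
        "scope": f"{MDCA_RESOURCE_ID}/.default",
    }


def token_request(tenant_id: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token"""
    body = urllib.parse.urlencode(token_request_body(client_id, client_secret)).encode()
    return urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        data=body,
        method="POST",
    )


def authorization_header(style: str, token: str) -> dict:
    """Pick the header scheme for the token type ('app' or 'legacy')."""
    scheme = {"app": "Bearer", "legacy": "Token"}[style]
    return {"Authorization": f"{scheme} {token}"}


def api_url(portal_host: str, resource: str) -> str:
    """e.g. https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/files/"""
    return f"https://{portal_host}/api/v1/{resource.strip('/')}/"


def get_resource(portal_host: str, resource: str, style: str, token: str,
                 opener=urllib.request.urlopen):
    """GET a collection and return (HTTP status, parsed JSON or error text).

    `opener` defaults to urllib's real opener; tests pass a fake so that no
    network access is needed. A 403 with 'Insufficient role based permissions'
    comes back through the HTTPError branch instead of raising.
    """
    req = urllib.request.Request(api_url(portal_host, resource),
                                 headers=authorization_header(style, token))
    try:
        with opener(req) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode(errors="replace")


if __name__ == "__main__":
    # Placeholders only; nothing is sent from here.
    host = "mytenantname.us3.portal.cloudappsecurity.com"
    req = token_request("<tenantID>", "<appID>", "<secret>")
    print(req.get_method(), req.full_url)
    # Per the answer: alerts works with the app token, files needs the legacy token.
    print("alerts:", api_url(host, "alerts"), authorization_header("app", "<token>"))
    print("files: ", api_url(host, "files"), authorization_header("legacy", "<token>"))
```

Running the module as a script only prints the requests it would build; `get_resource` performs a real call only when given real hosts and tokens.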