Get eDiscovery cases as application
I'm trying to automate purges.
I've created an application, given it the Application right eDiscovery.ReadWrite.All, and given consent.
I've created an oauth2 access token, and verified that the scope is present in the JWT token.
However, when I call https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases with the Authorization: Bearer {accesstoken} I get a 401 error.
According to the documentation that I found (https://learn.microsoft.com/en-us/graph/api/security-casesroot-list-ediscoverycases?view=graph-rest-1.0&tabs=http) the application right should be enough to access this endpoint.
Am I missing something? Do I need to give my app additional rights? Or does (despite what the documentation says) application access not work, and do I need to use delegated permissions?
Code (Python):
Get access token using tenant, app and secret (obviously not given here), and create the header:
body = { "client_id": app, "scope": "https://graph.microsoft.com/.default", "grant_type": "client_credentials", "client_secret": secret }
token = requests.post("https://login.microsoftonline.com/{}/oauth2/v2.0/token".format(tenant), data=body).json()['access_token']
header = { 'Authorization': "Bearer {}".format(token) }
Now try a call to users:
users = requests.get('https://graph.microsoft.com/v1.0/users', headers=header).json()['value']
len(users)
This results in 100. So the token works.
Let's look at the JWT token:
decoded = jwt.decode(token, options={'verify_signature': False})['roles']
pprint.pprint(decoded)
This gives a list of roles:
[
...
'eDiscovery.ReadWrite.All',
...
]
The eDiscovery role is in there.
But when I try to get the ediscovery cases:
requests.get('https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases', headers=header)
<Response [401]>
Joost
Initially, I registered one application and granted eDiscovery.ReadWrite.All permission of Application type with consent:
When I ran the python code to list eDiscovery cases with token generated with service principal, I too got same error:
To resolve the error, you need make use of ExchangeOnlineManagement PowerShell module for creating service principal and assigning role to it.
Before creating service principal, get the object ID and application ID of your registered application from Enterprise Applications tab:
Now, install ExchangeOnlineManagement module and create service principal by connecting to it with below PowerShell commands:
Install-Module ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-IPPSSession
New-ServicePrincipal -AppId "spAppId" -ObjectId "spObjectId" -DisplayName "DiscoveryApp"
Get-ServicePrincipal
Response:
Now, run below PowerShell commands to assign eDiscoveryManager and eDiscoveryAdministrator roles to the service principal:
Add-RoleGroupMember -Identity "eDiscoveryManager" -Member "spObjectId"
Get-RoleGroupMember -Identity "eDiscoveryManager"
Add-eDiscoveryCaseAdmin -User "spObjectId"
Get-eDiscoveryCaseAdmin
Response:
When I ran the python code again after assigning roles to service principal, I got the response successfully like this:
import requests
import json
import jwt
TENANT_ID = "tenantId"
CLIENT_ID = "appId"
CLIENT_SECRET = "secret"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
def get_access_token():
body = {
"client_id": CLIENT_ID,
"scope": "https://graph.microsoft.com/.default",
"grant_type": "client_credentials",
"client_secret": CLIENT_SECRET
}
response = requests.post(TOKEN_URL, data=body)
if response.status_code == 200:
return response.json()["access_token"]
else:
print(f"Error fetching token: {response.status_code} - {response.text}")
return None
def decode_jwt(token):
decoded_token = jwt.decode(token, options={"verify_signature": False})
roles = decoded_token.get("roles", [])
print("\nAssigned Roles in JWT Token:")
print(roles)
print()
return roles
def get_ediscovery_cases(access_token):
url = "https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases"
headers = {
"Authorization": f"Bearer {access_token}",
"Content-Type": "application/json"
}
response = requests.get(url, headers=headers)
print(response)
print(response.text)
if __name__ == "__main__":
access_token = get_access_token()
if access_token:
decode_jwt(access_token)
get_ediscovery_cases(access_token)
Response:
Reference:
Set up app-only access for Microsoft Purview eDiscovery by using Microsoft Graph APIs
- "Schema" property not found in Postgres Connector
- Downloading file from Azure blob storage via Memory Stream
- Reading env variable from template.yaml
- HTTP Error 500.30 - ASP.NET Core app failed to start - Azure
- Azure DevOps Pipelines: TerraformTaskV4: init with different subscription and Workflow Identity Federation
- Enabling HTTPS for a Azure blob static website
- How to search across many Azure Devops Git project and find all files which contain specific text AND which filename contains "Resource"
- Hosting SPA with Static Website option on Azure Blob Storage (clean URLs and Deep links)
- Using Managed Identity to Access Azure OpenAI Service
- Azure data factory not loading
- Transfer encrypted dataprotection keys from a windows vm to azure keyvault
- Refresh powerBI data with additional column
- Azure Application Insights AKS - How to Create 1 custom alert rule which will trigger multiple alerts, but with different names (per pod name)?
- gRPC and REST side by side in Azure App Service, Linux Container
- Connecting to a SignalR WSS stream but not getting the response i am looking for
- SignalR prevent user from opening multiple sessions in different tabs
- Application Insights -_logger.LogInformation
- CosmosDB is not allowing serverless capabalities to NoSQL, it says I must use CapacityMode
- Azure Webapp / Website Swap : HTTP Ping Error
- Microsoft Graph API - Update phoneMethods is no longer working
- Use Azure Key Vault secret in Header section of Web Activity
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How do I save and later load Azure AnalyzeResult object in python?
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure ADF - HTTP : Table from list
- Self hosted azure devops build agent not getting tool from $PATH
- Azure devops pipeline stages template nesting
- Azure APIM is returning the incorrect HTTP response error when call is missing mandatory querystring parameter
- Azure DevOps build pipeline logid for a specific task - dynamically
- PS script to fetch the list non-compliance resource list with respect to policy from multiple subscriptions