Graph Security endpoint throwing an HTTP 403 with ADALJS

Time: 2019-04-23 15:19:03

Tags: javascript azure-active-directory microsoft-graph adal.js microsoft-graph-security

Trying to build a client-side app using the Microsoft Graph Security API.

We've made the grants in the Azure Portal, granted Admin Consent, and the JWT is showing the scopes are present (snippet below):

"scp": "Calendars.Read MailboxSettings.Read offline_access People.Read profile SecurityEvents.Read.All SecurityEvents.ReadWrite.All User.Read User.Read.All",

Here's how we're requesting the token:

// acquire token for ms graph. the service we're acquiring a token for 
// should be the same service we call in the ajax request below
authContext.acquireToken('https://graph.microsoft.com', (error, token) => {
    // Handle ADAL Error
    if (error || !token) {
        printErrorMessage('ADAL Error Occurred: ' + error);
        return;
    }

    this.token = token; //update our data with the token
});

But when we hit the endpoint with a web call, we're still getting a 403 with no data returned:

$.ajax({
    type: "GET",
    url: "https://graph.microsoft.com/v1.0/security/alerts",
    headers: {
        'Authorization': 'Bearer ' + this.token,
    }
}).done(async (data) => {
    console.log(data);
}).fail(() => {
    console.log('Error getting top 10 people!');
});

And here's the underlying error (via Postman):

{
  "error": {
    "code": "UnknownError",
    "message": "Auth token does not contain valid permissions or user does not have valid roles.",
    "innerError": {
      "request-id": "6411dbc9-eebb-4522-b789-62ab5f754d0c",
      "date": "2019-04-23T15:17:12"
    }
  }
}

Edit: The user accessing the app has the "Security reader" Directory role attached.


Any assistance would be GREATLY appreciated. :)

2 answers:

Answer 0 (score: 1)

Your app appears to have the correct scopes, but the user requesting alerts from the Microsoft Graph Security API does not have the Security reader role in Azure AD.

To add the role to a user, sign in to the Azure portal as a tenant administrator, then select the Azure Active Directory blade > Users > select the user name > Directory Role > then select Add role.

Once the user has permission to read security information, they should be able to receive alerts through the Microsoft Graph Security API.

Source: https://docs.microsoft.com/graph/security-authorization#assign-azure-ad-roles-to-users

Answer 1 (score: 0)

I have been working behind the scenes with some MS DEV resources, and we believe we have found the reason why this does not work.

From the email:

By default, implicit grant through AAD uses response_mode=fragment. After changing the response mode to response_mode=form_post, the id token and the access token (if required) are sent as a POST request and include the wids claim that allows use of the Graph API security endpoint.

The suggested workaround is basically to build a server-side application to catch the POST request that carries the roles, and then use that application to call the Graph Security API.

This works, but it basically means that implicit-flow client applications are inherently incompatible with the Graph Security API. Very frustrating, and hard to find from the documentation.

Hopefully MS can come up with some other mechanism.
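Added example, not code from the question or either answer: before calling /security/alerts, decode the access token ADAL.js returned and check the two things this thread turns on, the SecurityEvents scopes in scp and the presence of the wids (directory role) claim that the fragment response mode omits. The token, claim values and the makeSampleToken helper are constructed for offline use; the check only inspects claims and does not verify the signature.

```javascript
// Decode a Graph access token's payload and report why /security/alerts would 403.
const GRAPH_RESOURCE = 'https://graph.microsoft.com';
const SECURITY_SCOPES = ['SecurityEvents.Read.All', 'SecurityEvents.ReadWrite.All'];

function base64UrlDecode(segment) {
  // JWT segments use the URL-safe alphabet without padding; restore standard base64.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  if (typeof atob === 'function') return atob(b64);        // browser
  return Buffer.from(b64, 'base64').toString('utf8');      // Node.js
}

function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('expected a compact JWS with 3 segments');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns { ok, scopes, wids, problems }; problems is empty when the token looks usable.
function diagnoseSecurityToken(jwt) {
  const claims = decodeJwtPayload(jwt);
  const scopes = (claims.scp || '').split(' ').filter(Boolean);
  const wids = Array.isArray(claims.wids) ? claims.wids : [];
  const problems = [];
  if (claims.aud !== GRAPH_RESOURCE) problems.push('aud is not ' + GRAPH_RESOURCE);
  if (typeof claims.exp === 'number' && claims.exp * 1000 < Date.now()) problems.push('token expired');
  if (!scopes.some(s => SECURITY_SCOPES.includes(s))) problems.push('scp lacks a SecurityEvents scope');
  if (wids.length === 0) problems.push('no wids claim: directory role not in token (fragment response_mode)');
  return { ok: problems.length === 0, scopes, wids, problems };
}

// Constructed, unsigned sample token (alg none, dummy signature) for the demonstration.
function makeSampleToken(payload) {
  const enc = (obj) => {
    const json = JSON.stringify(obj);
    const b64 = typeof btoa === 'function' ? btoa(json) : Buffer.from(json).toString('base64');
    return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  };
  return enc({ alg: 'none', typ: 'JWT' }) + '.' + enc(payload) + '.sig';
}

// Claims modelled on the snippet in the question; wids is absent, as in the 403 case.
const SAMPLE_CLAIMS = {
  aud: GRAPH_RESOURCE, exp: 4102444800, // constructed: expires 2100-01-01
  scp: 'Calendars.Read MailboxSettings.Read offline_access People.Read profile ' +
       'SecurityEvents.Read.All SecurityEvents.ReadWrite.All User.Read User.Read.All',
};

console.log(diagnoseSecurityToken(makeSampleToken(SAMPLE_CLAIMS)).problems);
```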