What scope to use to acquire token for resource R with permission P? For example, MS Defender API?

[dt-flo]

Hello,

is it possible to gain an access token for https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-machines?view=o365-worldwide via interactive auth? I can't provide any other resource than microsoft graph and so I can't specify the correct scopes.

[rayluo]

But that same doc already describes the scopes, although they use the term "permissions". Do they not work?

[dt-flo]

But that same doc already describes the scopes, although they use the term "permissions". Do they not work?

Unfortunately, they do not work, because those permissions are not valid graph API scopes. Requesting those permissions at graph API results in an error: Scopes not valid.

[dt-flo]

The following get request works:
https://login.microsoftonline.com/TENANT_ID/oauth2/authorize?client_id=CLIENT_ID&response_type=token&resource=https%3A%2F%2Fapi.securitycenter.microsoft.com

The important part is the parameter "resource" that specifies exactly what resource the requested API key is for.

[rayluo]

The resource parameter is for an older version of token endpoint. MSAL libraries all use scope.

Generally speaking, a scope can be concatenated by resource R and permission P, so you use R/P. For example, MS Defender API's resource is https://api.securitycenter.microsoft.com and a permission is Machine.Read. I tried https://api.securitycenter.microsoft.com/Machine.Read with MSAL Python and it at least yielded a meaningful error ("need admin approval") which is probably due to my existing test app was not set up for consuming Defender API. Regardless, you can try that scope and see if it can carry you further.

[dt-flo]

It worked! Thank you very much!