Prodip

Reputation: 483

Microsoft Defender for Cloud Apps REST API - Insufficient role based permissions

I am trying to investigate file uploads to see if they are matched by File Scan policies in Microsoft Defender for Cloud Apps (aka MCAS). I can see them fine in the portal, but I need to automate the process via the API.

As per the documentation, I created an Azure AD application and provided the permissions. This is needed to get an access token, which is needed to make API calls.

Azure AD App Permissions

I am getting an "Insufficient role based permissions" error when I call https://aspnet4you2.us3.portal.cloudappsecurity.com/api/v1/files/. I get the same error if I use https://portal.cloudappsecurity.com/cas/api/v1/files/

Any idea how to solve this Insufficient permission issue?

Calling cloudappsecurity API

Upvotes: 0

Views: 1469

Answers (1)

Sridevi

Reputation: 22452

I tried to reproduce the same in my environment and got the results below.

I registered one Azure AD application and granted API permissions as below:


Now I generated an access token via Postman with the parameters below:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token

client_id:appID
grant_type:client_credentials
client_secret:secret
scope:05a65629-4c1b-48c1-a78b-804c4abdd4af/.default

Response:


When I used the above token to get files with both URLs, I got the same error, as below:

GET https://portal.cloudappsecurity.com/cas/api/v1/files/
Authorization: Bearer <token>


GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/files/
Authorization: Bearer <token>


With the same token, I'm able to call all other APIs, like alerts, activities, etc., as below:

GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/alerts/
Authorization: Bearer <token>


Note that calling the file APIs is not available in application context.

Alternatively, you can make use of the legacy method by generating an API token, like below:

Go to Defender for Cloud Apps portal -> Settings -> Security extensions -> API tokens -> Add a token


Now, enter a token name and select Generate, as below:


The API token will be generated successfully; copy the token to use in Postman:


When I used the above API token to call the files API with both URLs, I got a successful response, as below:

GET https://portal.cloudappsecurity.com/cas/api/v1/files/
Authorization: Token <token>


GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/files/
Authorization: Token <token>


You can try the same in your environment by generating an API token instead of a Bearer token to call the Files API.

Reference:

Defender for Cloud Apps file API “Insufficient role based permissions” by Sangho Cho

Upvotes: 2
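Added example (my own code, not from the question, the answer or Microsoft): a small Python client that applies the point made in the answer, using a Bearer token from the client-credentials request for alerts and activities, and a portal API token sent as `Authorization: Token ...` for the Files API, and that flags the "Insufficient role based permissions" reply so an automated file-scan check fails loudly instead of silently returning nothing. The tenant name, credentials and tokens are placeholders; the resource id and URL shapes are the ones shown in the answer.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Resource id and portal hostname pattern are taken from the answer above;
# the tenant name, tokens and credentials are placeholders (set via env vars).
MCAS_RESOURCE_ID = "05a65629-4c1b-48c1-a78b-804c4abdd4af"
PORTAL = os.environ.get("MCAS_PORTAL", "https://mytenantname.us3.portal.cloudappsecurity.com")

def token_request(tenant_id, client_id, client_secret):
    """URL and form body for the client-credentials call the answer makes in Postman."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"client_id": client_id, "grant_type": "client_credentials",
            "client_secret": client_secret, "scope": f"{MCAS_RESOURCE_ID}/.default"}
    return url, urllib.parse.urlencode(form).encode()

def needs_legacy_token(path):
    """The Files API is not served in application (app-only) context; other endpoints are."""
    return "/api/v1/files" in path

def auth_header(path, bearer_token=None, legacy_api_token=None):
    """'Bearer <AAD token>' for alerts/activities, 'Token <portal API token>' for files."""
    if needs_legacy_token(path):
        if not legacy_api_token:
            raise ValueError("Files API needs a portal API token (Settings -> Security extensions -> API tokens)")
        return {"Authorization": f"Token {legacy_api_token}"}
    return {"Authorization": f"Bearer {bearer_token}"}

def classify(status, body):
    """Map the HTTP result to a value a scheduled job can branch on."""
    if status == 200:
        return "ok"
    if "Insufficient role based permissions" in body:
        return "insufficient_permissions"  # what both file URLs return with an app-only Bearer token
    return f"http_{status}"

def get(path, bearer_token=None, legacy_api_token=None):
    """GET an endpoint with the right credential; return (classification, parsed body or raw text)."""
    req = urllib.request.Request(PORTAL + path, headers=auth_header(path, bearer_token, legacy_api_token))
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = resp.read().decode()
            return classify(resp.status, body), json.loads(body)
    except urllib.error.HTTPError as err:
        body = err.read().decode(errors="replace")
        return classify(err.code, body), body
```

Run it as `get("/api/v1/files/", legacy_api_token=...)` for files and `get("/api/v1/alerts/", bearer_token=...)` for alerts; a result of `insufficient_permissions` on the files path means a Bearer token was used where a portal API token is required.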
