[ QUESTION ] Unable to authenticate with parent CID but child CID works
I have been having this issue for a while now, but now that Falcon-MCP is available and I want to use some automation tools, it has brought this topic to the top of my issues list.
In my testing currently, the API key has read and write access to every scope available, and this is in our parent CID. The following example below works just fine in a specific CID.
Code:
$ClientID='%REDACTED%'
$Secret='%REDACTED%'
$BaseURL="https://api.us-2.crowdstrike.com"
Request-FalconToken -ClientId $ClientID -ClientSecret $Secret
Error:
Write-Result : {"code":403,"message":"access denied, authorization failed"}
Alternative:
Request-FalconToken -ClientId $ClientID -ClientSecret $Secret -MemberCid $MemberCid
Results:
This works as expected, and the Test-FalconToken states the token is true and I can run commands against the CID in question.
Top level issue(s):
- If I wanted to get into my parent CID and pull a list of all the CIDs in our ecosystem, there is no way to do this currently.
- I suspect this issue is also why falcon-mcp is failing to authenticate to the tenant.
API clients created in parent CIDs can be used two ways:
- Authenticate with the parent CID
- Authenticate with a child CID by using MemberCid
Assuming you have created the client in your parent CID, the first example you provided should allow you to authenticate. Request-FalconToken works as expected in the Flight Control environment I have available for testing.
If you are using a parent/child setup (i.e. not grandparent/parent/child), try re-creating the API client. I'm not sure how a grandparent CID might complicate the use of the API client.
If that does not resolve your issue, a support ticket with CrowdStrike might be your next step to have someone review the backend API logs.
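A small diagnostic that reproduces the comparison made in this thread (parent-level authentication versus authentication with -MemberCid) for one API client and reports each outcome side by side. This is an added example, not code from the thread or from PSFalcon itself; it assumes PSFalcon is installed, that Request-FalconToken writes the API error shown above (so -ErrorAction Stop makes it catchable), that Test-FalconToken output has a boolean Token property, and that Revoke-FalconToken clears the cached token between attempts.

```powershell
# Added example (not from the thread or PSFalcon). Assumptions: Request-FalconToken,
# Test-FalconToken (with a .Token property) and Revoke-FalconToken behave as described
# in the lead-in; 'CHILD_CID_PLACEHOLDER' below stands in for a real child CID.
function Test-FalconCidAuth {
    param(
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$ClientSecret,
        [string]$Hostname = 'https://api.us-2.crowdstrike.com',
        # Child CIDs to probe after the parent-level attempt
        [string[]]$MemberCid = @()
    )
    # $null first = parent CID (no -MemberCid), then each child CID
    foreach ($Cid in (@($null) + $MemberCid)) {
        $Splat = @{
            ClientId     = $ClientId
            ClientSecret = $ClientSecret
            Hostname     = $Hostname
            ErrorAction  = 'Stop'
        }
        if ($Cid) { $Splat['MemberCid'] = $Cid }
        $Scope  = if ($Cid) { "child $Cid" } else { 'parent' }
        $Result = [PSCustomObject]@{ Scope = $Scope; Success = $false; Error = $null }
        try {
            Request-FalconToken @Splat
            $Result.Success = [bool](Test-FalconToken).Token
        } catch {
            # Keep the API's own message (e.g. the 403 "authorization failed") for comparison
            $Result.Error = $_.Exception.Message
        } finally {
            # Drop the token so the next probe starts from a clean state
            try { Revoke-FalconToken -ErrorAction SilentlyContinue } catch {}
        }
        $Result
    }
}

# A failing 'parent' row next to succeeding child rows matches the symptom in this thread
# and points at the API client itself (re-create it) rather than at scopes or the hostname.
# Test-FalconCidAuth -ClientId $ClientID -ClientSecret $Secret -MemberCid 'CHILD_CID_PLACEHOLDER' | Format-Table
```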
Thanks @bk-cs - Created: Case ID 02235867