
Permissions listed on this page produce the wrong aud claim in the access token, which results in a 403

Open RayGHeld opened this issue 1 year ago • 1 comment

Following the steps in this document (which is not at all clear about which API these permissions come from anyway) and using the Defender API permissions results in a token that does not have the proper audience claim (aud) in it, so the API returns a 403. The API added to the permissions is WindowsDefenderATP and the permissions are the ones listed in this document. The aud claim ends up being https://userrequestsgraphapi-prd.trafficmanager.net, which the API (api.securitycenter.microsoft.com...) is rejecting.

It can be resolved by changing the scope value in the token request (client credentials flow) from https://userrequestsgraphapi-prd.trafficmanager.net/.default to https://api.securitycenter.microsoft.com/.default. This produces an access token with https://api.securitycenter.microsoft.com as the aud claim and the proper roles listed, and the API will then accept this token.

The documentation should be updated to state how the token/permissions are added, because there is no guidance for developers -- they are forced to open a support ticket when getting a 403 following the current document.

Thank you!



RayGHeld, Jul 25 '22 18:07
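The check described in the report above, as an added example that is not part of the issue and not Microsoft's code: it builds the client-credentials request against the Entra ID v2.0 token endpoint with the `https://api.securitycenter.microsoft.com/.default` scope, then inspects the returned JWT's `aud` and `roles` claims locally to explain a 403 before any API call is made. The tenant ID, client ID and secret are placeholders, the `Machine.Read.All` role in the sample tokens is a constructed value, and the claim decoder deliberately does not verify the signature (it is for inspecting your own token, not for trusting one).

```python
"""Request a Defender for Endpoint API token via client credentials and
verify offline that its audience matches the API that will receive it."""
import base64
import json
import urllib.parse
import urllib.request

# Resource the token must be issued for; the API rejects any other audience.
DEFENDER_API = "https://api.securitycenter.microsoft.com"
GOOD_SCOPE = DEFENDER_API + "/.default"
# Scope from the original doc, which yields the wrong audience and a 403.
WRONG_SCOPE = "https://userrequestsgraphapi-prd.trafficmanager.net/.default"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_token_request(tenant_id, client_id, client_secret, scope=GOOD_SCOPE):
    """Return (url, form body) for the OAuth 2.0 client credentials grant.
    Kept separate from the network call so the body can be checked offline."""
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    return url, body


def request_token(tenant_id, client_id, client_secret, scope=GOOD_SCOPE):
    """Perform the token request (network) and return the raw access token."""
    url, body = build_token_request(tenant_id, client_id, client_secret, scope)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    """Base64url decode with the padding JWTs strip off."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt):
    """Decode the JWT payload WITHOUT signature verification.
    Fine for reading aud/roles from a token you just received; never use
    this to decide whether to trust a token presented to you."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(jwt, expected=DEFENDER_API):
    """True if the token's aud claim names the API we are about to call."""
    aud = decode_claims(jwt).get("aud")
    if isinstance(aud, list):
        return expected in aud
    return aud == expected


def diagnose(jwt, expected=DEFENDER_API):
    """Explain the most likely cause of a 403 from the token itself."""
    claims = decode_claims(jwt)
    if not audience_matches(jwt, expected):
        return (f"aud is {claims.get('aud')!r}, expected {expected!r}: "
                f"request the token with scope {expected}/.default")
    if not claims.get("roles"):
        return ("aud is correct but no roles claim: grant application "
                "permissions on WindowsDefenderATP and admin-consent them")
    return "ok"


def _fake_jwt(claims):
    """Build an unsigned token for offline tests (constructed sample, not a
    real Entra ID token; alg 'none' and an empty signature)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])


# Constructed sample tokens mirroring the two outcomes in the report.
SAMPLE_WRONG_AUD = _fake_jwt({
    "aud": "https://userrequestsgraphapi-prd.trafficmanager.net",
    "roles": ["Machine.Read.All"],  # assumed role name for illustration
})
SAMPLE_GOOD_AUD = _fake_jwt({"aud": DEFENDER_API, "roles": ["Machine.Read.All"]})
SAMPLE_NO_ROLES = _fake_jwt({"aud": DEFENDER_API})

if __name__ == "__main__":
    for name, tok in [("wrong aud", SAMPLE_WRONG_AUD),
                      ("good", SAMPLE_GOOD_AUD),
                      ("no roles", SAMPLE_NO_ROLES)]:
        print(f"{name}: {diagnose(tok)}")
```

Run `diagnose()` on the token you get back from `request_token()` before calling `api.securitycenter.microsoft.com`; an audience mismatch points at the scope in the token request, while a correct audience with an empty `roles` claim points at missing or un-consented application permissions on the app registration.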

@mjcaparas please help us in resolving this issue. Thanks

yogkumgit, Jul 28 '22 03:07