Getting 401 doing a GET from https://wdatp-alertexporter-us.windows.com/api/alerts – Microsoft Q&A

Hi,

Working with a customer to get their Defender Endpoint Alerts.

Following instructions here

https://learn.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api

I am able to get the Access Token with the info provided by the customer (tenantId, appId, and appSecret)

However getting a 401 attempting

curl -s -v -X GET \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-H "Authorization: Bearer $token" \
https://wdatp-alertexporter-us.windows.com/api/alerts

When I checked the access token at https://jwt.ms/ I see these roles

  "roles": [  
    "Url.Read.All",  
    "Ip.Read.All",  
    "Ti.Read.All",  
    "User.Read.All",  
    "Alert.Read.All",  
    "Software.Read.All",  
    "File.Read.All",  
    "Vulnerability.Read.All",  
    "AdvancedQuery.Read.All"  
  ]  

Noticed that they do not match the roles listed in this doc:

https://learn.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp#validate-the-token

Do I need all of those roles listed in the doc?

If not, what is the minimum set of roles I need to GET alerts via
wdatp-alertexporter-us.windows.com/api/alerts?

Or do you see anything else wrong with my request that might be causing the 401 error?

Thanks – Mike
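
An added example, not part of the original post and not Microsoft's code: a local way to run the same check as jwt.ms without pasting a live bearer token into a website, reporting the claims an API commonly rejects with 401 (audience, expiry, roles). The expected audience and required roles are caller-supplied assumptions, and the sample token and its `aud` value are constructed; only the role names are taken from the post.

```python
import base64
import json
import time


def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, expected_aud, required_roles, now=None):
    """List reasons an API could reject this token (empty list: none found)."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud is {aud!r}, expected {expected_aud!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    missing = sorted(set(required_roles) - set(claims.get("roles", [])))
    if missing:
        problems.append("missing roles: " + ", ".join(missing))
    return problems


def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: placeholder signature and audience, roles as in the post.
SAMPLE_CLAIMS = {
    "aud": "https://resource-a.example",  # constructed value, not a real resource
    "exp": 2000000000,
    "roles": ["Url.Read.All", "Ip.Read.All", "Ti.Read.All", "User.Read.All",
              "Alert.Read.All", "Software.Read.All", "File.Read.All",
              "Vulnerability.Read.All", "AdvancedQuery.Read.All"],
}
SAMPLE_TOKEN = ".".join(
    [_b64url({"alg": "none", "typ": "JWT"}), _b64url(SAMPLE_CLAIMS), "sig"])

if __name__ == "__main__":
    for line in diagnose(SAMPLE_TOKEN, "https://resource-b.example",
                         ["Alert.Read.All"], now=1700000000):
        print(line)
```

A token can carry every required role and still be rejected when its `aud` names a different resource than the API being called, so compare both against the documentation for the endpoint in use.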