Invoke-MgGraphRequest not working for "api.securitycenter.microsoft.com"

Question

Invoke-MgGraphRequest not working for "api.securitycenter.microsoft.com"

Opened this issue 14 days ago · 1 comments

Describe the bug

I was trying to use Invoke-MgGraphRequest with api.securitycenter and it doesn't work. It works using old MSAL.PS methods so I would guess it's the same thing. Is that expected?

Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All', 'SecurityIdentitiesHealth.Read.All', 'SecurityAlert.Read.All' -NoWelcome

# works
Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/users" -Method Get -Verbose
# doesn't work
Invoke-MgGraphRequest -Uri "https://api.securitycenter.microsoft.com/api/alerts" -Method Get -Verbose

Expected behavior

Invoke-MgGraphRequest should work with all URL's

How to reproduce

Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All', 'SecurityIdentitiesHealth.Read.All', 'SecurityAlert.Read.All' -NoWelcome

# works
Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/users" -Method Get -Verbose
# doesn't work
Invoke-MgGraphRequest -Uri "https://api.securitycenter.microsoft.com/api/alerts" -Method Get -Verbose

SDK Version

2.23.0

Latest version known to work for scenario above?

No response

Known Workarounds

MSAL.PS module

Debug output

Click to expand log

``` Invoke-MgGraphRequest : GET https://api.securitycenter.microsoft.com/api/alerts HTTP/1.1 401 Unauthorized Transfer-Encoding: chunked Connection: keep-alive Strict-Transport-Security: max-age=31536000; includeSubDomains Date: Fri, 20 Sep 2024 10:37:16 GMT WWW-Authenticate: Bearer Content-Type: application/json; charset=utf-8 {"error":{"code":"Unauthorized","message":"Invalid Authorization payload.","target":"|bacd29ce-4fb3ae258a3201fc."}} At C:\Support\GitHub\GraphEssentials\Examples\GraphTest.ps1:5 char:1 + Invoke-MgGraphRequest -Uri "https://api.securitycenter.microsoft.com/ ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (Method: GET, Re...4ea93e814321 }:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException + FullyQualifiedErrorId : InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest ```

Configuration

Windows 11 PS 7

Other information

Not relevant

Answer 1 · 2024-09-20T10:50:58.000Z

It seems there are also graph.microsoft.com security endpoints as available:

https://developer.microsoft.com/en-us/graph/graph-explorer?request=security/alerts_v2&method=GET&version=beta&GraphUrl=https://graph.microsoft.com

And this works:

$T = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/security/alerts_v2" -Method Get -Verbose
$T.Value

So I would guess the question is - if that's the right approach and api.securitycenter.microsoft.com is deprecated?