Updates from editor

Author: v-phoebh

support/entra/entra-id/users-groups-entra-apis/403-error-when-calling-microsoft-graph-security-api.md

@@ -1,33 +1,33 @@
 ---
-title: HTTP 403 authorization error when calling the Microsoft Graph Security API
-description: Provides soltions to an HTTP 403 error that occurs when you call the Microsoft Graph Security API.
-ms.date: 05/06/2025
+title: HTTP 403 Authorization Error When Calling Microsoft Graph Security API
+description: Provides solutions to an HTTP 403 error that occurs when you call the Microsoft Graph Security API.
+ms.date: 05/14/2025
 ms.service: entra-id
 ms.custom: sap:Getting access denied errors (Authorization)
 ms.reviewer: bachoang, v-weizhu
 ---
 # HTTP 403 authorization error when calling the Microsoft Graph Security API
 
-This article provides soltions to an HTTP 403 error that occurs when you call the Microsoft Graph Security API.
+This article provides solutions to an HTTP 403 error that occurs when you call the Microsoft Graph Security API.
 
 ## Symptoms
 
-When using the Microsoft Graph Security API to call endpoints such as `https://graph.microsoft.com/v1.0/security/alert` and `https://graph.microsoft.com/beta/security/secoreScores`, you might get an 403 error with the following message:
+When using the Microsoft Graph Security API to call endpoints such as `https://graph.microsoft.com/v1.0/security/alert` and `https://graph.microsoft.com/beta/security/secoreScores`, you might receive a 403 error with the following message:
 
 > Auth token does not contain valid permissions or user does not have valid roles
 
 ## Cause
 
 The error occurs due to one of the following reasons:
 
-- The access token lacks the necessary Microsoft Graph permission for the security endpoints.
-- The authenticating user that obtains the access token isn't in a required Azure AD admin role for delegated permission type token.
+- The access token lacks the necessary Microsoft Graph permissions for the security endpoints.
+- The authenticating user that obtains the access token doesn't have a Microsoft Entra admin role required for the delegated permission type token.
 
-## Solution 1: Use valid Microsoft Graph permission
+## Solution 1: Use valid Microsoft Graph permissions
 
-There are two types of tokens: application and delegated permission token. For more information, see [Application and delegated permissions for access tokens in the Microsoft identity platform](../app-integration/application-delegated-permission-access-tokens-identity-platform.md).
+There are two types of tokens: application and delegated permission tokens. For more information, see [Application and delegated permissions for access tokens in the Microsoft identity platform](../app-integration/application-delegated-permission-access-tokens-identity-platform.md).
 
-For delegated permission token, Microsoft Graph permission is in the `scp` claim. For application permission token, the permission is in the `roles` claim. To get the required Microsoft Graph permissoin, you can refer to the following table that listed in [Authorization and the Microsoft Graph Security API](/graph/security-authorization#register-an-application-with-the-microsoft-identity-platform-endpoint):
+For delegated permission tokens, the Microsoft Graph permissions are in the `scp` claim. For application permission tokens, the permissions are in the `roles` claim. To get the required Microsoft Graph permissions, you can refer to the following table, which is also listed in [Authorization and the Microsoft Graph Security API](/graph/security-authorization#register-an-application-with-the-microsoft-identity-platform-endpoint):
 
 |Permission | Entity | Supported requests |
 |:----------|:-------|:-------------------|
@@ -41,7 +41,7 @@ For more information, see [Use the Microsoft Graph security API](/graph/api/reso
 
 ## Solution 2: Use valid Microsoft Entra admin roles
 
-For delegated permission token, the authenticating user needs to be in one of the following admin roles:
+For delegated permission tokens, the authenticating user needs to have one of the following admin roles:
 
 |Microsoft Entra role|Role template ID|
 |---|---|
@@ -51,7 +51,7 @@ For delegated permission token, the authenticating user needs to be in one of th
 
 For more information, see [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference) and [Authorization and the Microsoft Graph Security API](/graph/security-authorization).
 
-The `wids` claim in the token contains the Microsoft Entra role. It can be used to determine if the user has the sufficient privilege.
+The `wids` claim in the token contains the Microsoft Entra role. It can be used to determine whether the user has sufficient privileges.
 
 ```json
 "ver": "1.0"
@@ -65,6 +65,6 @@ The `wids` claim in the token contains the Microsoft Entra role. It can be used
 ```
 
 > [!NOTE]
-> If the token is obtained via the [implicit grant flow](/entra/identity-platform/v2-oauth2-implicit-grant-flow), the `wids` claim might not exist. For more information, see [Access tokens in the Microsoft identity platform](/entra/identity-platform/access-tokens). In this case, use a different OAuth 2 grant flow such as [authorization code flow](/entra/identity-platform/v2-oauth2-auth-code-flow) to obtain the access token.
+> If the token is obtained via the [implicit grant flow](/entra/identity-platform/v2-oauth2-implicit-grant-flow), the `wids` claim might not exist. For more information, see [Access tokens in the Microsoft identity platform](/entra/identity-platform/access-tokens). In this case, use a different OAuth 2 grant flow, such as the [authorization code flow](/entra/identity-platform/v2-oauth2-auth-code-flow), to obtain the access token.
 
-[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]