Merge pull request #8923 from MicrosoftDocs/main

Auto push to live 2025-05-14 10:02:01

Author: Deland-Han

support/entra/entra-id/toc.yml

@@ -309,6 +309,8 @@
         href: users-groups-entra-apis/add-owner-for-application-microsoft-graph.md
       - name: NoPermissionsInAccessToken when calling me endpoint
         href: users-groups-entra-apis/error-call-me-endpoint-microsoft-graph.md
+      - name: HTTP 403 authorization error when calling Microsoft Graph Security API
+        href: users-groups-entra-apis/403-error-when-calling-microsoft-graph-security-api.md
       - name: Tenant doesn't have premium license error when query sign-in activities
         href: users-groups-entra-apis/b2c-or-tenant-premium-license-sign-in-activities.md
    - name: Problem with using the Graph SDK - libraries

support/entra/entra-id/users-groups-entra-apis/403-error-when-calling-microsoft-graph-security-api.md

@@ -0,0 +1,70 @@
+---
+title: HTTP 403 Authorization Error When Calling Microsoft Graph Security API
+description: Provides solutions to an HTTP 403 error that occurs when you call the Microsoft Graph Security API.
+ms.date: 05/14/2025
+ms.service: entra-id
+ms.custom: sap:Getting access denied errors (Authorization)
+ms.reviewer: bachoang, v-weizhu
+---
+# HTTP 403 authorization error when calling the Microsoft Graph Security API
+
+This article provides solutions to an HTTP 403 error that occurs when you call the Microsoft Graph Security API.
+
+## Symptoms
+
+When using the Microsoft Graph Security API to call endpoints such as `https://graph.microsoft.com/v1.0/security/alert` and `https://graph.microsoft.com/beta/security/secoreScores`, you might receive a 403 error with the following message:
+
+> Auth token does not contain valid permissions or user does not have valid roles
+
+## Cause
+
+The error occurs due to one of the following reasons:
+
+- The access token lacks the necessary Microsoft Graph permissions for the security endpoints.
+- The authenticating user that obtains the access token doesn't have a Microsoft Entra admin role required for the delegated permission type token.
+
+## Solution 1: Use valid Microsoft Graph permissions
+
+There are two types of tokens: application and delegated permission tokens. For more information, see [Application and delegated permissions for access tokens in the Microsoft identity platform](../app-integration/application-delegated-permission-access-tokens-identity-platform.md).
+
+For delegated permission tokens, the Microsoft Graph permissions are in the `scp` claim. For application permission tokens, the permissions are in the `roles` claim. To get the required Microsoft Graph permissions, you can refer to the following table, which is also listed in [Authorization and the Microsoft Graph Security API](/graph/security-authorization#register-an-application-with-the-microsoft-identity-platform-endpoint):
+
+|Permission | Entity | Supported requests |
+|:----------|:-------|:-------------------|
+|SecurityActions.Read.All| • [securityActions](/graph/api/resources/securityaction) (preview) | GET |
+|SecurityActions.ReadWrite.All| • [securityActions](/graph/api/resources/securityaction) (preview) | GET, POST |
+|SecurityEvents.Read.All | &bull; [alerts](/graph/api/resources/alert)</br> &bull; [secureScores](/graph/api/resources/securescore) </br> &bull; [secureScoreControlProfiles](/graph/api/resources/securescorecontrolprofiles) | GET |
+|SecurityEvents.ReadWrite.All | &bull; [alerts](/graph/api/resources/alert)</br> &bull; [secureScores](/graph/api/resources/securescore) </br> &bull; [secureScoreControlProfiles](/graph/api/resources/securescorecontrolprofiles) | GET, POST, PATCH |
+|ThreatIndicators.ReadWrite.OwnedBy | &bull; [tiIndicator](/graph/api/resources/tiindicator) (preview) | GET, POST, PATCH, DELETE|
+
+For more information, see [Use the Microsoft Graph security API](/graph/api/resources/security-api-overview) and [Microsoft Graph permissions reference](/graph/permissions-reference).
+
+## Solution 2: Use valid Microsoft Entra admin roles
+
+For delegated permission tokens, the authenticating user needs to have one of the following admin roles:
+
+|Microsoft Entra role|Role template ID|
+|---|---|
+|Security Reader|5d6b6bb7-de71-4623-b4af-96380a352509|
+|Security Administrator|194ae4cb-b126-40b2-bd5b-6091b380977d|
+|Global Administrator|62e90394-69f5-4237-9190-012177145e10|
+
+For more information, see [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference) and [Authorization and the Microsoft Graph Security API](/graph/security-authorization).
+
+The `wids` claim in the token contains the Microsoft Entra role. It can be used to determine whether the user has sufficient privileges.
+
+```json
+"ver": "1.0"
+"wids": [
+   "62e90394-69f5-4237-9190-012177145e10",
+   "b79fbf4d-3ef9-4689-8143-76b194e85509"
+],
+"xms_st":{
+  "sub": "<sub>"
+}
+```
+
+> [!NOTE]
+> If the token is obtained via the [implicit grant flow](/entra/identity-platform/v2-oauth2-implicit-grant-flow), the `wids` claim might not exist. For more information, see [Access tokens in the Microsoft identity platform](/entra/identity-platform/access-tokens). In this case, use a different OAuth 2 grant flow, such as the [authorization code flow](/entra/identity-platform/v2-oauth2-auth-code-flow), to obtain the access token.
+
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]

support/power-platform/dataverse/email-exchange-synchronization/incoming-emails-unexpectedly-synchronized-have-unexpected-missing-data.md

@@ -63,7 +63,7 @@ To avoid duplicate emails to be tracked or synchronized:
 2. Navigate to **Settings** > **Email Configuration** > **Email Configuration Settings**.
 3. Under the **Set tracking options for emails between Microsoft Dynamics 365 users** setting, clear the **Track emails sent between Dynamics 365 users as two activities** option.
 
-   :::image type="content" source="media/incoming-emails-unexpectedly-synchronized-have-unexpected-missing-data/track-emails-sent-between-dynamics-365-as-two-activities.png" alt-text="Screenshot that shows the Set tracking options for emails between Microsoft Dynamics 365 users setting.":::
+   :::image type="content" source="media/incoming-emails-unexpectedly-synchronized-have-unexpected-missing-data/track-emails-sent.png" alt-text="Screenshot that shows the Set tracking options for emails between Microsoft Dynamics 365 users setting.":::
 
 For more information about how the system detects if an email should be automatically promoted, see [Specify which emails are automatically tracked](/power-platform/admin/email-message-filtering-correlation).
 

…tween-dynamics-365-as-two-activities.png …ected-missing-data/track-emails-sent.pngsupport/power-platform/dataverse/email-exchange-synchronization/media/incoming-emails-unexpectedly-synchronized-have-unexpected-missing-data/track-emails-sent-between-dynamics-365-as-two-activities.png renamed to support/power-platform/dataverse/email-exchange-synchronization/media/incoming-emails-unexpectedly-synchronized-have-unexpected-missing-data/track-emails-sent.png support/power-platform/dataverse/email-exchange-synchronization/media/incoming-emails-unexpectedly-synchronized-have-unexpected-missing-data/track-emails-sent-between-dynamics-365-as-two-activities.png renamed to support/power-platform/dataverse/email-exchange-synchronization/media/incoming-emails-unexpectedly-synchronized-have-unexpected-missing-data/track-emails-sent.png

@@ -1,7 +1,7 @@
 ---
 title: Active Directory domain join troubleshooting guidance
 description: Provides guidance to troubleshoot domain join issues.
-ms.date: 05/13/2025
+ms.date: 05/14/2025
 manager: dcscontentpm
 audience: itpro
 ms.topic: troubleshooting
@@ -68,8 +68,8 @@ The following table lists the ports required to be open between the client compu
 
 For more information, see:
 
-- Troubleshoot [Networking error messages and resolutions](troubleshoot-errors-join-computer-to-domain.md#networking-error-messages-and-resolutions)
-- Troubleshoot [Authentication error messages and resolutions](troubleshoot-errors-join-computer-to-domain.md#authentication-error-messages-and-resolutions)
+- [Troubleshoot networking errors](domain-join-networking-errors.md)
+- [Troubleshoot authentication errors](domain-join-authentication-errors.md)
 
 ## Data collections for domain join issues
 

support/windows-server/active-directory/active-directory-domain-join-troubleshooting-guidance.md

@@ -25,7 +25,7 @@ Consider either of the following scenarios:
 - You install a new Windows Server 2016 Certification Authority (CA).
 - You configure the compatibility settings of a certificate template by setting **Certification Authority** to **Windows Server 2016** and **Certificate recipient** to **Windows 10 / Windows Server 2016**.
 
-    :::image type="content" source="media/cannot-select-windows-server-2016-ca-compatible-certificate-templates/compatibility-settings-of-a-certificate-template.png" alt-text="Screenshot of the compatibility settings of a certificate template, showing the compatibility level set to Windows Server 2016 and Windows 10.":::
+    :::image type="content" source="media/cannot-select-windows-server-2016-ca-compatible-certificate-templates/compatibility-settings-certificate-template.png" alt-text="Screenshot of the compatibility settings of a certificate template, showing the compatibility level set to Windows Server 2016 and Windows 10.":::
 
 When Windows 10 users try to request certificates by using the CA Web enrollment page (the CEP URL), the certificate template that you configured as described here is not listed as an available template.
 
@@ -44,7 +44,7 @@ To work around this issue, follow these steps:
    - **Certificate Authority**: **Windows Server 2012 R2**  
    - **Certificate recipient**: **Windows 8.1 / Windows Server 2012 R2**  
 
-        :::image type="content" source="media/cannot-select-windows-server-2016-ca-compatible-certificate-templates/compatibility-settings-certificate-template-authority-recipient.png" alt-text="Screenshot of the compatibility settings of a certificate template, showing the compatibility level set to Windows Server 2012 R2 and Windows 8.1.":::
+        :::image type="content" source="media/cannot-select-windows-server-2016-ca-compatible-certificate-templates/certificate-template-authority-recipient.png" alt-text="Screenshot of the compatibility settings of a certificate template, showing the compatibility level set to Windows Server 2012 R2 and Windows 8.1.":::
 
 2. Wait 30 minutes for the CEP server to receive the updated template information (or use the IISReset tool to restart the server).
 3. On the client computer, clear the client-side Enrollment Policy Cache by using the following command in a Command Prompt window:

support/windows-server/certificates-and-public-key-infrastructure-pki/cannot-select-windows-server-2016-ca-compatible-certificate-templates.md

@@ -70,7 +70,7 @@ To configure the IIS Web server in the resource forest, follow these steps:
 
 2. On the IIS Web server, enable **Active Directory Client Certificate Authentication**.
 
-    :::image type="content" source="./media/set-up-certificate-based-authentication-across-forest-without-trust/enable-active-directory-client-certificate-authentication.png" alt-text="Enabling the Active Directory Client Certificate Authentication.":::
+    :::image type="content" source="./media/set-up-certificate-based-authentication-across-forest-without-trust/enable-client-certificate-authentication.png" alt-text="Enabling the Active Directory Client Certificate Authentication.":::
 
 3. On your website, configure **SSL Settings** to **Require SSL** and then under **Client certificates**, select **Require**.