I'm trying to get a list of partnersecurityalert objects using the microsoft.graph.partner.security Graph API.
According to the documentation, the API application permission PartnerSecurity.Read.All should be enough to get the list of alerts.
When I use application API permissions to call the API:
var result = await graphClient.Security.Partner.SecurityAlerts.GetAsync();
I get the result:
403 ODataError: {"Error":{"Code":"Unauthorized_MissingMFA","Message":"MFA is required for this request. The provided authentication token does not have MFA claims."}}
Tested with both a certificate and with a managed identity (ManagedIdentityCredential object, using federated credential). The same app & graphClient object can use the Graph API to get SharePoint sites, Teams or other objects.
When using application-level permissions, there is of course no way to do MFA, so this seems to be a bug in either the Graph API or the SDK.
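A way to check what the token sent with the failing request actually asserts, as an added example that is not part of the original post: decode the JWT payload locally and report whether it is app-only and whether it carries an MFA claim. It assumes the "MFA claims" in the error refer to an `amr` array containing `mfa`, and that app-only tokens carry `roles` and no `scp`; the `TokenClaims` class and the sample token are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

static class TokenClaims
{
    // JWT segments are base64url without padding; restore both before decoding.
    static string Base64UrlDecode(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }

    static string Base64UrlEncode(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
               .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Summarises the claims relevant to Unauthorized_MissingMFA.
    // The signature is NOT verified: this is for local inspection only.
    public static string Describe(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Expected a three-segment JWT.");
        using var doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        var p = doc.RootElement;

        // Assumption: application permissions appear in "roles", delegated ones in "scp".
        bool appOnly = p.TryGetProperty("roles", out var r) && !p.TryGetProperty("scp", out _);
        // Assumption: MFA is recorded as the value "mfa" in the "amr" array.
        bool hasMfa = p.TryGetProperty("amr", out var amr)
                      && amr.ValueKind == JsonValueKind.Array
                      && amr.EnumerateArray().Any(v => v.GetString() == "mfa");
        string roles = r.ValueKind == JsonValueKind.Array
            ? string.Join(",", r.EnumerateArray().Select(v => v.GetString()))
            : "(none)";
        return $"appOnly={appOnly} mfaClaim={hasMfa} roles={roles}";
    }

    static void Main()
    {
        // Constructed payload shaped like an app-only token; not a real token.
        string payload = "{\"aud\":\"https://graph.microsoft.com\"," +
                         "\"roles\":[\"PartnerSecurity.Read.All\"]}";
        string jwt = Base64UrlEncode("{\"alg\":\"none\"}") + "." + Base64UrlEncode(payload) + ".sig";
        Console.WriteLine(Describe(jwt));
    }
}
```

To inspect a real token, pass `Describe` the `Token` string returned by the credential's `GetTokenAsync` for the `https://graph.microsoft.com/.default` scope, and keep the token itself out of logs.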