I'm trying to do postman access token request to reach the following api :
however the result returned is always the same:
"error": { "code": "Unauthorized", "message": "Unauthorized", "target": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" }
POST : https://login.microsoftonline.com/%7Btenant-id%7D/oauth2/v2.0/token
Body:
client_id : my client id
scope :https://graph.microsoft.com/.default
client_secret : my client secret
grant_type : client_credentials
Header:
Content-Type : x-www-form-urlencoded
The response return me a token that is apparently not recognized by the first request...
I've tried several scopes such as : /.default, user.read openid profile offline_access, https://graph.microsoft.com/.default...
Even if they are all returning me a token, none of them seems to work.
I've also added the right to WindowsDefenderATP > Vulnerability.read, from the azure portal.
Is the problem the scope? What scope should I use if I have a client credential grant type?
You can follow this page in documentation.
You need an application permission since you are making the request with only application credentials. In this case I think you need the Vulnerability.Read.All permission. Don't forget to grant admin consent after adding the required permission.
Here is the scope you should use: