From 06b836a9505d3b0d223bdbfeb546940fd5ab0e20 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 22 Aug 2018 14:35:10 -0700 Subject: [PATCH] add application consent section --- .../exposed-apis-create-app-nativeapp.md | 6 +++--- .../exposed-apis-create-app-webapp.md | 10 +++++----- .../windows-defender-atp/run-advanced-query-api.md | 14 +++++++++----- 3 files changed, 17 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md index 2f96cc142c..f3d72bd653 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md @@ -81,8 +81,8 @@ If you are not familiar with user permissions on WDATP, please refer to [Manage For instance, - - In order to [run advanced queries](run-advanced-query-api.md), check 'Run advanced queries' permission - - In order to [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), check 'Isolate machine' permission + - In order to [run advanced queries](run-advanced-query-api.md), check 'Run advanced queries' permission + - In order to [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), check 'Isolate machine' permission To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. 
@@ -110,7 +110,7 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co ### Using C# ->The below code was tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8 +The code was below tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8 - Create a new Console Application - Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md index b993edea97..20e0d808b8 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md 
@@ -114,13 +114,12 @@ This page explains how to create an app, get an access token to Windows Defender ![Image of multi tenant](images/webapp-edit-multitenant.png) -**Note**: +## Application consent +You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with WDATP application on behalf of your customer. - You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with WDATP application on behalf of your customer. +You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory. - You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory. - - Consent link is of the form: +Consent link is of the form: ``` https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true​ @@ -217,6 +216,7 @@ Sanity check to make sure you got a correct token: // Do something useful with the response ``` + ## Related topics - [Windows Defender ATP APIs](exposed-apis-intro.md) - [Supported Windows Defender ATP APIs](exposed-apis-list.md) diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md index 6f722c1194..b53851bf20 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md 
@@ -125,13 +125,17 @@ Content-Type: application/json​ ## T​roubl​eshooting: -- (403) Forbidden. +- Error: (403) Forbidden - If you get this error when calling WDATP API, your token probably does not include the necessary permission, + + If you get this error when calling WDATP API, your token probably does not include the necessary permission. + Check [app permissions](exposed-apis-create-app-webapp.md#validate-the-token) or [delegated permissions](exposed-apis-create-app-nativeapp.md#validate-the-token) included in your token. - If the 'roles' section in the token does not include the necessary permission, - - either you did not add the necessary permission to your app (refer to [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md#create-an-app) or [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md#create-an-app)) - - or you did not authorize your app in the tenant see, [Application consent](exposed-apis-create-app-webapp.md#application-consent). + + If the 'roles' section in the token does not include the necessary permission: + + - The necessary permission to your app might not have been granted. For more information, see [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md#create-an-app) or [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md#create-an-app) or, + - The app was not authorized in the tenant, see [Application consent](exposed-apis-create-app-webapp.md#application-consent). ## Related topic
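Review bot: The nativeapp.md hunk at @@ -81 only changes the leading whitespace of the two `- In order to ...` list items and is not covered by the commit message "add application consent section"; either mention the indentation cleanup in the message or split it into its own commit so the diff stays reviewable.

Review bot: In the nativeapp.md hunk at @@ -110 the rewritten line has its words out of order: `+The code was below tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8` should read `The code below was tested with NuGet Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8`. Dropping the leading `>` also turns the note from a blockquote into a plain paragraph; that is fine only if the same note on the webapp page is formatted the same way.

Review bot: In the webapp.md hunk at @@ -114 the new `## Application consent` heading is the target of the `exposed-apis-create-app-webapp.md#application-consent` link added in run-advanced-query-api.md, so its text must stay exactly as written for that anchor to resolve. Two wording points in the promoted paragraphs: `interacts with WDATP application` should be `interacts with the WDATP application`, and `3rd party application` should be `third-party application`. The unchanged consent URL on the following context line ends in a stray zero-width space after `sso_reload=true`; since readers are told to click or copy this link, it is worth removing the character while this section is being edited.

Review bot: In the run-advanced-query-api.md hunk at @@ -125 the first new sub-bullet misplaces both its object and its connective: `- The necessary permission to your app might not have been granted. For more information, see [...] or [...] or,` should be `- The necessary permission might not have been granted to your app. For more information, see [Access Windows Defender ATP without a user](...) or [Access Windows Defender ATP on behalf of a user](...), or`, so the `or` joins it to the second bullet instead of dangling after the links. The preceding check also looks only at the `'roles'` section of the token, while the line above it points readers at both app permissions and delegated permissions; delegated-permission tokens carry their permissions in a separate claim (scp), so either scope the `'roles'` check to the app-permission case or name the claim delegated-token readers should inspect. Finally, the context heading `## T​roubl​eshooting:` and the `Content-Type: application/json​` line contain zero-width spaces inside the text, which break the heading's anchor slug and in-page search; since this hunk rewrites the section, strip them here.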