Improve documentation

This commit is contained in:
David Laufer 2018-07-30 09:26:11 +03:00
parent c279b95e42
commit d7053a02f4
2 changed files with 19 additions and 22 deletions

View File

@ -97,6 +97,21 @@ This page explains how to create an app, get an access token to Windows Defender
![Image of multi tenant](images/webapp-edit-multitenant.png) ![Image of multi tenant](images/webapp-edit-multitenant.png)
## Application consent
You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with WDATP application on behalf of your customer.
You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory.
Consent link is of the form:
```
https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
```
where 00000000-0000-0000-0000-000000000000 should be replaced with your Azure application ID
## Get an access token ## Get an access token
For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds) For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
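Review bot: the consent link `https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=...&response_type=code&sso_reload=true` uses the v1 `/oauth2/authorize` endpoint, while the token request later on this page posts to `/oauth2/v2.0/token`; say which endpoint version the app registration targets so readers do not mix the two flows. Two wording fixes in the new text: "The consent should be done with a user who has admin privileges in the active directory" reads better as "Consent must be granted by an Azure AD administrator of the tenant", and "interacts with WDATP application" needs "the" before "WDATP application".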
@ -117,7 +132,7 @@ The token is displayed in the application window
### Using Curl ### Using Curl
> [!NOTE] > [!NOTE]
> The below procedure supposed Curl is already installed on your computer > The below procedure supposed Curl for Windows is already installed on your computer
- Open a command window - Open a command window
- Set CLIENT_ID to your Azure application ID - Set CLIENT_ID to your Azure application ID
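Review bot: "The below procedure supposed Curl for Windows is already installed on your computer" should be "The procedure below assumes curl for Windows is already installed on your computer". Since the note now scopes this section to Windows, make that visible in the heading or first bullet as well, so readers on other platforms know the `%CLIENT_ID%` style variables in the following command are Windows syntax.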
@ -125,9 +140,6 @@ The token is displayed in the application window
- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access WDATP application - Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access WDATP application
- Run the below command: - Run the below command:
> [!NOTE]
> The below syntax is for curl in Windows. For Linux you should use $CLIENT_ID instead of %CLIENT_ID% (same for CLIENT_SECRET and TENANT_ID)
``` ```
curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k
``` ```
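Review bot: the curl command keeps `-k`, which disables TLS certificate verification on the very request that sends `client_secret=%CLIENT_SECRET%` to `https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token`; drop `-k` so an intercepted or misconfigured connection fails instead of leaking the secret, and if a corporate proxy certificate was the reason it was added, tell readers to trust that CA instead. Removing the Linux note also removes the only mention that `$CLIENT_ID` replaces `%CLIENT_ID%` outside Windows; keep one sentence of it unless the section is meant to be Windows-only.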
@ -145,20 +157,5 @@ You will get an answer of the form:
![Image of token validation](images/webapp-validate-token.png) ![Image of token validation](images/webapp-validate-token.png)
## Application consent
You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with WDATP application on behalf of your customer.
You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory.
Consent link is of the form:
```
https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
```
where 00000000-0000-0000-0000-000000000000 should be replaced with your Azure application ID
## Related topics ## Related topics
- [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection-new.md) - [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection-new.md)
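Review bot: moving "Application consent" earlier is fine and the heading text is unchanged, so the `#application-consent` anchor that the troubleshooting page links to still resolves; confirm no other page links to the old position by section order rather than by anchor.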

View File

@ -126,9 +126,9 @@ Content-Type: application/json
- (403) Forbidden. - (403) Forbidden.
If you get this error when calling WDATP API, your token probably does not include the necessary permission. If you get this error when calling WDATP API, your token probably does not include the necessary permission,
Please refer to section "Verify you can access WDATP app using your app" in Create an AAD app. [Check the permissions](exposed-apis-windows-defender-advanced-threat-protection-new.md#validate-the-token) included in your token.
If the 'roles' section in the token does not include the necessary permission, either you did not add the necessary permission to your app (refer to step 6 in Create an AAD app) or you did not authorized your app in the tenant (refer to "Application consent" in Create an AAD app) If the 'roles' section in the token does not include the necessary permission, either you did not add the necessary permission to your app (refer to step 6 in [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)) or you did not authorized your app in the tenant (refer to [Application consent](exposed-apis-windows-defender-advanced-threat-protection-new.md#application-consent))
## Related topic ## Related topic
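Review bot: the rewritten sentence now ends with a comma and the next one starts with a capitalised link ("...does not include the necessary permission, [Check the permissions]..."); end the first sentence with a full stop. In the last paragraph "you did not authorized your app in the tenant" should be "you did not authorize your app in the tenant" (present in both old and new text). Replacing the bare section names with links to `#create-an-app` and `#application-consent` is an improvement.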