Does Graph Security eDiscovery API support client_credentials grant type?

Question

I am testing Security eDiscovery graph API. The API works with authorization_code grant_type. However, when I use client_credentials grant_type, the APIs fail and return below error:

{ "error": { "code": "Unauthorized", "message": "Invalid scopes. Scopes = [].", "innerError": { "date": "2024-11-23T01:27:52", "request-id": "c297c67b-77fe-44b8-a0e9-0c6be0c96604", "client-request-id": "c297c67b-77fe-44b8-a0e9-0c6be0c96604" } } }

I can make sure that the client_id has been granted "eDiscovery.Read.All" application permission, which can be seen in jwt.ms. Besides, this access token works with other Graph APIs, such as https://graph.microsoft.com/v1.0/security/alerts_v2. And in API document (https://learn.microsoft.com/en-us/graph/api/resources/security-ediscoverycase?view=graph-rest-1.0), it says both delegated and application permission types are supported.

Answer 1

Hello sysint,

Thank you for reaching out to Microsoft Support!

According to the documentation, the eDiscovery API does support client_credentials grant type, but after testing, we also encountered the 401 error, even though permissions have been granted to the eDiscovery.Read.All and eDiscovery.ReadWrite.All applications.

After checking, the endpoint previously supported delegation permissions only, and the application permissions were recently introduced, so the error may not be fully adapted, we recommend you give feedback here, and we recommend that you use delegated permissions to access the endpoint before this fix.

Hope this helps.

If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.