ESC
Type to search...
Navigate Open ESC Close

SecurityAlert.ReadWrite.All

Export JSON
Export CSV
Copy URL
Print
ApplicationDelegated Read/Write All Resources

Allows the app to read and write to all security alerts, without a signed-in user.

Permission data: April 6, 2026 at 4:06 AM UTC
Delegated Access App-Only Access

Permission Details

Application Permission

Read and write to all security alerts

Allows the app to read and write to all security alerts, without a signed-in user.

Permission ID: ed4fca05-be46-441f-9803-1873825f8fdb
Delegated Permission Admin consent required

Read and write to all security alerts

Allows the app to read and write to all security alerts, on behalf of the signed-in user.

User sees: Allows the app to read and write all alerts that you have access to.
Permission ID: 471f2a7f-2a42-4d45-a2bf-594d0838070d

Properties

Microsoft Graph v1.0 exact-category-docs

Properties is shown from stable Microsoft Graph v1.0 metadata.

Property Type Description
actorDisplayName StringNullable The adversary or activity group that is associated with this alert.
additionalData security.dictionary A collection of other alert properties, including user-defined properties. Any custom details defined in the alert, and any dynamic content in the alert details, are stored here.
alertPolicyId StringNullable The ID of the policy that generated the alert, and populated when there is a specific policy that generated the alert, whether configured by a customer or a built-in policy.
alertWebUrl StringNullable URL for the Microsoft 365 Defender portal alert page.
assignedTo StringNullable Owner of the alert, or null if no owner is assigned.
category StringNullable The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework.
classification security.alertClassification Specifies whether the alert represents a true threat. The possible values are: unknown, falsePositive, truePositive, informationalExpectedActivity, unknownFutureValue.
comments security.alertComment collection Array of comments created by the Security Operations (SecOps) team during the alert management process.
createdDateTime DateTimeOffsetNullable Time when Microsoft 365 Defender created the alert.
customDetails security.dictionary User defined custom fields with string values.
description StringNullable String value describing each alert.
detectionSource security.detectionSource Detection technology or sensor that identified the notable component or activity.
detectorId StringNullable The ID of the detector that triggered the alert.
determination security.alertDetermination Specifies the result of the investigation, whether the alert represents a true attack and if so, the nature of the attack. The possible values are: unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedAccount, phishing, maliciousUserActivity, notMalicious, notEnoughDataToValidate, confirmedUserActivity, lineOfBusinessApplication, unknownFutureValue.
evidence security.alertEvidence collection Collection of evidence related to the alert.

Showing 15 of 35 properties.

JSON Representation

Microsoft Graph v1.0 exact-category-docs

JSON representation is shown from stable Microsoft Graph v1.0 metadata.

JSON representation 
{
  "@odata.type": "#microsoft.graph.security.alert",
  "actorDisplayName": "String",
  "additionalData": {
    "@odata.type": "microsoft.graph.security.dictionary"
  },
  "alertWebUrl": "String",
  "assignedTo": "String",
  "category": "String",
  "classification": "String",
  "comments": [
    {
      "@odata.type": "microsoft.graph.security.alertComment"
    }
  ],
  "createdDateTime": "String (timestamp)",
  "customDetails": {
    "@odata.type": "microsoft.graph.security.dictionary"
  },
  "description": "String",
  "detectionSource": "String",
  "detectorId": "String",
  "determination": "String",
  "evidence": [
    {
      "@odata.type": "microsoft.graph.security.alertEvidence"
    }
  ],
  "firstActivityDateTime": "String (timestamp)",
  "id": "String (identifier)",
  "incidentId": "String",
  "incidentWebUrl": "String",
  "investigationState": "String",
  "lastActivityDateTime": "String (timestamp)",
  "lastUpdateDateTime": "String (timestamp)",
  "mitreTechniques": [
    "String"
  ],
  "productName": "String",
  "providerAlertId": "String",
  "recommendedActions": "String",
  "resolvedDateTime": "String (timestamp)",
  "serviceSource": "String",
  "severity": "String",
  "status": "String",
  "systemTags": [
    "String"
  ],
  "tenantId": "String",
  "threatDisplayName": "String",
  "threatFamilyName": "String",
  "title": "String"
}

Relationships

Microsoft Graph v1.0 schema-derived

Relationships is shown from stable Microsoft Graph v1.0 metadata.

Relationship Type Description
comments security.alertComment collection Array of comments created by the Security Operations (SecOps) team during the alert management process.
evidence security.alertEvidence collection Collection of evidence related to the alert.
mitreTechniques string collection The attack techniques, as aligned with the MITRE ATT&CK framework.
serviceSource security.serviceSource Related serviceSource data exposed by this resource.
severity security.alertSeverity Related severity data exposed by this resource.
status security.alertStatus Related status data exposed by this resource.
systemTags string collection The system tags associated with the alert.

Graph Methods

Delegated access App-only access
Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /security/alertsv2
GET /security/alertsv2/{alertId}
POST /security/alertsv2/{alertId}/comments
PATCH /security/alertsv2/{alertId}
Exact Microsoft Learn match

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /security/alertsv2
GET /security/alertsv2/{alertId}
POST /security/alertsv2/{alertId}/comments
PATCH /security/alertsv2/{alertId}
Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
Get-MgSecurityAlertV2 /security/alertsv2
List alertsv2
Get-MgSecurityAlertV2 /security/alertsv2/{alertId}
Get alert
Set-MgSecurityAlert /security/alertsv2/{alertId}/comments
Create comment for alert
Update-MgSecurityAlertV2 /security/alertsv2/{alertId}
Update alert
Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
Get-MgBetaSecurityAlertV2 /security/alertsv2
List alertsv2
Get-MgBetaSecurityAlertV2 /security/alertsv2/{alertId}
Get alert
Set-MgBetaSecurityAlert /security/alertsv2/{alertId}/comments
Create comment for alert
Update-MgBetaSecurityAlertV2 /security/alertsv2/{alertId}
Update alert

Code Examples

C# / .NET SDK
Create comment for alert
View official example on Microsoft Learn
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models.Security;

var requestBody = new AlertComment
{
	OdataType = "microsoft.graph.security.alertComment",
	Comment = "Demo for docs",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Security.Alerts_v2["{alert-id}"].Comments.PostAsCommentsPostResponseAsync(requestBody);
JavaScript
Create comment for alert
View official example on Microsoft Learn
const options = {
	authProvider,
};

const client = Client.init(options);

const alertComment = {
    '@odata.type': 'microsoft.graph.security.alertComment',
    comment: 'Demo for docs'
};

await client.api('/security/alerts_v2/da637865765418431569_-773071023/comments')
	.post(alertComment);
PowerShell
Create comment for alert
View official example on Microsoft Learn
Import-Module Microsoft.Graph.Security

$params = @{
	"@odata.type" = "microsoft.graph.security.alertComment"
	comment = "Demo for docs"
}

Set-MgSecurityAlert -AlertId $alertId -BodyParameter $params
Python
Create comment for alert
View official example on Microsoft Learn
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.security.alert_comment import AlertComment
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AlertComment(
	odata_type = "microsoft.graph.security.alertComment",
	comment = "Demo for docs",
)

result = await graph_client.security.alerts_v2.by_alert_id('alert-id').comments.post(request_body)

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Application permissions or delegated permissions and search for SecurityAlert.ReadWrite.All

4

Grant Admin Consent

Application permissions always require admin consent.