Problem with Graph API beta and V2

Gonçalo Barbosa 0 Reputation points
2026-04-07T13:51:39.51+00:00

Hi,

As you know Microsoft Graph API is migrating

https://dori-uw-1.kuma-moon.com/fi-fi/graph/api/resources/alert?view=graph-rest-beta

Looking at the documentation of Microsoft Graph Security we know that for legacy alerts the request should be:

GET https://graph.microsoft.com/v1.0/security/alerts/<alert_id>

If we take a real example that is retrieving results:

Request:

GET https://graph.microsoft.com/v1.0/security/alerts/<alert_id>

Response:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/alerts/$entity",
    "id": "xxxx",
    "azureTenantId": "xxxx",
    "azureSubscriptionId": "xxxx",
    "riskScore": null,
    "tags": [],
    "activityGroupName": null,
    "assignedTo": null,
    "category": "xxxxx",
    "closedDateTime": null,
    "comments": [],
    "confidence": null,
    "createdDateTime": "2026-04-06T13:53:34.0293018Z",
    "description": "xxxxx ",
    "detectionIds": [],
    "eventDateTime": "2026-04-06T12:47:52.0409645Z",
    "feedback": null,
    "incidentIds": [],
    "lastEventDateTime": null,
    "lastModifiedDateTime": "2026-04-06T13:53:34.3474396Z",
    "recommendedActions": [],
    "severity": "high",
    "sourceMaterials": [],
    "status": "newAlert",
    "title": "xxxxx",
    "vendorInformation": {
        "provider": "Azure Sentinel",
        "providerVersion": null,
        "subProvider": null,
        "vendor": "Microsoft"
    },
    "alertDetections": [],
    "cloudAppStates": [],
    "fileStates": [],
    "hostStates": [],
    "historyStates": [],
    "investigationSecurityStates": [],
    "malwareStates": [],
    "messageSecurityStates": [],
    "networkConnections": [],
    "processes": [],
    "registryKeyStates": [],
    "securityResources": [],
    "triggers": [],
    "userStates": [
        {
            "aadUserId": null,
            "accountName": "xxxxx",
            "domainName": "xxxxx",
            "emailRole": "unknown",
            "isVpn": null,
            "logonDateTime": "2026-04-06T12:47:52.0409645Z",
            "logonId": null,
            "logonIp": "xxxxxx",
            "logonLocation": null,
            "logonType": null,
            "onPremisesSecurityIdentifier": null,
            "riskScore": null,
            "userAccountType": null,
            "userPrincipalName": "xxxxx"
        },
        {
            "aadUserId": null,
            "accountName": "xxxxxx",
            "domainName": "xxxx",
            "emailRole": "unknown",
            "isVpn": null,
            "logonDateTime": "2026-04-06T12:47:52.0409645Z",
            "logonId": null,
            "logonIp": "xxxx",
            "logonLocation": null,
            "logonType": null,
            "onPremisesSecurityIdentifier": null,
            "riskScore": null,
            "userAccountType": null,
            "userPrincipalName": "xxxxx"
        }
    ],
    "uriClickSecurityStates": [],
    "vulnerabilityStates": []
}

From what the documentation says the only difference to alerts_v2 is the request path:

GET https://graph.microsoft.com/v1.0/security/alerts_v2/<alert_id>

If we try:

Request:

GET https://graph.microsoft.com/v1.0/security/alerts_v2/<alert_id>

Response:

{
    "error": {
        "code": "ResourceNotFound",
        "message": "Alert xxxxx was not found",
        "innerError": {
            "date": "2026-04-07T13:23:27",
            "request-id": "xxxxx",
            "client-request-id": "xxxxx"
        }
    }
}

As you can see, we can't retrieve the same alert in the other API.

Another related issue that is also happening is, for example, if we check available alerts of the alerts_v2 API we can retrieve them, but then if we take their IDs and try on alert v1, sometimes we are able to retrieve them and sometimes we can't.

Could you help us with this situation?

Microsoft Security | Microsoft Graph

1 answer

  1. Q&A Assist
    2026-04-07T13:51:58.9266667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    alerts and alerts_v2 are two different alert stacks with different back-end providers and object lifecycles. The documentation explicitly calls the original alert resource “legacy” and notes that it is a separate alert type from the newer security alerts/incidents.

    Key points based on the documentation:

    1. Legacy alerts vs new alerts
      • The legacy alert resource (/security/alerts) is the “first generation” of Microsoft Graph security alerts.
      • It federates alerts from specific legacy providers (for example, Azure Sentinel, Defender products) and exposes them via /security/alerts.
      • The new alerts/alerts_v2 stack (documented under “alerts and incidents”) is a different resource type and is not just a path alias. Not every legacy alert has a corresponding alerts_v2 object, and vice versa.
      • The legacy alerts API is deprecated and will be removed by April 2026; migration to the new alerts/incidents API is recommended.
    2. Why the same ID does not work across /alerts and /alerts_v2
      • The ID space is not guaranteed to be shared between the legacy alert resource and the new alerts_v2 resource.
      • An alert returned from /security/alerts/{id} can legitimately return ResourceNotFound when queried as /security/alerts_v2/{id} because:
        • That alert may only exist in the legacy pipeline.
        • The provider may not emit it into the new alerts_v2 schema.
        • The new API may normalize or remap identifiers.
      • Similarly, alerts returned from /security/alerts_v2 may or may not be available via /security/alerts.
    3. Expected behavior for mixed results
      • The behavior described—some alerts visible only in /alerts, some only in /alerts_v2, and some in both—is expected during the coexistence period of the two APIs.
      • There is no guarantee that every alert ID from one endpoint is resolvable on the other endpoint.
    4. Practical guidance
      • For any new development or migration work, use the new alerts/incidents API (alerts_v2) as the primary source and treat /security/alerts as legacy/compatibility only.
      • Do not rely on cross-resolving IDs between /security/alerts and /security/alerts_v2.
      • Plan for the removal of the legacy /security/alerts endpoint by April 2026 by updating integrations to the new security alert resource.

    0 comments No comments
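
An added example, not part of the question or the answer above: a migration inventory that probes each alert ID on both paths from the question and buckets it by where it resolves. It treats only the `ResourceNotFound` error body shown in the question as proof of absence, so throttled or failed lookups are queued for retry instead of being counted as missing. The names `probe`, `inventory` and `fake_get`, the IDs A1 to A5, and the canned responses (including the 404/429 status codes and the `TooManyRequests` code) are constructed for illustration; a real `http_get` would issue an authenticated GET.

```python
import json

BASE = "https://graph.microsoft.com/v1.0/security"
PATHS = {"legacy": "/alerts/", "v2": "/alerts_v2/"}  # the two paths from the question
LABELS = {("found", "found"): "both", ("found", "absent"): "legacy_only",
          ("absent", "found"): "v2_only", ("absent", "absent"): "neither"}

def probe(alert_id, http_get):
    """Query both endpoints for one ID. http_get(url) -> (status, body_text)."""
    states = {}
    for stack, path in PATHS.items():
        status, body = http_get(BASE + path + alert_id)
        try:
            doc = json.loads(body)
        except (TypeError, ValueError):
            doc = None
        doc = doc if isinstance(doc, dict) else {}
        err = (doc.get("error") or {}).get("code")
        if status == 200 and doc.get("id") == alert_id:
            states[stack] = "found"
        elif err == "ResourceNotFound":
            states[stack] = "absent"    # the error body shown in the question
        else:
            states[stack] = "unknown"   # throttling, auth failure, bad JSON: not proof of absence
    return states

def inventory(alert_ids, http_get):
    """Bucket IDs by where they resolve; inconclusive lookups go to 'retry'."""
    buckets = {"both": [], "legacy_only": [], "v2_only": [], "neither": [], "retry": []}
    for alert_id in alert_ids:
        s = probe(alert_id, http_get)
        buckets[LABELS.get((s["legacy"], s["v2"]), "retry")].append(alert_id)
    return buckets

# Constructed canned responses standing in for the live service (IDs are made up).
NOT_FOUND = (404, json.dumps({"error": {"code": "ResourceNotFound",
                                        "message": "Alert was not found"}}))
CANNED = {
    BASE + "/alerts/A1": (200, '{"id": "A1", "severity": "high"}'),
    BASE + "/alerts/A2": (200, '{"id": "A2"}'),
    BASE + "/alerts_v2/A2": (200, '{"id": "A2"}'),
    BASE + "/alerts_v2/A3": (200, '{"id": "A3"}'),
    BASE + "/alerts/A4": (429, '{"error": {"code": "TooManyRequests"}}'),
}

def fake_get(url):
    return CANNED.get(url, NOT_FOUND)
```

Running `inventory(["A1", "A2", "A3", "A4", "A5"], fake_get)` places each constructed ID in a different bucket; the `legacy_only` bucket is the set an integration would lose sight of once the legacy endpoint is gone.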
