I finally figured this out after being persistent. The key is getting the Azure Instance Metadata Service (IMDS) endpoint string to give you the right token. The IMDS is the local URL used to request a token in Azure Automation, and it is stored in the environment variable $env:IDENTITY_ENDPOINT. Basically, the request URL was too complicated to get working in order to request a token from Login.MicrosoftOnline.com using the scope 'https://api.securitycenter.microsoft.com/.default'.
On a whim, I tried the following and it worked. This has to be attempted within an Azure Automation Runbook:
# Sign in as the runbook's managed identity first (the Automation account needs a managed identity that has been granted Defender for Endpoint API permissions)
Connect-AzAccount -Identity | Out-Null
# -ResourceUrl is the documented parameter name for Get-AzAccessToken
$sourceAppIdUri = 'https://api.securitycenter.microsoft.com/.default'
$response = Get-AzAccessToken -ResourceUrl $sourceAppIdUri
$token = $response.Token   # in newer Az.Accounts versions this may be a SecureString; if so, convert it with ConvertFrom-SecureString -AsPlainText
$Headers = @{ 'Authorization' = "Bearer $token" }
# For a GET request, Invoke-RestMethod turns the hashtable body into the query string (?$top=10)
$body = @{ '$top' = 10 }
$defendermachines = Invoke-RestMethod -Method Get -Uri 'https://api.securitycenter.microsoft.com/api/machines' -Headers $Headers -Body $body -ContentType 'application/json' -ErrorAction Continue
# The machine objects are in the OData 'value' collection of the response
$defendermachines.value
I didn't know that you could use the Security Center API scope for the ResourceURI in the Get-AzAccessToken cmdlet. I still wish I knew what the magic string is to get the IMDS to pull a token, but this works just fine.
Hope this helps anyone looking into this.
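For the identity-endpoint question left open above, here is an added example, not part of the original post, that requests the token from the runbook's own identity endpoint instead of going through Get-AzAccessToken, and then pages through the Defender for Endpoint machines list. It assumes the Azure Automation managed-identity endpoint follows the pattern Microsoft documents for Automation runbooks: a GET to $env:IDENTITY_ENDPOINT with a resource query-string parameter (the bare API audience, with no /.default suffix, because this endpoint takes a resource rather than an OAuth scope) plus the X-IDENTITY-HEADER and Metadata request headers. It also assumes the machines API pages with the standard OData @odata.nextLink; if that property is absent the loop simply ends after the first page. The function names Get-ManagedIdentityToken and Get-DefenderMachines and the page size are mine.

```powershell
# Added example: obtain a token from the Azure Automation managed-identity endpoint directly.
# Assumed endpoint contract: GET $env:IDENTITY_ENDPOINT?resource=<audience> with the
# X-IDENTITY-HEADER and Metadata headers. Must run inside a runbook whose Automation
# account has a managed identity granted Defender for Endpoint API permissions.

function Get-ManagedIdentityToken {
    param(
        # Audience of the target API, e.g. https://api.securitycenter.microsoft.com (no /.default here)
        [Parameter(Mandatory)] [string] $Resource
    )

    if (-not $env:IDENTITY_ENDPOINT -or -not $env:IDENTITY_HEADER) {
        throw 'IDENTITY_ENDPOINT / IDENTITY_HEADER are not set; run this inside an Azure Automation runbook with a managed identity.'
    }

    # The identity endpoint takes a resource (audience), not an OAuth scope
    $uri = '{0}?resource={1}' -f $env:IDENTITY_ENDPOINT, [uri]::EscapeDataString($Resource)
    $headers = @{
        'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER   # ties the request to this runbook's identity
        'Metadata'          = 'True'
    }

    $response = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    if (-not $response.access_token) {
        throw 'The identity endpoint returned no access_token'
    }
    return $response.access_token
}

# Call the Defender for Endpoint machines API with the token, following @odata.nextLink
# (assumed paging property) so that more than the first $top page is returned.
function Get-DefenderMachines {
    param([int] $PageSize = 10)

    $token   = Get-ManagedIdentityToken -Resource 'https://api.securitycenter.microsoft.com'
    $headers = @{ 'Authorization' = "Bearer $token" }
    $uri     = 'https://api.securitycenter.microsoft.com/api/machines?$top={0}' -f $PageSize

    $machines = @()
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers -ContentType 'application/json'
        $machines += $page.value
        $uri = $page.'@odata.nextLink'   # $null on the last page, which ends the loop
    }
    return $machines
}

Get-DefenderMachines -PageSize 10 | Select-Object id, computerDnsName, osPlatform, healthStatus
```

The resource value passed to the identity endpoint is the audience the API validates, so it is the bare https://api.securitycenter.microsoft.com; the /.default suffix belongs only to MSAL-style scope strings. Checking for access_token before using the response turns a misconfigured identity into a clear runbook error rather than a 401 from the API later.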