
Microsoft Defender For Endpoint - API Requirements


NOTE: Applies to:

    Microsoft Defender for Endpoint Plan 1
    Microsoft Defender for Endpoint Plan 2
    Microsoft Defender for Business


Intro

This page describes how to create an application to get programmatic access to Defender for Endpoint without a user.


Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs help you automate workflows and build on Defender for Endpoint capabilities. API access requires OAuth 2.0 authentication.

In general, you'll need to take the following steps to use the APIs:

  • Create a Microsoft Entra application.
  • Get an access token using this application.
  • Use the token to access the Defender for Endpoint API.

Important: Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Create an app

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Entra ID > App registrations > New registration.

  3. In the registration form, choose a name for your application, and then select Register.

  4. To enable your app to access Defender for Endpoint and assign it the 'Read all alerts' permission, on your application page select API Permissions > Add permission > APIs my organization uses, type WindowsDefenderATP, and then select WindowsDefenderATP.

    Note

    WindowsDefenderATP does not appear in the original list. Start writing its name in the text box to see it appear.

    Select Application permissions > Alert.Read.All, and then select Add permissions.

  5. Select the permissions your integration actually needs; Read all alerts above is only an example:

    • To run advanced queries, select the Run advanced queries permission.
    • To isolate a device, select the Isolate machine permission.
    • To determine which permission you need, look at the Permissions section of the API you intend to call.
  6. Select Grant consent.

    Note

    Every time you add a permission, you must select Grant consent for the new permission to take effect.

  7. To add a secret to the application, select Certificates & secrets, add a description to the secret, and then select Add.

    Note

    After you select Add, copy the generated secret value. You won't be able to retrieve this value after you leave the page.

  8. Write down your application ID and your tenant ID. On your application page, go to Overview and copy both values.

  9. For Microsoft Defender for Endpoint Partners only. Set your app to be multi-tenanted (available in all tenants after consent). This is required for third-party apps (for example, an app intended to run in multiple customers' tenants). It is not required if you create a service that runs in your tenant only (for example, an application for your own use that only interacts with your own data). To set your app to be multi-tenanted, follow these steps:

    1. Go to Authentication, and add https://portal.azure.com as the Redirect URI.

    2. At the bottom of the page, under Supported account types, select Accounts in any organizational directory to allow consent for your multi-tenant app.

      You need your application to be approved in each tenant where you intend to use it, because your application interacts with Defender for Endpoint on behalf of your customer.

      You (or your customer if you are writing a third-party app) need to select the consent link and approve your app. The consent should be done with a user who has administrative privileges in Active Directory.

      The consent link is formed as follows:

      https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true

      Where 00000000-0000-0000-0000-000000000000 is replaced with your application ID.
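As an added example (not code from this article, Microsoft or SOCFortress), the steps above in code: the client-credentials token request the registered app makes, and a local sanity check that the issued token actually carries the application permissions granted in steps 5 and 6. The token endpoint, the resource URL and the placeholder IDs are assumptions, not values from this page.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode

# Placeholders: Application (client) ID and Directory (tenant) ID from the app's
# Overview page (step 8), and the secret value copied once in step 7.
TENANT_ID = "<tenant-id>"
APP_ID = "00000000-0000-0000-0000-000000000000"
APP_SECRET = "<client-secret-value>"
# Assumed endpoints for the Defender for Endpoint API (not stated on this page).
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/token"
RESOURCE = "https://api.securitycenter.microsoft.com"

def token_request_body(app_id, app_secret, resource=RESOURCE):
    """Form body of the OAuth 2.0 client-credentials request (no user sign-in)."""
    return urlencode({"grant_type": "client_credentials", "client_id": app_id,
                      "client_secret": app_secret, "resource": resource})

def jwt_claims(token):
    """Decode the JWT payload without verifying the signature: fine for a local
    sanity check of what was issued, never a basis for trusting the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_roles(token, required):
    """Application permissions (step 5) the token does NOT carry; a non-empty
    result usually means 'Grant consent' (step 6) was skipped for them."""
    granted = set(jwt_claims(token).get("roles", []))
    return sorted(set(required) - granted)

def audience_ok(token, resource=RESOURCE):
    """The token must be issued for the Defender for Endpoint resource."""
    return jwt_claims(token).get("aud") == resource

def fetch_token(app_id=APP_ID, app_secret=APP_SECRET, url=TOKEN_URL):
    """Live token request; needs network access and real credentials."""
    body = token_request_body(app_id, app_secret).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

# Constructed, unsigned sample token for offline checks (not a real token).
def _sample_token(claims):
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

SAMPLE_TOKEN = _sample_token({"aud": RESOURCE, "roles": ["Alert.Read.All"]})
```

Run `missing_roles(fetch_token(), ["Alert.Read.All"])` after granting consent; anything returned is a permission the API will refuse with 403 until consent is granted again.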

Next

Upload a text file to Onehub with the following info:

  • Tenant ID
  • Client / App ID
  • Client Secret (Value)