
Microsoft Defender for Cloud is a Cloud Native Application Protection Platform (CNAPP) that provides comprehensive security management across your cloud and on-premises resources. To use the Microsoft Defender for Cloud connector, you need to enable one of the two Cloud Security Posture Management (CSPM) options: Foundational CSPM or Defender CSPM. This will allow you to query for Cloud Asset Inventory, regulatory compliance standards, and cloud app events.

The Defender for Cloud Apps activity log may be accessed via the "query events" endpoint if your Microsoft tenant is configured appropriately. Please consult Get started with Microsoft Defender for Cloud Apps and the Microsoft Defender for Cloud Apps setup guide. Keep in mind that to use this feature, you will need an E5 license. If you wish to access Microsoft 365 events in this way, you will also need to enable auditing in Purview. You can find more documentation on how to connect supported apps to your Defender for Cloud Apps instance here.

2. Prerequisites

Before you begin, ensure you have:

  • If you plan to use the "query events" feature, configured your Microsoft tenant according to the documentation linked in the previous section.
  • To query for Cloud Asset Inventory and Compliance Standards, enabled either Foundational CSPM or Defender CSPM.

3. Create Application Registration

  1. Log in to the Entra or Azure portal.
  2. Navigate to "App registrations", then select "New registration".
  3. Click "Register" to complete the application registration.
  4. Be sure to note the Application (client) ID and Directory (tenant) ID.

4. Configure Permissions

  1. Within the app registration you just created, navigate to "Manage" > "API Permissions".
  2. Click "Add a permission".
  3. No API permissions are required for Defender for Cloud compliance and inventory queries.
    However, to query events from Microsoft Cloud App Security, add the following additional permissions:
    • Microsoft Cloud App Security
      • discovery.read
      • investigation.read
    • Microsoft Graph user.read
  4. Click "Grant admin consent".
  5. Before proceeding, verify the following:
    • All permissions you added are Application permissions and not Delegated permissions
    • All required permissions are present.
    • Admin consent shows up as "granted" for your tenant.

5. Create an API Key

  1. Within the app registration you created earlier, navigate to "Manage" > "Certificates & secrets" > "Client secrets".
  2. Click "New client secret".
  3. Fill in a description and expiration.
  4. Click "Add" to create the secret.
  5. Be sure to note the Value and Secret ID. Keep in mind you will not be able to view the secret value again after you navigate away from the page.

6. Determine URL

The Microsoft Defender for Cloud APIs require a base URL for your specific region. The base URL follows this format: https://api-{region}.securitycenter.microsoft.com

For example:

  • US region: https://api-us2.securitycenter.microsoft.com
  • EU region: https://api-eu.securitycenter.microsoft.com

Cloud App Events URL Derivation

If you plan to use the Cloud App Events API, the system automatically derives the appropriate URL from your base URL. The Cloud App Events API uses a different URL format: https://{tenantId}.{region}.portal.cloudappsecurity.com

The system extracts the region from your base URL and combines it with your tenant ID to construct the Cloud App Events URL. For example:

  • Base URL: https://api-us2.securitycenter.microsoft.com
  • Derived Cloud App Events URL: https://{tenantId}.us2.portal.cloudappsecurity.com

You only need to provide the base URL - the Cloud App Events URL will be automatically generated when needed.
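The derivation described above, written out as an added example (this is not the connector's own code): the region is taken from the base URL host, which must match the documented `api-{region}.securitycenter.microsoft.com` pattern, and combined with the tenant ID into the Cloud App Events URL. The function names and the GUID-shaped tenant ID used in the usage example are assumptions; the strict host match is there so that an unexpected base URL fails loudly instead of silently producing a request to some other host.

```python
import re
from urllib.parse import urlparse

# Hypothetical helpers (added example): derive the Defender for Cloud Apps
# events URL from the Defender for Cloud base URL, following the host pattern
# documented above: api-{region}.securitycenter.microsoft.com
BASE_HOST_RE = re.compile(r"^api-(?P<region>[a-z0-9]+)\.securitycenter\.microsoft\.com$")
# The tenant ID becomes a DNS label, so restrict it to label characters.
TENANT_LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")


def extract_region(base_url: str) -> str:
    """Return the region segment ("us2", "eu", ...) of a Defender for Cloud base URL."""
    parsed = urlparse(base_url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"base URL must be an https URL: {base_url!r}")
    match = BASE_HOST_RE.match(parsed.hostname)  # hostname is already lower-cased
    if not match:
        raise ValueError(f"unrecognised Defender for Cloud base host: {parsed.hostname!r}")
    return match.group("region")


def derive_cloud_app_events_url(base_url: str, tenant_id: str) -> str:
    """Build https://{tenantId}.{region}.portal.cloudappsecurity.com from the base URL."""
    if not TENANT_LABEL_RE.match(tenant_id):
        raise ValueError(f"tenant ID is not a valid host label: {tenant_id!r}")
    region = extract_region(base_url)
    return f"https://{tenant_id}.{region}.portal.cloudappsecurity.com"


if __name__ == "__main__":
    # Constructed sample values; the tenant ID is a placeholder, not a real tenant.
    sample_tenant = "00000000-0000-0000-0000-000000000000"
    print(derive_cloud_app_events_url("https://api-us2.securitycenter.microsoft.com", sample_tenant))
```

Note that a trailing slash on the base URL is tolerated (only the host is inspected), while a host outside the documented pattern, or a tenant ID containing characters such as `/` or `.`, raises a `ValueError` rather than being interpolated into a URL.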

7. Configure the Integration

Create your integration by supplying all of the required values below:

URL: the URL you determined previously.

Client ID: the client ID you gathered in step 3.

Client Secret: the client secret gathered in step 5.

Tenant ID: the tenant ID you gathered in step 3.

Subscription ID: the subscription ID of your tenant, which can be found in Azure by searching for Subscriptions.