Creating and Managing API Client in the Azure Active Directory App Registration Console
1. Introduction
To connect to a Defender API, an Azure Active Directory application must exist in Azure. See the Microsoft steps for Creating an app to access Microsoft Defender for Endpoint without a user.
2. Prerequisites
Before you begin, ensure you have:
- Created an Active Directory Application
3. Creating API Client Secret
Step 1: Access the App registration
- Log in to your Azure Console with administrative privileges.
- Click Certificates & secrets, add a description, and select Add.
- Keep the Secret value that appears; you will not be able to see it again.
Step 2: API Permissions
To query data from the MS Defender API, you must enable the proper permissions.
- Click Manage > API permissions
- Add the following permissions:
  - Microsoft Threat Protection
    - Incident.Read
    - Incident.Read.All
  - WindowsDefenderATP
    - AdvancedQuery.Read.All
    - Alert.Read.All
    - Machine.Isolate
    - Machine.Read.All
    - Score.Read.All
    - Software.Read.All
  - Application Insights API
    - Data.Read
  - Azure Service Management
    - user_impersonation
  - Microsoft.Graph
    - Application.Read.All
    - Device.Read.All
  - Microsoft Threat Protection
- Make sure to Grant admin consent
4. Configure the Integration
Create your integration by supplying all of the required values below:
- URL: The base endpoint URL for your App Registration, without the trailing "/api/". See https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list for help finding the correct API endpoint URL. For example, https://api-us3.securitycenter.microsoft.com
- ClientId: The Client Id gathered in step 3
- ClientSecret: The Client Secret gathered in step 3
- TenantId: The value in the App Registration Console, gathered in step 3
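As an added example (not part of this guide or of any vendor integration code), the following Python script uses the four configured values to obtain an app-only token with the OAuth 2.0 client credentials grant and then calls the Defender API under the normalized base URL. The token endpoint, the scope and the environment variable names are assumptions, not values taken from this page.

```python
import json
import os
import urllib.parse
import urllib.request

# Token endpoint and token audience for app-only (client credentials) access.
# The audience is the global Defender for Endpoint resource; API requests go
# to the regional base URL taken from the integration configuration.
LOGIN_AUTHORITY = "https://login.microsoftonline.com"
DEFENDER_SCOPE = "https://api.securitycenter.microsoft.com/.default"

def normalize_base_url(url: str) -> str:
    # Drop a trailing "/" or "/api" so the value matches what the guide expects.
    url = url.strip().rstrip("/")
    if url.lower().endswith("/api"):
        url = url[:-len("/api")]
    return url

def token_request(tenant_id: str, client_id: str, client_secret: str):
    # Token endpoint URL and form body for the client credentials grant.
    endpoint = f"{LOGIN_AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "client_credentials", "scope": DEFENDER_SCOPE}
    return endpoint, body

def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    # POST the form and return the bearer token from the JSON response.
    endpoint, body = token_request(tenant_id, client_id, client_secret)
    data = urllib.parse.urlencode(body).encode()
    with urllib.request.urlopen(urllib.request.Request(endpoint, data=data)) as resp:
        return json.load(resp)["access_token"]

def api_url(base_url: str, path: str) -> str:
    # Join the normalized base URL, "/api/" and the resource path.
    return f"{normalize_base_url(base_url)}/api/{path.lstrip('/')}"

def api_get(base_url: str, token: str, path: str):
    # GET a Defender API resource (e.g. "alerts", "machines") with the token.
    req = urllib.request.Request(api_url(base_url, path),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Hypothetical environment variables holding the four integration values.
    cfg = {k: os.environ[k] for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET", "URL")}
    tok = get_token(cfg["TENANT_ID"], cfg["CLIENT_ID"], cfg["CLIENT_SECRET"])
    print(json.dumps(api_get(cfg["URL"], tok, "alerts"), indent=2)[:500])
```

Keep the client secret out of source control and logs; reading it from the environment (or a secret store) is the minimum, and the secret only needs to reach the token endpoint, never the API itself.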