
Microsoft Defender Integration Setup

This guide walks you through integrating Microsoft Defender for Endpoint with RAD Security for unified endpoint detection and response, enabling you to correlate endpoint security events with runtime container and cloud activity. Microsoft Defender for Endpoint provides advanced threat protection, detection, investigation, and response capabilities across your endpoints.

Prerequisites

Before you begin, ensure you have:
  • Admin access to Azure Portal
  • An Azure Active Directory (Entra ID) application created
  • Microsoft Defender for Endpoint subscription
  • Access to RAD Security workspace with integration permissions
Azure AD Application Required: You must have an Azure Active Directory application created before proceeding. Follow Microsoft’s guide to create an app for Defender API access.

Step 1: Access App Registration

1. Log in to Azure Portal

Log in to the Azure Portal with administrative privileges.

2. Navigate to App Registrations

  1. Go to Azure Active Directory (Microsoft Entra ID)
  2. Select App registrations
  3. Find and select the application you created for Microsoft Defender API access

3. Note Application Details

From the application’s Overview page, copy the following values:
  • Application (client) ID
  • Directory (tenant) ID
Save these values securely for later configuration.

Step 2: Create Client Secret

1. Navigate to Certificates & Secrets

In your application, click Certificates & secrets in the left navigation.

2. Create New Secret

  1. Click New client secret
  2. Add a description (e.g., “RAD Security Integration”)
  3. Select an expiration period (keep it short; see Security Best Practices below)
  4. Click Add

3. Save Secret Value

Immediately copy the Secret value that appears. Copy the Value column, not the Secret ID next to it; the ID is only a label for the credential and will not authenticate.
Copy this value now! You will not be able to see the secret value again. If you lose it, you’ll need to create a new secret.

Step 3: Configure API Permissions

Microsoft Defender for Endpoint requires specific API permissions to access security data.
1. Navigate to API Permissions

In your application, click Manage > API permissions.

2. Add Required Permissions

Click Add a permission, select each API listed below, choose Application permissions where the API offers them (the integration authenticates as the app itself, not as a signed-in user), and add every permission listed for that API.

Required Permissions

API: Microsoft Threat Protection
Permissions:
  • Incident.Read - Read incident data
  • Incident.Read.All - Read all incident data
These permissions allow reading incident and threat information across Microsoft 365 Defender.

API: WindowsDefenderATP (Microsoft Defender for Endpoint)
Permissions:
  • AdvancedQuery.Read.All - Run advanced hunting queries
  • Alert.Read.All - Read all alerts
  • Machine.Isolate - Isolate machines from the network
  • Machine.Read.All - Read all machine information
  • Score.Read.All - Read threat and vulnerability scores
  • Software.Read.All - Read software inventory
These are the core permissions for accessing Defender for Endpoint data including alerts, machines, and threat intelligence. Machine.Isolate is the one response permission in the set: it lets the integration disconnect a device from the network (the Cross-Platform Response use case below). If you do not intend to trigger isolation from RAD Security, omit it, in line with the least-privilege guidance under Security Best Practices.

API: Application Insights API
Permissions:
  • Data.Read - Read Application Insights data
Allows reading telemetry and performance data from Application Insights.

API: Azure Service Management
Permissions:
  • user_impersonation - Access Azure Service Management as organization users
This permission is required for certain administrative operations. Note that user_impersonation is a delegated scope, so it appears under Delegated permissions rather than Application permissions for this API.

API: Microsoft Graph
Permissions:
  • Application.Read.All - Read all applications
  • Device.Read.All - Read all devices
These Graph API permissions provide read access to device and application objects in Azure AD (Entra ID).
3. Review Permissions

After adding all permissions, review the list to ensure all required permissions are present.

4. Grant Consent

Click Grant admin consent for [Your Organization].
Admin consent is required! The permissions will not be active until an administrator grants consent.

5. Verify Status

Verify all permissions show a green checkmark in the Status column.

Step 4: Determine API Endpoint URL

Microsoft Defender for Endpoint uses different API endpoints based on your data center location. Refer to Microsoft’s API endpoint documentation to find the correct endpoint for your region.

Common Endpoints:

Region             API Endpoint
United States      https://api.securitycenter.microsoft.com
United States 2    https://api-us2.securitycenter.microsoft.com
United States 3    https://api-us3.securitycenter.microsoft.com
Europe             https://api-eu.securitycenter.microsoft.com
United Kingdom     https://api-uk.securitycenter.microsoft.com
Australia          https://api-au.securitycenter.microsoft.com
US GCC             https://api-gcc.securitycenter.microsoft.us
US GCC High        https://api-gov.securitycenter.microsoft.us

Use the base endpoint URL without the /api/ path. For example: https://api-us3.securitycenter.microsoft.com

Step 5: Configure in RAD Security

Navigate to your RAD Security workspace and configure the Microsoft Defender integration with the following parameters:

Required Parameters

Parameter       Description                                          Example
Base URL        Base endpoint URL for your region (without /api/)    https://api-us3.securitycenter.microsoft.com
Client Id       Application (client) ID from Step 1                  11111111-1111-1111-1111-111111111111
Client Secret   Client secret value from Step 2                      your-secret-value-here
Tenant ID       Directory (tenant) ID from Step 1                    00000000-0000-0000-0000-000000000000
Important: The URL must be the base endpoint without the /api/ path. Incorrect: https://api.securitycenter.microsoft.com/api/ - Correct: https://api.securitycenter.microsoft.com
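Before saving the configuration, it is worth confirming outside RAD Security that the four values actually work together. The script below is an added example, not RAD Security or Microsoft code; it uses only the Python standard library, and the environment variable names DEFENDER_TENANT_ID, DEFENDER_CLIENT_ID, DEFENDER_CLIENT_SECRET and DEFENDER_BASE_URL are assumed names. It normalizes the Base URL according to the rule above, requests a token with the same client-credentials grant the integration uses, checks the token’s roles claim against the WindowsDefenderATP permissions from Step 3, and lists machines through the regional endpoint from Step 4. With no credentials set it performs an offline dry run against a constructed, unsigned token.

```python
"""Pre-flight check for a Defender for Endpoint app registration (added example,
not RAD Security or Microsoft code; standard library only; env var names assumed)."""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# The OAuth2 resource is the same in every commercial-cloud region; only the API
# base URL from Step 4 differs. Government clouds use a different login authority
# and resource, so adjust both constants there.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
DEFENDER_SCOPE = "https://api.securitycenter.microsoft.com/.default"

# WindowsDefenderATP application permissions from Step 3. Entra ID places granted,
# admin-consented application permissions in the token's "roles" claim, so an
# entry missing there means it was never added or consent was not granted.
REQUIRED_ROLES = (
    "AdvancedQuery.Read.All",
    "Alert.Read.All",
    "Machine.Isolate",
    "Machine.Read.All",
    "Score.Read.All",
    "Software.Read.All",
)


def normalize_base_url(url: str) -> str:
    """Base endpoint as Step 5 expects it: https, host only, no trailing slash,
    no /api/ path. A stray /api/ is stripped; any other path is rejected."""
    parsed = urllib.parse.urlsplit(url.strip())
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"expected an https URL, got {url!r}")
    path = parsed.path.rstrip("/")
    if path and path.lower() != "/api":
        raise ValueError(f"unexpected path {path!r}; use the base endpoint only")
    return f"https://{parsed.netloc}"


def decode_jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature. This only inspects
    which roles Entra ID issued; the Defender API is the party that verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token: str, required=REQUIRED_ROLES) -> list:
    """Required application permissions that are absent from the token."""
    granted = set(decode_jwt_claims(token).get("roles", []))
    return [role for role in required if role not in granted]


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant: the same flow the integration performs."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": DEFENDER_SCOPE,
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def count_machines(base_url: str, token: str) -> int:
    """GET /api/machines: 401/403 points at Step 3, a DNS or 404 failure at Step 4."""
    req = urllib.request.Request(
        f"{normalize_base_url(base_url)}/api/machines?$top=50",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return len(json.load(resp).get("value", []))


def unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned token used only for the offline dry run."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = seg({"alg": "none"})
    return ".".join([header, seg(claims), ""])


if __name__ == "__main__":
    names = ("DEFENDER_TENANT_ID", "DEFENDER_CLIENT_ID",
             "DEFENDER_CLIENT_SECRET", "DEFENDER_BASE_URL")  # assumed names
    env = {name: os.environ.get(name) for name in names}
    if not all(env.values()):
        # Dry run: a constructed token that lacks two of the six permissions.
        sample = unsigned_jwt({"roles": ["Alert.Read.All", "Machine.Read.All",
                                         "Score.Read.All", "Software.Read.All"]})
        print("dry run, missing roles:", missing_roles(sample))
        sys.exit(0)
    try:
        token = get_token(env["DEFENDER_TENANT_ID"], env["DEFENDER_CLIENT_ID"],
                          env["DEFENDER_CLIENT_SECRET"])
    except urllib.error.HTTPError as exc:
        sys.exit(f"token request failed ({exc.code}): check tenant ID, client ID and secret")
    gaps = missing_roles(token)
    if gaps:
        sys.exit(f"token lacks {gaps}: add the permissions and grant admin consent (Step 3)")
    print("machines visible:", count_machines(env["DEFENDER_BASE_URL"], token))
```

The roles check catches the most common Step 3 mistake, permissions added but admin consent never granted, before RAD Security reports a generic connection failure: Entra ID issues a token either way, but the roles claim stays empty until consent is granted. Pass the secret through the environment rather than on the command line so it does not land in shell history.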

Verify Integration

After completing the setup, verify your integration is working:
  1. Navigate to Data Sources > Integrations > EDR in RAD Security
  2. Locate your Microsoft Defender integration
  3. Check the connection status shows as Connected
  4. Verify security events are being synced
Your Microsoft Defender for Endpoint integration is now configured! RAD Security can now correlate endpoint security data with container and cloud runtime events.

What Data is Synced

Once configured, RAD Security will sync the following data from Microsoft Defender:
  • Security alerts and detections
  • Incident data and timeline
  • Alert severity and status
  • Investigation states
  • Automated investigation results
  • Machine inventory
  • Device health status
  • Operating system details
  • Network information
  • Onboarding status
  • Risk scores
  • Threat and vulnerability scores
  • Exposure scores
  • Software vulnerabilities
  • Security recommendations
  • Attack surface reduction data
  • Installed software
  • Software versions
  • Vulnerability associations
  • End-of-life software detection
  • Custom query results
  • Historical security data
  • Behavioral analytics
  • Threat hunting insights

Use Cases

Unified Threat Detection

Correlate endpoint threats with container and cloud runtime activity for comprehensive threat detection.

Cross-Platform Response

Trigger coordinated response actions across endpoints and cloud workloads when threats are detected.

Container Escape Detection

Identify when compromised containers attempt to affect or escape to the host system.

Lateral Movement Tracking

Track attacker movement across endpoints and containerized infrastructure.

Troubleshooting

Authentication fails

Possible causes:
  • Client ID, Tenant ID, or Client Secret is incorrect
  • Client secret has expired
  • Application registration was deleted
Solution:
  • Verify all credentials are copied correctly (the secret Value, not the Secret ID)
  • Check the client secret expiration date
  • Ensure the Azure AD application still exists
  • Verify the Tenant ID matches your Azure directory

Permissions are missing or not consented

Possible causes:
  • Required API permissions not granted
  • Admin consent not provided
  • Missing permissions from one or more APIs
Solution:
  • Review all 5 API sections in Step 3 and verify all permissions are present
  • Ensure permissions are Application type, not Delegated
  • Click “Grant admin consent” if any permissions show “Not granted”
  • Wait a few minutes for permissions to propagate after granting consent

Wrong API endpoint URL

Possible causes:
  • Using an incorrect regional endpoint
  • Including /api/ in the URL
  • Typo in the endpoint URL
Solution:
  • Verify your Defender data center location
  • Check Microsoft’s endpoint documentation
  • Ensure the URL does NOT end with /api/
  • Common mistake: https://api.securitycenter.microsoft.com/api/ (wrong) vs https://api.securitycenter.microsoft.com (correct)

No data is syncing

Possible causes:
  • No devices onboarded to Defender
  • Defender subscription not active
  • Initial sync still in progress
  • Regional endpoint mismatch
Solution:
  • Verify devices are onboarded to Microsoft Defender for Endpoint
  • Check Defender subscription status
  • Allow up to 15 minutes for the initial data sync
  • Confirm you’re using the correct regional API endpoint
  • Review integration logs in RAD Security for specific errors

Permissions appear granted but do not take effect

Possible causes:
  • Application permissions added instead of delegated (or vice versa)
  • Permissions added but consent not admin-approved
  • Cached permission state in the portal
Solution:
  • Verify permissions are Application type for service-to-service access
  • Ensure admin consent is granted (not just added)
  • Try revoking and re-granting admin consent
  • Clear browser cache or try in incognito mode if the portal shows a stale status

Security Best Practices

Rotate Secrets Regularly

Set short expiration periods for client secrets and rotate before expiry to maintain security.

Least Privilege Access

Only grant the minimum required permissions. Remove unused permissions to reduce attack surface.

Monitor API Usage

Regularly review API calls and application sign-ins to detect anomalous activity.

Secure Credential Storage

Store client secrets in a secure vault. Never commit credentials to version control.

Track Expiration Dates

Set reminders for client secret expiration to prevent service disruptions.

Separate Applications

Create dedicated applications for different integrations rather than reusing the same app.
