
Microsoft Defender Vulnerability Management Integration Setup

This guide walks you through integrating Microsoft Defender Vulnerability Management (part of Microsoft Defender for Endpoint) with RAD Security, allowing you to import vulnerability findings and correlate them with runtime container and cloud activity. Microsoft Defender Vulnerability Management provides continuous, agent-based discovery and assessment of software vulnerabilities, security recommendations, and exposure scores across your devices.
This is a Vulnerabilities integration that imports vulnerability findings from Defender. If you want to ingest Defender alerts and incidents for endpoint detection and response instead, see the Microsoft Defender (EDR) setup guide. You can configure both integrations side by side.

Prerequisites

Before you begin, ensure you have:
  • Admin access to Azure Portal
  • An Azure Active Directory (Entra ID) application created
  • Microsoft Defender for Endpoint subscription with Vulnerability Management enabled
  • Access to RAD Security workspace with integration permissions
Azure AD Application Required: You must have an Azure Active Directory application created before proceeding. Follow Microsoft’s guide to create an app for Defender API access.

Step 1: Access App Registration

1. Log in to Azure Portal

Log in to the Azure Portal with administrative privileges.

2. Navigate to App Registrations

  1. Go to Azure Active Directory (shown as Microsoft Entra ID in the current portal)
  2. Select App registrations
  3. Find and select the application you created for Microsoft Defender API access

3. Note Application Details

From the application’s Overview page, copy the following values:
  • Application (client) ID
  • Directory (tenant) ID
Save these values securely for later configuration. Neither value is a secret, but both are required in Step 5.

Step 2: Create Client Secret

1. Navigate to Certificates & Secrets

In your application, click Certificates & secrets in the left navigation.

2. Create New Secret

  1. Click New client secret
  2. Add a description (e.g., “RAD Security Vulnerability Integration”)
  3. Select an expiration period
  4. Click Add

3. Save Secret Value

Immediately copy the Secret value that appears (the Value column, not the Secret ID, which is only an identifier).
Copy this value now! You will not be able to see the secret value again. If you lose it, you’ll need to create a new secret.

Step 3: Configure API Permissions

Microsoft Defender Vulnerability Management requires read access to vulnerability, software, and device data.
1. Navigate to API Permissions

In your application, click Manage > API permissions.

2. Add Required Permissions

Click Add a permission, select APIs my organization uses, search for WindowsDefenderATP, choose Application permissions, and add the permissions listed below.

Required Permissions

API: WindowsDefenderATP (Microsoft Defender for Endpoint)
Permissions (Application type):
  • Vulnerability.Read.All - Read Threat and Vulnerability Management vulnerability information
  • Software.Read.All - Read software inventory
  • Machine.Read.All - Read all machine (device) information
  • Score.Read.All - Read threat and vulnerability exposure scores
These are the read-only Vulnerability Management permissions needed to import findings, affected software, devices, and exposure scores. Grant Application permissions (not Delegated) for service-to-service access: the integration authenticates as the app itself with no signed-in user, so Delegated permissions would never be exercised.

3. Review Permissions

After adding the permissions, review the list to ensure all required permissions are present and that each one shows Application in the Type column.

4. Grant Consent

Click Grant admin consent for [Your Organization].
Admin consent is required! The permissions will not be active until an administrator grants consent.

5. Verify Status

Verify all permissions show a green checkmark in the Status column.

Step 4: Determine API Endpoint URL

Microsoft Defender for Endpoint uses different API endpoints based on your data center location.
Refer to Microsoft’s API endpoint documentation to find the correct endpoint for your region.

Common Endpoints:

Region            API Endpoint
United States     https://api.securitycenter.microsoft.com
United States 2   https://api-us2.securitycenter.microsoft.com
United States 3   https://api-us3.securitycenter.microsoft.com
Europe            https://api-eu.securitycenter.microsoft.com
United Kingdom    https://api-uk.securitycenter.microsoft.com
Australia         https://api-au.securitycenter.microsoft.com
US GCC            https://api-gcc.securitycenter.microsoft.us
US GCC High       https://api-gov.securitycenter.microsoft.us

Use the base endpoint URL without the /api/ path. For example: https://api-us3.securitycenter.microsoft.com

Step 5: Configure in RAD Security

Navigate to your RAD Security workspace and configure the Microsoft Defender Vulnerability Management integration with the following parameters:

Required Parameters

Parameter       Description                                         Example
Base URL        Base endpoint URL for your region (without /api/)   https://api-us3.securitycenter.microsoft.com
Client Id       Application (client) ID from Step 1                 11111111-1111-1111-1111-111111111111
Client Secret   Client secret value from Step 2                     your-secret-value-here
Tenant ID       Directory (tenant) ID from Step 1                   00000000-0000-0000-0000-000000000000

Important: The URL must be the base endpoint without the /api/ path. Incorrect: https://api.securitycenter.microsoft.com/api/ - Correct: https://api.securitycenter.microsoft.com
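Before saving these parameters in RAD Security (and again whenever the Troubleshooting section points at credentials, permissions or the base URL), you can exercise the same four values from a workstation. The script below is an added example, not RAD Security’s or Microsoft’s code. It assumes the commercial-cloud token authority and resource URI (https://login.microsoftonline.com and https://api.securitycenter.microsoft.com/.default; US Government clouds use different values, see Microsoft’s documentation) and the /api/vulnerabilities endpoint with OData $top; the file name check_defender_app.py and the DEFENDER_CLIENT_SECRET environment variable are its own conventions.

```python
"""Pre-flight check for the app registration used by this integration.

Added example, not RAD Security's or Microsoft's code. It requests a token
with the OAuth2 client-credentials grant, checks that the token carries the
four Application permissions (Entra ID puts them in the JWT "roles" claim
only after admin consent), then makes one read against the regional host.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# The four Application permissions from Step 3.
REQUIRED_ROLES = {
    "Vulnerability.Read.All",
    "Software.Read.All",
    "Machine.Read.All",
    "Score.Read.All",
}

# Resource URI of the WindowsDefenderATP API in the commercial cloud; the token
# audience is the same whichever regional data host you call. Assumption: US
# Government clouds use another authority and resource URI (see Microsoft docs).
DEFAULT_SCOPE = "https://api.securitycenter.microsoft.com/.default"


def normalize_base_url(url: str) -> str:
    """Return the bare regional host RAD Security expects: no trailing slash, no /api."""
    url = url.strip().rstrip("/")
    if url.lower().endswith("/api"):
        url = url[: -len("/api")]
    return url


def token_url(tenant_id: str) -> str:
    """v2.0 token endpoint of the tenant (Directory (tenant) ID from Step 1)."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def get_token(tenant_id: str, client_id: str, client_secret: str,
              scope: str = DEFAULT_SCOPE) -> str:
    """Client-credentials grant: the app's own identity, no signed-in user."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    req = urllib.request.Request(token_url(tenant_id), data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def token_roles(access_token: str) -> set[str]:
    """Read the 'roles' claim of a JWT without verifying the signature.

    We are the party that just requested this token, so we only want to see
    which Application permissions were issued. Never use this to *accept* a token.
    """
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def missing_roles(access_token: str) -> set[str]:
    """Required permissions that are absent from the token."""
    return REQUIRED_ROLES - token_roles(access_token)


def unsigned_token(claims: dict) -> str:
    """Constructed sample: a JWT-shaped string with an empty signature, for offline use only."""
    def b64(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64(b'{"alg":"none","typ":"JWT"}') + "." + b64(json.dumps(claims).encode()) + "."


def first_page_of_vulnerabilities(base_url: str, access_token: str) -> int:
    """One cheap read that proves both the base URL and Vulnerability.Read.All."""
    url = normalize_base_url(base_url) + "/api/vulnerabilities?$top=1"
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return len(json.load(resp).get("value", []))


def main(argv: list[str]) -> int:
    if len(argv) != 4 or "DEFENDER_CLIENT_SECRET" not in os.environ:
        print("usage: DEFENDER_CLIENT_SECRET=... check_defender_app.py BASE_URL TENANT_ID CLIENT_ID")
        return 2
    base_url, tenant_id, client_id = argv[1:]
    token = get_token(tenant_id, client_id, os.environ["DEFENDER_CLIENT_SECRET"])
    missing = missing_roles(token)
    if missing:
        print("token lacks Application permissions (not added, Delegated instead of "
              "Application, or consent not granted):", ", ".join(sorted(missing)))
        return 1
    count = first_page_of_vulnerabilities(base_url, token)
    print(f"OK: {normalize_base_url(base_url)} answered with {count} vulnerability record(s)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `DEFENDER_CLIENT_SECRET=... python3 check_defender_app.py https://api-us3.securitycenter.microsoft.com <tenant ID> <client ID>`; the secret is read from the environment so it does not land in shell history or process listings. An error from the token endpoint (an AADSTS code in the body) means the client ID, tenant ID or secret is wrong or the secret has expired; a token that comes back without the four roles means the permissions were added as Delegated or admin consent was never granted; an error from the data endpoint after a good token points at the base URL (region or a stray /api/).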

Verify Integration

After completing the setup, verify your integration is working:
  1. Navigate to Data Sources > Integrations > Vulnerabilities in RAD Security
  2. Locate your Microsoft Defender Vulnerability Management integration
  3. Check the connection status shows as Connected
  4. Verify vulnerability data is being synced
Your Microsoft Defender Vulnerability Management integration is now configured! RAD Security can now import vulnerability findings and correlate them with runtime security events.

What Data is Synced

Once configured, RAD Security will sync the following data from Microsoft Defender Vulnerability Management:
  • CVE identifiers
  • Vulnerability severity scores
  • CVSS scores and vectors
  • Affected software and versions
  • Exploit availability information
  • Device (machine) inventory
  • Operating system details
  • Installed software inventory
  • Asset metadata and onboarding status
  • Exposure and threat scores
  • Security recommendations
  • Remediation guidance
  • Patch availability status

Use Cases

Runtime Exploit Detection

Detect when vulnerabilities identified by Defender are actively being exploited in your environment.

Risk-Based Prioritization

Prioritize vulnerabilities based on runtime exposure, active exploitation, and criticality.

Automated Response

Trigger automated responses when high-risk vulnerabilities are detected on critical assets.

Compliance Validation

Verify vulnerability remediation efforts with runtime validation.

Troubleshooting

Authentication errors

Possible causes:
  • Client ID, Tenant ID, or Client Secret is incorrect
  • Client secret has expired
  • Application registration was deleted
Solution:
  • Verify all credentials are copied correctly (the secret Value, not the Secret ID)
  • Check client secret expiration date
  • Ensure the Azure AD application still exists
  • Verify Tenant ID matches your Azure directory

Permission errors

Possible causes:
  • Required API permissions not granted
  • Admin consent not provided
  • Permissions added as Delegated instead of Application
Solution:
  • Verify Vulnerability.Read.All, Software.Read.All, Machine.Read.All, and Score.Read.All are present
  • Ensure permissions are Application type, not Delegated
  • Click “Grant admin consent” if any permissions show “Not granted”
  • Wait a few minutes for permissions to propagate after granting consent

Endpoint or connection errors

Possible causes:
  • Using incorrect regional endpoint
  • Including /api/ in the URL
  • Typo in the endpoint URL
Solution:
  • Verify your Defender data center location
  • Check Microsoft’s endpoint documentation
  • Ensure URL does NOT end with /api/
  • Common mistake: https://api.securitycenter.microsoft.com/api/ (wrong) vs https://api.securitycenter.microsoft.com (correct)

No vulnerability data appears

Possible causes:
  • No devices onboarded to Defender
  • Vulnerability Management not enabled
  • Initial sync still in progress
  • Regional endpoint mismatch
Solution:
  • Verify devices are onboarded to Microsoft Defender for Endpoint
  • Confirm Defender Vulnerability Management is enabled for your tenant
  • Allow up to 15 minutes for initial data sync
  • Confirm you’re using the correct regional API endpoint
  • Review integration logs in RAD Security for specific errors

Security Best Practices

Least Privilege Access

Only grant the read permissions listed above. Avoid adding write or isolation permissions to this vulnerability integration.

Rotate Secrets Regularly

Set short expiration periods for client secrets and rotate before expiry to maintain security.
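Expiry is easy to lose track of once the secret is in a vault, and an expired secret shows up in RAD Security only as an authentication failure. The following script is an added example, not RAD Security’s or Microsoft’s code: it reads the app registration’s passwordCredentials from Microsoft Graph and lists the secrets that expire inside a warning window. It assumes a Graph token for an administrative identity that holds Application.Read.All or equivalent (not the integration’s own credentials, which have no Graph permissions and should not be given any), the app registration’s object ID, and the documented Graph response shape; the sample credentials embedded in it are constructed.

```python
"""Flag client secrets on an app registration that are close to expiry.

Added example, not RAD Security's or Microsoft's code. Uses the Graph
/applications/{object id} resource and its passwordCredentials collection.
"""
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0"


def fetch_password_credentials(graph_token: str, app_object_id: str) -> list:
    """GET the app's secrets metadata (no secret values are ever returned by Graph)."""
    url = f"{GRAPH}/applications/{app_object_id}?$select=displayName,passwordCredentials"
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + graph_token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["passwordCredentials"]


def parse_graph_time(value: str) -> datetime:
    """Graph emits 2025-06-30T12:00:00Z or ...T12:00:00.1234567Z (7 fractional
    digits, more than datetime accepts), so keep whole seconds and treat as UTC."""
    m = re.match(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})", value)
    if not m:
        raise ValueError(f"unexpected Graph timestamp: {value!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def secrets_expiring_within(credentials: list, days: int,
                            now: Optional[datetime] = None) -> list:
    """Secrets whose endDateTime is within `days` of `now` (or already past), soonest first."""
    now = now or datetime.now(timezone.utc)
    horizon = now + timedelta(days=days)
    hits = []
    for cred in credentials:
        end = parse_graph_time(cred["endDateTime"])
        if end <= horizon:
            hits.append({
                "displayName": cred.get("displayName"),
                "keyId": cred["keyId"],
                "daysLeft": (end - now).days,
                "expired": end <= now,
            })
    return sorted(hits, key=lambda c: c["daysLeft"])


# Constructed sample in the shape Graph returns; the key IDs are not real.
SAMPLE_CREDENTIALS = [
    {"displayName": "RAD Security Vulnerability Integration",
     "keyId": "aaaaaaaa-0000-0000-0000-000000000001", "hint": "abc",
     "startDateTime": "2024-07-01T00:00:00Z", "endDateTime": "2025-07-01T00:00:00Z"},
    {"displayName": "old-secret",
     "keyId": "aaaaaaaa-0000-0000-0000-000000000002", "hint": "xyz",
     "startDateTime": "2023-07-01T00:00:00Z", "endDateTime": "2024-07-01T00:00:00.1234567Z"},
    {"displayName": "rotated-2025",
     "keyId": "aaaaaaaa-0000-0000-0000-000000000003", "hint": "qrs",
     "startDateTime": "2025-05-01T00:00:00Z", "endDateTime": "2025-11-01T00:00:00Z"},
]


def demo(now_iso: str = "2025-06-15T00:00:00Z", days: int = 30) -> list:
    """Run the check on the constructed sample at a fixed 'now' (offline demonstration)."""
    return secrets_expiring_within(SAMPLE_CREDENTIALS, days, now=parse_graph_time(now_iso))


if __name__ == "__main__":
    # In use: hits = secrets_expiring_within(fetch_password_credentials(token, object_id), 30)
    for hit in demo():
        state = "EXPIRED" if hit["expired"] else f"{hit['daysLeft']} day(s) left"
        print(f"{hit['displayName']} ({hit['keyId']}): {state}")
```

Run it from a scheduled job and page on any hit; rotate by adding the new secret, updating the Client Secret in RAD Security, confirming the integration still shows Connected, and only then deleting the old credential by its keyId.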

Secure Credential Storage

Store client secrets in a secure vault. Never commit credentials to version control.

Separate Applications

Create a dedicated application for this integration rather than reusing an existing app.

Additional Resources

Create Defender API App

Microsoft’s guide to creating an app for Defender API access

Defender API Endpoints

Complete list of regional API endpoints

Next Steps

Vulnerabilities Overview

Explore other vulnerability integration options

Runtime Security

Learn how RAD correlates vulnerabilities with runtime threats

Microsoft Defender (EDR)

Add Microsoft Defender for endpoint detection and response

Alerts & Incidents

Configure alerts for vulnerability-related events