title: Access the Microsoft Defender XDR APIs
description: Learn how to access the Microsoft Defender XDR APIs
ms.service: defender-xdr
f1.keywords: NOCSH
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: m365-security, tier3, must-keep
ms.topic: reference
search.appverid: MOE150, MET150
ms.custom: api
ms.date: 02/08/2024

Access the Microsoft Defender XDR APIs

Applies to:

  • Microsoft Defender XDR

Note

Try our new APIs using the MS Graph security API. Find out more at: Use the Microsoft Graph security API.

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Microsoft Defender XDR exposes much of its data and actions through a set of programmatic APIs. These APIs help you automate workflows and make full use of Microsoft Defender XDR's capabilities.

In general, you'll need to take the following steps to use the APIs:

  • Create a Microsoft Entra application
  • Get an access token using this application
  • Use the token to access the Microsoft Defender XDR API

Note

API access requires OAuth 2.0 authentication. For more information, see OAuth 2.0 Authorization Code Flow.

Once you've accomplished these steps, you're ready to access the Microsoft Defender XDR API using a particular context.

Application context (Recommended)

Use this context for apps that run without a signed-in user present, such as background services or daemons.

  1. Create a Microsoft Entra web application.
  2. Assign the desired permissions to the application.
  3. Create a key for the application.
  4. Get a security token using the application and its key.
  5. Use the token to access the Microsoft Defender XDR API.

For more information, see Create an app to access Microsoft Defender XDR without a user.
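Steps 4 and 5 of the application context, as an added example that is not part of the original article or Microsoft's own code: it builds the client-credentials token request and checks the returned token's claims before the token is used. The token endpoint, the resource URI, the claim names and the helper names are assumptions not stated on this page, and the sample token is constructed.

```python
import base64, json, time
from urllib.parse import urlencode

# Assumptions (not from the page): Entra v2.0 token endpoint and the
# Defender XDR resource URI; tenant and client values are placeholders.
RESOURCE = "https://api.security.microsoft.com"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the OAuth 2.0 client-credentials grant."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # load from a secret store, never hard-code
        "scope": RESOURCE + "/.default",
    })
    return TOKEN_URL.format(tenant=tenant_id), body

def decode_claims(jwt):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(jwt, tenant_id, allowed_roles, now=None):
    """List problems: wrong audience or tenant, expiry, roles beyond the allowlist."""
    c = decode_claims(jwt)
    now = time.time() if now is None else now
    problems = []
    if c.get("aud") != RESOURCE:
        problems.append("unexpected audience: %r" % c.get("aud"))
    if c.get("tid") != tenant_id:
        problems.append("token issued for another tenant")
    if c.get("exp", 0) <= now:
        problems.append("token expired")
    extra = sorted(set(c.get("roles", [])) - set(allowed_roles))
    if extra:
        problems.append("roles beyond least privilege: " + ", ".join(extra))
    return problems

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_sample_token(claims):
    """Constructed, unsigned sample token so the example runs offline."""
    return _b64({"alg": "none", "typ": "JWT"}) + "." + _b64(claims) + ".sig"
```

An empty list from `check_token` means the token matches the expected audience, tenant and permission set; any extra role indicates the app registration was granted more than the automation needs.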

User context

Use this context to perform actions on behalf of a single user.

  1. Create a Microsoft Entra native application.
  2. Assign the desired permission to the application.
  3. Get a security token using the user credentials for the application.
  4. Use the token to access the Microsoft Defender XDR API.

For more information, see Create an app to access Microsoft Defender XDR APIs on behalf of a user.

Partner context

Use this context when you need to provide an app to many users across multiple tenants.

  1. Create a Microsoft Entra multi-tenant application.
  2. Assign the desired permission to the application.
  3. Get admin consent for the app from each tenant.
  4. Get a security token using user credentials based on a customer's tenant ID.
  5. Use the token to access the Microsoft Defender XDR API.

For more information, see Create an app with partner access to Microsoft Defender XDR APIs.

Related articles