Pre-requisites
Set Up App Registrations in the Azure Portal
App registrations in Microsoft Entra ID (Azure AD) allow applications to authenticate and access Microsoft resources securely.1
Access Azure Portal
- Log in to your Azure Portal.
- Go to Microsoft Entra ID (formerly Azure AD).
- In the left menu, click Manage โ App registrations.
2
Register a New Application
- Click + New registration.
-
Provide the mandatory details:
- (Name: Enter a name for your app (e.g.,
airmdr-defender-atp). - Supported Account Types: Select โAccounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)โ option).
- (Name: Enter a name for your app (e.g.,
- Click Register.
3
Get Application (Client) ID and Tenant ID
- After successful registration, you will see the App Overview page.
Copy Application (Client) ID โ Identifies your app.
Copy Directory (Tenant) ID โ Identifies your Azure AD tenant.
4
Configure API Permissions
- In the application Overview page left navigation pane, select Manage dropdown.
- Click API Permissions.
- Click + Add a permission
- Select APIs my organization uses tab.
-
Search and select the API โWindowsDefenderATPโ.
- Click on Application permissions.
-
Select the required permissions (
Alert.Read.All,File.Read.All,IP.Read.All,Machine.Read.All,SecurityRecommendation.Read.All,Software.Read.All,URL.Read.All,User.Read.All,Vulnerability.Read.All,Alert.ReadWrite.All,Machine.ReadWrite.All). - Click Add permissions at the bottom of the page.
-
Click API permissions, select Yes for Grant admin consent confirmation to allow access.
5
Create a Client Secret (For Authentication)
- In the application Overview page left navigation pane, select Manage dropdown.
- Click Certificates & secrets.
-
Click + New client secret.
-
Enter a description (e.g.,
MySecretKey) and set expiration. - Click Add.
Email the Tenant ID, Client ID and the Client Secret Value to AirMDR or self Configure MDE in AirMDR Integrations Dashboard.
Configure Microsoft Defender for Endpoint in AirMDR Integrations Dashboard
-
Navigate to AirMDR, provide the credentials and click Login.
-
Navigate to the AirMDR Integrations Dashboard in the left navigation pane and select Integrations.
-
Use the search option, enter the keyword โMicrosoft Defender for Endpointโ, select the Connections tab, and click the + Create icon.
-
Enter the generated Tenant ID, Client ID and the Client Secret in the Authentication Details field params, and click Create.
Evaluate Microsoft Defender for Endpoint (MDE)
Pre-requisites
Azure App Registration with API permissions for Defender for Endpoint.
Client ID, Tenant ID, and Client Secret.
1
Obtain an Access Token
Open cURL and run the following command to check if your API Access is working:MDE uses OAuth 2.0 authentication. First, request an access token from Microsoft Entra ID (Azure AD):Replace:
<tenant_id>โ Your Azure Directory (Tenant) ID.<client_id>โ Your App Registration Client ID.<client_secret>โ Your App Registration Client Secret.
- This verifies if the user can retrieve device information based on the assigned scope.
2
Test API Access with MDE
Once you have the Expected Response:
A JSON list of devices onboarded to Defender for Endpoint.Expected Response:A list of security alerts detected by Microsoft Defender.Troubleshooting Authentication Issues
access_token, use it in API calls.- To Get Device List
- To Get Alerts
| Error Code | Possible Issue | Solution |
|---|---|---|
| 401 Unauthorized | Invalid token | Regenerate token, check credentials |
| 403 Forbidden | Insufficient API permissions | Grant admin consent in Azure Portal |
| 400 Bad Request | Incorrect request format | Verify API endpoint and headers |
| 500 Internal Server Error | Service issue | Retry later, check the Defender status |