> ## Documentation Index
> Fetch the complete documentation index at: https://docs.airmdr.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Microsoft Defender for Endpoint

> Microsoft Defender for Endpoint (MDE) is an enterprise-grade endpoint security platform that helps prevent, detect, investigate, and respond to advanced threats across endpoints. While MDE primarily focuses on endpoint protection, it also integrates with other Microsoft security solutions to provide extended protection across identities, cloud workloads, and networks.

### Pre-requisites

<Tip>
  User organization must have an eligible **Defender for Endpoint** license.
</Tip>

### Set Up App Registrations in the Azure Portal

App registrations in **Microsoft Entra ID (Azure AD)** allow applications to authenticate and access Microsoft resources securely.

<Steps>
  <Step title="Access Azure Portal">
    1. Log in to your [Azure Portal](https://portal.azure.com/).
    2. Go to **Microsoft Entra ID** (formerly Azure AD).
    3. In the left menu, click **Manage** → **App registrations**.
  </Step>

  <Step title="Register a New Application">
    1. Click **+ New registration**.
    2. Provide the mandatory details:
       * (**Name**: Enter a name for your app (e.g., `airmdr-defender-atp`).
       * **Supported Account Types**: Select "*Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)*" option).
             <img src="https://mintcdn.com/airmdr/wb8NOGyN5Zdemkpe/images/MDE3.png?fit=max&auto=format&n=wb8NOGyN5Zdemkpe&q=85&s=4c2565d2535d78e1a84af22dea350797" alt="" width="787" height="393" data-path="images/MDE3.png" />
    3. Click **Register**.

    <Tip>
      **Redirect URI (Optional)**: If your app uses authentication, enter a URL (e.g., `https://myapp.com/auth`).
    </Tip>
  </Step>

  <Step title="Get Application (Client) ID and Tenant ID">
    1. After successful registration, you will see the **App Overview** page.

    <Check>
      Copy **Application (Client) ID** – Identifies your app.
    </Check>

    <Check>
      Copy **Directory (Tenant) ID** – Identifies your Azure AD tenant.
    </Check>
  </Step>

  <Step title="Configure API Permissions">
    1. In the application Overview page left navigation pane, select **Manage** dropdown.
    2. Click **API Permissions**.
    3. Click **+ Add a permission**
    4. Select **APIs my organization uses** tab.
    5. Search and select the API "**WindowsDefenderATP**".
           <img src="https://mintcdn.com/airmdr/wb8NOGyN5Zdemkpe/images/MDE4.png?fit=max&auto=format&n=wb8NOGyN5Zdemkpe&q=85&s=337c8d9c7e56b6677d27870560b50aef" alt="" width="849" height="254" data-path="images/MDE4.png" />
    6. Click on **Application permissions**.
    7. Select the required permissions:
       * **To Fetch List of Alerts** - `Alert.ReadWrite.All`
       * **To Run Advanced Hunting Query** - `AdvancedQuery.Read.All`
       * **To Get Machine Live Response** - `Machine.LiveResponse`
       * **To Get List of Machines** - `Machine.ReadWrite.All`
       * **Additional Permissions (Optional)** - (`Alert.Read.All`, `File.Read.All`,`IP.Read.All`,`Machine.Read.All`,`SecurityRecommendation.Read.All`,`Software.Read.All`,`URL.Read.All`,`User.Read.All`,`Vulnerability.Read.All`)
    8. Click **Add permissions** at the bottom of the page.
    9. Click **API permissions**, select **Yes** for **Grant admin consent confirmation** to allow access.
           <img src="https://mintcdn.com/airmdr/wb8NOGyN5Zdemkpe/images/MDE5.png?fit=max&auto=format&n=wb8NOGyN5Zdemkpe&q=85&s=c7c1942fc2be57baa3d6e9d31cbda08e" alt="" width="810" height="399" data-path="images/MDE5.png" />
  </Step>

  <Step title="Create a Client Secret (For Authentication)">
    1. In the application Overview page left navigation pane, select **Manage** dropdown.
    2. Click **Certificates & secrets**.
    3. Click **+ New client secret**.
           <img src="https://mintcdn.com/airmdr/wb8NOGyN5Zdemkpe/images/MDE6.png?fit=max&auto=format&n=wb8NOGyN5Zdemkpe&q=85&s=c3d8732152f5e9b62265b292bcf1a6e1" alt="MDE6 Pn" width="874" height="300" data-path="images/MDE6.png" />
    4. Enter a description (e.g., `MySecretKey`) and set expiration.
    5. Click **Add**.

    <Warning>
      Copy and secure the **Value** (**Client Secret**) immediately – (It won’t be shown again!)
    </Warning>

    <Check>
      <Icon icon="mail" /> Email the **Tenant ID**, **Client ID** and the **Client Secret Value** to AirMDR or self Configure MDE in AirMDR Integrations Dashboard.
    </Check>
  </Step>
</Steps>

### Configure Microsoft Defender for Endpoint in AirMDR Integrations Dashboard

1. Navigate to [AirMDR](https://app.airmdr.com/auth/login), provide the credentials and click **Login.**
   <img src="https://mintcdn.com/airmdr/wnBXbVlE7mmN9W6R/images/Datadog11.png?fit=max&auto=format&n=wnBXbVlE7mmN9W6R&q=85&s=94afec6835b90abcec516831e584184f" alt="" width="443" height="568" data-path="images/Datadog11.png" />
2. Navigate to the AirMDR Integrations Dashboard in the left navigation pane and select **Integrations.**
   <img src="https://mintcdn.com/airmdr/wnBXbVlE7mmN9W6R/images/Datadog9.png?fit=max&auto=format&n=wnBXbVlE7mmN9W6R&q=85&s=314cbc6e406f70453a592159150f36e2" alt="" width="311" height="473" data-path="images/Datadog9.png" />
3. Use the search option, enter the keyword "**Microsoft Defender for Endpoint**", select the **Connections** tab, and click the **+ Create** icon.
   <img src="https://mintcdn.com/airmdr/-EZh6YrIIs69rcCd/images/MDE.png?fit=max&auto=format&n=-EZh6YrIIs69rcCd&q=85&s=c4c7a46beb6c07800d160bff67fdc2b1" alt="" width="1189" height="289" data-path="images/MDE.png" />
4. Enter the generated **Tenant ID, Client ID** and the **Client Secret** in the Authentication Details field params, and click **Save.**
   <img src="https://mintcdn.com/airmdr/wb8NOGyN5Zdemkpe/images/MDE2.png?fit=max&auto=format&n=wb8NOGyN5Zdemkpe&q=85&s=b3b8dbcde5d048084e6d67b29bce2e24" alt="" width="724" height="582" data-path="images/MDE2.png" />

### Evaluate Microsoft Defender for Endpoint (MDE)

### Pre-requisites

<Check>
  **Azure App Registration** with API permissions for **Defender for Endpoint**.
</Check>

<Check>
  **Client ID, Tenant ID, and Client Secret**.
</Check>

<Steps>
  <Step title="Obtain an Access Token">
    Open **cURL** and run the following command to check if your API Access is working:

    MDE uses **OAuth 2.0 authentication**. First, request an access token from **Microsoft Entra ID (Azure AD)**:

    ```text theme={null}

    curl -X POST "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token" \
         -H "Content-Type: application/x-www-form-urlencoded" \
         -d "client_id=<client_id>" \
         -d "client_secret=<client_secret>" \
         -d "grant_type=client_credentials" \
         -d "scope=https://api.security.microsoft.com/.default"
    ```

    **Replace:**

    * `<tenant_id>` – Your Azure Directory (Tenant) ID.
    * `<client_id>` – Your App Registration **Client ID**.
    * `<client_secret>` – Your App Registration **Client Secret**.

    **Expected Response (Success)**:

    ```json theme={null}

    {
      "token_type": "Bearer",
      "expires_in": 3599,
      "access_token": "eyJ0eXAiOiJKV1QiLCJhb..."
    }
    ```

    * This verifies if the user can retrieve **device information** based on the assigned scope.
  </Step>

  <Step title="Test API Access with MDE">
    Once you have the `access_token`, use it in API calls.

    * **To Get Device List**

    ```text theme={null}

    curl -X GET "https://api.security.microsoft.com/api/machines" \
         -H "Authorization: Bearer <access_token>" \
         -H "Content-Type: application/json"
    ```

    **Expected Response:** A JSON list of devices onboarded to Defender for Endpoint.

    * **To Get Alerts**

    ```text theme={null}

    curl -X GET "https://api.security.microsoft.com/api/alerts" \
         -H "Authorization: Bearer <access_token>" \
         -H "Content-Type: application/json"
    ```

    **Expected Response:**

    A list of security alerts detected by Microsoft Defender.

    **Troubleshooting Authentication Issues**

    | Error Code                | Possible Issue               | Solution                               |
    | ------------------------- | ---------------------------- | -------------------------------------- |
    | 401 Unauthorized          | Invalid token                | Regenerate token, check credentials    |
    | 403 Forbidden             | Insufficient API permissions | Grant admin consent in Azure Portal    |
    | 400 Bad Request           | Incorrect request format     | Verify API endpoint and headers        |
    | 500 Internal Server Error | Service issue                | Retry later, check the Defender status |
  </Step>
</Steps>
