Skip to main content

Microsoft Defender for Endpoint

Visualize Microsoft Defender for Endpoint resources, map Defender users to employees, and monitor changes through queries and alerts.


To use this integration, you must have:

  • An Azure account with an App Registration to provide credentials for the JupiterOne integration to authenticate with Microsoft Graph APIs. The App Registration also defines the permissions the integration requires and which the target tenant must authorize.
  • An Active Directory tenant to target for data ingestion. It is possible to target the Active Directory tenants defined in the Azure account holding the App Registration.
  • A Microsoft Defender for Endpoint account to create devices and run attacks via simulation technique, which can track vulnerabilities data, user groups creation and mapping users to devices.

Configuration in Microsoft Defender for Endpoint

In Microsoft Defender for Endpoint:

  1. Create a Microsoft Defender for Endpoint account.
  2. Add devices.

In the Azure Portal

  1. Navigate to App Registrations.
  2. Click New Registration.
  3. Enter a name for the app.
  4. Select the supported account type.
  5. Click Register.

Add API permissions

In your new app registration, go to API Permissions under Manage in the left-side panel.

  1. If your app has already been assigned the User.Read permission, remove it using the context menu. It is not needed for the integration to run.
  2. If a warning appears saying "This scope is required for proper application functionality.", it can be safely ignored.
  3. Click Add a permission > Microsoft Graph.
  4. When presented with "What type of permissions does your application require?", select Application permissions.
  5. Add the Organization.Read.All permission and Directory.Read.All permission.
  6. Click Add permissions.
  7. Click Add a permission again.
  8. Under APIs my organization uses, search "WindowsDefenderATP" and click the result.
  9. When presented with "What type of permissions does your application require?", select Application permissions and add the following:
    • Machine.Read.All permission
    • User.Read.All permission
    • Vulnerability.Read.All permission
  10. Click Add permission.
  11. Grant admin consent for the API permissions.

Add Client Secret

  1. In your app registration, click Certificates & secrets.
  2. Under Client Secrets, click New client secret.
  3. Add a description for the secret.
  4. Select a secret expiration that matches your needs for secret rotation.
  5. Click Add.
  6. Copy the secret value using the Copy to Clipboard icon (highlighting and copying will not copy the full value).
Granted API Permissions usage

Microsoft Graph

  1. Organization.Read.All
    • Read organization information
    • Needed for creating the Account entity
  2. Directory.Read.All
    • Read directory data
    • Needed for creating User, Group, and GroupUser entities


  1. Machine.Read.All
    • Read machine information
    • Needed for creating Device and HostAgent entities
  2. User.Read.All
    • Read user profiles
    • Needed for creating User entities
  3. Vulnerability.Read.All
    • Read Threat and Vulnerability Management vulnerability information
    • Needed for creating Vulnerability entity

Configuration in JupiterOne

To install the Microsoft Defender for Endpoint integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Microsoft Defender for Endpoint. Click New Instance to begin configuring your integration.

Creating a configuration requires the following:

  • The Account Name used to identify the Microsoft Defender for Endpoint account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.

  • Description to assist in identifying the integration instance, if desired.

  • Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

  • Client Secret value that you copied earlier.

  • Tenant (Directory ID) and Client ID (Application ID), located in your App Registration's Overview tab.

Click Create once all values are provided to finalize the integration.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.