Print

Create Azure App Registration

Copy the URL link to this section to share

Synchronizing data from Microsoft Defender for Endpoint is done using application permissions. Here we are configuring the permissions required for Power BI to connect to the Microsoft API’s to retrieve the data. 

Prerequisites:  The user performing this step requires Global Admin and Subscription Admin rights.

Step

  1. Login to portal.azure.com using a global administrator account.
  2. Search for and select App registrations.
  3. Select New registration.
(click to enlarge)
Step

  1. Enter a Name for the application. (This will not be seen by anyone other than admins.)
  2. Specify who can use the application as Accounts in this organizational directory only.
  3. Select Register.
register defender app
(click to enlarge)
Step

  1. On the Enterprise App page select API Permissions.
  2. Remove the User.Read permission. 
  3. Select Add a permission.
defender remove default permmissions
(click to enlarge)
Step

  1. Select Microsoft Graph.
(click to enlarge)
Step

  1. Select Application permissions.
(click to enlarge)
Step

  1. Search for Security.
  2. Select the following permissions:
    1. SecurityAlert.Read.All
    2. SecurityEvents.Read.All
    3. SecurityIncident.Read.All
  3. Do not select the Add permissions button, continue to the next step.
defender security read permissionspng
(click to enlarge)
Step

  1. Search for Directory.
  2. Select the following permissions:
    1. Directory.Read.All
  3. Do not select the Add permissions button, continue to the next step.
directory read
(click to enlarge)
Step

  1. Search for ThreatHunting.
  2. Select ThreatHunting.Read.All.
  3. Select the Add permissions button.
threat hunting readall
(click to enlarge)
Step

  1. On the Enterprise App page select API Permissions.
  2. Select Add a permission.
defender add more permissions
(click to enlarge)
Step

  1. Select APIs my organization uses.
  2. Search for WindowsDefenderATP.
  3. Select WindowsDefenderATP in the search results.
windows defender atp api
(click to enlarge)
Step

  1. Select Application permissions.
windows defender atp app permissions
(click to enlarge)
Step

  1. Search for Machine.
  2. Select the following permissions:
    1. Machine.Read.All
  3. Do not select the Add permissions button, continue to the next step. 
defender machine readall
(click to enlarge)
Step

  1. Search for SecurityRecommendation.
  2. Select the following permissions:
    1. SecurityRecommendation.Read.All
  3. Do not select the Add permissions button, continue to the next step.
defender security read all
(click to enlarge)
Step

  1. Search for Software.
  2. Select the following permissions:
    1. Software.Read.All
  3. Do not select the Add permissions button, continue to the next step.
defender software read all
(click to enlarge)
Step

  1. Search for Vulnerability.
  2. Select the following permissions:
    1. Vulnerability.Read.All
  3. Select the Add permissions button.
defender vulnerability read all
(click to enlarge)
Step

  1. Select Grant admin consent for <your company name>.
grant defender permissions
(click to enlarge)
Step

  1. Select Yes at the prompt. 
(click to enlarge)
Step

  1. Select Certificates & secrets.
  2. Select New client secret.
  3. Enter a Description.
  4. Select a value for Expires.
  5. Select Add.
defender new secret
(click to enlarge)
Step

  1. Record the Value data as the Azure AD Client Secret. This will be used later in the installation process. The value can only be displayed once, if you fail to record it here you will have to create a new one. 
  2. NOTE: This is the most common mistake made. You do not need the "Secret ID" You just need the "Value".
defender secret value
(click to enlarge)
Step

  1. Select Overview.
  2. Record the Application (client) ID as the Azure AD Client ID. This will be used later in the installation process. 
  3. Record the Directory (tenant) ID as the Azure AD Tenant ID. This will be used later in the installation process. 
  4. The Azure AD Application registration is now complete.
defender app overview
(click to enlarge)