Use the Microsoft Graph Security API


APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

The Microsoft Graph Security API provides a unified interface and schema to integrate with security solutions from Microsoft and ecosystem partners. This empowers customers to streamline security operations and better defend against increasing cyber threats. The Microsoft Graph Security API federates queries to all onboarded security providers and aggregates responses. Use the Microsoft Graph Security API to build applications that:

  • Consolidate and correlate security alerts from multiple sources
  • Unlock contextual data to inform investigations
  • Automate security tasks, business processes, workflows, and reporting
  • Send threat indicators to Microsoft products for customized detections
  • Invoke actions to in response to new threats
  • Provide visibility into security data to enable proactive risk management

The Microsoft Graph Security API includes the following key entities.

Actions (preview)

Take immediate action to defend against threats using the Microsoft Graph Security securityAction entity. When a security analyst discovers a new indicator, such as a malicious file, URL, domain, or IP address, protection can be instantly enabled in your Microsoft security solutions. Invoke an action for a specific provider, see all actions taken, and cancel an action if needed. Try security actions with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) to block malicious activity on your Windows endpoints using properties seen in alerts or identified during investigations.

Note: Currently security actions only support application permissions.


Alerts are potential security issues within a customer's tenant that Microsoft or partner security solutions have identified and flagged for action or notification. With the Microsoft Graph Security alerts entity, you can unify and streamline management of security issues across all integrated solutions. This also enables applications to correlate alerts and context to improve threat protection and response. With the alert update capability, you can sync the status of specific alerts across different security products and services that are integrated with the Microsoft Graph Security API by updating your alerts entity.

Alerts from the following providers are available via the Microsoft Graph Security API. Support for GET alerts, PATCH alerts, and Subscribe (via webhooks) is indicated in the following table.

Security provider

GET alert

PATCH alert

Subscribe to alert

Azure Security Center

Azure Active Directory Identity Protection

File issue *

Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security)

File issue *

Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) **

File issue

Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) ***

File issue *

Microsoft 365

File issue

File issue

Azure Information Protection (preview)

File issue *

Azure Sentinel (preview)

Not supported in Azure Sentinel

Note: New providers are continuously onboarding to the Microsoft Graph Security ecosystem. To request new providers or for extended support from existing providers, file an issue in the Microsoft Graph Security GitHub repo.

* File issue: Alert status gets updated across Microsoft Graph Security API integrated applications but not reflected in the provider’s management experience.

** Microsoft Defender for Endpoint requires additional user roles to those required by the Microsoft Graph Security API. Only the users in both Microsoft Defender for Endpoint and Microsoft Graph Security API roles can have access to the Microsoft Defender for Endpoint data. Because application-only authentication is not limited by this, we recommend that you use an application-only authentication token.

*** Microsoft Defender for Identity alerts are available via the Microsoft Defender for Cloud Apps integration. This means you will get Microsoft Defender for Identity alerts only if you have joined Unified SecOps and connected Microsoft Defender for Identity into Microsoft Defender for Cloud Apps. Learn more about how to integrate Microsoft Defender for Identity and Microsoft Defender for Cloud Apps.

Attack simulation and training (preview)

Attack simulation and training is part of Microsoft Defender for Office 365. This service lets users in a tenant experience a realistic benign phishing attack and learn from it. Social engineering simulation and training experiences for end users help reduce the risk of users being breached via those attack techniques. The attack simulation and training API enables tenant administrators to view launched simulation exercises and trainings, and get reports on derived insights into online behaviors of users in the phishing simulations.

Information protection

Labels - Information protection labels provide details about how to properly apply a sensitivity label to information. The information protection label API describes the configuration of sensitivity labels that apply to a user or tenant.

Threat assessment - The Microsoft Graph threat assessment API helps organizations to assess the threat received by any user in a tenant. This empowers customers to report spam emails, phishing URLs, or malware attachments they receive to Microsoft. The policy check result and rescan result can help tenant administrators understand the threat scanning verdict and adjust their organizational policy.

Secure Score

Microsoft Secure Score is a security analytics solution that gives you visibility into your security portfolio and how to improve it. With a single score, you can better understand what you have done to reduce your risk in Microsoft solutions. You can also compare your score with other organizations and see how your score has been trending over time. The Microsoft Graph Security secureScore and secureScoreControlProfile entities help you balance your organization's security and productivity needs while enabling the appropriate mix of security features. You can also project what your score would be after you adopt security features.

Threat intelligence indicators (preview)

Threat indicators, also referred to as indicators of compromise (IoCs), represent data about known threats, such as malicious files, URLs, domains, and IP addresses. Customers can generate indicators through internal threat intelligence gathering or acquire indicators from threat intelligence communities, licensed feeds, and other sources. These indicators are then used in various security tools to defend against related threats.

The Microsoft Graph Security tiIndicators entity allows customers to feed threat indicators to Microsoft security solutions to enable block and alert actions on malicious activity or allow, which suppresses actions for indicators determined not to be relevant to an organization. When sending indicators, both the Microsoft solution that will utilize the indicator and the action to be taken on that indicator are specified.

You can integrate the tiIndicator entity into your application or use one of the following integrated threat intelligence platforms (TIP):

Threat indicators sent via the Microsoft Graph Security API are available today in the following products:

  • Azure Sentinel – Enables you to correlate threat indicators with log data to get alerts on malicious activity.
  • Microsoft Defender for Endpoint – Enables you to alert and/or block on threat indicators associated with malicious activity. You can also allow an indicator for ignoring the indicator from automated investigations. For details about the types of indicators supported and limits on indicator counts per tenant, see Manage indicators.

Support in other Microsoft security services will be available soon.

Common use cases

The following are some of the most popular requests for working with the Microsoft Graph Security API.

Use cases REST resources Try it in Graph Explorer
Actions (preview)
Get security action Get security action{id}
List security actions List security actions
Create security actions Create security actions
Cancel security action Cancel security actions{id}/cancelSecurityAction
List alerts List alerts
Update alerts Update alert
Update multiple alerts{alert-id}
Attack simulation and training (preview)
List simulations List simulations
Get simulation overview report Get simulation overview report{id}/report/overview
List simulation users report List simulation users report{id}/report/simulationUsers
Secure scores
List secure scores List secureScores
Secure score control profiles
List secure score control profiles List secureScoreControlProfiles
Update secure score control profiles Update secureScoreControlProfiles{id}
Threat intelligence indications (preview)
Get TI indicator Get tiIndicator{id}
List TI Indicators List tiIndicators
Create TI Indicator Create tiIndicator
Submit TI Indicators Submit tiIndicators
Update TI Indicators Update tiIndicator
Update multiple tiIndicators{id}
Delete TI Indicators Delete tiIndicator
Delete multiple tiIndicators
Delete tiIndicator by externalId

You can use Microsoft Graph webhooks to subscribe to and receive notifications about updates to Microsoft Graph Security API entities.

What's new

Find out about the latest new features and updates for these API sets.

Next steps

The Microsoft Graph Security API can open up new ways for you to engage with different security solutions from Microsoft and partners. Follow these steps to get started:

Need more ideas? See how some of our partners are using Microsoft Graph.

See also

Code and contribute to these Microsoft Graph Security API samples:

Explore other options to connect with the Microsoft Graph Security API:

Engage with the community: