Overview of Microsoft 365 Defender APIs

Applies to:

  • Microsoft 365 Defender

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Microsoft 365 Defender is built on top of an integration-ready platform.

Use the Microsoft 365 Defender APIs to automate workflows based on the shared incident and advanced hunting tables.

  • Combined incidents queue - Focus on what's critical by grouping the full attack scope and all impacted assets together under the incident API.

  • Cross-product threat hunting - Leverage your security team's organizational knowledge to hunt for signs of compromise by creating your own custom queries to sift through raw data collected across multiple protection products.

Along with these Microsoft 365 Defender-specific APIs, each of our other security products exposes additional APIs to help you take advantage of its unique capabilities.

Learn more

Understand how to access the APIs

  • Learn about API quotas and licensing

  • Access the Microsoft 365 Defender APIs

Build apps

  • Create a 'Hello world' app

  • Create an app to access Microsoft 365 Defender APIs on behalf of a user

  • Create an app to access Microsoft 365 Defender without a user

  • Create an app with multi-tenant partner access to Microsoft 365 Defender APIs

Troubleshoot and maintain your apps

  • Understand API error codes

  • Manage secrets in your apps with Azure Key Vault

  • Implement OAuth 2.0 authorization for user sign in