Share via

Defender API Endpoint Migration - 403 Errors with New Base URL

Michael Spence 0 Reputation points
2026-05-07T12:15:52.76+00:00

Issue Summary:

We're experiencing 403 permission errors when switching from the legacy Defender API endpoint

(https://api.securitycenter.windows.com) to the new documented endpoint (https://api.security.microsoft.com) for our

ThreatStream integration.

Background:

We maintain an integration between Anomali ThreatStream and Microsoft Defender for Endpoint. We were referred to Microsoft Support

Current State:

Questions:

  1. Is https://api.security.microsoft.com the official replacement for https://api.securitycenter.windows.com?
  2. If yes, is there a migration timeline or deprecation date for the legacy endpoint?
  3. Are there additional permissions or configuration changes required for the new endpoint beyond what was needed for the legacy

endpoint?

  1. Does the Advanced Hunting API migration to Microsoft Graph (documented here) affect standard Defender API calls?

Request:

Please confirm the correct endpoint and any additional steps needed to migrate from the legacy Defender API endpoint to the new

one without permission errors.

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. VEMULA SRISAI 13,405 Reputation points Microsoft External Staff Moderator
    2026-05-07T12:48:27.16+00:00

    Michael Spence Yes, https://api.security.microsoft.com is the official and current base endpoint for Microsoft Defender for Endpoint APIs. The legacy endpoint https://api.securitycenter.windows.com is still functional for backward compatibility, but Microsoft recommends using the new endpoint going forward. At this time, no formal deprecation date has been announced for the legacy endpoint.

    Regarding the 403 permission errors, no additional Defender API permissions are required beyond what was previously used. The issue is typically caused by the OAuth token being requested for the old resource audience. When calling the new endpoint, the access token must be obtained using the following scope:

    https://api.security.microsoft.com/.default

    If the token is still issued for https://api.securitycenter.windows.com, the new endpoint will reject the request with a 403 error, even though the permissions are correctly configured.

    The Advanced Hunting API migration to Microsoft Graph only affects Advanced Hunting queries and does not impact standard Defender for Endpoint APIs (alerts, machines, indicators, actions, etc.). Standard Defender API calls continue to work through api.security.microsoft.com.

    Summary / Required Action:

    • Use https://api.security.microsoft.com as the base URL
    • Update the token request scope to https://api.security.microsoft.com/.default
    • No permission changes are required
    • Advanced Hunting migration to Microsoft Graph is separate and does not affect standard APIs

    This should resolve the permission errors when migrating from the legacy endpoint.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.