Authenticate to Microsoft Defender for Endpoint API using Managed Identity or Azure Automation

Jesus Chao 141 Reputation points
2023-10-17T16:57:32.0766667+00:00

Hi,

I need to access the Microsoft Defender for Endpoint API using our managed identity in Azure Automation. I have successfully given my managed identity for Azure Automation access to the WindowsDefenderATP Enterprise App. However, when I attempt to authenticate to the Defender APIs, Azure Automation gets "Unauthorized". I know that I can create an App Registration and use a client Id and secret to get a token and access the API but I am trying to avoid that and just use the managed ID for Azure Automation. Does anyone know if this is possible?


2 answers

  1. Jesus Chao 141 Reputation points
    2023-10-19T13:37:36.1766667+00:00

    I figured this out finally after being persistent. The key is getting the Azure Instance Metadata Service (IMDS) endpoint string to get the right token. The IMDS is the local URL used to request a token in Azure Automation that is stored in the environment variable: $env:IDENTITY_ENDPOINT. Basically the request URL was too complicated to get to work in order to request a token from Login.MicrosoftOnline.com using the scope of 'https://api.securitycenter.microsoft.com/.default'

    On a whim, I tried the following and it worked. This has to be attempted within an Azure Automation Runbook:

    # Sign in as the Automation account's managed identity first; Get-AzAccessToken
    # needs an Az context, and inside a runbook that context comes from -Identity.
    Connect-AzAccount -Identity | Out-Null

    # Ask Az for a token whose audience is the Defender for Endpoint API.
    $sourceAppIdUri = 'https://api.securitycenter.microsoft.com/.default'
    $response = Get-AzAccessToken -ResourceUri $sourceAppIdUri
    $token = $response.Token

    $Headers = @{ 'Authorization' = "Bearer $token" }

    # On a GET, Invoke-RestMethod turns -Body into the query string, so this sends ?$top=10
    $body = @{
        '$top' = 10
    }

    $defendermachines = Invoke-RestMethod -Method Get -Uri 'https://api.securitycenter.microsoft.com/api/machines' -Headers $Headers -Body $body -ErrorAction Continue
    

    I didn't know that you could use the Security Center API scope for the ResourceURI in the Get-AzAccessToken cmdlet. I still wish I knew what the magic string is to get the IMDS to pull a token, but this works just fine.

    Hope this helps anyone looking into this.

    1 person found this answer helpful.
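As an added example that is not part of the answer above, the following runbook does what the answer wished for: it requests the Defender for Endpoint token directly from the identity endpoint Azure Automation injects into the sandbox ($env:IDENTITY_ENDPOINT plus the X-IDENTITY-HEADER value from $env:IDENTITY_HEADER, with the API's app ID URI as the `resource` query parameter), then decodes the JWT payload locally to confirm the `aud` and `roles` claims before calling the API. The roles check is the diagnostic for the "Unauthorized" in the question: a token for the right audience that carries no `roles` claim means the managed identity's service principal has not actually been assigned an app role on the WindowsDefenderATP application. Assumptions: the runbook runs under a system-assigned managed identity, that identity has been granted the `Machine.Read.All` application permission (the permission the List machines API requires), and the JWT decode is a parse for inspection only, not signature validation (the API does that).

```powershell
# Added example, not code from the original post.
# Assumes: Azure Automation runbook, managed identity enabled, identity granted
# the Machine.Read.All app role on the WindowsDefenderATP service principal.

$Resource = 'https://api.securitycenter.microsoft.com'   # MDE API app ID URI (no /.default on this endpoint)

function Get-ManagedIdentityToken {
    param([Parameter(Mandatory)][string]$Resource)

    # IDENTITY_ENDPOINT and IDENTITY_HEADER are set in the runbook sandbox when
    # the Automation account has a managed identity; outside a runbook they are absent.
    if (-not $env:IDENTITY_ENDPOINT -or -not $env:IDENTITY_HEADER) {
        throw 'IDENTITY_ENDPOINT/IDENTITY_HEADER not set: enable a managed identity on the Automation account and run this as a runbook.'
    }

    $uri = '{0}?resource={1}' -f $env:IDENTITY_ENDPOINT, [uri]::EscapeDataString($Resource)
    $headers = @{
        'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER
        'Metadata'          = 'True'
    }
    $response = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    return $response.access_token     # never Write-Output this; it lands in job logs
}

function ConvertFrom-JwtPayload {
    # Decode (not validate) the middle segment of a compact JWS so claims can be inspected.
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact-serialized JWT' }
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

function Test-MdeToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$RequiredRole
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    if ($claims.aud.TrimEnd('/') -ne $Resource) {
        throw "Token audience is '$($claims.aud)', expected '$Resource': wrong resource was requested."
    }
    # An app-only token with no 'roles' claim is the usual cause of 401 from the MDE API:
    # the identity authenticated fine but holds no permission on the application.
    if (-not $claims.roles -or $RequiredRole -notin $claims.roles) {
        throw "Token roles are [$($claims.roles -join ', ')] but '$RequiredRole' is required; assign the app role to the managed identity's service principal."
    }
    return $claims
}

$token  = Get-ManagedIdentityToken -Resource $Resource
$claims = Test-MdeToken -Token $token -RequiredRole 'Machine.Read.All'
Write-Output ('Token for appid {0} in tenant {1} carries roles: {2}' -f $claims.appid, $claims.tid, ($claims.roles -join ', '))

# Use the token. $top is an OData query option; the backtick keeps PowerShell from expanding it.
$headers  = @{ Authorization = "Bearer $token" }
$machines = Invoke-RestMethod -Method Get -Uri "$Resource/api/machines?`$top=10" -Headers $headers
$machines.value | Select-Object id, computerDnsName, osPlatform, healthStatus
```

The `resource` parameter here is the bare app ID URI, whereas the `Get-AzAccessToken` call in the answer passed the `/.default` scope form; the identity endpoint speaks the v1-style resource parameter, so do not append `/.default` to it. Write the claims summary to the job output if you like, but keep the raw token out of `Write-Output` and `Write-Verbose`, since Automation job streams are retained and readable by anyone with reader access to the account.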

  2. Carlos Solís Salazar 16,611 Reputation points
    2023-10-17T18:05:43.8166667+00:00

    In general, you'll need to take the following steps to use the APIs:

    • Create an AAD application
    • Get an access token using this application
    • Use the token to access Defender for Endpoint API

    You can access Defender for Endpoint API with Application Context or User Context.

    • Application Context: (Recommended)

    Used by apps that run without a signed-in user present. For example, apps that run as background services or daemons.

    Steps that need to be taken to access Defender for Endpoint API with application context:

    1. Create an AAD Web-Application.
    2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'.
    3. Create a key for this Application.
    4. Get token using the application with its key.
    5. Use the token to access the Microsoft Defender for Endpoint API.

    For more information, see [Get access with application context](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-webapp?view=o365-worldwide).
              
    • User Context:

    Used to perform actions in the API on behalf of a user.

    Steps to take to access Defender for Endpoint API with user context:

    1. Create AAD Native-Application.
    2. Assign the desired permission to the application, e.g. 'Read Alerts', 'Isolate Machines' etc.
    3. Get token using the application with user credentials.
    4. Use the token to access the Microsoft Defender for Endpoint API.

    For more information, see [Get access with user context](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-nativeapp?view=o365-worldwide).
            

    More info: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api/apis-intro?view=o365-worldwide

    Hope this helps!
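The application-context steps listed in this answer, carried through as an added example (not code from the answer or from Microsoft's documentation), for the case where a managed identity is not an option and an app registration with a client secret must be used from an Azure Automation runbook. It performs the OAuth 2.0 client credentials grant against the v2.0 token endpoint with the `https://api.securitycenter.microsoft.com/.default` scope, keeps the secret out of the script by reading it from an encrypted Automation variable, caches the token with its expiry, and wraps API calls so a 401 or 403 is reported with the likely cause rather than a bare HTTP error. Assumptions: an app registration that has been granted and admin-consented the `Alert.Read.All` application permission on the Defender for Endpoint API, and Automation variables named `MdeTenantId`, `MdeClientId` and (encrypted) `MdeClientSecret`; those variable names are placeholders chosen for this example.

```powershell
# Added example, not code from the original answer.
# Assumes: app registration with Alert.Read.All (application permission, admin-consented);
# Automation variables MdeTenantId, MdeClientId, and the encrypted variable MdeClientSecret.

$TenantId     = Get-AutomationVariable -Name 'MdeTenantId'
$ClientId     = Get-AutomationVariable -Name 'MdeClientId'
$ClientSecret = Get-AutomationVariable -Name 'MdeClientSecret'   # decrypted only inside the sandbox

function Get-MdeAppToken {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$ClientSecret
    )
    # Client credentials grant: the /.default scope returns every application
    # permission that has been consented for this app on the MDE API.
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -ContentType 'application/x-www-form-urlencoded' `
        -Body $body
    # Cache with a one-minute safety margin so long runbooks reuse the token instead of
    # hammering the token endpoint once per API call.
    return [pscustomobject]@{
        AccessToken = $resp.access_token
        ExpiresAt   = (Get-Date).AddSeconds($resp.expires_in - 60)
    }
}

function Invoke-MdeApi {
    # GET against the MDE API; follows @odata.nextLink when the service returns one.
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$Path       # e.g. 'alerts?$top=50'
    )
    $uri     = "https://api.securitycenter.microsoft.com/api/$Path"
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $items   = @()
    while ($uri) {
        try {
            $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        } catch {
            $status = $_.Exception.Response.StatusCode.value__
            if ($status -eq 401) { throw "401 from MDE API on $Path : token was issued for the wrong resource or the app holds no application permission on the API." }
            if ($status -eq 403) { throw "403 from MDE API on $Path : the app's granted permissions do not cover this operation." }
            throw
        }
        $items += $page.value
        $uri = $page.'@odata.nextLink'
    }
    return $items
}

$tok = Get-MdeAppToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret
if ((Get-Date) -ge $tok.ExpiresAt) { throw 'Token already expired on arrival; check clock skew on the worker.' }

$alerts = Invoke-MdeApi -AccessToken $tok.AccessToken -Path 'alerts?$top=50'
$alerts | Select-Object id, severity, title, machineId
```

The secret is the weak point of this flow, which is why the question tries to avoid it: it has to be rotated, it is exposed to anyone who can read the Automation account's variables, and a leaked value works from anywhere on the internet. If the app registration route is unavoidable, prefer a certificate credential over a secret and grant the narrowest application permission the runbook needs (here `Alert.Read.All` rather than `Alert.ReadWrite.All` or `Machine.Isolate`).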