To export a complete tenant-level list of all devices and their active software vulnerabilities (CVE IDs), use Microsoft Defender Vulnerability Management / Defender for Endpoint assessment export APIs rather than the Defender for Cloud CSV export, which is limited and focused on alerts/recommendations.
There are two main API approaches, depending on organization size and data volume.
- Full software vulnerabilities assessment – JSON (small/medium tenants)
This method returns all known vulnerabilities per device as paginated JSON, with one record per unique combination of:
- DeviceId
- SoftwareVendor
- SoftwareName
- SoftwareVersion
- CveId
Key properties include:
- CveId – CVE identifier
- DeviceId – device unique ID
- DeviceName – FQDN of the device
- CvssScore, ExploitabilityLevel, VulnerabilitySeverityLevel
- DiskPaths, RegistryPaths
- RecommendedSecurityUpdate / RecommendedSecurityUpdateId
Process to build a CSV:
- Call the “Export software vulnerabilities assessment (JSON response)” API.
- Follow @odata.nextLink to page through all results.
- From each record, extract at least DeviceName and CveId (and any other desired fields).
- Flatten the JSON into a tabular structure and write to CSV (for example, using a script in PowerShell, Python, or similar).
This method is recommended for organizations with fewer than ~100K devices.
- Full software vulnerabilities assessment – via files (large tenants)
For larger environments or when faster, bulk export is needed, use the file-based export:
- API: GET /api/machines/SoftwareVulnerabilitiesExport
- Permissions required (app or delegated):
  - Application: Vulnerability.Read.All
  - Delegated: Vulnerability.Read
- Parameters:
  - sasValidHours – number of hours the download URLs remain valid (max 6 hours).
The response contains:
- Export files – array of download URLs to GZIP-compressed, multiline JSON files
- GeneratedTime – snapshot generation time
Process to build a CSV:
- Call GET /api/machines/SoftwareVulnerabilitiesExport with appropriate permissions.
- From the response, collect all URLs in the Export files array.
- Download each file (they are GZIP compressed, multiline JSON).
- Decompress and parse each JSON line as a record. Each record represents a unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId.
- Extract fields such as DeviceName and CveId, plus any others needed (CvssScore, ExploitabilityLevel, etc.).
- Combine all records into a single dataset and export to CSV.
This method is recommended for organizations with more than ~100K devices and is optimized for large data volumes.
- Delta export (optional, for ongoing reporting)
After an initial full export, use the delta export API to maintain an up-to-date CSV without re-pulling the entire dataset:
- Delta export returns entries with:
- DeviceId, DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion, CveId
- EventTimestamp, FirstSeenTimestamp, LastSeenTimestamp
- Status (New, Fixed, Updated)
- VulnerabilitySeverityLevel, ExploitabilityLevel
- RecommendedSecurityUpdate / RecommendedSecurityUpdateId
Use this to:
- Track new vulnerabilities (Status = New)
- Track remediated vulnerabilities (Status = Fixed)
- Update existing rows when Status = Updated
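As an added example (not part of the original answer and not Microsoft's code), the Python below performs the decompress, parse and flatten steps for one file-based export and then applies a delta file by Status before writing CSV. It assumes the field names listed above (matched case-insensitively) and that DiskPaths arrives as a list; the sample records and CVE ids are constructed placeholders.

```python
import csv, gzip, io, json

KEY = ("DeviceId", "SoftwareVendor", "SoftwareName", "SoftwareVersion", "CveId")
COLUMNS = ("DeviceName",) + KEY + ("CvssScore", "ExploitabilityLevel", "DiskPaths")

def parse_export(blob, extra=()):
    """Yield one flat row per line of a GZIP-compressed, multiline JSON file."""
    text = gzip.decompress(blob).decode("utf-8")
    for line in filter(str.strip, text.splitlines()):
        rec = {k.lower(): v for k, v in json.loads(line).items()}  # case-insensitive keys
        row = {}
        for col in COLUMNS + tuple(extra):
            val = rec.get(col.lower())
            if isinstance(val, list):          # list-valued fields become one cell
                val = ";".join(map(str, val))
            row[col] = "" if val is None else str(val)
        yield row

def apply_delta(inventory, delta_rows):
    """Fixed removes a row; New and Updated insert or overwrite non-empty fields."""
    for row in delta_rows:
        key = tuple(row[k] for k in KEY)
        if row.pop("Status", "") == "Fixed":
            inventory.pop(key, None)
        else:
            inventory.setdefault(key, {}).update({k: v for k, v in row.items() if v})
    return inventory

def to_csv(inventory):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    for key in sorted(inventory):  # cells starting = + - @ get a leading ' (formula guard)
        writer.writerow({k: ("'" + v if v.startswith(("=", "+", "-", "@")) else v)
                         for k, v in inventory[key].items()})
    return out.getvalue()

def _gz(records):  # builds the constructed sample files below
    return gzip.compress("\n".join(json.dumps(r) for r in records).encode())

# Constructed sample data (placeholder CVE ids), not real export output.
A = {"DeviceId": "d1", "DeviceName": "pc1.example.test", "SoftwareVendor": "acme",
     "SoftwareName": "=viewer", "SoftwareVersion": "1.0", "CveId": "CVE-0000-0001",
     "CvssScore": 7.5, "ExploitabilityLevel": "NoExploit", "DiskPaths": ["C:\\a", "C:\\b"]}
B = dict(A, DeviceId="d2", DeviceName="pc2.example.test", CveId="CVE-0000-0002")
FULL = _gz([A, B])
DELTA = _gz([dict(B, Status="Fixed"), dict(A, CveId="CVE-0000-0003", Status="New")])
inventory = {tuple(r[k] for k in KEY): r for r in parse_export(FULL)}
CSV_TEXT = to_csv(apply_delta(inventory, parse_export(DELTA, extra=("Status",))))
print(CSV_TEXT)
```

The download URLs returned by the file-based export stay valid for the sasValidHours window, so keep them out of logs and saved output while they are live.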
- Defender for Cloud CSV exports (alerts/recommendations only)
Defender for Cloud can export:
- Alerts to CSV via Security alerts → Download CSV report
- Recommendations to CSV via Recommendations → Download CSV report
However:
- These exports are limited by Azure Resource Graph to 25,000 rows.
- They contain alerts and recommendations, not a full per-device CVE inventory.
For a complete tenant-wide mapping of all devices to all active CVEs, use the Defender Vulnerability Management / Defender for Endpoint software vulnerabilities assessment export APIs as described above, then transform the JSON into CSV.