Protect your APIs with Defender for APIs

Defender for APIs in Microsoft Defender for Cloud offers full lifecycle protection, detection, and response coverage for APIs.

Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.

Learn more about the Microsoft Defender for APIs plan in the Microsoft Defender for Cloud.



This article describes how to enable and onboard the Defender for APIs plan in the Defender for Cloud portal. Alternately, you can enable Defender for APIs within an API Management instance in the Azure portal.

Enable the Defender for APIs plan

  1. Sign into the portal, and in Defender for Cloud, select Environment settings.

  2. Select the subscription that contains the managed APIs that you want to protect.

  3. In the APIs plan, select On. Then select Save:

    Screenshot that shows how to turn on the Defender for APIs plan in the portal.

  4. Select Save.


After enabling Defender for APIs, onboarded APIs take up to 50 minutes to appear in the Recommendations tab. Security insights are available in the Workload protections > API security dashboard within 40 minutes of onboarding.

Onboard APIs

  1. In the Defender for Cloud portal, select Recommendations.

  2. Search for Defender for APIs.

  3. Under Enable enhanced security features, select the security recommendation Azure API Management APIs should be onboarded to Defender for APIs:

    Screenshot that shows how to turn on the Defender for APIs plan from the recommendation.

  4. In the recommendation page, you can review the recommendation severity, update interval, description, and remediation steps.

  5. Review the resources in scope for the recommendations:

    • Unhealthy resources: Resources that aren't onboarded to Defender for APIs.
    • Healthy resources: API resources that are onboarded to Defender for APIs.
    • Not applicable resources: API resources that aren't applicable for protection.
  6. In Unhealthy resources, select the APIs that you want to protect with Defender for APIs.

  7. Select Fix:

    Screenshot that shows the recommendation details for turning on the plan.

  8. In Fixing resources, review the selected APIs, and select Fix resources:

    Screenshot that shows how to fix unhealthy resources.

  9. Verify that remediation was successful:

    Screenshot that confirms that remediation was successful.

Track onboarded API resources

After onboarding the API resources, you can track their status in the Defender for Cloud portal > Workload protections > API security:

Screenshot that shows how to track onboarded API resources.

You can also navigate to other collections to learn about what types of insights or risks might exist in the inventory:

Screenshot showing the overview of API collections.

Next steps

Review API threats and security posture.