The Defender Cloud Security Posture Management (CSPM) plan in Microsoft Defender for Cloud gives you a complete view of your APIs across Azure API Management, Function Apps, and Logic Apps. It helps you improve API security by finding misconfigurations and vulnerabilities. This article explains how to enable API security posture management in your Defender CSPM plan and assess your API security. Defender CSPM onboards APIs without an agent and regularly checks for risks and sensitive data exposure. It provides prioritized risk insights and mitigation through API attack path analysis and security recommendations.
Note
API discovery and security posture capabilities in Microsoft Defender for Cloud now also support Function Apps and Logic Apps. This feature is currently available in Preview.
Prerequisites
- Read about Improve your API security posture.
- You need a Microsoft Azure subscription. If you don't have one, you can sign up for a free subscription.
- Enable Defender for Cloud on your Azure subscription.
- Enable Defender Cloud Security Posture Management (CSPM) on your Azure subscription.
- The Subscription Owner must enable the CSPM plan to access all features.
- Ensure the APIs you want to protect are deployed in Azure API Management, Function Apps, or Logic Apps.
Cloud and region support
API Security Posture Management within Defender CSPM is available in the Azure commercial cloud, in the following regions:
- Asia (Southeast Asia, EastAsia)
- Australia (Australia East, Australia Southeast, Australia Central, Australia Central 2)
- Brazil (Brazil South, Brazil Southeast)
- Canada (Canada Central, Canada East)
- Europe (West Europe, North Europe)
- India (Central India, South India, West India)
- Japan (Japan East, Japan West)
- UK (UK South, UK West)
- US (East US, East US 2, West US, West US 2, West US 3, Central US, North Central US, South Central US, West Central US, East US 2 EUAP, Central US EUAP)
Review the latest cloud support information for Defender for Cloud plans and features in the cloud support matrix.
API support
Feature | Supported
---|---
Azure API Management tiers | Premium, Standard, Basic, and Developer. APIs exposed through the API Management self-hosted gateway, or managed using API Management workspaces, aren't supported.
Azure Function App hosting tiers | Premium, Elastic Premium, Dedicated (App Service), and App Service Environment (ASE). Consumption tier Function Apps aren't supported.
Azure Logic App tiers | Standard (Single-Tenant) and App Service Environment (ASE). Consumption tier Logic Apps and Azure Arc-enabled Logic Apps aren't supported.
API types | REST APIs only.
Enable API security posture management extension
- Sign in to the Azure portal.
- Search for and select Microsoft Defender for Cloud.
- Navigate to Environment settings.
- Select the relevant subscription in scope.
- Go to the Defender CSPM plan and select Settings.
- Enable API security posture management.
- Select Save.
You'll see a notification message confirming that the settings were saved successfully. Once enabled, APIs start onboarding and appear in your Defender for Cloud Inventory within a few hours.
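The portal steps above toggle one extension on the subscription's Defender CSPM pricing resource. The following script is an added example (not Microsoft's code and not part of this article) for doing the same thing, and for verifying the resulting state, through the `Microsoft.Security/pricings` resource with `az rest`. The extension names `ApiPosture` and `SensitiveDataDiscovery`, the `api-version`, and the string-typed `isEnabled` values are assumptions about the Pricings REST API; confirm them against the current REST reference before running the generated commands. The sample GET response embedded in the script is constructed. Passing `enable=False` to `toggle_api_posture` is the offboarding path described later in this article, which removes every API from the plan at once.

```python
"""Toggle and verify the API security posture extension of the Defender CSPM plan.

Added example, not Microsoft code. ASSUMPTIONS: the extension ids "ApiPosture"
and "SensitiveDataDiscovery", the api-version, and "isEnabled" being the strings
"True"/"False" come from the Pricings REST API as understood by the author of
this example; verify them against the current reference before use.
"""
import copy
import json
from typing import Optional

PRICING_NAME = "CloudPosture"    # Defender CSPM plan name in the Pricings API
API_VERSION = "2024-01-01"       # assumption: check the REST reference
API_POSTURE = "ApiPosture"       # assumption: extension id for API posture management
SDD = "SensitiveDataDiscovery"   # assumption: extension id for sensitive data discovery


def pricing_url(subscription_id: str) -> str:
    """ARM path of the subscription-level Defender CSPM pricing resource."""
    return (f"/subscriptions/{subscription_id}/providers/Microsoft.Security"
            f"/pricings/{PRICING_NAME}?api-version={API_VERSION}")


def _extension(extensions: list, name: str) -> Optional[dict]:
    """Find an extension entry by name, or None if the plan doesn't list it."""
    return next((e for e in extensions if e.get("name") == name), None)


def _is_on(ext: Optional[dict]) -> bool:
    """The service reports isEnabled as a string; compare case-insensitively."""
    return ext is not None and str(ext.get("isEnabled")).lower() == "true"


def assess(pricing: dict) -> dict:
    """Interpret a GET response.

    api_posture_enabled: plan on Standard tier AND the ApiPosture extension on.
    sensitive_data_scanned: mirrors the article's note that CSPM-onboarded APIs
    are only scanned for sensitive data when sensitive data discovery is also on.
    """
    props = pricing.get("properties", {})
    exts = props.get("extensions", [])
    cspm_on = props.get("pricingTier") == "Standard"
    api_on = cspm_on and _is_on(_extension(exts, API_POSTURE))
    return {
        "cspm_standard": cspm_on,
        "api_posture_enabled": api_on,
        "sensitive_data_scanned": api_on and _is_on(_extension(exts, SDD)),
    }


def toggle_api_posture(current: dict, enable: bool) -> dict:
    """Build a PUT body from the current pricing, changing only ApiPosture.

    Other extensions are copied through unchanged so a PUT doesn't silently
    reset them. Read-only properties from the GET response are dropped.
    """
    exts = copy.deepcopy(current.get("properties", {}).get("extensions", []))
    ext = _extension(exts, API_POSTURE)
    if ext is None:
        ext = {"name": API_POSTURE}
        exts.append(ext)
    ext["isEnabled"] = "True" if enable else "False"
    return {"properties": {"pricingTier": "Standard", "extensions": exts}}


def az_rest_commands(subscription_id: str, body: dict) -> list:
    """Return the GET and PUT commands a practitioner would run (not executed here)."""
    url = pricing_url(subscription_id)
    return [
        f"az rest --method get --url '{url}'",
        f"az rest --method put --url '{url}' --body '{json.dumps(body)}'",
    ]


# Constructed sample GET response: CSPM is on, sensitive data discovery is on,
# but API posture management has not been enabled yet.
SAMPLE_GET_RESPONSE = {
    "name": PRICING_NAME,
    "properties": {
        "pricingTier": "Standard",
        "extensions": [
            {"name": SDD, "isEnabled": "True"},
            {"name": API_POSTURE, "isEnabled": "False"},
        ],
    },
}

if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id
    print("current state:", assess(SAMPLE_GET_RESPONSE))
    body = toggle_api_posture(SAMPLE_GET_RESPONSE, enable=True)
    print("after toggle:", assess(body))
    for cmd in az_rest_commands(sub, body):
        print(cmd)
```

Run the GET command first and feed its JSON to `toggle_api_posture` rather than hand-writing the body, so that extensions you didn't intend to change keep their current state.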
View API inventory
APIs onboarded to the Defender CSPM plan appear in the API security dashboard under Workload protection and Microsoft Defender for Cloud Inventory.
Navigate to the Cloud Security section of the Defender for Cloud menu and select API security under Advanced Workload protections.
The dashboard shows the number of onboarded APIs, broken down by API collections, endpoints, and Azure API Management services. It also summarizes which APIs are onboarded to the Defender for APIs workload protection plan for threat detection coverage.
To see APIs onboarded to the Defender CSPM plan for posture protection, apply the filter Defender plan == Defender CSPM.
Drill down into the API collection details page to review security findings for specific API operations. These are visible in the side context pane when you select an API operation of interest.
API endpoint detailed findings
Sensitive Information Type: Provides details on the sensitive information exposed in API URL paths, query parameters, request bodies, and response bodies based on supported data types, along with the source of the information type found.
Additional Information: In the case of API response bodies, this shows which HTTP response codes contained sensitive information (such as 2xx, 3xx, 4xx).
Review API security posture findings along with your API inventory in the Microsoft Defender for Cloud Inventory experience.
Note
Sensitive data exposure won't be scanned if the sensitive data discovery extension is turned off. Enable sensitive data discovery to scan for sensitive information in your APIs. This setting only affects APIs onboarded to the Defender CSPM plan. If you have the Defender for APIs workload protection plan enabled on the same APIs, they will still be scanned for sensitive data.
Investigate API security recommendations
API endpoints are continuously assessed for misconfigurations and vulnerabilities, including authentication flaws and inactive APIs. Security recommendations are generated with associated risk factors like external exposure and data sensitivity risks. The importance of the security recommendations is calculated based on these risk factors. Learn more about risk-based security recommendations.
To investigate your API security posture recommendations:
- Navigate to the Defender for Cloud main menu and select Recommendations.
- Use the Group by Title toggle to organize recommendations.
- Apply filters to narrow down API-related recommendations. Filter by Resource Type (e.g., API Management Operation or API Endpoint), or filter by Recommendation Name to target specific API security issues.
To explore the full list of API-related recommendations, see the APIs section in the Defender for Cloud recommendation reference guide.
Explore API risks and remediate with attack path analysis
The cloud security explorer helps you identify potential security risks in your cloud environment by querying the cloud security graph.
- Sign in to the Azure portal.
- Navigate to Microsoft Defender for Cloud > Cloud Security Explorer.
- Use the built-in query template to quickly identify APIs with security insights.
- Alternatively, build a custom query with Cloud Security Explorer to find API risks and see API endpoints connected to backend compute or data stores. For example, you can see API endpoints routing traffic to virtual machines with remote code vulnerabilities.
Attack path analysis in Defender for Cloud addresses security issues that pose immediate threats to your cloud applications and environments. Identify and remediate API-led attack paths to address the API risks that pose the greatest threat to your organization.
- In the Defender for Cloud menu, go to Attack path analysis.
- Filter by resource type API Management operation to investigate API-related attack paths.
- View the security recommendations for your API endpoints in scope and remediate the recommendations to protect your APIs from high-risk attack surfaces.
Offboard API security posture protection
APIs that are part of the Defender CSPM plan can't be offboarded individually. If you want to offboard all APIs from the Defender CSPM plan, go to the Defender CSPM Plan Settings page and disable the API posture extension.
Related content
- Monitor for API threats using Defender for APIs Workload Protection.