Elisity supports simple API connectivity to Microsoft Defender as a method to enrich IT device discovery and identity. This enables asset data from Microsoft Defender to be imported into IdentityGraph for all assets that appear on your Elisity-secured network. This enhances the precision and effectiveness of asset classification.
Prerequisites
- Microsoft Defender Tenant ID
- Microsoft Defender App ID
- Microsoft Defender App Secret
Steps to Connect Microsoft Defender
Step 1. Access the Enterprise Application Registration page in Microsoft Entra.
Step 2. Click on the New Registration button.
Step 3. Enter a name for the Application: Elisity CCC Defender API Access
Step 4. Select Accounts in this organization only
Step 5. Enter https://portal.azure.com as the Redirect URI. This is only used as a redirect for the application authorization for your Entra tenant. Click Register.
Step 6. After the application is created, navigate to the API Permissions link in the left panel and click on the Add Permission button.
Step 7. Click on the APIs My Organization Uses tab and search for "WindowsDefenderATP".
Step 8. Click on "WindowsDefenderATP" in the list. In the new panel, select Application Permissions, then search for "Machine".
Step 9. Click the dropdown arrow beside "Machine", then click the checkbox beside "Machine.Read.All" as shown in the image below.
Step 10. After clicking the Add Permissions button, ensure you select "Grant Admin Consent for {Organization}" to complete the permissions grant process.
Step 11. Navigate to the Certificates & Secrets panel in the left side menu.
Step 12. Make sure the Client Secrets pane is selected, then click on the +New client secret button.
Step 13. Enter "Elisity CCC Defender Connector" as the description for the client secret and choose a suitable expiration interval based on your organization's policies for API credential rotation.
Step 14. After the client credential is created, be sure to copy the "Value" field, as it will not be displayed again after navigating away from this page. An example of a successfully created credential screen is shown below.
Step 15. Navigate to the Overview page in the left side menu.
Step 16. Note the "Application (client) ID" and "Directory (tenant) ID", as these will be used with the Client Secret from above to authenticate Elisity CCC for API access.
Step 17. Lastly, the application must be authorized in Entra. Navigate to the following URL while logged in as an Entra Administrator:
https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
where 00000000-0000-0000-0000-000000000000 is the Client ID from the overview page above.
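An added example, not Elisity's code, to check the app registration from Steps 1-17 before entering it in Cloud Control Center: it requests an app-only token, confirms the token carries the Machine.Read.All role granted in Steps 9-10, and lists one machine. The login and API hosts per tenant type (the choice you make in Step 20) are assumed from Microsoft's public documentation and should be verified for your cloud.

```python
"""Pre-flight check for the Entra app registration used by the Elisity Defender connector.
Added example, not Elisity's code. Usage: python check_defender_app.py <tenant type> <tenant id> <app id> <app secret>"""
import base64, json, sys, urllib.parse, urllib.request

# Login authority and Defender for Endpoint API host per tenant type.
# Assumed from Microsoft's public documentation; verify these for your cloud.
CLOUDS = {
    "Commercial": ("https://login.microsoftonline.com", "https://api.securitycenter.microsoft.com"),
    "GCC":        ("https://login.microsoftonline.com", "https://api-gcc.securitycenter.microsoft.us"),
    "GCC High":   ("https://login.microsoftonline.us",  "https://api-gov.securitycenter.microsoft.us"),
}
REQUIRED_ROLE = "Machine.Read.All"   # the application permission selected in Step 9

def token_roles(jwt: str) -> list:
    """Return the 'roles' claim of an app-only access token.
    Decodes the payload only; no signature check is needed here because the token
    was just received over TLS from the issuer and is only being inspected, not trusted."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)            # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("roles", [])

def missing_roles(jwt: str, required=(REQUIRED_ROLE,)) -> list:
    """Roles that admin consent (Step 10) should have granted but the token lacks."""
    present = set(token_roles(jwt))
    return [r for r in required if r not in present]

def get_token(tenant_type: str, tenant_id: str, app_id: str, app_secret: str) -> str:
    """Client-credentials grant against the v2.0 token endpoint for the chosen cloud."""
    login, api = CLOUDS[tenant_type]
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": app_id,
        "client_secret": app_secret, "scope": api + "/.default"}).encode()
    req = urllib.request.Request(f"{login}/{tenant_id}/oauth2/v2.0/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def machine_count(tenant_type: str, jwt: str) -> int:
    """Fetch a single page of one machine to prove the permission works end to end."""
    api = CLOUDS[tenant_type][1]
    req = urllib.request.Request(api + "/api/machines?$top=1",
                                 headers={"Authorization": "Bearer " + jwt})
    with urllib.request.urlopen(req) as resp:
        return len(json.load(resp)["value"])

if __name__ == "__main__":
    ttype, tid, aid, secret = sys.argv[1:5]
    tok = get_token(ttype, tid, aid, secret)
    lacking = missing_roles(tok)
    print("missing roles:", lacking or "none", "| machines returned:", machine_count(ttype, tok))
```

If "missing roles" lists Machine.Read.All, admin consent in Step 10 was not completed; if the token is fine but the machines call returns 401 or 403, the tenant type or API host does not match your Defender subscription.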
Steps in Cloud Control Center
Step 18. Log into Elisity Cloud Control Center and navigate to Settings > Connectors and select + Add Connector button.
Step 19. A list of tiles will slide out from the right side of the screen. Select configure on the Microsoft Defender connector.
Step 20. Input the Tenant ID, the App ID and the App Secret. Select the Tenant Type - see the table below for details.
| Tenant Type | Details |
|---|---|
| Commercial | Connects to standard Microsoft Defender for Endpoint tenants in the commercial cloud. Select this for most Microsoft 365 and Azure environments. |
| GCC | Connects to Defender for Endpoint tenants hosted in the U.S. Government Community Cloud (GCC) using dedicated API endpoints. Select this if your Defender subscription is in GCC. |
| GCC High | Connects to Defender for Endpoint tenants hosted in the U.S. Government Community Cloud High (GCC High) using the corresponding API endpoints. Select this if your Defender subscription is in GCC High. |
Step 21 (optional). Configure advanced settings for the Microsoft Defender connector.
Advanced Settings
The Advanced Settings tab exposes connector-level tuning options that control how Cloud Control Center queries the connector, how learned data is retained, and how the connector's data is used by IdentityGraph and Insights.
The following chart provides details about each advanced setting.
| Setting | Description |
|---|---|
| Global Timer | The frequency at which Cloud Control Center queries the connector for updates. From 1 to 168 hours. Default is 24 hours. |
| Initial Delay | The delay in seconds before Cloud Control Center initiates the first query to the connector after initially discovering a new device. Default is 0 seconds. |
| Connector Data Purging | When enabled, Cloud Control Center purges all data learned about a device from this connector if the device is no longer found when querying the connected application. The time period between purge events is configurable from 1 to 90 days. The connector status will change from "Up to Date" to "Stale" if the device is no longer known by the connector but prior to the purge event. |
| Query Exclusion Rules | Limit the scope of Cloud Control Center queries by excluding specific Subnets or Virtual Edge Nodes, and by enabling or disabling the querying of devices with Random MAC addresses. |
| Enrichment Lookback Window | Defines how far back IdentityGraph looks for device activity when determining a device's eligibility for enrichment from this connector. Devices whose last seen timestamp falls within the configured window are eligible for enrichment; devices outside the window are not. Increasing this value may improve enrichment coverage for environments with infrequently connected devices (servers, OT systems, remote assets) but can increase processing load. Available values: 1 hour, 1 day, 3 days (default), 7 days, 30 days, 90 days. |
| Trusted Connector | Controls whether Insights uses data from this connector when generating recommended Policy Groups. When enabled, device attributes from this connector are eligible to inform Insights' Policy Group recommendations. When disabled, Insights ignores this connector as a source for recommendations. Note: This setting only affects Insights recommendations. It does not change device verification status, trust attributes, or how the connector's data is used elsewhere in the platform. |
Step 22. If all of the required connector values are correct, all checks will pass and the connector will be created.
After successfully configuring the Microsoft Defender connector, you should begin to see newly discovered assets enriched with data from Microsoft Defender in IdentityGraph. Any devices learned by Elisity before the connector was configured will be automatically scheduled for enrichment during the next 24-hour cycle, based on their attachment timestamp. Alternatively, you can force a refresh by selecting the refresh button next to the Microsoft Defender name under the Trust Attributes section of IdentityGraph.
Connector Status
The connector status reflects its health and availability based on recent query performance. To ensure accuracy and reduce false positives, the status is determined using a rolling 15-minute evaluation window.
Connector Status Levels:
- Active: Normal operation with minimal query failures.
- Degraded: Increased query failures detected, but the connector is still operational.
- Inactive: The connector is unresponsive due to persistent failures.
Failures are defined as unsuccessful query responses, and the platform continuously monitors performance to update the status accordingly. These status changes are visible in the UI, event logs, and notifications pane for better troubleshooting. Email alerts can also be configured for connector status changes.
If the connector has not been queried within the evaluation window, the last known status is retained. This approach ensures reliable status reporting and helps identify potential issues before they impact operations.
Leveraging Microsoft Defender with Elisity
When Elisity discovers a new asset on the network and the Microsoft Defender connector is active, Cloud Control Center queries the Microsoft Defender platform via API for additional device attributes in order to enrich IdentityGraph. This enriched data is displayed in the IdentityGraph tab of the device and can be leveraged in Policy Group definition.
If a device discovered by Elisity is also known in Microsoft Defender, the Trust Attribute flag for "Known in Microsoft Defender" will be set to Yes. You can then leverage this trust attribute as match criteria in Policy Group definition.
To learn more about how to leverage IdentityGraph Trust Attributes, review the Leveraging Trust Attributes for Policy Group Definition article.