Connect Microsoft Defender for IoT

Elisity now integrates with Microsoft Defender for IoT to enhance device discovery and asset intelligence for IoT and OT environments. This integration automatically synchronizes device information, vulnerabilities, and security insights from Defender for IoT sensors into the IdentityGraph, providing enriched context for policy decisions. Organizations using Microsoft's IoT security platform can now leverage this data to strengthen their zero-trust segmentation strategies across operational technology networks.

The Microsoft Defender for IoT integration enables Elisity to automatically enrich devices with critical OT/IoT intelligence including vendor information, device types, firmware versions, industrial protocols, and authorization status. This eliminates manual device classification effort and enables policy-based segmentation decisions based on real-time device context from Defender sensors.

How It Works

Unlike traditional cloud-based integrations, this connector uses a "Local Virtual Edge" architecture where Virtual Edge devices query on-premise Defender sensors on behalf of IdentityGraph. This design keeps sensitive sensor data within your internal network without requiring internet exposure or API gateway deployment. IdentityGraph coordinates enrichment tasks through a Task Broker service, which directs Virtual Edges to query the appropriate sensors based on Site Label mappings.

Key Benefits

Automated Device Classification: Defender identifies device types (PLCs, HMIs, RTUs, IP cameras, etc.) and Elisity uses this for automatic policy group assignment.
Vendor and Model Intelligence: Leverage Defender's device fingerprinting for vendor-specific policies (e.g., "Rockwell PLCs").
Firmware Tracking: Identify vulnerable devices needing updates and segment by patch level.
Protocol Visibility: Create policies based on industrial protocol usage (Modbus, BACnet, etc.) detected by Defender.
Rogue Device Detection: Automatically quarantine devices marked as unauthorized by Defender.
No Internet Exposure: Sensors remain internal; Virtual Edges handle queries over your existing network infrastructure.
Scalable: Supports up to 100 sensors with up to 8,000 devices per sensor.

Prerequisites

  • Elisity Cloud Control Center version 16.14.0 or higher
  • Virtual Edge version 16.13.0 or higher
  • Microsoft Defender for IoT with sensor-based deployment (not cloud-only)
  • Administrative access to Defender for IoT sensor management console
  • Network connectivity from Virtual Edges to Defender sensors on port 443 (HTTPS)
  • Configured Site Labels in Elisity topology
  • Super Admin or Tenant Admin role in Cloud Control Center

Design Considerations

Review these deployment requirements and constraints before configuring the integration.

Critical Constraints: Virtual Edges that query on-premise sensors require a dedicated Virtual Edge group, with at least one dedicated Virtual Edge per Site Label. Virtual Edges must be deployed locally at monitored sites or otherwise have IP connectivity to the sensor. Site Labels must not overlap between sensors. Maximum 8,000 devices per sensor.

Deployment Requirements

Virtual Edge Deployment: Virtual Edges that query on-premise sensors require a dedicated Virtual Edge group (with no VENs being managed).
Virtual Edges per Site: One VE per Site Label only.
Virtual Edge Location: Must be in the same Site Label as the devices.
Site Label Overlap: No overlap; the same Site Label cannot be used across multiple sensors.
Scale per Sensor: 8,000 devices maximum.
Total Sensors Supported: 100 sensors maximum.

Planning Checklist

Infrastructure Requirements: Calculate total Virtual Edge groups needed (one per sensor). Provision dedicated VE infrastructure at each site where sensors are deployed. Ensure sufficient resources for VE deployments handling up to 8,000 devices.

Site Label Design: Map each sensor to unique Site Label(s). Verify no Site Label is assigned to multiple sensors. Document sensor-to-Site Label mappings for reference.

Scale Validation: Count devices monitored by each sensor. If any sensor monitors more than 8,000 devices, contact Elisity for architecture review. If total deployment exceeds 100 sensors, contact Elisity for scale planning.

Support for shared Virtual Edge groups, multiple VEs per site, and remote datacenter VE deployment is planned for a future release.
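
As an added example (not part of this article and not Elisity tooling), the following Python script checks a planned sensor-to-Site Label mapping against the constraints in this checklist: no Site Label shared between sensors, at most 8,000 devices per sensor, at most 100 sensors, and a dedicated Virtual Edge group for every mapped Site Label. The plan dictionaries and the sample sensor names and counts are assumptions constructed for the example.

```python
# Added example (not Elisity tooling): checks a planned sensor-to-Site Label
# mapping against the constraints stated for this connector. The plan format
# (plain dicts) and the sample values below are assumptions for the example.
MAX_DEVICES_PER_SENSOR = 8000  # scale limit per sensor
MAX_SENSORS = 100              # total sensors supported

def validate_plan(sensors, ve_groups):
    """Return a list of findings; an empty list means the plan is valid.

    sensors:   [{"name": str, "site_labels": [str], "device_count": int}]
    ve_groups: [{"name": str, "site_label": str, "dedicated": bool}]
    """
    findings = []
    if len(sensors) > MAX_SENSORS:
        findings.append(f"{len(sensors)} sensors exceeds the {MAX_SENSORS}-sensor "
                        "limit; contact Elisity for scale planning")
    label_owner = {}  # Site Label -> sensor that claims it
    for sensor in sensors:
        name = sensor["name"]
        if sensor["device_count"] > MAX_DEVICES_PER_SENSOR:
            findings.append(f"{name}: {sensor['device_count']} devices exceeds "
                            f"{MAX_DEVICES_PER_SENSOR} per sensor; request an architecture review")
        if not sensor["site_labels"]:
            findings.append(f"{name}: no Site Label mapped, so no Virtual Edge will query it")
        for label in sensor["site_labels"]:
            if label in label_owner:
                findings.append(f"Site Label {label} assigned to both {label_owner[label]} "
                                f"and {name}; a Site Label may map to only one sensor")
            else:
                label_owner[label] = name
    # Every Site Label mapped to a sensor needs its own dedicated VE group.
    dedicated = {g["site_label"] for g in ve_groups if g["dedicated"]}
    for label, owner in label_owner.items():
        if label not in dedicated:
            findings.append(f"Site Label {label} ({owner}): no dedicated Virtual Edge group")
    return findings

# Constructed sample plan with one of each violation (not real infrastructure).
SAMPLE_SENSORS = [
    {"name": "sensor-building-a", "site_labels": ["Building-A"], "device_count": 1200},
    {"name": "sensor-building-b", "site_labels": ["Building-B", "Building-A"],
     "device_count": 9500},  # over the per-sensor limit and reuses Building-A
    {"name": "sensor-plant-1", "site_labels": [], "device_count": 300},  # unmapped
]
SAMPLE_VE_GROUPS = [
    {"name": "ve-group-a", "site_label": "Building-A", "dedicated": True},
    {"name": "ve-group-b", "site_label": "Building-B", "dedicated": False},  # shared
]

if __name__ == "__main__":
    for finding in validate_plan(SAMPLE_SENSORS, SAMPLE_VE_GROUPS) or ["plan OK"]:
        print(finding)
```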

Before You Begin

Inventory Your Defender Sensors: Document how many sensors are deployed and which sites or facilities each sensor monitors.

Plan Virtual Edge Deployment: Identify or provision dedicated Virtual Edge groups for each Defender sensor. Ensure each VE group is dedicated solely to Defender for IoT enrichment and does not share resources with other connectors or services.

Map Sensors to Site Labels: Identify which Site Label(s) in your Elisity topology correspond to the devices monitored by each Defender sensor. Each sensor endpoint will be mapped to one or more Site Labels to determine query routing. Remember that each Site Label can only be assigned to one sensor endpoint.

Verify Network Connectivity: Confirm that Virtual Edges in each Site Label can reach the corresponding Defender sensor on port 443. Test connectivity using: curl -k https://<sensor-ip-or-hostname>/api/v1/devices

Prepare for Multi-Sensor Configuration: If you have multiple sensors, note that each sensor requires a unique API token and separate endpoint configuration. Plan to configure sensors systematically, optionally starting with a pilot sensor before expanding to all sensors.

Certificate validation is disabled in version 16.14.0: Virtual Edges accept self-signed certificates and certificates from internal Certificate Authorities without requiring certificate import. Because the sensor's certificate is not verified, the Virtual Edge does not authenticate the sensor it connects to, so the network path between Virtual Edges and sensors should be protected by your existing network controls.

Configuration

This section walks you through configuring the Microsoft Defender for IoT connector in Cloud Control Center. The integration requires generating API tokens from each Defender sensor and configuring endpoints in Elisity.

Step 1: Generate API tokens in Microsoft Defender for IoT

You must generate a unique API token for each Defender for IoT sensor in your deployment.

  1. Access the local sensor management console by navigating to https://<sensor-ip-or-hostname> in your web browser.
  2. Log in with administrative credentials.
  3. Navigate to System Settings in the left sidebar menu.

Sensor Admin Portal - System Settings

  4. Click Access Tokens (or API Tokens, depending on your sensor version).

Access Tokens Menu

  5. Click Generate New Token or Create API Token.
  6. Configure the token settings: give it a descriptive name such as "Elisity IdentityGraph Integration", select Device Inventory Read or an equivalent read-only permission, and choose a token validity period if applicable.
  7. Click Generate or Create.
  8. Copy the token immediately and store it securely. Most Defender versions display the token only once; it cannot be retrieved later.

Sensor Admin Portal - Access Token Created

  9. Repeat these steps for each Defender sensor in your deployment.

When configuring multiple sensors, you may find it helpful to document the sensor-to-token mapping in a spreadsheet (token names and sensors, not the token values, which belong in your secrets store) before proceeding to Cloud Control Center configuration.

Step 2: Add Microsoft Defender for IoT connector and configure sensor endpoints

Log into Cloud Control Center and navigate to IdentityGraph > Connectors. Click + ADD CONNECTOR and select Microsoft Defender for IoT from the connector type list.

Cloud Control Center - Add Microsoft Defender for IoT Connector

After selecting the connector type, you are taken directly to the sensor endpoint configuration. Each Defender sensor requires a separate endpoint configuration.

  1. In the connector configuration page, locate the Endpoints section and click + ADD SENSOR.

Cloud Control Center - Add Sensor Button

  2. In the Add Sensor dialog, configure the endpoint settings:

  • Endpoint URL: Enter the sensor's base URL in the format https://<sensor-ip-or-hostname>. Examples: https://192.168.100.50 or https://sensor-building-a.company.com
  • API Token: Paste the token generated in Step 1 for this sensor
  • Site Labels: Select one or more Site Labels where this sensor's monitored devices exist. Choose Site Labels that match the network locations of devices monitored by this sensor. Do not assign the same Site Label to multiple endpoints. An endpoint can be assigned to multiple Site Labels if a sensor monitors devices across multiple network locations.
  • Description (optional): Enter a description such as "Building A Sensor" to identify the sensor location

  3. Click VALIDATE to test connectivity. The validation process verifies that the Virtual Edge can reach the sensor endpoint, tests API token authentication, and confirms the sensor responds with valid device data.
  4. If validation succeeds with a green checkmark, click SAVE to add the endpoint.

Cloud Control Center - Sensor Added Successfully

  5. To add additional sensors, click + ADD SENSOR again and repeat these steps for each sensor in your deployment.

Validation Results

Success: Endpoint is configured correctly and ready to use.
401 Unauthorized: API token is invalid or lacks permissions.
Connection Timeout: Virtual Edge cannot reach the sensor (check network connectivity).
404 Not Found: URL is likely incorrect.

For large deployments with many sensors, configure endpoints systematically. Consider starting with one pilot sensor, verifying that enrichment works correctly, then adding remaining sensors incrementally.
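
The following Python script, added here as an example (it is not from this article or from the connector itself), runs the connectivity test from Before You Begin against each configured sensor and maps the outcome to the validation statuses above. It assumes the sensor reads the API token from an Authorization header and that /api/v1/devices returns a JSON body; neither detail is stated in this article.

```python
# Added example (not Elisity tooling): reproduces the article's curl test
# against each sensor and maps the outcome to the Validation Results statuses.
# Assumptions not stated in the article: the sensor reads the API token from
# an "Authorization" header, and /api/v1/devices answers with a JSON body.
import json
import socket
import ssl
import urllib.error
import urllib.request

DEVICES_PATH = "/api/v1/devices"  # path used by the article's curl test

def classify(outcome):
    """Map an HTTP status code or a raised exception to a validation status."""
    if isinstance(outcome, int):
        return {200: "Success", 401: "401 Unauthorized",
                404: "404 Not Found"}.get(outcome, f"HTTP {outcome}")
    if isinstance(outcome, urllib.error.HTTPError):
        return classify(outcome.code)
    if isinstance(outcome, (socket.timeout, TimeoutError)):
        return "Connection Timeout"
    if isinstance(outcome, urllib.error.URLError):
        # urlopen wraps connect-phase failures, timeouts included, in URLError
        if isinstance(outcome.reason, (socket.timeout, TimeoutError)):
            return "Connection Timeout"
        return f"Connection Error: {outcome.reason}"
    return f"Error: {outcome!r}"

def probe_sensor(base_url, token, ca_bundle=None, verify=True, timeout=10):
    """Query one sensor the way the connector's VALIDATE step does.

    verify=False mirrors `curl -k` (and the 16.14.0 connector, which does not
    validate certificates); pass ca_bundle to trust an internal CA instead.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(base_url.rstrip("/") + DEVICES_PATH,
                                 headers={"Authorization": token})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            try:
                json.loads(resp.read())  # VALIDATE also expects device data back
            except ValueError:
                return "Unexpected Response: body is not JSON"
            return classify(resp.status)
    except OSError as exc:  # URLError, HTTPError and socket errors are OSErrors
        return classify(exc)

def probe_all(endpoints, **kwargs):
    """endpoints: [{"url": str, "token": str}] -> {url: validation status}."""
    return {e["url"]: probe_sensor(e["url"], e["token"], **kwargs)
            for e in endpoints}
```

Run probe_all over your sensor list from a host in the same Site Label as the Virtual Edge, so that the result reflects the path the Virtual Edge will actually use.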

Step 3 (optional): Configure advanced settings

Advanced settings allow you to customize connector behavior, though most deployments can use default values.

In the connector configuration page, expand Advanced Settings and review the available options:

  • Query Exclusion Rules: Filter devices from enrichment based on subnet exclusions, MAC pattern exclusions, or VEN exclusions. Leave empty to enrich all discovered devices.
  • Connector Data Purging: Configure how long to retain enrichment data for devices no longer seen by sensors. The default settings are appropriate for most deployments.
  • Initial Delay: Set the delay before the first query after connector activation. Defaults to 0 seconds.

Modify settings only if your deployment has specific requirements, then click SAVE if changes were made.

Step 4: Verify connector activation

After adding all sensor endpoints, the connector begins its first refresh cycle immediately. Navigate to IdentityGraph > Connectors to view connector status and verify the connector status shows Active (green). Click the connector name to view per-endpoint status details. All endpoints should show Active status with recent refresh timestamps within the configured refresh interval (default: 3 minutes). If any endpoints show Inactive or Degraded status, proceed to the Troubleshooting section for resolution steps.

Verify the Integration

After configuring the connector, verify that enrichment is working correctly by checking device enrichment data.

View Enriched Device Data

Navigate to IdentityGraph > Devices and select a device that is monitored by one of your Defender for IoT sensors. Click the device to view its details page and scroll to the Connectors or Enrichment Data section. Locate the Microsoft Defender for IoT section and verify that attributes are populated with data from Defender.

Cloud Control Center - Enriched Device with Defender for IoT Data

The Microsoft Defender for IoT section displays enrichment data including vendor information, device type, operating system, firmware version, detected protocols, authorization status, and other attributes collected by the Defender sensor. Check the Last Updated timestamp to confirm recent enrichment.

Understanding Enrichment Behavior

Site Label-Based Enrichment: Devices are enriched by the sensor endpoint mapped to their Site Label. When a Virtual Edge reports a device in Site Label "Building-A", IdentityGraph queries the Defender sensor endpoint configured for "Building-A". This architecture ensures devices are always enriched by the appropriate local sensor monitoring their network location.

Automatic Enrichment: Enrichment occurs automatically on a 3-minute refresh cycle (default). When a new device is discovered by a Virtual Edge, IdentityGraph immediately queries the corresponding Defender sensor to retrieve device attributes. No manual intervention is required.

Manual Refresh (optional): On the device details page, you can manually trigger enrichment by clicking Refresh Now or Refresh Enrichment. The system creates a high-priority enrichment task and enrichment should complete within 5-30 seconds depending on sensor response time. Verify that the Last Updated timestamp changes to the current time to confirm the refresh succeeded.

Troubleshooting

401 Unauthorized: API token is invalid, expired, or lacks permissions. Verify the token was copied correctly. Log into the Defender sensor console and verify the token exists with device inventory read access. Generate a new API token, update the connector endpoint configuration, then click Validate and Save.

Connection Timeout: Virtual Edge cannot reach the sensor. Verify the sensor URL is correct and the sensor is online. Test connectivity manually: curl -k https://<sensor-ip-or-hostname>/api/v1/devices. Check that firewall rules allow traffic on port 443. Verify DNS resolution if using a hostname. Review Virtual Edge logs at /var/log/elisity/ve-connector-service.log.

Connector Status Degraded: Some sensor endpoints are working while others are failing. Click the connector name to view per-endpoint status details. Identify which endpoints show Inactive or error status. Review error messages for each failing endpoint and troubleshoot individually using the steps for specific error types. Working endpoints continue enriching devices during troubleshooting.

Device Not Enriched: Device is not receiving enrichment data. Verify the device exists in the Defender sensor with a MAC address (required for matching). Confirm the device is in a Site Label with a configured endpoint. Check that the Virtual Edge reporting the device is assigned to the correct Site Label. Verify the connector status is Active. Review query exclusion rules to ensure the device is not being filtered. Try a manual refresh on the device to trigger immediate enrichment.

No Virtual Edge Available: No Virtual Edge can execute enrichment tasks. Verify Virtual Edges are online in the Site Label assigned to the endpoint. Confirm Virtual Edges are running version 16.13.0 or higher. Check Virtual Edge Task Broker connectivity. Review Virtual Edge logs for Task Broker connection errors at /var/log/elisity/ve-connector-service.log. Restart the Virtual Edge service if needed. Verify the Site Label configuration in topology matches the endpoint configuration.

Slow Enrichment: Enrichment tasks are queuing or processing slowly. Check Virtual Edge CPU and memory utilization. Verify sensor response times are normal. Review Task Broker queue depth (contact Elisity Support). Consider deploying a dedicated Virtual Edge for the enrichment workload. Check network latency between the Virtual Edge and the sensor. Verify no competing workloads on the Virtual Edge are consuming resources.

Maintenance Tasks

Rotating API Tokens

API tokens should be rotated periodically as part of security best practices. Recommended schedule: Every 90-180 days or per your organization's security policy.

Process: Log into the Defender sensor management console and navigate to System Settings then Access Tokens. Generate a new API token with the same permissions and copy the new token. In Cloud Control Center, navigate to the connector configuration and edit the affected endpoint. Replace the old token with the new token, click Validate to confirm connectivity, then click Save. Verify endpoint status returns to Active within one refresh cycle.

For deployments with multiple sensors, rotate tokens one sensor at a time to avoid full enrichment outage.

Updating Sensor Network Information

If a Defender sensor's IP address or hostname changes, navigate to the connector configuration in Cloud Control Center and edit the affected endpoint. Update the Endpoint URL with the new address, click Validate to test connectivity, then click Save. Verify endpoint status shows Active. No API token change is needed unless the token was also regenerated.

Removing Decommissioned Sensors

When a Defender sensor is permanently removed from your deployment, navigate to the connector configuration and locate the endpoint for the decommissioned sensor. Click Delete or Remove Endpoint, confirm the deletion, and click Save. Devices previously enriched by that sensor will retain cached data but will not receive updates. Consider reassigning those devices to a different sensor's monitoring zone if continued enrichment is needed.

Best Practices

Plan Infrastructure Before Deploying: Provision dedicated Virtual Edge groups for each Defender sensor before beginning configuration. Ensure sufficient Virtual Edge resources are available to support your sensor deployment without sharing VE groups across connectors or services.

Start with a Pilot Sensor: For large deployments with many sensors, configure one endpoint first. Verify enrichment works correctly for one week before adding remaining sensors.

Document Sensor-to-Site Label Mappings: Maintain documentation showing which Defender sensor monitors which Site Labels. This is critical for troubleshooting and for planning sensor additions or changes.

Monitor Virtual Edge Resource Utilization: After deployment, monitor CPU and memory usage on Virtual Edges handling enrichment tasks. Set alerts for utilization exceeding 80%.

Establish Token Rotation Schedule: Create a schedule for rotating API tokens every 90-180 days. Document procedures and ensure multiple team members can perform the task.

Test Connectivity Before Saving: Always use the Validate button when adding or modifying endpoints. This catches configuration errors before they impact enrichment.

Configure Endpoints Systematically: For multi-sensor deployments, develop a systematic approach to configuration. Consider configuring sensors in batches by geographic region or facility type.

Review Advanced Settings Carefully: Leave advanced settings at default values unless you have specific requirements. Query exclusion rules and custom refresh intervals should only be modified after understanding their impact on enrichment behavior.
