Microsoft Defender for Identity is a cloud-based security solution that provides identity monitoring across your organization. Defender for Identity is fully integrated with Microsoft Defender XDR, and leverages signals from both on-premises Active Directory and cloud identities to help you better identify, detect, and investigate advanced threats directed at your organization. For detailed information, please refer to the Microsoft’s official documentation.

Integration Method: API

Tables: User Inventory Info (5003)

This integration supports the following type of events.

This integration supports the following versions.

Note:

Microsoft Defender for Identity is a continuously updated cloud service. As for this document preparation, the latest release was in March 2025.

Prerequisites

• The user should have access to the Azure portal with an account that has the Global Administrator privilege. 

• The user should have access to the DataBee console.

Configuration Overview

1. Create an application with required permissions to fetch the data.

2. Create Microsoft Defender for Identity Data Feed in the DataBee console with the required Client credentials.

   DataBee Parameter	Azure Parameter
   Client Key	Application (Client) ID
   Client Secret	Client Secret Value
   Token URL(<application_id>)	Directory (Tenant) ID

Azure Configuration

Create an application

1. Log on to Azure portal with an account that has the Global Administrator privilege.  

2. In the search bar, search for App Registrations and select it.
    

3. On the “App registrations” page, click New registration. The “Register an application” window will open.  
    

4. On the “Register an application” window: 

   1. Under ‘Name’, enter your Application Name then click on Register to create the application.
       

5. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.
     

Add Endpoint Access

Once the application is created, two permissions should be provided to fetch data. The appropriate permissions for the application are needed to access these endpoints. The following section details how to configure and add permissions to the required endpoints.  

Add Permissions  

From the Azure Active Directory portal:  

1. Select the application registered in the previous step.

2. Under Manage, click API Permissions and then click Add a Permission, the ‘Request API permissions’ window will appear. 
    

3. On “Request API permissions” window, Click on Microsoft APIs then on Microsoft Graph.
    

4. Click on Application Permissions.
    

5. The following permissions need to be granted for the endpoint to function properly: 

   Event	Type	Permission
   Users	Application	AuditLog.Read.All
   Users	Application	User.Read.All

6. In the Select permissions search bar, enter the permissions shown above, and check the box to include them. 
    

7. Click the Add permissions button after selecting all required permissions.
    

8. On the “API permissions” page, click Grant Admin Consent for <tenant>. 
    

9. Click the Yes button on the consent confirmation.
    

10. The necessary permissions have now been added for the endpoints. After this step, the permissions should include at least the minimum required permissions shown in the screenshot below.
     

Create the Client Secret

The final step to accessing the APIs is creating a Client Secret. To create it from the Azure Portal:  

1. Select the application created above.

2. Under Manage, Click Certificates & Secrets, and then Client Secrets. 
    

3. Click New client secret. Then “Add a client secret” window appears. 
    

4. On “Add a client secret” window:

   1. Enter a ‘Description’ for this client secret and select the desired expiry period from the ‘Expires’ drop-list.

   2. Then click on Add to create the client secret.
       
      

      Note:

      The user needs to re-create the client secret when it expires.

5. Copy the ‘Value’ fields for later use.
    

DataBee Configuration

1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
    

2. Search for the Microsoft Defender for Identity and click it as shown below.

   

3. Click on the API Ingest option for collection method.
    

4. Enter feed contact information and click Next.
    

5. In the configuration page, confirm the following:

   • Authorization Method: OAuth2

   • API Base URL: this is the base URL that DataBee will interact with.

   • Client Key: paste the Client ID generated earlier in the Azure portal.

   • Client Secret: paste the Client Secret value generated earlier in the Azure portal.

   • Token URL: replace <application_id> with your Directory (Tenant) ID.

   • Event Types: preselected for all the event types that integration pulls.

     

6. Click Submit.

Troubleshooting Tips

• If you are facing an invalid client or unauthorized client error this might be possibly due to incorrect credentials. Ensure the client key, client secret and Tenant ID are pasted correctly. Since you cannot view the client secret after the 1^st time, re-create it, paste it on a text editor to ensure no spaces or unexpected characters are included and reconfigure the DataBee feed.

• If you are facing response code – 403 this might be possibly due to missing permissions. Ensure that all the required permissions are granted correctly as per the above-mentioned steps.