title: Access the Microsoft Defender for Endpoint APIs ms.reviewer: description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender for Endpoint capabilities ms.service: defender-endpoint ms.subservice: reference ms.author: painbar author: paulinbar ms.localizationpriority: medium ms.date: 11/11/2025 manager: bagol audience: ITPro ms.collection:
- m365-security
- tier3
- must-keep
ms.topic: reference
ms.custom: api
search.appverid: met150
appliesto:
- Microsoft Defender for Endpoint
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Business
Important
Advanced hunting capabilities are not included in Defender for Business.
[!INCLUDE Microsoft Defender for Endpoint API URIs for US Government]
Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see OAuth 2.0 Authorization Code Flow.
Watch this video for a quick overview of Defender for Endpoint's APIs.
[!VIDEO https://learn-video.azurefd.net/vod/player?id=f6300637-b48e-49d7-aa76-2778a711ae6c]
In general, you'll need to take the following steps to use the APIs:
- Create a Microsoft Entra application
- Get an access token using this application
- Use the token to access Defender for Endpoint API
You can access Defender for Endpoint API with Application Context or User Context.
-
Application Context: (Recommended)
Used by apps that run without a signed-in user present. for example, apps that run as background services or daemons.
Steps that need to be taken to access Defender for Endpoint API with application context:
-
Create a Microsoft Entra Web-Application.
-
Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'.
-
Create a key for this Application.
-
Get token using the application with its key.
-
Use the token to access the Microsoft Defender for Endpoint API
For more information, see Get access with application context.
-
-
User Context:
Used to perform actions in the API on behalf of a user.
Steps to take to access Defender for Endpoint API with user context:
-
Create Microsoft Entra Native-Application.
-
Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc.
-
Get token using the application with user credentials.
-
Use the token to access the Microsoft Defender for Endpoint API
For more information, see Get access with user context.
-
Tip
When more than one query request is required to retrieve all the results, Microsoft Graph returns an @odata.nextLink property in the response that contains a URL to the next page of results. For more information, see Paging Microsoft Graph data in your app.