JuanOJG
Copper Contributor
May 09, 2025

Defender for Cloud Inventory API Coverage — No Official Way to Retrieve Per-Resource Coverage?

I'm reaching out to the Microsoft Defender for Cloud team and the broader community because I've run into a gap that I believe others may face too — and I’m hoping for guidance or clarification.

I need to programmatically retrieve a list of resources from a subscription and determine if each resource is covered by a Defender for Cloud plan. This would replicate what we see in the Azure Portal under:

Microsoft Defender for Cloud > Inventory:

The goal is to fetch this data via API and replicate that table — but the problem is that it seems there’s no way to retrieve the “Defender for Cloud” coverage status per resource.

Here’s what I’ve tried so far:

  • The /pricings endpoint — returns plan tiers like Free or Standard, but only for the overall subscription or service type, not individual resources.
  • Azure Resource Graph — the properties field does not contain any Defender-related indicators that would confirm whether a specific resource is covered.

My Question

Does an API exist today to retrieve per-resource Defender for Cloud coverage?
Is there a /coverage endpoint or equivalent that is officially supported?

If anyone from the Defender for Cloud or Azure product teams can point me in the right direction, I’d truly appreciate it.

Thank you!

1 Reply

  • Ankit365
    Copper Contributor

    As of May 2025, there isn't an official Microsoft Defender for Cloud API that provides per-resource coverage status directly, akin to what is displayed in the Azure Portal under Defender for Cloud > Inventory.

    Current Limitations

      • /pricings Endpoint: This API returns Defender plan tiers (e.g., Free or Standard) at the subscription or resource type level, not for individual resources.
      • Azure Resource Graph (ARG): While ARG can list resources and their properties, it doesn't include Defender coverage details per resource.

    Alternative Approaches

    Although there's no direct API, you can approximate per-resource coverage using the following methods:

      • Azure Policy Compliance Data: If you've assigned policies related to Defender for Cloud, you can query compliance results to infer coverage.
      • Log Analytics Workspace Queries: If Defender for Cloud is configured to send data to a Log Analytics workspace, you can run Kusto queries to identify resources with security recommendations or alerts, indicating coverage.
      • Azure Resource Graph with Tags or Naming Conventions: If you use specific tags or naming conventions for resources with Defender coverage, ARG can help filter those resources.

    My Recommendation: For now, consider implementing one of the alternative approaches mentioned above to approximate per-resource Defender for Cloud coverage. Additionally, you might want to submit feedback to Microsoft requesting more granular API support for this functionality.
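
The limitation discussed in this thread, worked through as an added example that is not part of either post and is not Microsoft's code: join the plan tiers that /pricings returns with a resource list from Azure Resource Graph to produce an inferred, type-level coverage column. The plan-to-resource-type mapping, the function names and the sample data are assumptions constructed for illustration, and the result reflects subscription-level plan state rather than a true per-resource answer.

```python
# Added example: infer type-level Defender coverage by joining /pricings
# plan tiers with a resource list. Mapping and samples are assumptions.

# Assumed, incomplete mapping: Defender plan name -> lowercase ARM resource types.
PLAN_TO_TYPES = {
    "VirtualMachines": {"microsoft.compute/virtualmachines"},
    "StorageAccounts": {"microsoft.storage/storageaccounts"},
    "SqlServers": {"microsoft.sql/servers"},
    "KeyVaults": {"microsoft.keyvault/vaults"},
}

# Constructed sample shaped like a /pricings list response.
SAMPLE_PRICINGS = {"value": [
    {"name": "VirtualMachines", "properties": {"pricingTier": "Standard"}},
    {"name": "StorageAccounts", "properties": {"pricingTier": "Free"}},
    {"name": "KeyVaults", "properties": {"pricingTier": "Standard"}},
]}

# Constructed sample shaped like Azure Resource Graph rows (name, type).
SAMPLE_RESOURCES = [
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines"},
    {"name": "stlogs001", "type": "microsoft.storage/storageaccounts"},
    {"name": "sql-core", "type": "microsoft.sql/servers"},
    {"name": "vnet-hub", "type": "microsoft.network/virtualnetworks"},
]

def tier_by_type(pricings):
    """Invert plan -> tier into resource type -> (plan, tier)."""
    out = {}
    for plan in pricings.get("value", []):
        tier = plan.get("properties", {}).get("pricingTier")
        for rtype in PLAN_TO_TYPES.get(plan.get("name"), ()):
            out[rtype] = (plan["name"], tier)
    return out

def infer_coverage(pricings, resources):
    """Return one row per resource with an inferred coverage status."""
    tiers = tier_by_type(pricings)
    rows = []
    for res in resources:
        # ARM resource types are case-insensitive, so normalise before lookup.
        plan, tier = tiers.get(res["type"].lower(), (None, None))
        # Standard = plan enabled; Free = plan off; anything else cannot be inferred.
        status = {"Standard": "On (inferred)", "Free": "Off (inferred)"}.get(tier, "Unknown")
        rows.append({"name": res["name"], "plan": plan, "status": status})
    return rows

if __name__ == "__main__":
    for row in infer_coverage(SAMPLE_PRICINGS, SAMPLE_RESOURCES):
        print(f"{row['name']:<12} {row['plan'] or '-':<16} {row['status']}")
```

Rows marked "Unknown" are resources whose type has no mapped plan or whose plan was absent from the pricing data; they need one of the other approaches from the reply to classify.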
