Defender for Cloud Inventory API Coverage — No Official Way to Retrieve Per-Resource Coverage?

As of May 2025, there isn't an official Microsoft Defender for Cloud API that provides per-resource coverage status directly, akin to what is displayed in the Azure Portal under Defender for Cloud > Inventory.

Current Limitations- > /pricings Endpoint: This API returns Defender plan tiers (e.g., Free or Standard) at the subscription or resource type level, not for individual resources.

Azure Resource Graph (ARG): While ARG can list resources and their properties, it doesn't include Defender coverage details per resource.

Alternative Approaches - > Although there's no direct API, you can approximate per-resource coverage using the following methods:

Azure Policy Compliance Data: If you've assigned policies related to Defender for Cloud, you can query compliance results to infer coverage.

Log Analytics Workspace Queries: If Defender for Cloud is configured to send data to a Log Analytics workspace, you can run Kusto queries to identify resources with security recommendations or alerts, indicating coverage.

Azure Resource Graph with Tags or Naming Conventions: If you use specific tags or naming conventions for resources with Defender coverage, ARG can help filter those resources.

My Recommendation: For now, consider implementing one of the alternative approaches mentioned above to approximate per-resource Defender for Cloud coverage. Additionally, you might want to submit feedback to Microsoft requesting more granular API support for this functionality.