PooleofMana
Jul 21, 2025

Unable to add Endpoints and Vulnerability management in XDR Permissions

Hi, I have Defender for Endpoint running on over 400 devices. I have 10 with Bus Premium, 5 with E5, and the rest E3.

I am getting incidents for DFE, and this is being sent to my SOAR platform for analysis, but when I pivot back using client-sync, I cannot see DFE incidents. 

I have gone into Settings > XDR > Workload settings, and can only see the below

There does not appear to be the option to grant the roles I have provided for my SOAR user the ability to see Endpoint and Vulnerability management.

Really scratching my head here. Help?

3 Replies

    • labNeos

      Hello, this track seems correct to me, not tested.
      Access Endpoint and Vulnerability Management in Microsoft Defender XDR via SOAR

      1. Register an App in Entra ID (Azure AD)

      The SOAR platform must be represented by an app registration in Entra ID. This app will authenticate and call Microsoft Defender APIs.

      2. Assign API Permissions

      While 'Vulnerability.Read.All' does not exist, the app should be granted the following permissions:

      - SecurityIncident.Read.All (Microsoft Graph API)
      - SecurityAlert.Read.All (Microsoft Graph API)
      - Device.Read.All (Defender for Endpoint API)
      - Access to /api/vulnerabilities (Defender for Endpoint API)

      These permissions must be admin-consented in Entra ID.

      3. Use Defender XDR Unified RBAC

      Microsoft Defender XDR uses a centralized RBAC model. You must create or assign a custom role with the following permissions:

      - Vulnerability management (read/write)
      - Endpoint security settings (read/write)
      - Incident read access

      Assign this role to the service principal of your SOAR app.

      4. Use Defender for Endpoint API Endpoints

      To retrieve vulnerability and endpoint data, use the following endpoints:

      - GET /api/machines
      - GET /api/machines/{id}/vulnerabilities
      - GET /api/vulnerabilities

      These endpoints are part of the Defender for Endpoint API, not Microsoft Graph.
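      Added example (not code from this thread, from Microsoft, or from any SOAR vendor): a minimal Python client that walks the steps listed above: a client-credentials token request for the Defender for Endpoint API audience, a local check of the token's `roles` claim to confirm the app permissions were actually admin-consented, and paged reads of `/api/machines` and `/api/vulnerabilities`. The tenant and client ids, the sample token, the `Machine.Read.All` permission name used in the demo, and the API responses served by `offline_get` are constructed placeholders; the real network functions `fetch_token` and `bearer_get` are included but not exercised offline.

```python
# Added example (not code from the thread or from Microsoft): client-credentials
# flow against the Defender for Endpoint API plus a consent diagnostic on the
# token's 'roles' claim. Ids, the sample token and SAMPLE_PAGES are constructed.
import base64
import json
import urllib.parse
import urllib.request

MDE_API = "https://api.securitycenter.microsoft.com"  # Defender for Endpoint API, not Graph
MDE_SCOPE = MDE_API + "/.default"                     # ask for the app's consented roles


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the OAuth2 client-credentials token request."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": MDE_SCOPE,
    }).encode()
    return url, body


def fetch_token(tenant_id, client_id, client_secret):
    """Perform the token request (network call; not exercised offline)."""
    url, body = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def token_roles(access_token):
    """Application permissions carried in the token's 'roles' claim.

    The signature is deliberately not verified: this is a local diagnostic of
    what the token contains, not an authorization decision. An absent claim
    means the app permissions were not admin-consented (or the wrong scope was
    requested), and the API will answer 403 for that token.
    """
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)      # restore base64 padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(payload.get("roles", []))


def missing_roles(access_token, required):
    """Required application permissions the token does not carry."""
    return set(required) - token_roles(access_token)


def list_all(get_json, path):
    """Collect every item of a collection endpoint, following @odata.nextLink."""
    url, items = MDE_API + path, []
    while url:
        page = get_json(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def bearer_get(access_token):
    """Build a GET function that sends the bearer token (network; not run offline)."""
    def get_json(url):
        req = urllib.request.Request(url, headers={
            "Authorization": "Bearer " + access_token, "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return get_json


# ---- constructed offline fixtures (not real tenant data) ----
def unsigned_sample_token(roles):
    """Build an unsigned JWT-shaped string so token_roles() can be shown offline."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return seg({"alg": "none"}) + "." + seg({"aud": MDE_API, "roles": roles}) + ".sig"


SAMPLE_PAGES = {  # two pages of machines, one of vulnerabilities; placeholder ids
    MDE_API + "/api/machines": {
        "value": [{"id": "machine-0001", "computerDnsName": "ws01.example.local"}],
        "@odata.nextLink": MDE_API + "/api/machines?$skip=1",
    },
    MDE_API + "/api/machines?$skip=1": {
        "value": [{"id": "machine-0002", "computerDnsName": "ws02.example.local"}],
    },
    MDE_API + "/api/vulnerabilities": {
        "value": [{"id": "CVE-PLACEHOLDER-0001", "severity": "High"}],
    },
}


def offline_get(url):
    """Stand-in for bearer_get() that serves the constructed pages."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    tok = unsigned_sample_token(["Machine.Read.All"])
    print("missing:", missing_roles(tok, ["Machine.Read.All"]))
    print("machines:", [m["id"] for m in list_all(offline_get, "/api/machines")])
    print("vulns:", [v["id"] for v in list_all(offline_get, "/api/vulnerabilities")])
```

      To run it against a tenant, swap `offline_get` for `bearer_get(fetch_token(...))`; if `missing_roles` reports anything for a freshly issued token, the fix is on the Entra ID app registration side (grant and admin-consent the application permission), not in the Defender XDR role assignment.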

      • PooleofMana

        Hi, we already have an app registration in Entra for the SOAR, and alerts are coming through fine into that.
        The alerts come from DFE into Sentinel, then through to SOAR. If the analyst cannot determine enough information from the alert directly and needs to investigate, they will go to Sentinel and click "Investigate in Defender XDR". But that button then throws an error and says permissions are not granted.
