Forum Discussion

ghostrider31
Copper Contributor
Oct 30, 2025

XDR advanced hunting region specific endpoints

Hi, I am exploring the XDR advanced hunting API to fetch data specific to Microsoft Defender for Endpoint tenants. The official documentation (https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting) mentions switching to the Microsoft Graph advanced hunting API. I have the questions below related to it:

1. To fetch the region-specific (US, China, Global) token and Microsoft Graph service root endpoints (https://learn.microsoft.com/en-us/graph/deployments#app-registration-and-token-service-root-endpoints), is the recommended way to fetch the OpenID configuration document (https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#fetch-the-openid-configuration-document) for a tenant ID so that, based on the response, the region-specific SERVICE/TOKEN endpoints can be fetched? Using it, there is no need to maintain different endpoints for tenants in different regions. And do we use the global service URL https://login.microsoftonline.com to fetch the OpenID config document for a tenant ID in any region?

2. As per the documentation, the Microsoft Graph advanced hunting API is not supported in the China region (https://learn.microsoft.com/en-us/graph/api/security-security-runhuntingquery?view=graph-rest-1.0&tabs=http). In this case, is it recommended to use the Microsoft XDR advanced hunting APIs (https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting) to support tenants in all regions (China, US, Global)?

1 Reply

  • Your assessment is correct, and your proposed solution is the right one.

    Since the Microsoft Graph advanced hunting API (/security/runHuntingQuery) is not yet available in the sovereign cloud for China (operated by 21Vianet), you cannot rely on it exclusively if you need to support tenants in that region.

    Therefore, the recommended approach for an application that must support all regions (Global, US Government, and China) is to implement conditional logic based on the tenant's region.

    Recommended Implementation Strategy:

    1. Determine the Tenant's Region: Use the OIDC discovery mechanism described in the first point. The domain of the token_endpoint is your most reliable indicator of the region.
      • login.microsoftonline.com -> Global
      • login.microsoftonline.us -> US Government
      • login.chinacloudapi.cn -> China
    2. Implement Conditional API Logic: In your application's code, use an if/else or switch statement based on the determined region.
      • For Global and US Government Tenants:
        • Use the Microsoft Graph Advanced Hunting API.
        • Request an access token for the appropriate Graph resource (https://graph.microsoft.com or https://graph.microsoft.us).
        • Make your POST request to the corresponding Graph endpoint: https://graph.microsoft.com/v1.0/security/runHuntingQuery or https://graph.microsoft.us/v1.0/security/runHuntingQuery.
      • For China Tenants:
        • Fall back to the legacy Microsoft Defender XDR Advanced Hunting API.
        • Request an access token for the Defender XDR API resource specific to China. The resource URI is typically the API endpoint itself (https://api.securitycenter.windows.azure.cn).
        • Make your POST request to the legacy China-specific endpoint: https://api.securitycenter.windows.azure.cn/api/advancedhunting/run.

    This hybrid approach ensures your application functions correctly for all customers today while positioning you to easily switch the China tenants to the Graph API once it becomes available there. You would simply update the conditional logic to treat China the same as the global service.
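
The routing described in the reply above, as an added Python example that is not part of the original thread or any Microsoft SDK. It uses only the login hosts and API URLs listed in the reply; the function name `route_for_tenant`, the `UnknownCloudError` class and the sample discovery documents (placeholder tenant ID) are constructed for illustration.

```python
from urllib.parse import urlsplit

# Login host -> API routing, taken from the hosts and URLs listed in the reply.
ROUTES = {
    "login.microsoftonline.com": ("Global", "https://graph.microsoft.com",
                                  "/v1.0/security/runHuntingQuery"),
    "login.microsoftonline.us": ("US Government", "https://graph.microsoft.us",
                                 "/v1.0/security/runHuntingQuery"),
    "login.chinacloudapi.cn": ("China", "https://api.securitycenter.windows.azure.cn",
                               "/api/advancedhunting/run"),
}

class UnknownCloudError(ValueError):
    """The discovery document does not map to a cloud this client knows."""

def route_for_tenant(discovery_doc):
    """Map an OIDC discovery document to region, token resource and hunting URL."""
    endpoint = discovery_doc.get("token_endpoint")
    if not isinstance(endpoint, str):
        raise UnknownCloudError("discovery document has no token_endpoint")
    parts = urlsplit(endpoint)
    if parts.scheme != "https" or parts.port not in (None, 443):
        raise UnknownCloudError(f"unexpected scheme or port: {endpoint!r}")
    # Exact host match only: substring or suffix tests would accept look-alike
    # hosts, and client credentials would then be posted to them. Fail closed.
    host = (parts.hostname or "").lower()
    if host not in ROUTES:
        raise UnknownCloudError(f"unrecognised login host: {host!r}")
    region, resource, path = ROUTES[host]
    return {"region": region, "token_endpoint": endpoint,
            "resource": resource, "hunting_url": resource + path}

# Constructed discovery documents (placeholder tenant ID, trimmed to one field).
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLES = {
    "global": {"token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"},
    "china": {"token_endpoint": f"https://login.chinacloudapi.cn/{TENANT}/oauth2/v2.0/token"},
    "lookalike": {"token_endpoint": f"https://login.microsoftonline.com.example.net/{TENANT}/oauth2/v2.0/token"},
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        try:
            print(name, "->", route_for_tenant(doc))
        except UnknownCloudError as err:
            print(name, "-> rejected:", err)
```

Switching China tenants to Graph later means changing one entry in `ROUTES`; the host validation stays the same.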
