Forum Discussion

Lucaraheller
Brass Contributor
Oct 21, 2025

Using Microsoft Graph Security API for Custom Security Automations

Hi Security Experts,

I’ve recently started exploring the Microsoft Graph Security API to centralize and automate security operations across different Microsoft 365 services.

The idea is to build a single automation layer that can:

  • Collect alerts from Defender for Endpoint, Defender for Cloud, and Identity Protection;
  • Enrich them with context (user, device, and location data);
  • And automatically push them to an external system like Jira, n8n, or a custom SOAR workflow.

I was able to authenticate and list alerts using the endpoint:

GET https://graph.microsoft.com/v1.0/security/alerts

However, I’m still trying to understand the best practices for handling rate limits, pagination, and permissions — especially when integrating continuous polling or real-time ingestion into external tools.

Has anyone here implemented Graph Security API automations in production?
I’d love to hear about your experiences — specifically around performance, alert filtering, and authentication (App Registration vs Managed Identity).

Thanks in advance,
Luca
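The three concerns the post raises (pagination, rate limits, incremental polling) fit in one small loop. The block below is an added example, not code from the original post or from Microsoft: it follows `@odata.nextLink` until the page set is exhausted, retries the same URL when Graph answers 429/503 with a `Retry-After` header, and uses a `createdDateTime` watermark in `$filter` so each poll only fetches alerts newer than the last one seen. It assumes a bearer token has already been acquired (MSAL client credentials for an app registration, or azure-identity for a managed identity) and injects the HTTP layer as a callable so the logic can be exercised offline against constructed responses; the fake transport, its alert records and the `$skiptoken` value are all constructed for the example.

```python
"""Incremental poll of GET https://graph.microsoft.com/v1.0/security/alerts.

Added example. Assumes a bearer token is already in hand and that the HTTP
call is injected as `transport(method, url, headers) -> Response`, so the
paging/throttling logic can run offline against constructed responses.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, List, Optional, Tuple
from urllib.parse import urlencode

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: dict


Transport = Callable[[str, str, Dict[str, str]], Response]


def iter_alerts(transport: Transport, token: str, since_iso: str,
                severity: Optional[str] = None, top: int = 50,
                max_retries: int = 5, sleep=time.sleep) -> Iterator[dict]:
    """Yield alerts created after since_iso (ISO 8601, UTC), oldest first.

    Follows @odata.nextLink for paging and honours Retry-After on 429/503,
    retrying the *same* URL so no page is skipped.
    """
    flt = f"createdDateTime gt {since_iso}"
    if severity:                                   # optional server-side filter
        flt += f" and severity eq '{severity}'"
    params = {"$filter": flt, "$orderby": "createdDateTime asc", "$top": str(top)}
    url = f"{GRAPH_ALERTS}?{urlencode(params)}"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    throttled = 0
    while url:
        resp = transport("GET", url, headers)
        if resp.status in (429, 503):
            throttled += 1
            if throttled > max_retries:
                raise RuntimeError(f"giving up after {max_retries} throttled responses")
            # Graph says how long to wait; fall back to exponential backoff.
            sleep(int(resp.headers.get("Retry-After", 2 ** throttled)))
            continue
        if resp.status != 200:
            raise RuntimeError(f"Graph returned {resp.status}: {resp.body}")
        throttled = 0
        for alert in resp.body.get("value", []):
            yield alert
        url = resp.body.get("@odata.nextLink")    # absent on the last page


def poll_once(transport: Transport, token: str, watermark: str,
              sink: Callable[[dict], None], sleep=time.sleep) -> Tuple[str, int]:
    """Fetch everything newer than `watermark`, hand each alert to `sink`
    (Jira, n8n, a SOAR queue ...) and return the advanced watermark."""
    newest, count = watermark, 0
    for alert in iter_alerts(transport, token, watermark, sleep=sleep):
        sink(alert)
        count += 1
        newest = max(newest, alert["createdDateTime"])
    return newest, count


def make_fake_transport() -> Transport:
    """Constructed Graph responses: one throttle, then two pages of alerts."""
    page2 = GRAPH_ALERTS + "?$skiptoken=constructed"
    script: List[Response] = [
        Response(429, {"Retry-After": "1"}, {"error": {"code": "TooManyRequests"}}),
        Response(200, {}, {"value": [
            {"id": "a1", "severity": "high", "title": "Suspicious PowerShell",
             "createdDateTime": "2025-10-20T10:00:00Z"},
            {"id": "a2", "severity": "medium", "title": "Impossible travel",
             "createdDateTime": "2025-10-20T10:05:00Z"}],
            "@odata.nextLink": page2}),
        Response(200, {}, {"value": [
            {"id": "a3", "severity": "low", "title": "Risky sign-in",
             "createdDateTime": "2025-10-20T10:07:00Z"}]}),
    ]
    calls: List[str] = []

    def transport(method: str, url: str, headers: Dict[str, str]) -> Response:
        calls.append(url)
        return script.pop(0)

    transport.calls = calls                        # type: ignore[attr-defined]
    return transport


if __name__ == "__main__":
    wm, n = poll_once(make_fake_transport(), "token", "2025-10-20T09:00:00Z",
                      lambda a: print(a["id"], a["severity"], a["title"]),
                      sleep=lambda s: None)
    print("forwarded", n, "alerts; next watermark", wm)
```

Two caveats a production loop needs on top of this: `gt` is strictly greater, so two alerts sharing the watermark timestamp can be dropped between polls (persist the last seen `id`s alongside the watermark, or query with `ge` and de-duplicate), and the string comparison used for the watermark only holds while Graph keeps returning timestamps in the same UTC `Z` format.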

