Threat & Vulnerability Management APIs are now generally available

Published Apr 13 2020 11:45 PM

We are excited to announce that Microsoft Defender Advanced Threat Protection (ATP) Threat & Vulnerability Management APIs are now generally available!

Threat & Vulnerability Management APIs can give your organization more clarity through customized views into your security posture, and can also help alleviate your security teams’ workload. They do this by automating vulnerability management workflows, from data collection and risk score analysis to integration with your other organizational processes and solutions.

The new Threat & Vulnerability Management APIs are exposed through the standard Azure Active Directory-based authentication and authorization model, which gives developers and Software-as-a-service (SaaS) application users easy access to robust functionality. See our documentation for available APIs and try them out using the Microsoft Defender ATP API Explorer tool.


Now, let’s look at how you can use Threat & Vulnerability Management APIs in your daily security administration work.


Create custom interface and reports

With Threat & Vulnerability Management APIs, you can create meaningful reports in an automated fashion while keeping flexibility in how you use the solution components, such as exposure score, installed software, vulnerabilities, and security recommendations.


The custom interface that you’ll create can show just the right amount of information that you need at the right time, giving you a simpler task view or list for your day-to-day work. This can help streamline your user experience according to your organization’s needs.


In a previous blog, we walked you through creating custom reports using Microsoft Defender ATP APIs and Power BI. To build on the resources we shared for custom reports on GitHub, you can now also use this Threat & Vulnerability Management dashboard.




Save time and resources through automation

Designed for automation-focused security teams, the APIs let you identify and expose common, repeatable activities so you can stop worrying about routine tasks and start investing in your greater vulnerability management strategy.


Looking for a good place to start? Check out the linked Power Automation to automate email notifications about any new vulnerabilities that meet your organization’s criteria.



To set this up:

  1. Follow the steps described here and create an app to access Microsoft Defender ATP APIs. Grant the app the Vulnerability.Read.All permission.
  2. Import the TVM_FlowSample.Zip file linked to this blog and add it to your Power Automation environment.
  3. Set the Get vulnerabilities HTTP call with your app details:
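
The same workflow outside Power Automation comes down to a token request for the app from step 1, a paged call to the vulnerabilities endpoint, and a filter for your criteria. The Python below is an added example, not the TVM_FlowSample.Zip flow or Microsoft's code; the endpoint URLs, the `@odata.nextLink` paging field, the record fields (`severity`, `exposedMachines`, `publishedOn`), the alert criteria and the sample records are assumptions constructed for illustration.

```python
import io
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

API = "https://api.securitycenter.windows.com"  # assumed API and resource URL
def token_request(tenant_id, app_id, app_secret):
    """Client-credentials token request for the app created in step 1."""
    form = urllib.parse.urlencode({
        "resource": API, "client_id": app_id,
        "client_secret": app_secret, "grant_type": "client_credentials"})
    url = f"https://login.windows.net/{tenant_id}/oauth2/token"  # assumed
    return urllib.request.Request(url, data=form.encode(), method="POST")

def fetch_vulnerabilities(token, opener=urllib.request.urlopen):
    """Yield every record, following @odata.nextLink so no page is missed."""
    url = f"{API}/api/vulnerabilities"
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with opener(req) as resp:
            page = json.load(resp)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def needs_alert(vuln, since, severities=("Critical", "High")):
    """Example criteria: published since `since`, severe, machines exposed."""
    published = datetime.fromisoformat(vuln["publishedOn"][:19]).replace(tzinfo=timezone.utc)
    return (published >= since and vuln.get("severity") in severities
            and vuln.get("exposedMachines", 0) > 0)

def _rec(n, sev, exposed, day):  # builds one constructed sample record
    return {"id": f"CVE-0000-000{n}", "severity": sev,
            "exposedMachines": exposed, "publishedOn": f"{day}T00:00:00Z"}

# Constructed two-page response (not real data), served by a stub opener.
PAGE2 = f"{API}/api/vulnerabilities?$skip=2"
SAMPLE_PAGES = {
    f"{API}/api/vulnerabilities": {"@odata.nextLink": PAGE2, "value": [
        _rec(1, "Critical", 4, "2020-04-10"), _rec(2, "Low", 7, "2020-04-11")]},
    PAGE2: {"value": [_rec(3, "High", 0, "2020-04-12"), _rec(4, "High", 2, "2020-04-11"),
                      _rec(5, "Critical", 9, "2020-03-01")]}}

def stub_opener(req):
    return io.BytesIO(json.dumps(SAMPLE_PAGES[req.full_url]).encode())

def demo(since=datetime(2020, 4, 1, tzinfo=timezone.utc)):
    vulns = fetch_vulnerabilities("constructed-token", stub_opener)
    return [v["id"] for v in vulns if needs_alert(v, since)]
```

When running this against a real tenant, load the app secret from a secret store or environment variable instead of embedding it in the script, and keep the app's permission limited to Vulnerability.Read.All.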



Get data visibility across solutions

You can invoke the API to drive data exchange between Microsoft Defender ATP Threat & Vulnerability Management and other solutions in your environment. In addition to ad-hoc integrations, we are constantly working on extending our network of partners.


Skybox® Security, a global leader in cybersecurity management, announced its partnership with Microsoft Defender ATP and the Microsoft Intelligent Security Association (MISA). This partnership will strengthen Skybox’s vulnerability detection capabilities with the inclusion of critical data from Threat & Vulnerability Management. It thereby expands Skybox’s vulnerability management for enterprises that continue to deploy workloads across hybrid and cloud network environments. Learn more about the integration here and watch this video for details.


If you would like to see additional integrations with Microsoft Defender ATP, go to the Partner Application page in the Microsoft Defender Security Center, and click Recommend other partners.


Solutions that can empower your organization

A typical enterprise depends on multiple security systems to operate and to combat advanced cyber adversaries. At Microsoft, we believe that when these solutions work together, you gain greater efficiency, speed, and stronger defenses. Threat & Vulnerability Management APIs can help empower you to deliver greater value to your vulnerability management program.

As always, we welcome and appreciate your feedback.
@Efrat Kliger 



Will people with very large deployments need to modify the TVM dashboard queries due to the 10,000 row return in line with API limits?


Hi @SteveEllis, the dashboard should work fine for large organizations as well. Feel free to contact us here if you encounter any issue.


Will the API be able to get information from the Microsoft 365 security portal (


We are looking into using this portal within our organization and building automation around it, but currently I don't seem to be able to get the information about the incident IDs that are created on that portal and not related to MDATP.


@bthomas, we are working on exposing a new Incident API for MTP that would cover Incidents from the different workloads. I would be happy to include you in the private preview once available. Stay tuned!


@Efrat Kliger That's good to hear. What do you need from my end to get included in the private preview (once available)?



APIs are a great starting point. I have two questions:


1) Authentication using local tokens

In contrast to using App Registration Service Principals, for Azure REST API we normally log on using locally cached credentials. I wonder if users having the role Security Administrator or Security Reader can obtain access to Threat & Vulnerability Management APIs. The same question is for Service Principals that are used in Azure DevOps PowerShell tasks, where we usually grab the local tokens for the logged-on Service Connection. Using App Registration Service Principals only involves exposing secrets to users, which is not very desirable. I tried using the locally cached tokens, but got 401 Unauthorized errors returned.


2) Machines data model

When listing machines, the data is missing the unique Azure Resource ID. The only way of finding the machine again is by its name and IP address, which may not be uniquely identifiable in a multi-subscription, multi-resource group environment. Neither is it the other way around, where a known VM may not be found only by its name and IP address. It is possible to include the Azure Unique Resource ID in the dataset, as it can be found in the Azure Metadata Instance API (see


Thanks a lot in advance.





For #1, did you check out the option to get an access token with user credentials -
For #2, it is not clear to me what ID exactly you are looking for. Maybe you can share a screenshot in a private message.





@bthomas you can send me your details (tenant ID, mail) in a private message.

Is it possible to get historical data? (for example score over time)

Last update: Jul 16 2020 02:13 PM