Sync Microsoft Defender with Oomnitza to gain visibility into security threats, device compliance, and your organization’s overall security posture across IT assets.
A list of the applications that users in your organization access is retrieved.
Before you start
To create the integration, you must retrieve the following information from Microsoft Defender:
- API URL. See the section Generate a token in Managing internal tokens. When you generate a token, you are provided with a custom portal URL. The generic portal URL will work, but according to Microsoft Defender documentation, it is slower than the custom portal URL that is provided when you generate a token.
  The format of the custom portal URL is as follows: https://<tenant_portal>-cloudappsecurity.com
  Example: https://tenant2eu1-cloudappsecurity.com
- API key. See the section Generate a token in Managing internal tokens.
Creating the integration
- Log in to Oomnitza.
- Click Configuration.
- On the Integrations: Overview page, click Block view.
- Scroll down to the SaaS Management Integrations section and click the Microsoft Defender tile.
- Click Connect.
- Enter your API URL.
- Enter your API key.
Adding an integration user
To easily find the records that are uploaded to Oomnitza, it's best practice to create a dedicated user account for each integration. This will make it easier for you to retrieve the records that are uploaded to Oomnitza from the vendor application.
In the Integration details section:
- Select the integration user.
- Add one or more integration contacts. The persons you add will receive an in-app notification and an email when an integration fails, starts processing but fails to complete processing within 24 hours, or fails to run when scheduled.
- Select a default Oomnitza role such as Employee. All user records that are uploaded from Microsoft Defender will be assigned the role that you select. A record for each user will be added to the People page.
The lookback synchronization period for the initial sync with Oomnitza is set to 3 months.
- Select the format that you want to use for the username.
- If you don’t want users to log in to Oomnitza, select Restrict access to Oomnitza.
- Click NEXT.
- On the Schedule page, add a schedule to sync with Oomnitza.
- Click Finish.
Test
To test the integration, click the tile in the SaaS Management Integrations section and click RUN NOW. To check for errors, click Sync Sessions.
Monitor
To monitor the SaaS application records that are uploaded to Oomnitza, create a search.
When you use the search that you created to review the records that were uploaded to Oomnitza on the Software page, the name of the SaaS application that was accessed and the name of the user who created the integration are displayed.
To review the users who accessed the SaaS apps, click a record, click an app, and then click the Users tab. Hover the mouse over the last activity info icon to get more details. To view the user’s Oomnitza record, hover the mouse over the user’s name and click the link.
Related articles
- Creating a search for SaaS records
- Creating dashboards for SaaS applications
- Creating a dashboard for unsanctioned SaaS apps
Tips
Generating a list of the applications that were accessed by users
- Click Software. By default the SaaS page is displayed.
- Add the field Created by = <name of the integration user>. You can refine the report by adding additional field filters. For example, to create a report for the most accessed applications, you can add the Total Active Users field filter and specify a value such as Total Active Users > 10.
- Click Export.
Creating a search to monitor the domains of the websites that are being accessed
- Add the field Created by = <name of the integration user>.
- Add the Website field. For example, you can create a filter such as Website Contains .cn .ru.
- Click Export.
Generating a list of the users who access an application
You can hover the mouse over the help icon next to the Last activity field to view recent activities. Last activity is the latest timestamp of traffic for the user based on the ingestion of the log by Microsoft Defender Cloud.
By default, the last activity threshold is set to 60 days. A user who accesses an application at any time in the 60 days before the current date is an active user. A user who last accessed an application more than 60 days ago is an inactive user. The last activity threshold is configurable and can be changed for each SaaS application.
- Click Software. By default the SaaS page is displayed.
- Click an application and then click the Users tab.
- Optional. Click the SaaS user filter to apply a filter.
- Click Export to XLSX.
Don't forget that you can use the searches that you save to create dashboard charts and subscription reports. See Dashboards and reports and Scheduling subscription reports.