Sync Microsoft Defender with Oomnitza to gain visibility and insights into assets.
Before you start
The Microsoft Defender asset load uses the List Machines API, which requires the Machine.Read or Machine.ReadWrite permission. To retrieve software information when you sync Microsoft Defender with Oomnitza, you also need the Software.Read permission. You must have the View Data role permission to run the API. See Microsoft Defender Protect API Documentation: List machines API.
Before you create the integration with Oomnitza, complete the following actions:
Generate OAuth 2.0 credentials in Azure. See the Generating the client secret section.
Add OAuth 2.0 credentials to Oomnitza.
Adding the Microsoft Defender domain as a global variable
Adding global variables
Save time when you create integrations and run workflows by adding connection information as global variables.
- Click Configuration > General > Global Settings.
- Click Add new variable.
- Add the key value, which is the name of the variable.
- Enter the value.
- Save your changes.
The name of the global variable is Microsoft Defender.Domain. Instead of using api.security.microsoft.com as the domain, you can select a domain closer to your geolocation such as us.api.security.microsoft.com or eu.api.security.microsoft.com. See Use Microsoft Defender for Endpoint APIs.
Adding the credentials to Oomnitza
You must retrieve the following information to add the credentials:
- Client ID and secret. See the Generating the client secret section in Generate OAuth 2.0 credentials in Azure.
- Scope. The scope or scopes for Microsoft Defender, such as https://api.securitycenter.microsoft.com/.default. If you enter other scopes, you must enter the fully qualified URL with the scope, such as https://api.securitycenter.microsoft.com/Machine.Read, in a space-separated list.
- Tenant. The tenant is the tenant you want to request permission from. This can be in GUID or friendly name format. If you don't know which tenant the user belongs to and you want to let them sign in with any tenant, use common.
Make life easier and add your credentials to Oomnitza before you create the integration.
- In Oomnitza, click Configuration > Security > Credentials.
- Click Add new credential (+).
- Search for the integration, and then click the forward arrow > to select the integration.
- Enter your client credentials and any other additional information.
- Click Authenticate. You are prompted to log in to authorize your request.
- Click CREATE.
Creating the asset integration
- In Oomnitza, click Configuration > Integrations > Overview.
- Click Block view.
- Scroll down to the Extended section for asset integrations.
- Click NEW INTEGRATION.
- Select the integration in the sidebar.
- Click ADD.
Integration details overview
More information is provided about the following fields to help you complete the integration:
Software data
Depending on the asset integration, an option might be available to ingest desktop software information such as the name and version of the software installed on an asset. To view the software information in Oomnitza, you must have the software module.
Installation types
- Cloud. Store credentials in the Oomnitza cloud.
- Local. Store credentials locally. If you want to sync Oomnitza with vendor applications that require AWS or OAuth authentication, select Cloud as the type of installation. Local installations don't support AWS and OAuth authentication.
Integration preferences
- Create & Update. Add and update records.
- Create only. Add records.
- Update only. Update records.
Integration details
To review or update the integration details, click Edit.
When you edit the Integration details section, you can select the name or names of integration contacts. Integration contacts receive an in-app notification and an email when the integration fails, when the integration fails to complete within 24 hours, or when the scheduled integration fails to run.
- Update the integration name.
- Select an installation type.
- For integration preferences, select an option.
- Enter the name of the integration user.
Credential details
If you selected Cloud as the installation type, choose one of the following options:
- Select the credentials that were created for the integration.
- Edit the credentials that were created for the integration.
- Create new credentials.
Scheduling the integration
By default, data is synced once every day. Change the interval or the time so that the data is streamed when your system isn't busy.
- Click Edit.
- Make and save your changes.
Mapping fields to Oomnitza
To map the fields to Oomnitza, click Edit.
Select Edit integration to add rules for syncing data. See Filtering integration results.
Click SMART MAPPING.
You can add new fields to your integration by selecting Add new field on the mapping page. See Creating custom API fields.
Creating custom mappings
Map Microsoft Defender fields to Oomnitza fields to get the asset information that you need. For the field mapping, it is recommended to follow these steps:
- Click Smart Mapping to automatically detect appropriate mapping fields. Values from the integration can also be dragged to the appropriate field on the Oomnitza side, or selected from the integration field dropdown.
- Create a custom mapping for the Microsoft Defender Device ID.
- Click the down arrow on the Microsoft Defender Device ID.
- Select Add new Oomnitza assets field.
- Update the Name field to Microsoft Defender Device ID.
- Click CREATE.
- Assign a sync key. We recommend that you map the AAD Device ID to the Serial Number field, and use this as a sync key.
Tracking information for asset loads
When the integration is run, you can track the name of the credentials that were used and the source of the data. To do this, you map the following fields to Oomnitza:
- Connect: Credentials
Custom mappings
- AAD Device ID*
- Computer DNS Name
- Connect: Credentials
- Connect: Microsoft Defender Domain
- Connector Sync Time
- Exposure Level
- First Seen
- Health Status
- Is AAD Joined?
- Last External IP Address
- Last IP Address
- Last Seen
- Machine Tags
- Microsoft Defender Device ID**
- OS Build
- OS Platform
- OS Processor
- RBAC Group ID
- RBAC Group Name
- Risk Score
- Version
* Suggested sync key
** Also known as the Machine ID, the ID that is returned in the List Machines API response.
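The following is an added example, not Oomnitza's connector code or anything from the original article. It ties together the credential details above (space-separated, fully qualified scopes, tenant, regional API domain) and the custom mappings list (List Machines properties mapped onto the Oomnitza field labels, the three tracking fields, and AAD Device ID as the sync key). The token endpoint URL and the JSON property names (aadDeviceId, computerDnsName, and so on) are not on this page and are assumptions drawn from Microsoft's public API documentation; the sample response, credential name, and IDs are constructed, so the code runs offline and sends nothing.

```python
"""Constructed example (not Oomnitza's connector code): the pieces of the
Microsoft Defender asset load described on this page, run offline against
a hand-built List Machines response."""
from urllib.parse import urlencode

SCOPE_PREFIX = "https://api.securitycenter.microsoft.com/"
DEFAULT_SCOPE = SCOPE_PREFIX + ".default"
DEFAULT_DOMAIN = "api.security.microsoft.com"
SYNC_KEY = "AAD Device ID"  # the sync key recommended above

# Oomnitza field label -> property in the List Machines JSON. The property
# names are assumptions based on Microsoft's List machines API documentation.
FIELD_MAP = {
    "AAD Device ID": "aadDeviceId",
    "Computer DNS Name": "computerDnsName",
    "Exposure Level": "exposureLevel",
    "First Seen": "firstSeen",
    "Health Status": "healthStatus",
    "Is AAD Joined?": "isAadJoined",
    "Last External IP Address": "lastExternalIpAddress",
    "Last IP Address": "lastIpAddress",
    "Last Seen": "lastSeen",
    "Machine Tags": "machineTags",
    "Microsoft Defender Device ID": "id",  # the Machine ID
    "OS Build": "osBuild",
    "OS Platform": "osPlatform",
    "OS Processor": "osProcessor",
    "RBAC Group ID": "rbacGroupId",
    "RBAC Group Name": "rbacGroupName",
    "Risk Score": "riskScore",
    "Version": "version",
}


def normalize_scopes(scopes):
    """Return the space-separated scope string the token endpoint expects.
    Scopes other than .default must be fully qualified; a bare name such as
    'Machine.Read' is rejected here instead of being sent and failing later."""
    parts = scopes.split()
    if not parts:
        raise ValueError("at least one scope is required")
    bad = [s for s in parts if not s.startswith(SCOPE_PREFIX)]
    if bad:
        raise ValueError("scope must be a fully qualified URL: " + ", ".join(bad))
    return " ".join(parts)


def build_token_request(tenant, client_id, client_secret, scopes=DEFAULT_SCOPE):
    """Assemble (but do not send) the OAuth 2.0 client-credentials request.
    'tenant' is the value entered in the Oomnitza credential: a GUID or a
    friendly tenant name. The v2.0 token endpoint URL is assumed, not from
    this page."""
    if not tenant:
        raise ValueError("tenant is required")
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": normalize_scopes(scopes),
    }
    return {
        "url": "https://login.microsoftonline.com/%s/oauth2/v2.0/token" % tenant,
        "body": urlencode(form),  # application/x-www-form-urlencoded
    }


def machines_url(domain=DEFAULT_DOMAIN):
    """List Machines endpoint on the global or a regional Defender domain."""
    if domain != DEFAULT_DOMAIN and not domain.endswith("." + DEFAULT_DOMAIN):
        raise ValueError("unexpected Microsoft Defender domain: " + domain)
    return "https://%s/api/machines" % domain


def map_machine(record, credential_name, domain, sync_time):
    """Turn one List Machines record into a row keyed by Oomnitza field
    label, adding the three tracking fields from the mappings list."""
    row = {label: record.get(prop) for label, prop in FIELD_MAP.items()}
    if isinstance(row["Machine Tags"], list):
        row["Machine Tags"] = ", ".join(row["Machine Tags"])
    row["Connect: Credentials"] = credential_name
    row["Connect: Microsoft Defender Domain"] = domain
    row["Connector Sync Time"] = sync_time
    return row


def load_machines(response, credential_name, domain, sync_time):
    """Map every record in a List Machines response. A device that is not
    AAD joined has no aadDeviceId, so with AAD Device ID as the sync key it
    cannot be matched to an asset; such devices are reported separately
    rather than loaded with an empty key."""
    rows, unmatched = [], []
    for record in response.get("value", []):
        row = map_machine(record, credential_name, domain, sync_time)
        if not row[SYNC_KEY]:
            unmatched.append(row["Microsoft Defender Device ID"])
            continue
        rows.append(row)
    return rows, unmatched


# Constructed sample response; machine IDs, GUIDs and addresses are made up.
SAMPLE_RESPONSE = {"value": [
    {"id": "machine-a", "computerDnsName": "desk-0042.corp.example",
     "osPlatform": "Windows11", "osBuild": 22621, "version": "22H2",
     "osProcessor": "x64", "healthStatus": "Active", "riskScore": "Low",
     "exposureLevel": "Medium", "isAadJoined": True,
     "aadDeviceId": "11111111-2222-3333-4444-555555555555",
     "machineTags": ["finance", "laptop"], "lastIpAddress": "10.20.30.40",
     "lastExternalIpAddress": "203.0.113.7"},
    {"id": "machine-b", "computerDnsName": "kiosk-7.corp.example",
     "osPlatform": "Windows10", "isAadJoined": False, "aadDeviceId": None,
     "machineTags": []},
]}

if __name__ == "__main__":
    req = build_token_request("contoso.onmicrosoft.com", "client-id", "secret")
    print(req["url"], machines_url("eu.api.security.microsoft.com"))
    rows, unmatched = load_machines(SAMPLE_RESPONSE, "Defender EU",
                                    "eu.api.security.microsoft.com",
                                    "2024-03-03T02:00:00Z")
    print(len(rows), "mapped;", unmatched, "have no AAD Device ID")
```

The second sample device is the case to watch in a real load: a device that Defender sees but that is not AAD joined has no AAD Device ID, so it can never match an asset through the recommended sync key and would otherwise create an unmatched record on every run. If your fleet contains such devices, either exclude them with an integration filter or choose a sync key they all carry, such as the Microsoft Defender Device ID mapped to a custom field.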
Launching the integration
Your integration is in Draft mode until the required mandatory fields are added. When added, click Launch to activate your integration.
If you selected Cloud as the installation type when creating the integration, see Running an extended integration.
If you selected Local as the installation type when creating the integration, see Running an extended integration locally.
Viewing data ingested by Oomnitza
Viewing ingested asset data
For asset integrations, click Hardware. If the asset integration also ingests software data, click Software.
Viewing ingested user data
For user integrations, click People. If you chose the option to ingest User and SaaS user data, click Software > SaaS, click the SaaS app, and then click the Users tab.
Related Links
Unleash the power of Oomnitza
To get valuable actionable insights that help you manage your assets, learn how to:
- Configure dashboards for your users and software
- Configure custom reports about your users and software
- Create workflows to automate tasks
See Getting started for more information.