Using PowerShell to Retrieve Defender for Identity Health Issues with Microsoft Graph API

Introduction

In this blog post, we’ll explore the newly available API access for Microsoft Defender for Identity sensor issues. As of today, this API is available under the /beta endpoint of the Microsoft Graph API. This API allows you to programmatically retrieve health issues detected by Defender for Identity, providing detailed information that can enhance your security monitoring and response.

Permissions and API Endpoint

To access the Defender for Identity health issues API, you need the SecurityIdentitiesHealth.Read.All permission.

The full address for accessing the health issues is:

				
					https://graph.microsoft.com/beta/security/identities/healthIssues

Custom Workbook for Sentinel

Enhance your security monitoring with the custom Defender for Identity Workbook for Microsoft Sentinel Toolkit. This toolkit streamlines the integration and monitoring processes, significantly improving your security operations through automated alerts and comprehensive data visualization. Discover the full capabilities of this toolkit in our detailed guide, and optimize your security strategy today.

Prerequisites

The below function uses the Entra ID Service Principal for the Graph API connection.

Entra ID Application (Service Principal)
- This application will be used to authenticate with Microsoft Graph API.
Permissions
- The Entra ID app needs the following API permissions
  - SecurityIdentitiesHealth.Read.All
Microsoft Graph PowerShell Module

Important! There are different ways of connecting to the Microsoft Graph API, but for this post, we will be using a service principal.

Function to Fetch Health Issues

Here’s the PowerShell function to fetch Defender for Identity health issues using the Microsoft Graph API:

This section is reserved for our premium members only. Upgrade your membership to access this valuable content and unlock more benefits.

Script Output

After running the PowerShell function, the health issues will be retrieved. You can view the output through the GridView or simply through the PowerShell console.

Below is a Markmap representation and the JSON view of some sample issues.

JSON Output

This section is reserved for our premium members only. Upgrade your membership to access this valuable content and unlock more benefits.

Conclusion

In this post, we’ve explored how to use PowerShell to access the newly available Microsoft Graph API for Defender for Identity health issues. With the provided PowerShell function, you can automate the retrieval and handling of these issues, integrating them into your existing security workflows. As always, stay informed about any changes to the API, especially since it is currently in the /beta version.

Feel free to reach out with any questions or comments below!

Contact me

If you’re interested in learning about Using PowerShell to Retrieve Defender for Identity Health Issues with Microsoft Graph API. I can help you understand how this solution can benefit your organization and provide a customized solution tailored to your specific needs.