Connect Microsoft Defender for Endpoint to Capsule Security for automatic discovery of AI coding agents running across your fleet.
This integration uses the Microsoft Defender for Endpoint API to discover coding agents installed on your organization's endpoints. By querying device inventory, installed software, and advanced hunting data, Capsule identifies AI coding assistants — such as Cursor, GitHub Copilot, Claude Code, and others — across your managed devices.
Capsule connects via an approved Microsoft Entra ID application with read-only API permissions. No agents or software are installed on endpoints.
Before you begin, ensure you have:
- Microsoft Defender for Endpoint Plan 1 or Plan 2 enabled in your tenant
- Devices onboarded to Microsoft Defender for Endpoint
- A Microsoft Entra ID account with the Global Administrator or Application Administrator role (to grant admin consent)
- A Capsule Security account with admin access
- Log in to the Capsule Security portal
- Click Integrations in the left sidebar
- Find the Microsoft Defender for Endpoint card and click Set up Integration
- Click Connect with Microsoft
- You'll be redirected to Microsoft's sign-in page
Authorize the Capsule application to access your Microsoft Defender for Endpoint data.
- Sign in with your Microsoft Entra ID account that has the required administrator role (see Prerequisites)
- Review the permissions requested by the Capsule application
- Click Accept to grant admin consent for your organization
The Capsule application requests the following application-level permissions on the WindowsDefenderATP API. All permissions are read-only.
| Permission | Type | Description |
|---|---|---|
| AdvancedQuery.Read.All | Application | Run advanced queries |
| File.Read.All | Application | Read file profiles |
| Machine.Read.All | Application | Read all machine profiles |
| Score.Read.All | Application | Read Threat and Vulnerability Management score |
| SecurityBaselinesAssessment.Read.All | Application | Read all security baselines assessment information |
| SecurityConfiguration.Read.All | Application | Read all security configurations |
| Software.Read.All | Application | Read Threat and Vulnerability Management software information |
| Ti.Read.All | Application | Read all IOCs |
| Url.Read.All | Application | Read URL profiles |
| User.Read.All | Application | Read user profiles |
| Vulnerability.Read.All | Application | Read Threat and Vulnerability Management vulnerability information |
Admin consent must be granted by a Global Administrator or Application Administrator. Once granted, the permissions apply tenant-wide.
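To confirm after consent that the grant in your tenant matches the table above, the following added example (not Capsule's or Microsoft's code) compares the application's role assignments against the documented list. It assumes you have exported two Microsoft Graph objects as JSON: the `appRoles` of the WindowsDefenderATP service principal and the `appRoleAssignments` of the Capsule service principal. The sample data and GUIDs are constructed, and the ".Read." name check is a heuristic.

```python
import json

# Permissions this page documents for the WindowsDefenderATP API.
DOCUMENTED = {
    "AdvancedQuery.Read.All", "File.Read.All", "Machine.Read.All",
    "Score.Read.All", "SecurityBaselinesAssessment.Read.All",
    "SecurityConfiguration.Read.All", "Software.Read.All", "Ti.Read.All",
    "Url.Read.All", "User.Read.All", "Vulnerability.Read.All",
}

def audit_grants(app_roles, assignments, resource="WindowsDefenderATP"):
    """Resolve each appRoleId to its permission name and diff against DOCUMENTED."""
    id_to_value = {r["id"]: r["value"] for r in app_roles}
    granted, other_apis, unresolved = set(), set(), []
    for a in assignments:
        if a["resourceDisplayName"] != resource:
            other_apis.add(a["resourceDisplayName"])  # grant on a different API
            continue
        value = id_to_value.get(a["appRoleId"])
        if value is None:
            unresolved.append(a["appRoleId"])  # role ID not in the exported appRoles
        else:
            granted.add(value)
    return {
        "unexpected": sorted(granted - DOCUMENTED),
        # Heuristic (assumption): read-only permission names contain ".Read."
        "not_read_only": sorted(v for v in granted if ".Read." not in v),
        "missing": sorted(DOCUMENTED - granted),
        "other_apis": sorted(other_apis),
        "unresolved_ids": unresolved,
    }

# Constructed sample data; the GUIDs are placeholders, not real role IDs.
SAMPLE_APP_ROLES = [
    {"id": f"00000000-0000-0000-0000-{i:012d}", "value": name}
    for i, name in enumerate(sorted(DOCUMENTED) + ["Machine.Isolate"])
]

def sample_assignments():
    """Constructed drift case: one extra grant, one missing, one on another API."""
    ids = {r["value"]: r["id"] for r in SAMPLE_APP_ROLES}
    names = (DOCUMENTED - {"Url.Read.All"}) | {"Machine.Isolate"}
    rows = [{"appRoleId": ids[n], "resourceDisplayName": "WindowsDefenderATP"}
            for n in names]
    rows.append({"appRoleId": "ffffffff-0000-0000-0000-000000000000",
                 "resourceDisplayName": "Microsoft Graph"})
    return rows

if __name__ == "__main__":
    print(json.dumps(audit_grants(SAMPLE_APP_ROLES, sample_assignments()), indent=2))
```

Any entry under `unexpected`, `not_read_only` or `other_apis` is a grant that this page does not describe and is worth reviewing before relying on the read-only statement.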
After you grant consent, Capsule automatically begins discovering coding agents across your fleet.
- Capsule queries your Defender for Endpoint tenant for device and software inventory
- AI coding agents (Cursor, GitHub Copilot, Claude Code, and others) are identified from installed software data
- Advanced hunting queries detect agent activity and configurations
- Discovered agents are mapped to devices and users in your organization
No manual configuration is needed. Discovery runs on a recurring schedule to detect new installations and removals.
Once the integration is configured:
- Initial discovery begins automatically
- First sync may take several minutes depending on fleet size
- View discovered agents in Inventory > Agents
- View associated devices and users alongside each agent
Consent failed or permissions error
- Verify your account has the Global Administrator or Application Administrator role in Microsoft Entra ID
- Ensure your tenant has Microsoft Defender for Endpoint enabled
No agents discovered
- Confirm devices are onboarded to Microsoft Defender for Endpoint
- Verify that AI coding assistants are installed on managed devices
- Allow several minutes for the initial discovery to complete
Incomplete device coverage
- Check that all target devices are reporting to Defender for Endpoint
- Devices that haven't checked in recently may not appear in discovery results
For help with this integration:
- Email: support@capsule.security
- Include: Your organization ID, Entra tenant ID, and any error messages