{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":[]},"type":"markdown"},"seo":{"title":"Microsoft Defender for Endpoint Integration","description":"Control the power of AI Agents in runtime.","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"microsoft-defender-for-endpoint-integration","__idx":0},"children":["Microsoft Defender for Endpoint Integration"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Connect Microsoft Defender for Endpoint to Capsule Security for automatic discovery of AI coding agents running across your fleet."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"overview","__idx":1},"children":["Overview"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This integration uses the Microsoft Defender for Endpoint API to discover coding agents installed on your organization's endpoints. By querying device inventory, installed software, and advanced hunting data, Capsule identifies AI coding assistants — such as Cursor, GitHub Copilot, Claude Code, and others — across your managed devices."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Capsule connects via an approved Microsoft Entra ID application with read-only API permissions. 
No agents or software are installed on endpoints."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"prerequisites","__idx":2},"children":["Prerequisites"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Before you begin, ensure you have:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Microsoft Defender for Endpoint"]}," Plan 1 or Plan 2 enabled in your tenant (advanced hunting and the vulnerability-management software inventory are Plan 2 capabilities; confirm your plan exposes the data this integration queries)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Devices onboarded to Microsoft Defender for Endpoint"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["A ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Microsoft Entra ID"]}," account with ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Global Administrator"]}," or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Application Administrator"]}," role (to grant admin consent; Application Administrator is the less privileged of the two)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["A ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Capsule Security"]}," account with admin access"]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-1-configure-the-integration-in-capsule","__idx":3},"children":["Step 1: Configure the Integration in Capsule"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Log in to the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Capsule Security"]}," portal"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Integrations"]}," in the left sidebar"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Find the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Microsoft 
Defender for Endpoint"]}," card and click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Set up Integration"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Connect with Microsoft"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["You'll be redirected to Microsoft's sign-in page"]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-2-grant-admin-consent","__idx":4},"children":["Step 2: Grant Admin Consent"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Authorize the Capsule application to access your Microsoft Defender for Endpoint data."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"steps","__idx":5},"children":["Steps"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Sign in with your Microsoft Entra ID account that has the required administrator role (see Prerequisites)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Review the permissions requested by the Capsule application"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Accept"]}," to grant admin consent for your organization"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"permissions","__idx":6},"children":["Permissions"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The Capsule application requests the following ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["application-level"]}," permissions on the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["WindowsDefenderATP"]}," API. 
All permissions are read-only."]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Permission"},"children":["Permission"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Type"},"children":["Type"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["AdvancedQuery.Read.All"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Application"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Run advanced queries"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["File.Read.All"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Application"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Read file profiles"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Machine.Read.All"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Application"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Read all machine 
profiles"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Score.Read.All"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Application"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Read Threat and Vulnerability Management score"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["SecurityBaselinesAssessment.Read.All"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Application"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Read all security baselines assessment information"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["SecurityConfiguration.Read.All"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Application"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Read all security configurations"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Software.Read.All"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Application"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Read Threat and Vulnerability Management software information"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Ti.Read.All"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Application"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Read all 
IOCs"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Url.Read.All"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Application"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Read URL profiles"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["User.Read.All"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Application"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Read user profiles"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Vulnerability.Read.All"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Application"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Read Threat and Vulnerability Management vulnerability information"]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Admin consent must be granted by a Global Administrator or Application Administrator. 
Once granted, the permissions apply tenant-wide: as application permissions, they let Capsule read this data for every device in the tenant without a signed-in user, until an administrator revokes the consent in Microsoft Entra ID."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-3-automatic-discovery","__idx":7},"children":["Step 3: Automatic Discovery"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["After you grant consent, Capsule automatically begins discovering coding agents across your fleet."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"what-happens","__idx":8},"children":["What happens"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Capsule queries your Defender for Endpoint tenant for device and software inventory"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["AI coding agents (Cursor, GitHub Copilot, Claude Code, and others) are identified from installed software data"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Advanced hunting queries detect agent activity and configurations"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Discovered agents are mapped to devices and users in your organization"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["No manual configuration is needed. 
Discovery runs on a recurring schedule to detect new installations and removals."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"after-setup","__idx":9},"children":["After Setup"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Once the integration is configured:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Initial discovery begins automatically"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["First sync may take several minutes depending on fleet size"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["View discovered agents in ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Inventory > Agents"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["View associated devices and users alongside each agent"]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"troubleshooting","__idx":10},"children":["Troubleshooting"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"common-issues","__idx":11},"children":["Common Issues"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Consent failed or permissions error"]}]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Verify your account has ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Global Administrator"]}," or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Application Administrator"]}," role in Microsoft Entra ID"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Ensure your tenant has Microsoft Defender for Endpoint 
enabled"]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["No agents discovered"]}]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Confirm devices are onboarded to Microsoft Defender for Endpoint"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Verify that AI coding assistants are installed on managed devices"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Allow several minutes for the initial discovery to complete"]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Incomplete device coverage"]}]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Check that all target devices are reporting to Defender for Endpoint"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Devices that haven't checked in recently may not appear in discovery results"]}]}]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"support","__idx":12},"children":["Support"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For help with this integration:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Email"]},": support@capsule.security"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Include"]},": Your organization ID, Entra tenant ID, and any error 
messages"]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"references","__idx":13},"children":["References"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://learn.microsoft.com/en-us/defender-endpoint/api/apis-intro"},"children":["Microsoft Defender for Endpoint API"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent"},"children":["Microsoft Entra ID application permissions"]}]}]}]},"headings":[{"value":"Microsoft Defender for Endpoint Integration","id":"microsoft-defender-for-endpoint-integration","depth":1},{"value":"Overview","id":"overview","depth":2},{"value":"Prerequisites","id":"prerequisites","depth":2},{"value":"Step 1: Configure the Integration in Capsule","id":"step-1-configure-the-integration-in-capsule","depth":2},{"value":"Step 2: Grant Admin Consent","id":"step-2-grant-admin-consent","depth":2},{"value":"Steps","id":"steps","depth":3},{"value":"Permissions","id":"permissions","depth":3},{"value":"Step 3: Automatic Discovery","id":"step-3-automatic-discovery","depth":2},{"value":"What happens","id":"what-happens","depth":3},{"value":"After Setup","id":"after-setup","depth":2},{"value":"Troubleshooting","id":"troubleshooting","depth":2},{"value":"Common Issues","id":"common-issues","depth":3},{"value":"Support","id":"support","depth":2},{"value":"References","id":"references","depth":2}],"frontmatter":{"seo":{"title":"Microsoft Defender for Endpoint Integration"}},"lastModified":"2026-04-02T14:39:28.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/microsoft-defender","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}