1. Introduction
Microsoft Defender for Endpoint is Microsoft’s enterprise-grade security platform that helps organizations prevent, detect, investigate, and respond to advanced threats across their network. Endpoints can include anything from laptops, desktops, and mobile devices to routers, access points, and firewalls.
By integrating Microsoft Defender for Endpoint with Hyver, you enable seamless ingestion of host and cloud resource data, including assets and vulnerabilities discovered by Defender. Once inside Hyver, this data is evaluated in your unique business context—measured for exposure, tied to maturity levels, and prioritized for remediation—so you know exactly where to focus your efforts.
2. Prerequisites
Before setting up the integration, make sure you have:
A valid Microsoft Defender for Endpoint license
Hyver administrator permissions to add and manage the integration
Azure tenant credentials for authentication
Required IP Addresses
For the integration to work smoothly, you may need to allow traffic from Hyver’s servers in your firewall or network configuration. This ensures that Hyver can securely connect to your environment and perform scans without being blocked.
Depending on your region and the type of scan, add the following IP addresses:
General IPs:
Europe → 18.198.79.197
America → 52.1.10.176, 35.171.70.87
IPs for Azure and AWS Scans:
Europe → 18.158.77.90
America → 34.206.252.13
In most cases, you only need to add the IPs relevant to your region and use case.
Multi-Company Dashboard and Integrations
If your organization includes multiple subsidiaries, Hyver supports a Multi-Company structure for viewing and managing risk across business units.
Where supported, integrations should be created at the subsidiary level, using credentials relevant to each subsidiary’s data.
In some integrations (such as Azure), certain findings exist only at the tenant level — in these cases, a dedicated “parent” company may be needed to connect to the root tenant.
Findings stay within each subsidiary, while the parent company sees aggregated metrics.
In such a case, create a Hyver company per subsidiary, plus a Hyver company for the global (tenant-level) parent company to which all of these companies are connected.
For full details, see the Multi-Company Dashboard Guide.
Integration Process
Integrating Azure with Hyver follows a simple three-part flow. Understanding the framework upfront will make the step-by-step setup much easier:
Provide tenant details
Begin by entering your integration name and the Azure tenant ID (available in your Azure portal).
Choose an authentication method:
OAuth Authentication - This is a tenant-level integration that gives the Hyver instance access to the entire Azure tenant, allowing it to scan tenant-level items such as users and access privileges. Findings related to these items are only available through tenant-level (OAuth) authentication.
Client ID and Secret Authentication - This type of authentication allows more flexibility and is more useful when you have different business units configured as subscriptions on your Azure tenant, and you want to manage findings for each business unit on a separate Hyver account.
With this method, findings are limited to subscription-level findings. Tenant-level findings are excluded from the scan.
If you are hosting multiple business units on the same Azure tenant, you might consider creating:
A cross business unit Hyver company that authenticates to the entire tenant through OAuth.
Company accounts per business unit, that authenticate through Client ID and Secret, mimicking your business structure using the Hyver Multi Company setup.
For additional guidance on integrating Hyver with Azure, you may reach out to your TCSM or Hyver support.
Permissions and Role Assignment
When you install the Azure application for this integration, it comes with a predefined set of permissions.
Updated list starting from November 09, 2025:
SecurityEvents.Read.All
SecurityAlert.Read.All
User.Read.All
ThreatIndicators.Read.All
ThreatHunting.Read.All
List relevant until November 08, 2025:
Policy.Read.ConditionalAccess
AppCatalog.Read.All
CustomSecAttributeDefinition.Read.All
ExternalConnection.Read.All
ServicePrincipalEndpoint.Read.All
CloudPC.Read.All
DeviceManagementManagedDevices.Read.All
Device.Read.All
DelegatedAdminRelationship.Read.All
UserAuthenticationMethod.Read.All
Policy.Read.PermissionGrant
SharePointTenantSettings.Read.All
SecurityEvents.Read.All
IdentityRiskyServicePrincipal.Read.All
PrivilegedAccess.Read.AzureAD
RoleManagement.Read.Directory
SecurityAlert.Read.All
Group.Read.All
AdministrativeUnit.Read.All
MailboxSettings.Read
CrossTenantInformation.ReadBasic.All
Sites.Read.All
DeviceManagementServiceConfig.Read.All
DirectoryRecommendations.Read.All
EntitlementManagement.Read.All
IdentityUserFlow.Read.All
Directory.Read.All
ConsentRequest.Read.All
RoleManagement.Read.All
PrivilegedAccess.Read.AzureResources
User.Read.All
Domain.Read.All
SecurityIncident.Read.All
GroupMember.Read.All
DeviceManagementRBAC.Read.All
RoleManagement.Read.CloudPC
CustomSecAttributeAssignment.Read.All
DeviceManagementConfiguration.Read.All
APIConnectors.Read.All
ExternalItem.Read.All
SecurityActions.Read.All
ThreatAssessment.Read.All
IdentityProvider.Read.All
IdentityRiskyUser.Read.All
AccessReview.Read.All
PrivilegedAccess.Read.AzureADGroup
InformationProtectionPolicy.Read.All
Organization.Read.All
IdentityRiskEvent.Read.All
AuditLog.Read.All
Policy.Read.All
Member.Read.Hidden
Application.Read.All
ProgramControl.Read.All
DeviceManagementApps.Read.All
ThreatIndicators.Read.All
Reports.Read.All
ThreatHunting.Read.All
Microsoft Threat Protection
AdvancedHunting.Read.All
Policy.Read.All
Directory.Read.All
Application.Read.All
Member.Read.Hidden
3. Configuring on the Defender for Endpoint Side
Setting up the integration is a straightforward process. In short, you’ll grant Hyver the right permissions and run a PowerShell script to assign roles. Let’s walk through the steps together:
Open the integration page
In Hyver, click the gear icon at the top left to access Settings.
Go to the Integrations and Workflows tab.
Scroll down and select the Defender for Endpoint card.
Click Add:
Enter connection details
Provide your Azure tenant ID (required).
Enter a name for the integration.
4. Configuring in Hyver
Authenticate and save
Enter the Integration Name and Microsoft Azure Tenant ID:
In case of OAuth Authentication - Check the required steps needed and click Authenticate to Microsoft:
Select a Microsoft account (must be an Azure admin account):
Click "Accept" to grant the application access to the specified resources.
The app name is defined by Hyver (for example, Cloud-Test), though it may vary.
Note: The screenshot below is only an example of what the permissions screen looks like. In practice, you’ll see a longer list of permissions when setting up the integration. For the full list, scroll up to the “Azure Application Permissions” section.
Upon successful authentication, you will see confirmation:
In case of Client ID and Secret Authentication, fill in the Client and Secret for the relevant Azure subscription and click 'Validate'.
After the connection is validated, you can save it by clicking the 'Save' button at the bottom right of the page.
A full guide to the Azure configuration details that support authentication can be found here.
To complete the setup, you’ll run a PowerShell script that assigns roles. This script tells Hyver which roles are available within the integration.
Running the PowerShell Script
Sign in to Azure
Log in to your Azure portal as an administrator at portal.azure.com.
Open Cloud Shell
Launch a Cloud Shell session with permissions to manage the Azure account.
If this is your first time, you’ll be prompted to create a storage account and select a subscription. This step is required in order to open the terminal.
Copy and run the script
Copy the provided PowerShell script:
# Custom read-only role that is created and assigned to the CYE app
$roleName = "CYE Defender for Endpoint Reader"
$roleDescription = "Allows CYE to view resources within the Azure Tenant."
$actions = @(
    "*/read",
    "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action"
)
# ID of the CYE app that receives the role
$appId = "55acf5ed-cc88-4d70-96f3-dbff93013913"

# The root management group is named after the tenant ID
$mgList = az account management-group list --query "[].id" -o tsv
$rootMgName = az account show --query tenantId -o tsv

if ($mgList) {
    # Management groups exist: define and assign the role once at the root management group
    $rootMgId = az account management-group show --name $rootMgName --query "id" -o tsv
    if ($rootMgId) {
        # Create the role definition JSON
        $roleDefinition = @{
            "Name"             = $roleName
            "Description"      = $roleDescription
            "Actions"          = $actions
            "AssignableScopes" = @($rootMgId)
        }
        $roleDefinitionJson = $roleDefinition | ConvertTo-Json -Depth 5
        az role definition create --role-definition $roleDefinitionJson
        az role assignment create --role $roleName --assignee $appId --scope $rootMgId
    }
} else {
    # No management groups: define and assign a separate role for each subscription
    $subs = az account list --query "[?name!='N/A(tenant level account)'].id" -o tsv
    if ($subs) {
        foreach ($subId in $subs) {
            $roleDefinition = @{
                "Name"             = "$roleName $subId"
                "Description"      = $roleDescription
                "Actions"          = $actions
                "AssignableScopes" = @("/subscriptions/$subId")
            }
            $roleDefinitionJson = $roleDefinition | ConvertTo-Json -Depth 5
            az role definition create --role-definition $roleDefinitionJson
            az role assignment create --role "$roleName $subId" --assignee $appId --scope "/subscriptions/$subId"
        }
    }
}
Run the script in Cloud Shell.
What the Script Does
When executed, the script will:
Query all subscriptions under the parent management group.
Grant read access to the CYE app for each subscription.
Automatically include newly added subscriptions.
Important: If you are not using management groups, you’ll need to run the script separately for each new subscription.
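To confirm what the script actually granted, the following added example (not part of the vendor's script) lists the role assignments held by the app ID above and flags any action beyond the two the script defines. It assumes the same signed-in Cloud Shell session; the output column names are chosen here for illustration.

```powershell
# Added audit example, not part of the vendor-provided script.
# Values below are copied from the setup script on this page.
$appId    = "55acf5ed-cc88-4d70-96f3-dbff93013913"
$roleName = "CYE Defender for Endpoint Reader"
$expected = @(
    "*/read",
    "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action"
)

# Role assignments for the app that the CLI can see from the current subscription.
$assignments = az role assignment list --assignee $appId --all -o json | ConvertFrom-Json

if (-not $assignments) {
    Write-Warning "No role assignments found for $appId in the current subscription context."
}

$report = foreach ($a in $assignments) {
    # Resolve the role definition behind each assignment at the scope where it applies.
    $defs = az role definition list --name $a.roleDefinitionName --scope $a.scope -o json |
        ConvertFrom-Json
    $def = @($defs)[0]

    # Collect control-plane and data-plane actions granted by the role.
    $actions     = @($def.permissions | ForEach-Object { $_.actions })
    $dataActions = @($def.permissions | ForEach-Object { $_.dataActions })

    # Anything outside the two actions in the setup script deserves a closer look.
    $extra = @($actions | Where-Object { $_ -notin $expected })

    [pscustomobject]@{
        Role              = $a.roleDefinitionName
        Scope             = $a.scope
        CreatedByScript   = $a.roleDefinitionName -like "$roleName*"
        UnexpectedActions = ($extra -join ", ")
        DataActions       = ($dataActions -join ", ")
    }
}

# A clean result has only script-created roles, with the last two columns empty.
$report | Format-Table -AutoSize -Wrap
```

If you are not using management groups, repeat the check after switching to each subscription with az account set.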
Final Step
Once the script has run successfully, click Save to finalize the integration. Then, verify that the integration is active.
5. Viewing Results
Viewing Findings from Defender for Endpoint
That’s it — you’ve successfully installed the integration.
Now let’s look at the findings that Microsoft Defender for Endpoint brings into Hyver.
How to Search for Findings
Go to the Findings page in Hyver.
Use the Findings filter to search by source.
The Source field shows which integration each finding originated from (e.g., Defender for Endpoint).
You can also combine filters — for example, select Defender for Endpoint as the source and add a creation date filter to narrow the results.
In the example below, we’ve filtered the findings list by source to show only those from Defender for Endpoint:
Collected Endpoints
What are collected endpoints?
Collected endpoints are the specific data sources that Hyver pulls from an external platform through an integration. They represent the types of information available for analysis in Hyver, such as system activity, device details, or vulnerability records.
Collected endpoints for Microsoft Defender for Endpoint
With this integration, Hyver collects the following endpoints:
Port usage – Tracks which network ports are being used on devices.
SharePoint processes – Monitors activity within Microsoft SharePoint.
Software events – Captures logs of software-related actions or changes.
Software evidence – Provides supporting data about installed or executed software.
Software network events – Records how software communicates across the network.
Machines – Lists devices managed by Defender for Endpoint.
Sessions – Shows user login sessions on endpoints.
SMB events – Monitors file-sharing activity over the SMB protocol.
Weblook server events – Collects logs from web servers (e.g., traffic or activity).
Web server info – Provides details about web server configuration and status.
Latest login – Identifies the most recent user login per device.
IP info – Captures IP address details for endpoints.
Internet-facing interfaces – Lists device interfaces exposed to the internet.
All connections – Maps all network connections observed on endpoints.
Vulnerabilities – Reports known security vulnerabilities found on devices.
These collected endpoints feed into Hyver’s analysis, enabling more accurate assessment of exposure, remediation priorities, and business impact.
6. Types of Fetched Entities
Types of Findings from Defender for Endpoint
When Defender for Endpoint scans are ingested into Hyver, you may see findings such as:
Devices excluded from Defender for Endpoint
Some devices are connected to the network but excluded from Defender, which means their data does not appear in vulnerability management pages or reports.
Devices not part of a device group
Certain devices are not assigned to any group within Microsoft Defender for Endpoint, leaving them without centralized management or consistent security configuration.
Devices not onboarded with Defender
Eligible devices on the network have not yet been onboarded with Defender, reducing visibility and protection.
Microsoft Defender sensors malfunctioning
Some endpoints have misconfigured Defender sensors, which may result in events not being reported properly.
7. Deleting the Integration
Once the integration is set up, you can easily update or remove it at any time.
Deleting the Integration
Click Delete Integration.
Confirm that you want to remove it.
When deleting the integration, please note: In addition to removing it from Hyver, you'll also need to delete it from the cloud side. To do this, go to the Enterprise Applications section in your cloud environment, search for "Hyver", find the relevant Hyver entry, and delete it there as well.
What Happens When You Delete an Integration
The connection is terminated immediately.
No new data from that integration will be ingested or processed.
Existing data that was already pulled into Hyver remains available.
Editing the Integration
Click Edit Integration.
Make the necessary changes.
Click Save to apply your updates.
Wrap-up
In this guide, we walked through the full process of integrating Microsoft Defender for Endpoint with Hyver — from prerequisites and setup, to role assignment, to viewing and managing findings. We also covered how to edit or delete the integration. With this connection in place, Defender data flows directly into Hyver, where it’s assessed for exposure, maturity, and remediation priority, giving you clear visibility and actionable insights for strengthening endpoint security.











