This module is for interacting with the Defender for Endpoint Graph API using delegated permissions. The primary goal of this project was to create a cross-platform module that works on Windows, macOS, and Linux. To keep it simple for cross-platform use, authentication uses the device code flow from the Microsoft Authentication Library (MSAL).
Install the published module with:

```powershell
Install-Module -Name "mdatp-pwsh"
```

To build the module from source you need:

- .NET Core 3.0 SDK

Build steps:

- Launch a PowerShell prompt.
- Set the current directory to the project directory.
- Run `./BuildModule.ps1` in that directory.
- The module is then built in the `mdatp-pwsh` folder. Copy that folder to your PowerShell modules folder.
Before the module can authenticate, register a public client application in Azure AD:

- Log into your Azure AD portal and navigate to App Registrations.
- Click on New registration.
- On the Register an application page:
  - Name the app whatever you want to name it.
  - Leave the Supported account types as Accounts in this organizational directory only (Your Tenant Name only - Single tenant).
  - Set Platform configuration (Optional) to Client Application (Web, iOS, Android, Desktop+Devices).
  - Click Register when finished.
- When redirected to the app's page, navigate to the Authentication page for the app.
  - Click Add a platform.
  - Choose Mobile and desktop applications.
  - Add the suggested redirect URI `https://login.microsoftonline.com/common/oauth2/nativeclient`.
  - Click Configure.
- Under Advanced settings, change the option for Treat application as a public client to Yes.
- Click Save at the top of the page.
- On the left side, click on API permissions.
- Click on Add a permission and then click on the APIs my organization uses tab.
- Search for `WindowsDefenderAtp` and choose the first option.
- Click on Delegated permissions and then choose the following:
  - AdvancedQuery.Read
  - Alert.Read
  - Alert.ReadWrite
  - File.Read.All
  - Ip.Read.All
  - Machine.Isolate
  - Machine.Read
  - Machine.ReadWrite
  - Machine.RestrictExecution
  - Machine.Scan
  - Machine.ScanAndQuarantine
  - Score.Read
  - SecurityConfiguration.Read
  - SecurityRecommendation.Read
  - Software.Read
  - Ti.ReadWrite
  - Url.Read.All
  - User.Read.All
  - Vulnerability.Read
- Click the Add permissions button.
- Scroll to the bottom of the screen and click on the Grant admin consent for Your Tenant Name button. Click on Yes when prompted.
- Click on the Overview link on the left side of the app page and note the following for later:
  - Application (client) ID
  - Directory (tenant) ID
After importing the `mdatp-pwsh` module, run the following command:

```powershell
Set-DatpModuleConfig -PublicClientAppId "95155854-bb54-4533-a3e0-14af326e997f" -TenantId "5b6a210c-711e-476a-a99c-2460df178748"
```

- `-PublicClientAppId` is the app registration's Application (client) ID.
- `-TenantId` is your Azure AD's Directory (tenant) ID.

* The module config is saved to the user profile directory under `.mdatp-pwsh`.
To connect to Microsoft Graph, run the cmdlet:

```powershell
Connect-DatpGraph
```

This starts the device code flow and prints a code you must enter on the Microsoft device logon page in a web browser. After you authenticate, the authentication token is returned to the prompt.

* The authentication token is saved to the current session, so there's no need to save the return value to a variable.
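To show what `Connect-DatpGraph` is doing under the hood, here is the MSAL device code flow driven directly from PowerShell. This is an added example, not code from the mdatp-pwsh project. It assumes `Microsoft.Identity.Client.dll` is available on disk at `$MsalPath` (for example, extracted from the Microsoft.Identity.Client NuGet package), and that the scope strings below are the right way to name the delegated permissions granted on the app registration; both are assumptions, not something the module documents.

```powershell
# Added example (not part of mdatp-pwsh): MSAL device code flow from PowerShell.
# Assumptions: $MsalPath points at Microsoft.Identity.Client.dll, and the scope
# URIs match the Defender for Endpoint API audience used by the app registration.
param(
    [Parameter(Mandatory)] [string] $ClientId,   # Application (client) ID from the portal
    [Parameter(Mandatory)] [string] $TenantId,   # Directory (tenant) ID from the portal
    [string] $MsalPath = "$HOME/.mdatp-pwsh/Microsoft.Identity.Client.dll"  # assumed location
)

Add-Type -Path $MsalPath

# Ask only for the delegated scopes this session needs (least privilege).
# The resource URI is an assumption about the Defender for Endpoint API audience.
$scopes = [string[]] @(
    'https://api.securitycenter.microsoft.com/Alert.Read',
    'https://api.securitycenter.microsoft.com/Machine.Read'
)

# Public client: no client secret, same redirect URI as configured in the portal.
$builder = [Microsoft.Identity.Client.PublicClientApplicationBuilder]::Create($ClientId)
$builder = $builder.WithTenantId($TenantId)
$builder = $builder.WithRedirectUri('https://login.microsoftonline.com/common/oauth2/nativeclient')
$app = $builder.Build()

# MSAL invokes this delegate once with the user code and verification URL to display.
$showCode = [Func[Microsoft.Identity.Client.DeviceCodeResult, System.Threading.Tasks.Task]] {
    param($deviceCode)
    Write-Host $deviceCode.Message
    return [System.Threading.Tasks.Task]::CompletedTask
}

# Blocks until the user completes sign-in in the browser (or the code expires).
$result = $app.AcquireTokenWithDeviceCode($scopes, $showCode).ExecuteAsync().GetAwaiter().GetResult()

# Keep the bearer token in memory for this session only; do not write it to disk or logs.
$script:DatpAccessToken = $result.AccessToken
"Signed in as $($result.Account.Username); token expires $($result.ExpiresOn.ToLocalTime())"
"Granted scopes: $($result.Scopes -join ', ')"
```

Run it as `./DeviceCodeFlow.ps1 -ClientId <app id> -TenantId <tenant id>`. Printing `$result.Scopes` is a useful check that the admin consent step worked: if a scope you requested is missing from the granted list, the permission was not consented on the app registration.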
The module provides the following cmdlets:

- `Connect-DatpGraph`
- `Get-DatpSessionClient`
- `Set-DatpModuleConfig`
- `Get-DatpAlert`
- `Update-DatpAlert`
- `Get-DatpDomainStats`
- `Get-DatpDomainRelated`
- `Get-DatpFile`
- `Get-DatpFileAlerts`
- `Get-DatpFileMachines`
- `Get-DatpFileStats`
- `Add-DatpMachineTag`
- `Get-DatpMachine`
- `Get-DatpMachineAction`
- `Get-DatpMachineAlerts`
- `Get-DatpMachineUsers`
- `Out-DatpInvestigationPkg`
- `Remove-DatpMachineTag`
- `Set-DatpMachineIsolation`
- `Start-DatpMachineScan`
- `Start-DatpInvestigationPkgCollection`
- `Get-DatpUserAlerts`
- `Get-DatpUserMachines`
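As an added example of a read-only triage pass built on the cmdlets above (not code from the mdatp-pwsh project): it connects, pulls alerts, and summarises the open high and medium ones per machine. It assumes `Set-DatpModuleConfig` has already been run, that `Get-DatpAlert` with no arguments returns alert objects whose properties follow the Defender for Endpoint alerts API (`severity`, `status`, `title`, `machineId`, `alertCreationTime`), and that `$ReportPath` is an acceptable place to write the CSV; those property names and the path are assumptions.

```powershell
# Added example (not part of mdatp-pwsh): read-only alert triage with the module.
# Assumptions: module config already saved; Get-DatpAlert returns objects with the
# Defender for Endpoint alert properties named below; $ReportPath is writable.
param(
    [string] $ReportPath = "$HOME/.mdatp-pwsh/alert-triage.csv",  # assumed output location
    [int] $Days = 7
)

Import-Module mdatp-pwsh
Connect-DatpGraph   # device code prompt; the token stays in the session

$alerts = Get-DatpAlert
$cutoff = (Get-Date).AddDays(-$Days)

# Keep unresolved high/medium alerts created within the window, newest first.
$open = $alerts |
    Where-Object { $_.status -ne 'Resolved' -and $_.severity -in @('High', 'Medium') } |
    Where-Object { [datetime]$_.alertCreationTime -ge $cutoff } |
    Sort-Object { [datetime]$_.alertCreationTime } -Descending

# Machines with the most open alerts surface first for analyst attention.
$perMachine = $open | Group-Object machineId | Sort-Object Count -Descending
$perMachine | Select-Object @{ n = 'machineId'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Persist a compact record of what was reviewed; no tokens or secrets are written.
$open |
    Select-Object alertCreationTime, severity, status, title, machineId |
    Export-Csv -Path $ReportPath -NoTypeInformation

'{0} open high/medium alerts across {1} machines written to {2}' -f @($open).Count, @($perMachine).Count, $ReportPath
```

The script only reads alert data, so it needs nothing beyond the `Alert.Read` delegated permission from the registration steps above; response actions such as `Set-DatpMachineIsolation` are deliberately left out of an automated triage pass so that a human reviews the summary before anything is changed on a device.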