March 31, 2023
Microsoft Security

Microsoft 365 Defender: Microsoft Graph security API


This demo explains how Microsoft 365 Defender APIs are moving to the Microsoft Graph Security API, and how you can use Graph to automate workflows and integrate your own apps with Microsoft 365 Defender. It breaks down the mechanics: an app authenticates to Azure AD (the Microsoft identity platform) with OAuth 2.0, receives an access token scoped to Microsoft Graph, presents that token as a Bearer header on REST calls, and exchanges data as JSON. The walkthrough shows registering an app in Azure AD (App registrations) and choosing between delegated permissions (the app acts on behalf of a signed-in user) and application permissions (a daemon or background service with no user present). It applies least privilege by granting only the permission the script needs, "Read all incidents" (SecurityIncident.Read.All), and covers the critical step of granting admin consent, which application permissions always require before a token carrying them can be issued. It then creates a client secret, records the application (client) ID and directory (tenant) ID, and uses a PowerShell example to query incidents updated in the last 48 hours through the Graph endpoint security/incidents, with a note on API versioning (v1.0 for production use, beta for prerelease features that can change without notice). Finally, it submits the request with the required headers, parses the JSON response, and exports the incident results to a uniquely named JSON file. Two practical cautions the pattern implies: a client secret is a credential and belongs in a vault or environment variable rather than in the script, and it expires, so schedule rotation; and Graph pages large result sets, so a production script should follow @odata.nextLink rather than assume the first response is complete.
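The following script is an added example of the pattern the demo describes; it is not the script shown in the video and not Microsoft's code. It acquires a token with the client-credentials flow, queries security/incidents updated in the last 48 hours, follows paging, and writes a uniquely named JSON file. It assumes an app registration with the SecurityIncident.Read.All application permission and admin consent already granted, and it reads the tenant ID, client ID and secret from environment variables (GRAPH_TENANT_ID, GRAPH_CLIENT_ID, GRAPH_CLIENT_SECRET, names chosen here) so no credential is embedded in the file.

```powershell
# Added example, not the video's script. Assumes an Azure AD app registration with the
# application permission SecurityIncident.Read.All and admin consent granted.
# The three environment variable names below are this example's own choice.
$TenantId     = $env:GRAPH_TENANT_ID
$ClientId     = $env:GRAPH_CLIENT_ID
$ClientSecret = $env:GRAPH_CLIENT_SECRET
if (-not ($TenantId -and $ClientId -and $ClientSecret)) {
    throw "Set GRAPH_TENANT_ID, GRAPH_CLIENT_ID and GRAPH_CLIENT_SECRET before running."
}

# 1. Client-credentials token request. The .default scope asks for every application
#    permission that has been consented to for this app (here, just incident read).
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }

$headers = @{
    Authorization = "Bearer $($tokenResponse.access_token)"
    Accept        = 'application/json'
}

# 2. Build the query. Graph $filter expects an ISO 8601 UTC timestamp.
$since  = (Get-Date).ToUniversalTime().AddHours(-48).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = [uri]::EscapeDataString("lastUpdateDateTime gt $since")
$uri    = "https://graph.microsoft.com/v1.0/security/incidents?`$filter=$filter&`$top=50"

# 3. Follow @odata.nextLink until the service returns the last page.
$incidents = @()
while ($uri) {
    $page       = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $incidents += $page.value
    $uri        = $page.'@odata.nextLink'
}

# 4. Export to a uniquely named file: UTC timestamp plus a short random suffix.
$stamp   = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$suffix  = [guid]::NewGuid().ToString('N').Substring(0, 8)
$outFile = "incidents-$stamp-$suffix.json"
$incidents | ConvertTo-Json -Depth 10 | Set-Content -Path $outFile -Encoding utf8
Write-Host "Wrote $($incidents.Count) incident(s) to $outFile"
```

Run it from a shell where the three variables are set; the token request fails with an AADSTS error if admin consent is missing or the secret has expired, and the Graph call returns 403 if the app holds a permission other than the one the endpoint needs, which is the quickest way to confirm that least privilege is actually in place. For anything beyond a demo, replace the client secret with a certificate credential or a managed identity so there is no long-lived secret to leak.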

We produced this as a clean, developer-friendly demo built to remove friction from a workflow that’s usually…let’s call it “documentation-adjacent.” In preproduction we mapped the exact setup and the minimum set of steps that actually matter (permissions, consent, secret, IDs), then in production we captured crisp screens and recorded pro voiceover that keeps the pace steady without skipping the gotchas. In post, we shaped it into a tight, follow-along walkthrough—so viewers can implement the integration quickly, avoid common missteps, and walk away with a repeatable pattern they can expand beyond “read incidents” into real automation. Final delivery includes closed captions, audio description, and thumbnails.
