Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now! Learn more

Reply
NMerino
New Member

Defender API data not populating in PowerBI

‎04-28-2025 02:15 PM

Hello,

 

My team is trying to create a PowerBI dashboard utilizing microsoft defender incident data (security.microsoft.com) .

 

We created an API connection through the OData feed source:  OData.Feed("https://api.security.microsoft.com/api/incidents", null, [Implementation="2.0"])

 

Most of the incidents I see on the defender portal are ingested into PowerBI, however, it is missing insidents from the Insider Risk Management source, and I am only able to see DLP incidents for some reason. We have tried numerous troubleshootings with no success, any help would be appreciated.

 

Below I have attached screenshots of what the power BI raw data that we're getting from defender looks like vs what the microsoft defender protal is showing.

 

Defender Portal:

DefenderPortal.png

 

PowerBI Source Data:

PowerBI Data.png

 

Message 1 of 5
655 Views
0
1 ACCEPTED SOLUTION
Anonymous
Not applicable

‎05-02-2025 05:12 AM

Hi @NMerino
Thank you for reaching out microsoft fabric community forum.

  • The Microsoft Defender API (https://api.security.microsoft.com/api/incidents) does not include Insider Risk Management (IRM) incidents.
  • IRM incidents are managed under Microsoft Purview and are separated due to privacy and compliance boundaries.
  • DLP incidents appear because they are shared between Microsoft Defender and Microsoft Purview.
  • To access IRM data, you need to use Microsoft Graph API under the Purview (compliance) umbrella, such as https://graph.microsoft.com/beta/security/insiderRiskCases.
  • Microsoft Graph API access requires appropriate Azure AD app registration and permissions like InsiderRiskManagement.Read.All.
  • Manual export from the Insider Risk Management portal (CSV) can be used as a workaround if API access isn't feasible.
  • Accessing IRM data requires Microsoft 365 E5 Compliance or E5 Security licensing.
  • The user accessing the data must have roles such as Insider Risk Management Admin or Compliance Admin.
  • Document this limitation in your Power BI dashboard so stakeholders are aware that IRM incidents are excluded due to API constraints.
  • Use a custom connector or a Graph API query to bring IRM data into Power BI if automation is required

If this solution helps, please consider giving us Kudos and accepting it as the solution so that it may assist other members in the community
Thank you.

 

View solution in original post

Message 2 of 5
562 Views
0
4 REPLIES 4
Anonymous
Not applicable

‎05-13-2025 05:24 AM

Hi @NMerino 

I hope this information is helpful. Please let me know if you have any further questions or if you'd like to discuss this further. If this answers your question, please Accept it as a solution and give it a 'Kudos' so others can find it easily.
Thank you.

 

Message 5 of 5
499 Views
0
Anonymous
Not applicable

‎05-09-2025 02:42 AM

Hi @NMerino 
I wanted to check if you had the opportunity to review the information provided. Please feel free to contact us if you have any further questions. If my response has addressed your query, please accept it as a solution and give a 'Kudos' so other members can easily find it.
Thank you.

Message 4 of 5
520 Views
0
Anonymous
Not applicable

‎05-04-2025 11:28 PM

Hi @NMerino 

May I ask if you have resolved this issue? If so, please mark the helpful reply and accept it as the solution. This will be helpful for other community members who have similar problems to solve it faster.

Thank you.

Message 3 of 5
546 Views
0
Anonymous
Not applicable

‎05-02-2025 05:12 AM

Hi @NMerino
Thank you for reaching out microsoft fabric community forum.

  • The Microsoft Defender API (https://api.security.microsoft.com/api/incidents) does not include Insider Risk Management (IRM) incidents.
  • IRM incidents are managed under Microsoft Purview and are separated due to privacy and compliance boundaries.
  • DLP incidents appear because they are shared between Microsoft Defender and Microsoft Purview.
  • To access IRM data, you need to use Microsoft Graph API under the Purview (compliance) umbrella, such as https://graph.microsoft.com/beta/security/insiderRiskCases.
  • Microsoft Graph API access requires appropriate Azure AD app registration and permissions like InsiderRiskManagement.Read.All.
  • Manual export from the Insider Risk Management portal (CSV) can be used as a workaround if API access isn't feasible.
  • Accessing IRM data requires Microsoft 365 E5 Compliance or E5 Security licensing.
  • The user accessing the data must have roles such as Insider Risk Management Admin or Compliance Admin.
  • Document this limitation in your Power BI dashboard so stakeholders are aware that IRM incidents are excluded due to API constraints.
  • Use a custom connector or a Graph API query to bring IRM data into Power BI if automation is required

If this solution helps, please consider giving us Kudos and accepting it as the solution so that it may assist other members in the community
Thank you.

 

Message 2 of 5
563 Views
0

Helpful resources

Announcements
Power BI DataViz World Championships

Power BI Dataviz World Championships

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now!

December 2025 Power BI Update Carousel

Power BI Monthly Update - December 2025

Check out the December 2025 Power BI Holiday Recap!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All