NMerino
New Member

Defender API data not populating in PowerBI

Hello,

 

My team is trying to create a PowerBI dashboard utilizing Microsoft Defender incident data (security.microsoft.com).

 

We created an API connection through the OData feed source:  OData.Feed("https://api.security.microsoft.com/api/incidents", null, [Implementation="2.0"])

 

Most of the incidents I see on the Defender portal are ingested into PowerBI; however, it is missing incidents from the Insider Risk Management source, and I am only able to see DLP incidents for some reason. We have tried numerous troubleshooting steps with no success; any help would be appreciated.

 

Below I have attached screenshots of what the PowerBI raw data that we're getting from Defender looks like vs. what the Microsoft Defender portal is showing.

 

Defender Portal:

DefenderPortal.png

 

PowerBI Source Data:

PowerBI Data.png

 

1 ACCEPTED SOLUTION
Anonymous
Not applicable

Hi @NMerino
Thank you for reaching out to the Microsoft Fabric community forum.

  • The Microsoft Defender API (https://api.security.microsoft.com/api/incidents) does not include Insider Risk Management (IRM) incidents.
  • IRM incidents are managed under Microsoft Purview and are separated due to privacy and compliance boundaries.
  • DLP incidents appear because they are shared between Microsoft Defender and Microsoft Purview.
  • To access IRM data, you need to use Microsoft Graph API under the Purview (compliance) umbrella, such as https://graph.microsoft.com/beta/security/insiderRiskCases.
  • Microsoft Graph API access requires appropriate Azure AD app registration and permissions like InsiderRiskManagement.Read.All.
  • Manual export from the Insider Risk Management portal (CSV) can be used as a workaround if API access isn't feasible.
  • Accessing IRM data requires Microsoft 365 E5 Compliance or E5 Security licensing.
  • The user accessing the data must have roles such as Insider Risk Management Admin or Compliance Admin.
  • Document this limitation in your Power BI dashboard so stakeholders are aware that IRM incidents are excluded due to API constraints.
  • Use a custom connector or a Graph API query to bring IRM data into Power BI if automation is required.

If this solution helps, please consider giving us Kudos and accepting it as the solution so that it may assist other members in the community.
Thank you.
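
A reconciliation check for the gap discussed in this thread, added here as an example and not code from the original posts: it compares a portal incident export with the API feed and separates sources that never reach the feed (as reported above for Insider Risk Management) from sources that are only partly missing. The CSV column names, source labels and sample records are constructed assumptions.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed sample of the incidents feed (only the fields used here).
API_JSON = """{"value": [
  {"incidentId": 101, "incidentName": "DLP policy match on SharePoint"},
  {"incidentId": 102, "incidentName": "Suspicious script on endpoint"}
]}"""

# Constructed portal export; column names and source labels are assumptions.
PORTAL_CSV = """Incident Id,Incident name,Service sources
101,DLP policy match on SharePoint,Microsoft Data Loss Prevention
102,Suspicious script on endpoint,Microsoft Defender for Endpoint
103,Data leak by departing user,Microsoft Purview Insider Risk Management
104,Unusual file downloads,Microsoft Purview Insider Risk Management
105,Malware detected on laptop,Microsoft Defender for Endpoint
"""

def source_coverage(portal_csv, api_json):
    """Per service source: (portal incidents, incidents missing from the feed)."""
    in_feed = {int(i["incidentId"]) for i in json.loads(api_json).get("value", [])}
    stats = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(portal_csv)):
        absent = int(row["Incident Id"]) not in in_feed
        # Assumption: a multi-source cell separates its sources with ';'.
        for src in row["Service sources"].split(";"):
            entry = stats[src.strip() or "(unknown)"]
            entry[0] += 1
            entry[1] += absent
    return {src: tuple(counts) for src, counts in stats.items()}

def classify_gaps(coverage):
    """Excluded: every incident of the source is missing. Partial: only some are."""
    excluded = sorted(s for s, (total, miss) in coverage.items() if miss == total)
    partial = sorted(s for s, (total, miss) in coverage.items() if 0 < miss < total)
    return excluded, partial

if __name__ == "__main__":
    excluded, partial = classify_gaps(source_coverage(PORTAL_CSV, API_JSON))
    # An excluded source is a blind spot the dashboard should state explicitly.
    print("Never in feed:", excluded)
    # A partial gap has a different cause and needs its own investigation.
    print("Partly missing:", partial)
```
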

 


4 REPLIES 4
Anonymous
Not applicable

Hi @NMerino 

I hope this information is helpful. Please let me know if you have any further questions or if you'd like to discuss this further. If this answers your question, please Accept it as a solution and give it a 'Kudos' so others can find it easily.
Thank you.

 

Anonymous
Not applicable

Hi @NMerino 
I wanted to check if you had the opportunity to review the information provided. Please feel free to contact us if you have any further questions. If my response has addressed your query, please accept it as a solution and give a 'Kudos' so other members can easily find it.
Thank you.

Anonymous
Not applicable

Hi @NMerino 

May I ask if you have resolved this issue? If so, please mark the helpful reply and accept it as the solution. This will be helpful for other community members who have similar problems to solve it faster.

Thank you.
