Manage Microsoft 365 Defender (XDR) via PowerShell

Manage Microsoft 365 Defender (XDR) via PowerShell

With a focus on Microsoft Defender Vulnerability Management


3 min read

In case you are using Microsoft Defender you are familiar with the portal. You also probably know that Microsoft also offers API for this security solution.

Today I will show you some of my PowerShell commands (M365DefenderStuff module) with a focus on the 'Microsoft Defender Vulnerability Management' part.

The main benefit of using my module instead of direct API calls is built-in support for pagination, throttling, time-outs, and other nasty things ๐Ÿ˜Ž.


  • In general license for using Microsoft Defender solution

  • Special license for using 'Microsoft Defender Vulnerability Management' in case you want to see found vulnerabilities on your clients

Before we begin

Install M365DefenderStuff module

To be able to use my PowerShell commands, you must first install the M365DefenderStuff module from the PowerShell Gallery.

Install-Module M365DefenderStuff
TIP: to get all available commands run the following command in your PowerShell console: Get-Command -module M365DefenderStuff

Control your M365 Defender via PowerShell

TIP: to be able to use specific API, you need to have correct permissions. What permissions are needed is stated in the NOTES section of each function (Get-Help <functionname> -Full).


Import-Module Az.Accounts


Get all/selected machine

# get all machines

# get just specific machine
Get-M365DefenderMachine -machineId 'fff5e5e26cb0848d66bbb0bc83de6bceb4a1b2e1'

Get the machine owner (the user who logs in)

Get-M365DefenderMachineUser -machineId 'fff5e5e26cb0848d66bbb0bc83de6bceb4a1b2e1'

Get detected software

# get all detected applications

# get just specific application
Get-M365DefenderSoftware -softwareId 'adobe-_-creative_cloud'

Get detected vulnerabilities

# get all found vulnerabilities (can take several minutes to complete!)

# get details of specific vulnerability
Get-M365DefenderVulnerability -vulnerabilityId 'CVE-2022-47926'

Generate vulnerability report

# get just software vulnerabilities of CTRITICAL type and group them by machine
Get-M365DefenderVulnerabilityReport -groupBy machine -skipOSVuln -severity Critical

Invoke KQL query

Invoke-M365DefenderAdvancedQuery -query "DeviceInfo | join kind = fullouter DeviceTvmSoftwareEvidenceBeta on DeviceId"

Get software evidence

# get all (100 000 at most) applications evidences

# get all (100 000 at most) applications evidences related to JRE software
Invoke-M365DefenderSoftwareEvidenceQuery -appName JRE

Get defender recommendations

# get all security recommendations

# get security recommendations just for Putty software.
Get-M365DefenderRecommendation -productName 'putty'

# get all security recommendations for given machine.
Get-M365DefenderRecommendation -machineId '43a802402664e76a021c8dda2e2aa7db6a09a5f1'

Get all vulnerabilities per machine and software

# retrieves a list of all the vulnerabilities affecting the organization per machine and software.

That is all for now, but more functions will be added in the future to the M365DefenderStuff module don't worry ๐Ÿ˜‰

Did you find this article valuable?

Support Ondrej Sebela by becoming a sponsor. Any amount is appreciated!