
This integration is not yet generally available. It appears in the Coming Soon tab of the Integrations page. Configuration will be enabled in a future release.

Microsoft Defender for Cloud Integration Guide

If your team runs workloads on Azure, this integration brings Defender for Cloud findings (security alerts, vulnerability assessments, and recommendations) into Openlane so you can track remediation timelines and SLA compliance in one place (SOC 2: CC7, CC8; ISO 27001: A.12.6).

Key Capabilities

  • Security Findings Ingestion: Collects security alerts, vulnerability assessments, and recommendations from Defender workload protection plans, giving you a single view for remediation tracking and SLA compliance (SOC 2: CC7, CC8).
  • Compliance Assessment Context: Reads regulatory compliance assessment results and secure score data, so when an auditor asks how you're tracking control effectiveness, you have an answer (ISO 27001: A.18.2).
  • Read-Only Subscription Access: Authenticates with a service principal and reads security data without modifying subscription settings or Defender configuration.

Prerequisites

  • An Entra app registration with a client secret.
  • A service principal with Security Reader (or equivalent read) role assigned at subscription scope.
  • Microsoft Defender for Cloud enabled on the target subscription with the relevant workload protection plans active (e.g., Defender for Servers, Defender for Containers, Defender for SQL).

Step-by-Step Setup

Step 1: Configure Azure App and Permissions

  1. In the Azure portal, create or select an app registration and generate a client secret.
  2. Navigate to the target subscription's Access control (IAM) blade and assign the Security Reader role to the service principal.
  3. Record the following values for use in Openlane:
    • Tenant ID: from the app registration's overview page.
    • Client ID: the application (client) ID of the app registration.
    • Client Secret: the secret value (shown only at creation time).
    • Subscription ID: from the subscription's overview page.
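A pre-flight check for the role assignment made in Step 1, as an added example (not Openlane's or Microsoft's code). It assumes you have exported the service principal's assignments with `az role assignment list --assignee <client-id> --all -o json`; the sample data, the placeholder subscription ID, and the `READ_ONLY_ROLES` set are constructed for illustration.

```python
import json

# Constructed sample, shaped like the JSON printed by
# `az role assignment list --assignee <client-id> --all -o json`.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000001"  # placeholder value
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"roleDefinitionName": "Security Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"}
]
""")

REQUIRED_ROLE = "Security Reader"
# Assumption: roles treated as read-only by this check; adjust to your policy.
READ_ONLY_ROLES = {"Security Reader", "Reader"}


def audit_assignments(assignments, subscription_id):
    """Return (ready, findings) for one service principal's role assignments."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    ready = False
    findings = []
    for a in assignments:
        role = a["roleDefinitionName"]
        scope = a["scope"].rstrip("/").lower()
        if role == REQUIRED_ROLE and scope == sub_scope:
            ready = True  # the prerequisite: Security Reader at subscription scope
        if role not in READ_ONLY_ROLES:
            # The integration only reads; anything write-capable is excess.
            findings.append(f"excess privilege: {role} at {a['scope']}")
        elif scope != sub_scope and not scope.startswith(sub_scope + "/"):
            findings.append(f"outside target subscription: {role} at {a['scope']}")
    if not ready:
        findings.insert(0, f"missing: {REQUIRED_ROLE} at /subscriptions/{subscription_id}")
    return ready, findings


if __name__ == "__main__":
    ok, issues = audit_assignments(SAMPLE_ASSIGNMENTS, SUBSCRIPTION_ID)
    print("prerequisite met" if ok else "prerequisite NOT met")
    for issue in issues:
        print(" -", issue)
```

On the constructed sample the prerequisite is met, but the Contributor assignment is flagged because the integration needs read access only.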

Step 2: Connect in Openlane

  1. Navigate to Organization Settings > Integrations and find Microsoft Defender for Cloud.
  2. Click Configure and enter the required fields:

| Field | Required | Purpose |
|---|---|---|
| tenantId | Yes | Azure AD tenant that owns the subscription |
| clientId | Yes | Application (client) ID of the service principal |
| clientSecret | Yes | Client secret for the service principal |
| subscriptionId | Yes | Azure subscription with Defender for Cloud enabled |
| resourceGroup | No | Restrict scope to a specific resource group |
| workspaceId | No | Log Analytics Workspace ID for workspace-scoped alert queries |

  3. Click Save.

Validate Connection

After saving, Openlane runs a health check that verifies the service principal can authenticate and access Defender for Cloud APIs on the configured subscription. The result appears on the Installed tab of the Integrations page. A Healthy badge confirms connectivity. If the badge shows Needs Attention, review the troubleshooting section below.

What Openlane Syncs

Openlane reads security data from Microsoft Defender for Cloud. This feeds directly into your vulnerability management program (SOC 2: CC7) and technical vulnerability handling controls (ISO 27001: A.12.6):

  • Defender plan coverage: which workload protection plans are active on the subscription and their configuration status.
  • Security findings and alerts: alerts generated by Defender workload protection (e.g., suspicious activity, malware detection, anomalous access patterns).
  • Vulnerability assessment results: findings from Defender vulnerability scanning across VMs, containers, SQL databases, and other supported resource types.
  • Recommendations: security recommendations produced by Defender, including severity, affected resources, and remediation guidance.
  • Compliance and secure score context: regulatory compliance assessment status and secure score metrics for audit reporting.

Disconnect

To remove this integration, navigate to Organization Settings > Integrations and select the Installed tab. Open the menu on the integration card and select Disconnect. This removes stored credentials and stops all collection activity. You can reconnect later by configuring the integration again.

Troubleshooting

  • Permission denied: verify the service principal has the Security Reader role (or equivalent) assigned at subscription scope.
  • No data returned: confirm Defender for Cloud is enabled and at least one workload protection plan is active on the subscription.
  • Authentication failures: verify the tenant ID, client ID, and client secret are correct and that the secret has not expired.
