
Endpoint Security integration


Vectis + Microsoft Defender for Business.

Already included in M365 Business Premium — Vectis surfaces your Defender device health, active alerts, and risk scores next to every ticket and backup job.

Read + Write: Vectis syncs from this tool and can write back inline (replies, status updates, ack/resolve, ticket creation).

In Beta

Vectis + Microsoft Defender for Business is in Beta. We built this connector against Microsoft Defender for Business’s published API documentation (verified endpoints in scripts/audit/known-endpoints/defender.json). It’s fully connectable today — credentials save and syncs run. Because Microsoft Defender for Business doesn’t offer a public sandbox for us to live-test against, the first paying customer who connects it is the de-facto live validator. If you’re considering Vectis with Microsoft Defender for Business and want to be the validator, talk to us.

What Vectis syncs

The read side of the adapter.

Vectis syncs every device enrolled in Microsoft Defender — health status, risk score, exposure level, and last check-in. Security alerts (Defender AV detections, behavioral detections, EDR findings) are pulled with their severity, MITRE techniques, and affected device. Vulnerability data is synced per device and feeds the customer posture score.

What you can do

The write side of the adapter.

Isolate a device directly from the Vectis alert card when a critical Defender alert fires — and release it once the threat is cleared. Mark Defender alerts as false positives, resolved, or in-progress. Assign alerts to team members. Vectis does not support triggering on-demand antivirus scans (not available via the API) or Advanced Hunting queries (requires Defender for Endpoint Plan 2).

Honest about the limits

What we don’t do, and why.

The Defender connector requires a separate Entra app registration from the M365 connector — see the setup guide for the one-time registration steps. Defender for Business (M365 Business Premium) and Defender for Endpoint both work with Vectis; Advanced Hunting is a Defender for Endpoint Plan 2 feature and is not supported. Device data refreshes every 15 minutes; vulnerability data updates every 6 hours on Microsoft's side. Some write-back actions (isolation) require the target OS to be Windows 10 version 1703 or later, Windows 11, or Linux.

How it correlates

One customer, every tool.

Microsoft Defender for Business appears on the customer account hub alongside every other system you run, not as a standalone dashboard. A few of the most common shapes this takes:

Already included in M365 Business Premium

If your customers have M365 Business Premium, Defender for Business is already active. Vectis surfaces that protection data in the same workspace as their tickets, backup status, and licensing without any additional vendor contract.

Defender risk score next to RMM patch data

A device with a High or Critical Defender risk score appears on the same asset row as its RMM patch count and last check-in — the full endpoint risk picture in one row.

Vulnerability CVEs next to backup coverage

Devices with unpatched critical CVEs surface in the customer security posture strip alongside backup coverage and MFA findings — one consolidated view of exposure.

Setup snapshot

What connecting looks like.

Step 1: In your Entra admin center (portal.azure.com), create a new multi-tenant app registration. Under API Permissions, add WindowsDefenderATP → Application permissions: Machine.Read.All, Alert.Read.All, Alert.ReadWrite.All, Machine.Isolate, Vulnerability.Read.All. Grant admin consent for your own tenant.

Step 2: Create a client secret under Certificates & secrets and copy the value immediately.

Step 3: For each customer, generate an admin consent link using your app's client ID and send it to the customer admin.

Step 4: In Vectis Admin → Integrations → Microsoft Defender → Add connection, enter the customer's tenant ID, your app's client ID, and the client secret. Vectis syncs devices and alerts on the next scheduled run.

# In the Vectis hub, add the connector:
category  Endpoint Security
vendor    Microsoft Defender for Business
status    Read + Write
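
To check Steps 1 and 3 before entering credentials in Step 4, the following added example (not Vectis or Microsoft code) builds the per-customer admin consent link and audits an app-only token's `roles` claim against the permission list above, flagging both missing and excess grants. It assumes the Microsoft identity platform `/adminconsent` endpoint and the `tid` and `roles` claims of app-only tokens; the tenant ID, client ID, redirect URI and state values are placeholders, and the sample token is constructed.

```python
import base64
import json
from urllib.parse import urlencode

# Application permissions listed in Step 1 of the setup snapshot.
REQUIRED_ROLES = {
    "Machine.Read.All", "Alert.Read.All", "Alert.ReadWrite.All",
    "Machine.Isolate", "Vulnerability.Read.All",
}

def admin_consent_url(customer_tenant_id, client_id, redirect_uri, state):
    """Build the Step 3 admin consent link for one customer tenant."""
    query = urlencode({"client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"https://login.microsoftonline.com/{customer_tenant_id}/adminconsent?{query}"

def token_claims(access_token):
    """Decode the JWT payload WITHOUT verifying the signature.
    Diagnostic use on a token you requested yourself; never use this
    to make an authorization decision."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_roles(access_token, expected_tenant_id):
    """Compare the token's app roles with the documented permission set."""
    claims = token_claims(access_token)
    granted = set(claims.get("roles", []))
    return {
        "tenant_matches": claims.get("tid") == expected_tenant_id,
        "missing": sorted(REQUIRED_ROLES - granted),  # consent incomplete
        "excess": sorted(granted - REQUIRED_ROLES),   # broader than documented
    }

def constructed_token(claims):
    """Build an unsigned sample token for the demo below (constructed data)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    tenant = "00000000-0000-0000-0000-000000000001"  # placeholder tenant ID
    print(admin_consent_url(tenant, "11111111-1111-1111-1111-111111111111",
                            "https://msp.example/consent-callback", "cust-42"))
    sample = constructed_token({"tid": tenant, "roles": [
        "Machine.Read.All", "Alert.Read.All", "Machine.Isolate", "Machine.ReadWrite.All"]})
    print(audit_roles(sample, tenant))
```

A non-empty `missing` list means the customer admin has not consented to the full set; a non-empty `excess` list means the app registration carries more Defender permissions than the setup steps call for.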



Pricing

Microsoft Defender for Business is available on every Vectis tier — $299/mo and up. See pricing

Also reachable over MCP — bring your own client → /mcp

Try Vectis with Microsoft Defender for Business.

30-day free trial. Connect Microsoft Defender for Business at signup. See every customer with their full context on day one. Month-to-month, cancel anytime.