
Microsoft Defender for Identity is a cloud-based security solution to monitor your on-premises identities. Since it is a cloud-based security solution, it must communicate with the cloud. In this blog post, I will describe how Microsoft Defender for Identity communicates with the cloud during the installation of the sensor.
Introduction
I started by monitoring the installer with Burp Suite. After intercepting the first request, I saw that the body contains what looks like gibberish: it appears to be either encrypted or compressed. Since the installer does not contain a certificate, the body is probably compressed rather than encrypted.
Here is an example of an intercept in Burp.
POST /api/sensorDeployment/v1.0 HTTP/1.1
Authorization: Basic <WorkSpaceID>:<AccessKey>
Host: thalpius-onmicrosoft-comsensorapi.atp.azure.com
Content-Length: 41
Expect: 100-continue
Connection: close
«æåRPPR)©,HU²RP
I-.qI-ÈɯÌMÍ+ J-,
(ñrÕ
The body looks compressed, so the question is: What does the body look like after decompression?
Microsoft Defender for Identity API Fiddler
There are different ways to decompress the bytes, but I created my own tool so that I can add more features for testing the API endpoints in the future.
The tool includes a compressor and a decompressor. When we copy the compressed bytes from Burp to see what the body looks like decompressed, we can see it is a JSON object.

Because I do not want to compress and decompress a JSON object all the time, I created a simple API requester that compresses and decompresses the body automatically. Using my tool, you can send a request in JSON format without compressing it, making it much simpler.
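To make the compress/decompress step concrete, here is an added example of my own; it is not the author's tool and not code from the original post. It inflates a request body saved from Burp and compresses a JSON request the same way. The post only says the body is compressed and does not name the algorithm, so raw DEFLATE framing (what .NET's DeflateStream emits) is an assumption here; it is motivated by the capture's leading bytes «æå (0xAB 0xE6 0xE5), which is how a raw DEFLATE fixed-Huffman block of `{` followed by CR LF begins. The decoder tries zlib and gzip framing as fallbacks anyway. The sample capture, workspace name and credentials below are constructed placeholders.

```python
import gzip
import json
import zlib

# Constructed sample: the first request body the post shows the installer sending.
SAMPLE_REQUEST = {"$type": "TestDeploymentRequest"}


def compress_body(obj):
    """Serialize a request object and raw-DEFLATE it (no zlib/gzip header).

    Assumption: raw DEFLATE framing. The capture in the post starts with
    0xAB 0xE6 0xE5, the fixed-Huffman encoding of "{" CR LF, so the JSON is
    indented with CRLF line endings; that formatting is mirrored here.
    """
    text = json.dumps(obj, indent=2).replace("\n", "\r\n")
    comp = zlib.compressobj(zlib.Z_BEST_COMPRESSION, zlib.DEFLATED, -zlib.MAX_WBITS)
    return comp.compress(text.encode("utf-8")) + comp.flush()


def decompress_body(body):
    """Inflate a captured body, trying raw DEFLATE, zlib and gzip framing in turn,
    and return the parsed JSON object. Raises ValueError if nothing fits."""
    attempts = (
        ("raw-deflate", lambda b: zlib.decompress(b, -zlib.MAX_WBITS)),
        ("zlib", zlib.decompress),
        ("gzip", gzip.decompress),
    )
    errors = []
    for name, inflate in attempts:
        try:
            plain = inflate(body)
        except (zlib.error, OSError, EOFError) as exc:
            errors.append(f"{name}: {exc}")
            continue
        try:
            return json.loads(plain.decode("utf-8"))
        except (UnicodeDecodeError, ValueError) as exc:  # JSONDecodeError is a ValueError
            errors.append(f"{name}: inflated but not JSON ({exc})")
    raise ValueError("body is not a compressed JSON object; " + "; ".join(errors))


def parse_intercept(raw):
    """Split a raw HTTP request saved from Burp into headers and a decoded body.

    The Content-Length check catches the common mistake of copying the binary
    body through a text field and losing or mangling bytes above 0x7F.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker found")
    lines = head.decode("latin-1").split("\r\n")
    headers = {"request_line": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", len(body)))
    if declared != len(body):
        raise ValueError(f"Content-Length says {declared} bytes but body has {len(body)}")
    return headers, decompress_body(body)


def build_sample_capture():
    """Constructed capture in the shape shown in the post; the workspace name and
    credentials are placeholders, not real values."""
    body = compress_body(SAMPLE_REQUEST)
    head = (
        "POST /api/sensorDeployment/v1.0 HTTP/1.1\r\n"
        "Authorization: Basic <WorkSpaceID>:<AccessKey>\r\n"
        "Host: <WorkspaceName>sensorapi.atp.azure.com\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Expect: 100-continue\r\n"
        "Connection: close\r\n\r\n"
    )
    return head.encode("ascii") + body


if __name__ == "__main__":
    hdrs, obj = parse_intercept(build_sample_capture())
    print(hdrs["request_line"], "| body:", hdrs["content-length"], "bytes")
    print(json.dumps(obj, indent=2))
```

On a real capture, save the raw request to a file from Burp rather than pasting the body through a text box; the Content-Length check in parse_intercept is there precisely because pasted bytes above 0x7F rarely survive intact.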

The installer does not contain a certificate, so how does it authenticate to the cloud?
Authentication
The Burp interception shows an Authorization header that uses Basic authentication:
Authorization: Basic <WorkSpaceID>:<AccessKey>
There is a comment in the Microsoft 365 Defender portal which says, “Access key is only used during the sensor installation.”
The installer creates a certificate for all future communication to the cloud. For that reason, the access key is used only during the installation. I added a settings option in my tool to set the authorization needed to send a valid request.
API Endpoints
I identified three API endpoints during my research: sensorDeployment, protobuf, and json. The URIs of the endpoints are:
- https://<WorkspaceName>sensorapi.atp.azure.com/api/sensorDeployment/v1.0
- https://<WorkspaceName>sensorapi.atp.azure.com/api/protobuf/v1.0
- https://<WorkspaceName>sensorapi.atp.azure.com/api/json/v1.0
Note: the installation only used the sensorDeployment API endpoint; more on the protobuf and json endpoints in a later blog post.
API Requests
Now that we know how the authentication takes place and we can decompress the body, let us see what the installer sends to the API endpoint during the installation.
Here are the API requests:
{
"$type": "TestDeploymentRequest"
}
{
"$type": "ValidateCreateSensorRequest",
"Version": "2.193.15824.20477"
}
{
"$type": "GetSensorMinorDeploymentPackageSensorApiDeploymentRequest",
"Version": "2.193.15824.20477"
}
{
"$type": "CreateSensorRequest",
"Certificate": {
"$type": "X509Certificate2",
"RawData": "MIIDbj<SNIP>rjjb88"
},
"DnsName": "THALPIUS.thalpius.local",
"NetbiosName": "THALPIUS",
"NetworkAdapters": [
{
"$type": "NetworkAdapter",
"Id": "{9846C447-1A36-4739-B469-E03769E013DE}",
"Name": "Ethernet",
"State": "EnabledConnected",
"IpAddresses": [
"10.211.55.83",
"[fdb2:2c26:f4e4:0:558b:329c:4fd7:477e]",
"[fe80::558b:329c:4fd7:477e%9]"
]
}
],
"ShouldEnableDelayedUpdate": false,
"Type": "DomainControllerIntegrated",
"Version": "2.193.15824.20477"
}
Download Sensor
For example, the GetSensorMinorDeploymentPackageSensorApiDeploymentRequest downloads a cabinet file containing the latest sensor. You can see the response in my tool, which automatically decompresses the result.

If we take the base64-encoded string and decode it using certutil, we see that we have obtained the latest sensor.
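The post decodes the download with certutil and inspects it by hand. As an added example of my own (not the author's tool and not from the original post), the Python below does the equivalent check programmatically: it base64-decodes the payload, confirms the MSCF cabinet signature and the size declared in the CFHEADER, and records the SHA-256 so the package can be compared with the one obtained from the portal before anything that arrived over this channel is run. The post does not show the name of the response field that carries the string, so the function takes the base64 text directly; the input used below is a constructed header-only cabinet, not a real sensor package.

```python
import base64
import hashlib
import struct

# MS-CAB CFHEADER: signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet (36 bytes).
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")


def build_sample_cab_b64():
    """Constructed stand-in for the response payload: a header-only cabinet that
    declares one folder and one file but carries no data, so it is not installable."""
    size = CFHEADER.size
    header = CFHEADER.pack(b"MSCF", 0, size, 0, size, 0, 3, 1, 1, 1, 0, 0x1234, 0)
    return base64.b64encode(header).decode("ascii")


def inspect_sensor_package(b64_text):
    """Decode the base64 payload, confirm it is a cabinet, and return the facts a
    defender would record about it: size, SHA-256 and the declared counts."""
    # certutil-style output wraps lines; strip all whitespace before strict decoding.
    blob = base64.b64decode("".join(str(b64_text).split()), validate=True)
    if len(blob) < CFHEADER.size or blob[:4] != b"MSCF":
        raise ValueError("payload is not a Microsoft cabinet (missing MSCF signature)")
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3,
     ver_minor, ver_major, c_folders, c_files, _flags, _set_id, _i_cab) = CFHEADER.unpack_from(blob)
    if cb_cabinet != len(blob):
        raise ValueError(
            f"CFHEADER declares {cb_cabinet} bytes but payload has {len(blob)} (truncated or padded?)"
        )
    return {
        "size": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "cab_version": f"{ver_major}.{ver_minor}",
        "folders": c_folders,
        "files": c_files,
        "first_file_entry_offset": coff_files,
    }


if __name__ == "__main__":
    for key, value in inspect_sensor_package(build_sample_cab_b64()).items():
        print(f"{key}: {value}")
```

If you paste certutil -encode output, drop its BEGIN/END CERTIFICATE lines first; the function tolerates line wrapping but not those markers.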


Conclusion
My intention in researching the API is to understand better how the product works and see what I can do with it as an attacker. I will soon add more functionality to my tool, such as the JSON API endpoint, and post my findings testing that API in a future blog post.