Microsoft Defender for Identity Bulk Operation

Microsoft Defender for Identity exposes health issues through the Microsoft Graph API. Unfortunately, at the time of writing, only health issues are supported, so there is no way to perform a bulk operation using the Microsoft Graph API. In this blog post, I will describe how to use PowerShell to add multiple IP addresses to the “Global Excluded Entities” list as a bulk operation.

WARNING: Before adding multiple IP addresses to the “Global Excluded Entities” list, understand that Microsoft Defender for Identity will ignore ALL detections from those IP addresses. This blog post showcases how to perform a bulk operation, using adding multiple IP addresses to the “Global Excluded Entities” list as the example.

Automate request with PowerShell

The first thing we need to do is capture the request in a browser so we can replay it. Open the Defender portal and go to the section where you want to perform a bulk operation. In my example, I am opening the IP addresses section for “Global Excluded Entities.” Add any IP address in the text field and click “Add.” Open the browser's developer tools and go to the “Network” section. Clear the network log to start with a clean sheet.

Image 1: Developers tools to capture request

Once you click “Add IP addresses (0),” look for the request named “Global” in which you see the added IP address. Right-click the request and select “Copy / Copy as PowerShell.”

Image 2: Copy the request as PowerShell

Now paste the copied command into PowerShell and change the IP address to something else.

Image 3: PowerShell request with a new IP address

Now, you see the new IP address in the portal, added using the PowerShell command.

Image 4: Added IP address using PowerShell

Now, we create a text file containing all the IP addresses we want to add, with one IP address per line.

10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.5
10.0.0.6
10.0.0.7
10.0.0.8
10.0.0.9

Before the “Invoke-WebRequest,” we need to add a foreach loop and a new body.

foreach($IPAddress in [System.IO.File]::ReadLines("C:\Users\thalpius\Downloads\IPAddresses.txt")) {

  $body = @{
    ExclusionType = @("Subnet")
    ExcludedEntityIdentifiers = @($IPAddress) 
  } | ConvertTo-Json

For the request body, we pass the body variable to the “-Body” parameter.

-Body $body

Here is an example of the complete script.

$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$session.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0"
$session.Cookies.Add((New-Object System.Net.Cookie("s.SessID", "e0826123-5b02-43ea-a531-031ad1104817", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("X-PortalEndpoint-RouteKey", "weuprod_westeurope", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("sccauth", "UB2-m0wz3Ws58SPzNbefq9e9WE9EOv2lmLaPw7kKo9kh2PMxFotm7jIah1GdqZrw8VBrpU1Kgm26DgaLSZ6A5ywC-5J8iqlrv6ik0TTeCUiZuVcpwP6eZ19-7yTfR81oQwvYyTtDpuoG2_vBnBpp9q_LHYmLQFQL0PaSuuYUFZWLJvQumgHU-4Ec8kcsUM025w4aDO-CBzP9DzPLkDN2F2EeEREjRAPffqvrf64cg41javXDp52O-D0ZWqpoZYcAVvBPOYYZZPLKulZurWytpwk3y2KDdsL_TUDIwNujgDej7g_sKad5nHv6NTkiEAnXKyueozReEfo_EixVcs_MwhGKkZHPDhVJOnybkYnoDSOuU_SlrlOM7IcITNcc2h6wOqti-oHyB5Zpm0kHGxJXVZeL2A02XCy_0FFmI5GyZ0miFTu2OnoC4LLxAh4zD1mohPnbP2EzBv8X05QiyLYbl_H81LnWrKeCjJ-ZHp01pY9P6CtVJFRKJIuFFtN1lKGwcsX644y4xHAxLvikJOmzyEDSSFo2IdSFfQqo_TCgA_5PwHQ-N0Jvw4CzOyvxbe-4OaloZPgpYqoKJ6SGo3uIxG4-YjJOaXbbaLUsI4GuGqwCRfdZ2frUBqxyv3UPTtMkelKMjHS5CaxKgFjvRP3DSI0PTF_HXe6nRNAfUJ45hNBrRFKM1LY4E3_duPOfSEL1BXlylvSc5JYE2OfMZvZfeFqURlY7tb84tok6vwMnNb-dNKA2ERgAVCnv96hoges_HRLOSGybRAMCnzxV8VeGyZepKUEVqQcachQMIJXcStNbjFFl5K5oysQ2rfzI_p6vTkYSf6n-MC5gTjH5LDPF4LUBIPPx4FjiqKhpQSE9MdsTARNbFn6mWZb3cuK2vVi6emlBic9UQlVfh_IbuD9AolrrT3l4THawS1fZZvsCZoE7nRKNe06KOfj82ierTO9_bJ9N2Ea_mx27WGfAcE9t4KYxu8g1dQQMp2bmfHkUD0g4rOhlvzz5SKFevUwN7hJscZ_24R9O0SlssA3RXWL-nMLMqx6dLsNo5f7CLM66kv9_94CV8c7zg6ZigYho6fxTqC2WctxJJ0q-7bnTRInnZR_bUvACie6jQvtpnAjDOnPFR19_xb0oaT-yYnDdHhyC1pWX8H9Vl7zDGvjDM9pdx07FbK-IswgUhEelvh1GUyEbt78Z-_CeoGmcIO6aVTGxVmfGDX28o9c3-0_ply1ZMj8Hfh3d2issz-cE8bgQCcU-SAQTtwnmAd_PL7ua4ss2M-aw6TQ1P-sjTRg1UqUTT5CJ7V9ahyAQvhTgSKCHMhIlYx-GoFa3WalcW0mCOSxT-gKHuKzTal9CdmX4KS65002uCuU_0A1Rz3W0ke1ki8PpfzTDItqpi-EYG6ajGcIxjLfLPMUU31ArcSDYaATUUBJEw8p5_wDBR1B7wUUUeSNrfDQxXvkLaiagS-U7tE7WC5P5gmSba3NPNY_wj_F6DhSq3ms_ytCPsHy1aKZUDgtoTvc1-_bVEAdmR8S3GZ7VnN0lOmK7hk0dvPexn7qVqdLoLa0w2gOfseeZytTlN4KHbiZicVWxlOdQ_Mae3qGYSmGKxkWltq3kctEOyF5Jjh7NK19rw_XgDmsGal7QnD_TutPLKXDGmAhCNwoJkJ0BBz9uyuiGNowSKI-gxFxr30Dcp29qG6tUL8DKWgmnZjPcQ9Mjegdim4m7rAxO8oZvdgiFQbrz8DpF2avtiRHAPSBMpILo6fp5ZhBXRKjUG4_7ClE_YWTA391VntnQwoVzfJHxXflnSp4A4lRNTNVbpW-2wi2CjrJWZPoNwJmxUrKhnEHGYMoKPFjZ5wThpFeP87vhJ7axY_V7Dc9k2Q9IdYXlbVZU9_AnEtX8iH77qu_9p2lUzAd3HAAPUKgt6xKZc1-ICDAuD7yB0JMGt
-DpkcBU2WELxn9zUsHD9zb9RD2jfsDqHgHBqEZoX1Hlhy-cU9lfdo-3MiP_ld3mnpukREt7Zn-Y84b34Zx8EleAfDVyoJxfOhl2eLglGMJW6oaQ-zy2YdLmHG8Thj76FbTwL4jYeU76wsgsd0Y2mey6tQYaeCEVxffbUoPdvW8EFZYFkX-SQBt-PsBf2I2Trz24o7-wc-9L602J6cTGeX2czaBhJ8VIWE8-orkdfj43Ih-rUZasq8O_uuRVk0YWkwQ", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("s.Flight", "", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("ai_user", "pLdacxhAs64+rre2OP2jWq|2024-11-13T07:27:09.559Z", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("MicrosoftApplicationsTelemetryDeviceId", "4a003a38-4e78-463e-a6cd-9c216518c0c6", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("SSR", "1731482842137", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("XSRF-TOKEN", "yPxQoy4EzwoI_1T3KL-ceaL3A37Qwa_YpYipGReBSKhx8BromY2IzOk69YSR59Hy2oVt1T4Uls4_t_Fepgh-7uk-ED6zV_QfxUEYUFfmDVgWWUE-972C5JdGu0v55LgyX-pxTIQkf1QLLmitQ2%3AF5NtYsmk3iMXBbn8_ejAAgLsf5r45wD8hhR0PiFg41hO4kzw0MetHytNEUflPOKZy9YNpW2WOC-6Um0-Dex564PLDA23vBV_rfjGruTi3wlIfBDprITy_yy1TQcMacdYFFkfNqf8aBEYNGjCoz49eXES6TRcypXelVBmOLyhhFgeOqOKmFY8Ym0iMXp50", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("ai_session", "RD4lfgBFP1nJP6terAqmgj|1731485369809|173146039530", "/", "security.microsoft.com")))

foreach($IPAddress in [System.IO.File]::ReadLines("C:\Users\thalpius\Downloads\IPAddresses.txt")) {

  $body = @{
    ExclusionType = @("Subnet")
    ExcludedEntityIdentifiers = @($IPAddress) 
  } | ConvertTo-Json

  Invoke-WebRequest -UseBasicParsing -Uri "https://security.microsoft.com/apiproxy/aatp/api/workspace/configuration/exclusion/Global" `
-Method "POST" `
-WebSession $session `
-Headers @{
  "authority"="security.microsoft.com"
  "method"="POST"
  "path"="/apiproxy/aatp/api/workspace/configuration/exclusion/Global"
  "scheme"="https"
  "accept"="application/json, text/plain, */*"
  "accept-encoding"="gzip, deflate, br, zstd"
  "accept-language"="en-us"
  "m-componentname"="SettingsPage"
  "m-connection"="4g"
  "m-name"="SettingsPage[aatp]"
  "m-package"="aatp"
  "m-type"="Page"
  "m-viewid"="globalExclude"
  "origin"="https://security.microsoft.com"
  "priority"="u=1, i"
  "referer"="https://security.microsoft.com/securitysettings/identities?tid=df29849b-6a64-481b-97662-8da3fafcb33b&tabid=globalExclude"
  "request-context"="appId=cid-v1:9f356be5-73bf-45f7-9a98-a86fc98ec84f"
  "request-id"="|4a1abe2879fe44ab8cf1c4fa75a70169.5e69152ec0884513"
  "sec-ch-ua"="`"Chromium`";v=`"130`", `"Microsoft Edge`";v=`"130`", `"Not?A_Brand`";v=`"99`""
  "sec-ch-ua-mobile"="?0"
  "sec-ch-ua-platform"="`"Windows`""
  "sec-fetch-dest"="empty"
  "sec-fetch-mode"="cors"
  "sec-fetch-site"="same-origin"
  "tenant-id"="df29849b-6a67-381b-9162-8da3fafcb33b"
  "x-accepted-statuscode"="3..|4..|50."
  "x-clientpage"="securitysettings.identities@aatp"
  "x-clientpkgversion"="20241112.1"
  "x-edge-shopping-flag"="1"
  "x-tabvisible"="visible"
  "x-tid"="df29849b-6a67-481e-9162-8da3fafcb33b"
  "x-xsrf-token"="yPxQoy4EzwoI_1T3KL-ceaL3A37Qwa_YpYipGROreBSXxJBromY2IzOk69YSR59Hy2oVt1T4Uls4_t_Fepgh-7Guk-ED6zV_QfxUEYfmDVgWWUE-972C5J1Gu0v55dwwX-pxTIQkf1QLLmitQ2:F5NtYsmk3iMXBbn8_ejAAgLsf5r45wD8hhR0PiFg41hO4kzw0MBetHwNEUflPOKZy9YNpW2WOC-6Um0-Dex564PLDA23vBV_rfjGruTi3wfBDprITy_yy1TQcMacdYFFkfNqf8aBEYNGjCfoz49eXEFS6TRcypXelVBmOLewe33hFgeOqOKmFY8Ym0iMXp350"
} `
-ContentType "application/json" `
-Body $body

}

Refreshing the portal will allow you to see all the IP addresses added to the “Global Excluded Entities” list.

Image 5: Added IP addresses using PowerShell
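
Because every address on this list is excluded from all detections, it helps to check the input file before the loop posts it. The following is an added example, not part of the original script: the helper name Get-ExclusionCandidate and the sample lines are constructed, and it assumes only plain IPv4 addresses (no CIDR ranges or host names) should be submitted.

```powershell
# Added example: validate an exclusion list before it is posted.
# Get-ExclusionCandidate is a hypothetical helper name, not a Defender cmdlet.
function Get-ExclusionCandidate {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]]$Line
    )

    $seen = [System.Collections.Generic.HashSet[string]]::new()
    $lineNumber = 0
    foreach ($raw in $Line) {
        $lineNumber++
        $entry = $raw.Trim()
        if ($entry -eq '') { continue }   # skip blank lines

        $parsed = $null
        $isIp = [System.Net.IPAddress]::TryParse($entry, [ref]$parsed)
        # TryParse also accepts shorthand such as "10.1", so require that the
        # parsed IPv4 address round-trips to exactly what was typed.
        $isIPv4 = $isIp -and
            $parsed.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork -and
            $parsed.ToString() -eq $entry

        $reason = $null
        if (-not $isIPv4) {
            $reason = 'not a single IPv4 address'
        } elseif (-not $seen.Add($entry)) {
            $reason = 'duplicate'
        }

        [pscustomobject]@{
            Line   = $lineNumber
            Entry  = $entry
            Valid  = ($null -eq $reason)
            Reason = $reason
        }
    }
}

# Constructed sample input; in practice use the lines of IPAddresses.txt.
$sample  = @('10.0.0.1', ' 10.0.0.2 ', '', '10.0.0.1', '10.0.0.0/8', '10.1', 'fileserver01')
$checked = Get-ExclusionCandidate -Line $sample

# Rejected lines are reported for manual review instead of being sent.
$checked | Where-Object { -not $_.Valid } | Format-Table Line, Entry, Reason

# Request bodies in the same shape the script above sends, valid entries only.
$bodies = $checked | Where-Object { $_.Valid } | ForEach-Object {
    @{ ExclusionType = @('Subnet'); ExcludedEntityIdentifiers = @($_.Entry) } | ConvertTo-Json
}
```

With the sample input, only 10.0.0.1 and 10.0.0.2 produce a request body; the duplicate, the /8 range, the shorthand address and the host name are listed as rejected.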

Conclusion

There are better ways to perform bulk operations than this method using PowerShell, but it does work. I do not see a lot of companies needing to use a bulk operation for Microsoft Defender for Identity, but when you do, automation is beneficial.