
Microsoft Defender Vulnerability Management Integration Guide

This article walks through the details of configuring Microsoft Defender Vulnerability Management (MS Defender VMS) to connect to Drata.

Updated today

The Microsoft Defender Vulnerability Management (MS Defender VMS) integration enables security and compliance teams to continuously monitor vulnerabilities and remediation timelines. It connects Drata to Microsoft Defender so your team can track vulnerability SLA due dates and collect evidence required for compliance monitoring.

Key Capabilities

  • Vulnerability monitoring: Sync vulnerability findings from Microsoft Defender Vulnerability Management

  • Severity-based tracking: Prioritize vulnerabilities based on severity levels

  • Automated evidence collection: Maintain vulnerability data in Drata for compliance reports

This integration automates evidence collection for the Vulnerability Scanning test, which is mapped to DCF-18 by default.

After connecting, you can review vulnerability findings by selecting View Findings on the connection card or navigating to the Vulnerabilities page from the left-side navigation menu.

Prerequisites & Data Access

  • Access to your Microsoft Defender Vulnerability Management environment

  • Ability to authorize OAuth authentication during the connection process

  • Required Drata Role with Write access: Admin, Workspace Managers, DevOps Engineer

  • Access Reviewers (Access Reviewers can only read the connection page; they can’t make changes)

Permissions & Data Table

| Permission/Scope | Why It’s Needed |
| --- | --- |
| OAuth authorization | Allows Drata to securely authenticate and retrieve vulnerability data |
| Microsoft Defender vulnerability data access | Allows Drata to sync vulnerability findings for compliance monitoring |

Step-by-Step Setup

Step 1: Configure Vulnerability Sync Settings

During setup, you will choose which vulnerabilities should sync into Drata.

Important behavior:

  • Drata syncs up to 1,000 new or updated vulnerabilities per connection per day.

  • Vulnerabilities are prioritized from Critical to Low severity.

Available configuration options:

  • Severity of vulnerabilities: Select the severity levels that Drata should sync for compliance monitoring. Critical and High are selected by default.

  • First seen on: Select the date when vulnerabilities were first detected. Drata will sync vulnerabilities detected on or after the selected date.

Expected outcome: You know which vulnerability findings will be imported into Drata.
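
The selection rules in Step 1, modelled as an added example (not Drata's or Microsoft's code): it applies the severity filter, the First seen on date, the Critical-to-Low priority and the 1,000-per-day cap to a constructed inventory and reports which findings do not fit under the first day's cap. The High and Medium level names, the field names, the ordering inside a severity and the sample data are assumptions.

```python
from collections import Counter
from datetime import date

# Priority order per the page: Critical first, Low last.
# The intermediate names High and Medium are assumed.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]
DAILY_CAP = 1000  # new or updated vulnerabilities per connection per day


def plan_first_day(findings, severities, first_seen_on, cap=DAILY_CAP):
    """Split findings into (synced, deferred) for one daily sync."""
    rank = {sev: i for i, sev in enumerate(SEVERITY_ORDER)}
    eligible = [f for f in findings
                if f["severity"] in severities
                and f["first_seen"] >= first_seen_on]  # "on or after"
    # Stable sort: order inside a severity is not documented, so input
    # order is kept (assumption).
    eligible.sort(key=lambda f: rank[f["severity"]])
    return eligible[:cap], eligible[cap:]


def summarize(findings, severities, first_seen_on, cap=DAILY_CAP):
    """Per-severity counts of findings that fit under the cap or not."""
    synced, deferred = plan_first_day(findings, severities, first_seen_on, cap)
    s = Counter(f["severity"] for f in synced)
    d = Counter(f["severity"] for f in deferred)
    return {sev: {"synced": s[sev], "deferred": d[sev]}
            for sev in SEVERITY_ORDER if sev in severities}


def sample_findings():
    """Constructed inventory, not real Defender output."""
    counts = {"Low": 50, "Medium": 500, "High": 900, "Critical": 300}
    out = []
    for sev, n in counts.items():
        for i in range(n):
            # Every 10th finding predates the cutoff used below.
            seen = date(2024, 12, 20) if i % 10 == 0 else date(2025, 1, 15)
            out.append({"id": f"{sev}-{i}", "severity": sev, "first_seen": seen})
    return out


if __name__ == "__main__":
    cutoff = date(2025, 1, 1)
    for selected in ({"Critical", "High"}, {"Critical", "High", "Medium"}):
        print(sorted(selected), summarize(sample_findings(), selected, cutoff))
```

In this constructed inventory, adding Medium to the selection changes nothing on the first day, because Critical and High findings alone already exceed the cap.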

Step 2: Connect Microsoft Defender Vulnerability Management in Drata

  1. Log in to Drata → go to the Connections page.

  2. Navigate to your Available Connections.

  3. Search for and start the Microsoft Defender Vulnerability Management connection process. Alternatively, you can locate it under the Vulnerability Scanning connection type.

  4. Configure the following sync settings:

    • Severity of vulnerabilities

    • First seen on date

  5. Select Connect.

  6. Complete the OAuth authentication process when prompted.

Drata uses Leen as an API integration partner to integrate with Microsoft Defender Vulnerability Management.

Expected outcome:
Microsoft Defender Vulnerability Management is successfully connected and vulnerability findings begin syncing into Drata.

Important Notes

  • Microsoft Defender Vulnerability Management has a 15-day data retention limit for this integration.

  • Drata will only display vulnerability findings from the previous 15 days.

  • Keep this retention window in mind when configuring or troubleshooting the integration to avoid unexpected gaps in historical vulnerability data.

  • After connecting, you can review vulnerability findings by selecting View Findings on the connection card or by navigating to the Vulnerabilities page in Drata.
