
Defender for APIs

This chapter covers Microsoft Defender for APIs, a cloud-native security solution for discovering, monitoring, and protecting APIs in Azure. For the AZ-500 exam, this topic appears under Security Operations (Objective 4.1) and typically accounts for 5-10% of questions. You will be tested on its capabilities, configuration, integration with Defender for Cloud, and how it differs from other API security tools like API Management and Application Gateway WAF. Mastering this chapter ensures you can answer questions about API threat detection, security posture management, and the Defender for APIs pricing model.

25 min read
Intermediate
Updated May 31, 2026

API Security as a VIP Club

Imagine a VIP club with a strict bouncer at the entrance. The club has a list of approved guests (known APIs), a set of rules about what each guest can do (permissions), and a camera recording every interaction (logging). The bouncer checks IDs (authentication), verifies guest status against the list (authorization), and ensures no one brings in banned items (request validation). If a guest acts suspiciously—like trying to enter multiple times with different IDs—the bouncer flags them (threat detection). The bouncer also keeps a log of who entered, when, and what they did (audit trail). In the same way, Microsoft Defender for APIs acts as a bouncer for your APIs: it validates every request, checks permissions, logs activity, and detects anomalies. It uses OpenAPI specifications as the guest list, Azure AD for authentication, and machine learning to spot suspicious patterns. Just as a club might have multiple entrances (different API endpoints), Defender for APIs monitors all of them centrally, ensuring no unauthorized access or malicious activity goes unnoticed.

How It Actually Works

What is Defender for APIs?

Microsoft Defender for APIs is a cloud-native security solution within Microsoft Defender for Cloud that provides full lifecycle protection for APIs. It was announced at Microsoft Ignite 2022 and became generally available in early 2023. Unlike traditional web application firewalls (WAFs) that inspect traffic at the network layer, Defender for APIs operates at the API layer, understanding the semantics of API requests and responses. It uses machine learning models trained on Microsoft's threat intelligence to detect malicious patterns specific to APIs, such as parameter tampering, broken object level authorization (BOLA), and excessive data exposure. Defender for APIs is designed to work with APIs hosted on Azure App Service, Azure Functions, Azure API Management, and Azure Kubernetes Service (AKS).

How It Works Internally

Defender for APIs works by integrating with Azure API Management (APIM) or by using a lightweight agent (currently in preview) that can be deployed alongside APIs. When an API request comes in, Defender for APIs performs the following steps:

1. Traffic Mirroring: For APIM-managed APIs, Defender for APIs receives a copy of the request and response traffic via an out-of-band monitoring pipeline. This ensures no latency is added to the live traffic.

2. Protocol Parsing: Defender for APIs parses the HTTP request and response, extracting method, path, headers, query parameters, and body. It then maps the request to the API's OpenAPI specification (if available) to understand the intended structure.

3. Anomaly Detection: Using machine learning models, Defender for APIs compares the request against a baseline of normal API traffic. It looks for deviations such as unusual parameter values, unexpected HTTP methods, or abnormal payload sizes.

4. Threat Intelligence Matching: The request is checked against known threat intelligence feeds, including indicators of compromise (IOCs) for API-specific attacks like credential stuffing, DDoS, and injection attacks.

5. Behavioral Analysis: Defender for APIs tracks user sessions and API key usage over time to detect suspicious patterns, such as a single key making requests from multiple geographic locations or a sudden spike in data exfiltration attempts.

6. Alerting and Response: If a threat is detected, Defender for APIs generates a security alert in Defender for Cloud. The alert includes details such as the affected API endpoint, the malicious request, and recommended remediation steps. Alerts can trigger automated responses via Azure Logic Apps or Security Orchestration Automated Response (SOAR) tools.
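To make steps 2 to 5 concrete, here is an added, constructed Python analyzer (example code, not Microsoft's implementation) that maps mirrored requests onto a toy OpenAPI 3.0 fragment, flags spec deviations, and tracks per-key behaviour, including the sequential-order-ID pattern described in Scenario 1 further down. The spec, the thresholds MAX_BODY and SEQ_WINDOW, and the request stream are all assumptions.

```python
import re
from collections import defaultdict
SPEC = {"paths": {  # constructed OpenAPI 3.0 fragment, stands in for an uploaded spec
    "/orders/{orderId}": {"get": {"parameters": [
        {"name": "orderId", "in": "path", "schema": {"type": "integer"}}]}},
    "/cart": {"post": {}}}}
MAX_BODY = 4096   # assumed payload-size baseline (step 3)
SEQ_WINDOW = 5    # assumed: this many consecutive object ids from one key = enumeration

def match_path(path):
    """Step 2: map a concrete path to a spec template; returns (template, path params)."""
    for template in SPEC["paths"]:
        pattern = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$"
        m = re.match(pattern, path)
        if m:
            return template, m.groupdict()
    return None, {}

def check_spec(req):
    """Step 3: deviations of one parsed request from the spec (path params only)."""
    template, params = match_path(req["path"])
    if template is None:
        return ["unknown_path"]
    op = SPEC["paths"][template].get(req["method"].lower())
    if op is None:
        return ["unexpected_method"]
    findings = ["param_type:" + p["name"] for p in op.get("parameters", [])
                if p["schema"]["type"] == "integer" and not params.get(p["name"], "").isdigit()]
    if len(req.get("body", "")) > MAX_BODY:
        findings.append("oversized_body")
    return findings

class KeyTracker:
    """Step 5: per-API-key behaviour across the mirrored stream."""
    def __init__(self):
        self.geos, self.last_ids = defaultdict(set), defaultdict(list)
    def observe(self, req):
        findings, key = [], req["api_key"]
        self.geos[key].add(req["geo"])
        if len(self.geos[key]) > 1:            # one key seen from several geographies
            findings.append("multi_geo_key")
        params = match_path(req["path"])[1]
        if params.get("orderId", "").isdigit():
            ids = self.last_ids[key]
            ids.append(int(params["orderId"]))
            del ids[:-SEQ_WINDOW]               # sliding window of recent ids
            if len(ids) == SEQ_WINDOW and ids == list(range(ids[0], ids[0] + SEQ_WINDOW)):
                findings.append("sequential_object_ids")   # BOLA-style enumeration
        return findings

def analyze(stream):
    """Run each mirrored request through both checks; returns (path, findings) per hit."""
    tracker, alerts = KeyTracker(), []
    for req in stream:
        findings = check_spec(req) + tracker.observe(req)
        if findings:
            alerts.append((req["path"], findings))
    return alerts

# Constructed mirrored traffic: key k1 walks order ids 100..104 from two countries.
SAMPLE = [{"method": "GET", "path": f"/orders/{i}", "api_key": "k1",
           "geo": "DE" if i % 2 else "BR"} for i in range(100, 105)]
SAMPLE += [{"method": "DELETE", "path": "/cart", "api_key": "k2", "geo": "US"},
           {"method": "GET", "path": "/orders/abc", "api_key": "k2", "geo": "US"}]
```

Running analyze(SAMPLE) yields six findings: the multi-geography key from the second order request on, the sequential-ID pattern once five consecutive ids have been seen, the unexpected DELETE on /cart, and the non-integer orderId.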

Key Components, Values, Defaults, and Timers

Pricing: Defender for APIs is billed per API request, with a cost of $0.00125 per request (as of 2025). The first 1 million requests per month are free. There is no additional cost for the first 100 API endpoints.

Supported Regions: All Azure regions where Defender for Cloud is available, except government clouds (though GCC and GCCH are in preview).

Data Retention: Security alerts are retained for 90 days in Defender for Cloud. Raw request logs are not stored by Defender for APIs; only metadata and alerts are retained.

OpenAPI Specification: Defender for APIs can import OpenAPI 2.0 and 3.0 specifications to understand the API structure. If no specification is provided, it uses machine learning to infer the structure.

Integration with API Management: Defender for APIs requires API Management at the Premium or Standard tier. Consumption tier is not supported because it lacks the necessary monitoring capabilities.

Integration with Defender for Cloud: Alerts appear in the Defender for Cloud dashboard under "Security Alerts" with severity levels (High, Medium, Low). The alert includes a MITRE ATT&CK mapping.

Configuration and Verification Commands

To enable Defender for APIs:

1. In the Azure portal, navigate to Microsoft Defender for Cloud.

2. Under "Environment settings," select your subscription.

3. In the "Defender plans" section, enable "Defender for APIs."

4. Select the API Management instances you want to protect.

Alternatively, you can use Azure CLI:

az security pricing create --name 'Api' --tier 'Standard' --subscription <subscription-id>

To check if Defender for APIs is enabled:

az security pricing show --name 'Api' --query 'properties.pricingTier' -o tsv

Expected output: Standard

To list security alerts whose compromised entity mentions an API (a JMESPath filter passed through the global --query option):

az security alert list --query "[?contains(compromisedEntity, 'api')]" -o table

Interaction with Related Technologies

Azure API Management (APIM): Defender for APIs integrates natively with APIM to monitor traffic. APIM policies can be used to block or rate-limit requests based on Defender's recommendations.

Azure Application Gateway WAF: While WAF protects against common web attacks (SQL injection, XSS), Defender for APIs focuses on API-specific threats like BOLA and mass assignment. They complement each other: WAF inspects generic HTTP traffic inline at layer 7, while Defender for APIs analyzes the API's own semantics (routes, parameters, object access) out-of-band.

Azure Front Door WAF: Similar to Application Gateway, Front Door WAF can be used in front of APIs, but Defender for APIs provides deeper insight into API logic.

Azure Sentinel: Defender for APIs alerts can be forwarded to Sentinel for advanced SIEM capabilities and incident response.

Azure Policy: You can enforce the use of Defender for APIs on all API Management instances via Azure Policy.

Key Capabilities

Discovery: Automatically discovers all APIs in your Azure environment, including those in App Service, Functions, and AKS.

Security Posture Management: Provides a security posture score for each API, highlighting misconfigurations like missing authentication, excessive data exposure, and lack of rate limiting.

Threat Detection: Detects attacks such as:

- Broken Object Level Authorization (BOLA)
- Excessive data exposure
- Mass assignment
- Injection attacks (SQL, NoSQL, command)
- Authentication bypass
- DDoS and brute force

Audit Trail: Logs all API requests and responses (metadata only) for forensic analysis.

Integration with DevOps: Supports CI/CD pipelines by providing security feedback during development.

Default Values and Limits

Maximum API endpoints per plan: 100 endpoints are included; additional endpoints cost $0.00125 per request.

Maximum requests per second: No hard limit, but requests beyond 10,000 per second may be throttled.

Alert generation latency: Typically within 2-5 minutes of the malicious request.

Exam-Specific Details

Defender for APIs is NOT a WAF replacement; it is an API-specific security solution.

It does NOT inspect traffic in real-time; it uses traffic mirroring for out-of-band analysis.

It requires API Management Premium or Standard tier (not Consumption).

It can be used without API Management for App Service and Functions via agent (preview).

The pricing is per API request, not per endpoint or per month.

Walk-Through

1. Enable Defender for APIs

Navigate to Microsoft Defender for Cloud in the Azure portal. Under 'Environment settings,' select your subscription. In the 'Defender plans' section, find 'Defender for APIs' and toggle it to 'On.' You can also choose specific API Management instances to protect. This enables the monitoring pipeline. The default pricing tier is 'Standard,' which incurs costs per API request. After enabling, it may take up to 24 hours for the service to fully onboard and begin analyzing traffic.

2. Connect API Management Instance

In the Defender for APIs dashboard, select 'Connect API Management instance.' Choose the API Management instance you want to protect. The instance must be in the same subscription and region. Defender for APIs will automatically start mirroring traffic from the API Management gateway. The mirroring is done out-of-band, meaning it does not affect the latency or availability of the live API. Ensure that the API Management instance is at Standard or Premium tier.

3. Configure OpenAPI Specification

Optionally, upload an OpenAPI specification (Swagger) for each API. Defender for APIs uses this specification to understand the intended structure of the API, such as expected parameters, request bodies, and response schemas. This allows for more accurate anomaly detection. If no specification is provided, Defender for APIs uses machine learning to infer the structure over time. To upload, go to the API Management instance, select the API, and under 'Defender for APIs,' upload the specification file.

4. Monitor Security Alerts

Once configured, Defender for APIs starts analyzing traffic. When a threat is detected, a security alert is generated in Defender for Cloud. Alerts appear in the 'Security Alerts' page with severity levels. Each alert includes details like the affected API endpoint, the malicious request, the MITRE ATT&CK technique, and recommended remediation steps. You can also view the alert in the Defender for APIs dashboard, which provides a timeline of events and related alerts.

5. Respond and Remediate

For each alert, you can take immediate action such as blocking the offending IP address, updating API policies to require authentication, or adding rate limiting. Defender for APIs provides remediation steps in the alert. You can also automate responses using Azure Logic Apps or integrate with SIEM tools like Azure Sentinel. For example, you can create a Logic App that automatically blocks an IP in Azure Firewall when a high-severity alert is triggered. Regularly review the security posture score and address recommendations to improve API security.

What This Looks Like on the Job

Scenario 1: E-commerce Platform with Public APIs

A large e-commerce company exposes public APIs for product search, cart management, and checkout. They use Azure API Management to manage traffic. Before Defender for APIs, they relied on Application Gateway WAF for protection. However, they experienced a BOLA attack where an attacker manipulated order IDs to view other users' orders. After deploying Defender for APIs, the solution detected the anomalous pattern of sequential order ID requests and alerted the security team. The team then implemented a policy in API Management to validate that the order ID belongs to the authenticated user. The performance impact was negligible because traffic mirroring is out-of-band. Cost was manageable at approximately $500 per month for 5 million API requests.

Scenario 2: Financial Services with Internal APIs

A bank uses internal APIs for account management and transactions. They have strict compliance requirements (PCI DSS, SOX). They deployed Defender for APIs to monitor internal APIs for data exfiltration attempts. An attacker who gained access to an internal application started making API calls to retrieve customer data. Defender for APIs detected the unusual volume of responses containing sensitive data (excessive data exposure) and generated an alert. The security team was able to quickly revoke the compromised credentials and investigate the breach. The integration with Azure Sentinel allowed them to correlate the API alerts with other security events.

Common Misconfigurations

Not enabling Defender for APIs on all API Management instances: Often, only production instances are protected, leaving development and staging APIs vulnerable.

Not uploading OpenAPI specifications: Without a specification, Defender for APIs takes longer to establish a baseline and may miss anomalies.

Ignoring security posture recommendations: The security posture score provides actionable improvements, but teams often focus only on alerts.

Overlooking cost: For high-volume APIs, costs can escalate. It's important to set budgets and monitor usage.

Performance Considerations

Defender for APIs uses traffic mirroring, so it does not introduce latency to the live API. However, the mirrored traffic consumes bandwidth and storage in the monitoring pipeline. For APIs with high throughput (over 10,000 requests per second), consider using sampling or filtering to reduce the volume. The default retention period for alerts is 90 days; for longer retention, export alerts to Log Analytics or Sentinel.

How AZ-500 Actually Tests This

What AZ-500 Tests on Defender for APIs

The exam objectives under Security Operations (4.1) include:

Describe the capabilities of Microsoft Defender for APIs.

Configure Microsoft Defender for APIs.

Interpret security alerts and recommendations from Defender for APIs.

Understand integration with API Management and other services.

Common Wrong Answers and Why Candidates Choose Them

1. Wrong Answer: "Defender for APIs replaces Azure Application Gateway WAF." Why chosen: Candidates confuse API security with web security. They assume one solution covers all. Correction: WAF protects against web attacks (SQL injection, XSS) at layer 7, while Defender for APIs focuses on API-specific threats like BOLA. They complement each other.

2. Wrong Answer: "Defender for APIs is built into Azure API Management." Why chosen: Because it integrates with APIM, candidates think it's a built-in feature. Correction: Defender for APIs is a separate Defender for Cloud plan that can be enabled for APIM. It is not part of APIM's built-in capabilities.

3. Wrong Answer: "Defender for APIs requires an agent installed on each API host." Why chosen: Many security solutions require agents. Correction: For APIM-managed APIs, no agent is needed; it uses traffic mirroring. For App Service/Functions, an agent is in preview but not required for the exam.

4. Wrong Answer: "Defender for APIs blocks malicious requests in real-time." Why chosen: Candidates assume detection implies blocking. Correction: Defender for APIs is a detection and alerting solution. It does not block traffic; blocking must be configured separately (e.g., via APIM policies or WAF).

Specific Numbers and Terms on the Exam

Pricing: $0.00125 per request, first 1 million free.

Supported API Management tiers: Standard and Premium (not Consumption).

Alert severity: High, Medium, Low.

MITRE ATT&CK techniques: e.g., T1190 (Exploit Public-Facing Application), T1530 (Data from Cloud Storage).

OpenAPI versions: 2.0 and 3.0.

Edge Cases and Exceptions

Defender for APIs does not support APIs behind Azure Front Door or Application Gateway directly; it must be used with APIM or the agent.

For AKS-hosted APIs, the agent is in preview; the exam focuses on APIM integration.

Defender for APIs does not provide real-time protection; it is a post-event detection tool.

How to Eliminate Wrong Answers

If an answer mentions "real-time blocking" or "inline inspection," it is likely wrong.

If an answer says "requires no additional cost," it is wrong because Defender for APIs has per-request pricing.

If an answer suggests it works with Consumption tier APIM, it is wrong.

Focus on the key differentiator: Defender for APIs is about API-specific threats, not generic web attacks.

Key Takeaways

Defender for APIs is a cloud-native API security solution within Microsoft Defender for Cloud.

It detects API-specific threats like Broken Object Level Authorization (BOLA), excessive data exposure, and injection attacks.

It integrates with Azure API Management (Standard/Premium tiers) via traffic mirroring, not inline inspection.

Pricing is $0.00125 per API request, with the first 1 million requests free per month.

Defender for APIs does not block traffic; it generates security alerts and recommendations.

It supports OpenAPI 2.0 and 3.0 specifications for accurate anomaly detection.

Alerts are retained for 90 days in Defender for Cloud and can be exported to Azure Sentinel.

Common exam trap: Confusing Defender for APIs with WAF or thinking it blocks traffic.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Defender for APIs

Focuses on API-specific threats (BOLA, excessive data exposure).

Uses traffic mirroring (out-of-band) for analysis.

Requires API Management Premium/Standard or agent (preview).

Priced per API request ($0.00125/request).

Provides security posture management for APIs.

Azure Application Gateway WAF

Focuses on web attacks (SQL injection, XSS, OWASP Top 10).

Inspects traffic inline (real-time blocking).

Works with any HTTP/HTTPS traffic, not just APIs.

Priced per hour or per instance (fixed cost).

Does not provide API-specific security posture.

Watch Out for These

Mistake: Defender for APIs is a built-in feature of Azure API Management.

Correct: Defender for APIs is a separate Microsoft Defender for Cloud plan that can be enabled for API Management instances. It is not included in API Management pricing.

Mistake: Defender for APIs can block malicious requests automatically.

Correct: Defender for APIs is a detection-only solution. It generates alerts but does not block traffic. Blocking requires separate configuration, such as API Management policies or Azure Firewall rules.

Mistake: Defender for APIs replaces Azure Application Gateway WAF.

Correct: Defender for APIs and WAF serve different purposes. WAF protects against web attacks at the network layer, while Defender for APIs focuses on API-specific threats at the application layer. They are complementary.

Mistake: Defender for APIs works with any API Management tier.

Correct: Only Standard and Premium tiers are supported. The Consumption tier lacks the necessary monitoring capabilities for traffic mirroring.

Mistake: Defender for APIs stores all API request payloads for analysis.

Correct: Defender for APIs does not store raw request or response payloads. It only retains metadata and alerts for 90 days. Payload analysis is done in memory and discarded.


Frequently Asked Questions

Does Defender for APIs support APIs not managed by Azure API Management?

Yes, but with limitations. For APIs hosted on Azure App Service, Azure Functions, or AKS, you can use an agent (currently in preview) to monitor traffic. However, for the AZ-500 exam, focus on the integration with API Management, which is the generally available method.

How does Defender for APIs handle encrypted traffic (HTTPS)?

Defender for APIs receives mirrored traffic from API Management, which has already decrypted the HTTPS traffic. Therefore, the analysis is performed on the plaintext HTTP request and response. The traffic mirroring channel itself is encrypted.

What is the difference between Defender for APIs and Azure API Management's built-in analytics?

API Management analytics provide operational metrics like request counts, response times, and error rates. Defender for APIs provides security-specific insights, including threat detection, security posture recommendations, and anomaly detection. They serve different purposes.

Can Defender for APIs be used with Azure Front Door?

Defender for APIs does not directly integrate with Azure Front Door. However, if you place API Management behind Front Door, Defender for APIs can monitor the traffic that passes through API Management. You would need to ensure that the traffic reaches API Management for monitoring.

How long does it take for Defender for APIs to start generating alerts after enablement?

It can take up to 24 hours for Defender for APIs to fully onboard and establish a baseline. Alerts may start appearing within a few hours, but full coverage is achieved after the initial learning period.

What happens if I exceed the 100 free API endpoints?

The first 100 API endpoints are included in the plan. For additional endpoints, you are charged $0.00125 per request. There is no per-endpoint fee; the cost is based on the number of requests to those endpoints.

Does Defender for APIs support rate limiting?

Defender for APIs does not enforce rate limiting itself. However, it can detect rate limiting violations (e.g., brute force attacks) and generate alerts. To enforce rate limiting, you must configure it in API Management policies or Azure Front Door.
