
Connecting Vanta & Microsoft Defender

Updated today

Overview

Microsoft Defender for Endpoint (GCC High) is an enterprise endpoint security platform hosted in the Azure Government cloud. It is designed for US government contractors and organizations handling Controlled Unclassified Information (CUI) that require a FedRAMP-authorized security environment.

This integration connects Vanta to your GCC High Defender tenant via OAuth against the Azure Government authorization endpoint. Defender itself supplies endpoint detection and response (EDR), vulnerability management, and threat protection; the integration gives Vanta read-only visibility into the endpoint security posture and the vulnerability findings Defender records for your devices.

Estimated setup time: 5-10 minutes

Use cases and capabilities

This integration with Vanta powers the following workflows for organizations operating in the GCC High government cloud environment:

  • Endpoint monitoring for vulnerability management: Vanta imports your Defender-enrolled endpoint machines and maintains them as monitored assets. This gives you a continuously updated view of which devices are active in your environment without manual tracking.

  • Vulnerability management: Vanta syncs CVE-based vulnerability findings from Defender and links each finding to the affected endpoint machine. This data powers four automated tests in Vanta, one for each severity level: critical, high, medium, and low. These tests run automatically and help demonstrate continuous vulnerability management to auditors.

  • Evidence collection: Vulnerability and endpoint data synced through this integration is available as continuous evidence in Vanta, reducing the need for manual screenshots or exports during audits.

  • Remediation acceleration: For each vulnerability finding, Vanta surfaces remediation guidance parsed from the CVE details returned by Defender. Teams can review what action is needed directly in Vanta without switching to the Defender portal to look up fix guidance per CVE.

  • Posture monitoring: Vanta imports device risk scores and exposure levels assigned by Defender for each enrolled endpoint. Teams can review which machines carry elevated risk or high exposure as part of their ongoing security posture review.

  • Compliance support: Vulnerability findings synced from Defender feed directly into Vanta's automated test results and evidence library. This reduces manual evidence gathering during audits and helps demonstrate that vulnerability management controls are operating continuously across your endpoint environment.

Prerequisites

Confirm all of the following before starting setup:

  • You have access to the Vanta Government instance

  • You have admin access in Vanta

  • You have a Microsoft Defender for Endpoint license that includes Threat and Vulnerability Management, such as Microsoft Defender for Endpoint Plan 2 or Microsoft 365 E5 GCC High

  • Your organization is enrolled in the GCC High (Azure Government) environment (not standard commercial Microsoft 365)

  • Microsoft Defender for Endpoint is deployed and devices are actively onboarded

  • Threat and Vulnerability Management (shown in newer Defender portals as Microsoft Defender Vulnerability Management) is enabled in your Defender tenant

  • The person completing setup holds a Global Administrator or equivalent admin role in the GCC High Microsoft 365 organization (which is required to grant tenant-wide consent during the OAuth flow)

    • Confirm your admin role before starting: in the Azure Government portal (portal.azure.us), open Microsoft Entra ID > Roles and administrators and verify that your account is assigned a role that can grant admin consent on behalf of your organization (Global Administrator or an equivalent application-admin role)

Setup guide

In Vanta (Gov instance only), navigate to Integrations.

  • Log in to your Vanta Government instance.

  • Navigate to Integrations in the left-hand navigation.

  • Search for Microsoft Defender under the Available Integrations tab.

  • Click View Details, then click Connect.

  • Then click Connect Microsoft Defender for Endpoint (GCC High).

  • You will be redirected to the Azure Government sign-in page (https://login.microsoftonline.us/). Before entering credentials, confirm the address bar shows login.microsoftonline.us and not the commercial login.microsoftonline.com; a commercial sign-in page means you are not connecting to the GCC High tenant. Sign in with your GCC High admin account. You must be a Global Administrator (or equivalent) to complete this step.

  • Review the permissions Vanta is requesting and click Accept to grant tenant-wide consent.

Note: Vanta requests read-only access. No write permissions are granted.

  • After consent is granted, Microsoft redirects back to Vanta. Vanta validates the connection and stores the credentials for your tenant.

  • Click Close. Vanta will begin syncing endpoint machine and vulnerability data on its standard recurring schedule.

Verification and validation

After completing setup, the integration should appear as Connected in your Vanta Integrations page.

Confirming data is syncing

  • Navigate to Vulnerability Management in Vanta. Your Defender endpoint machines should appear there as monitored assets, and the CVE findings linked to those machines should be visible, organized by severity (Critical, High, Medium, Low).

What to check if data is missing

  • Confirm that devices in Defender have a health status of Active and are not excluded from the device inventory.

  • Confirm that endpoint devices are onboarded in Microsoft Defender for Endpoint (Vanta only pulls vulnerability data for onboarded machines).

  • Confirm that Threat and Vulnerability Management is enabled in your Defender tenant.

  • Confirm that your Defender license supports vulnerability data access.

  • Check that the integration status in Vanta shows Connected (not an error state).
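The checks above (and the first two troubleshooting entries further down) can be run as a pre-flight check against the Defender for Endpoint API instead of clicking through the portal. The script below is an added example and is not Vanta's or Microsoft's code. It classifies machines the way the import does (Active health and Onboarded sensor), reports which machines will be skipped and why, buckets CVE findings into the four severities that the automated tests use, and lists machines Defender rates as high risk or high exposure. The API host in API_BASE is an assumption taken from Microsoft's US Government endpoint list, and the two sample payloads are constructed to resemble the /api/machines and /api/vulnerabilities/machinesVulnerabilities responses; the field names used (healthStatus, onboardingStatus, riskScore, exposureLevel, machineId, severity) are those of the real Defender API resources.

```python
"""Pre-flight check for the Defender for Endpoint (GCC High) -> Vanta sync.

Added example, not Vanta's or Microsoft's code. Runs offline against the
constructed payloads below; fetch_json() shows the live call shape.
"""
import json
import urllib.request
from collections import Counter

# Assumed GCC High API host (assumption; verify against Microsoft's Defender
# for Endpoint "US Government customers" documentation for your tenant).
API_BASE = "https://api-gov.securitycenter.microsoft.us/api"
SEVERITIES = ("Critical", "High", "Medium", "Low")  # one Vanta test each

# Constructed sample of a /api/machines response (subset of fields).
SAMPLE_MACHINES = json.loads("""
{"value": [
  {"id": "m-001", "computerDnsName": "fs01.example.us", "healthStatus": "Active",
   "onboardingStatus": "Onboarded", "riskScore": "High", "exposureLevel": "High"},
  {"id": "m-002", "computerDnsName": "ws17.example.us", "healthStatus": "Inactive",
   "onboardingStatus": "Onboarded", "riskScore": "Medium", "exposureLevel": "Medium"},
  {"id": "m-003", "computerDnsName": "lab03.example.us", "healthStatus": "Active",
   "onboardingStatus": "CanBeOnboarded", "riskScore": "None", "exposureLevel": "Low"}
]}""")

# Constructed sample of a /api/vulnerabilities/machinesVulnerabilities response
# (placeholder CVE ids, not real vulnerabilities).
SAMPLE_FINDINGS = json.loads("""
{"value": [
  {"cveId": "CVE-TEST-0001", "machineId": "m-001", "severity": "Critical"},
  {"cveId": "CVE-TEST-0002", "machineId": "m-001", "severity": "High"},
  {"cveId": "CVE-TEST-0003", "machineId": "m-002", "severity": "Low"},
  {"cveId": "CVE-TEST-0004", "machineId": "m-001", "severity": "Medium"}
]}""")


def syncable_machines(machines):
    """Machines Vanta will import: health Active and sensor Onboarded."""
    return [m for m in machines["value"]
            if m["healthStatus"] == "Active" and m["onboardingStatus"] == "Onboarded"]


def skipped_machines(machines):
    """(name, reason) pairs for machines that will not appear in Vanta."""
    skipped = []
    for m in machines["value"]:
        reasons = []
        if m["healthStatus"] != "Active":
            reasons.append("healthStatus=" + m["healthStatus"])
        if m["onboardingStatus"] != "Onboarded":
            reasons.append("onboardingStatus=" + m["onboardingStatus"])
        if reasons:
            skipped.append((m["computerDnsName"], ", ".join(reasons)))
    return skipped


def findings_by_severity(findings, machines):
    """Count CVE findings per severity for importable machines only.
    Findings on skipped machines are dropped, which is why the Defender
    portal can show more vulnerabilities than Vanta does."""
    importable = {m["id"] for m in syncable_machines(machines)}
    counts = Counter({s: 0 for s in SEVERITIES})
    for f in findings["value"]:
        if f["machineId"] in importable and f["severity"] in SEVERITIES:
            counts[f["severity"]] += 1
    return dict(counts)


def elevated_risk(machines):
    """Machines Defender rates High risk or High exposure (posture review)."""
    return [m for m in machines["value"]
            if m["riskScore"] == "High" or m["exposureLevel"] == "High"]


def fetch_json(path, access_token):
    """Live GET against the GCC High API; not exercised offline. The bearer
    token must come from login.microsoftonline.us for the Defender API."""
    req = urllib.request.Request(API_BASE + path,
                                 headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def report(machines, findings):
    """Human-readable summary of what Vanta should show after the next sync."""
    lines = ["Importable machines: %d" % len(syncable_machines(machines))]
    lines += ["Skipped: %s (%s)" % s for s in skipped_machines(machines)]
    lines += ["%s: %d" % kv for kv in findings_by_severity(findings, machines).items()]
    lines += ["Elevated risk: " + m["computerDnsName"] for m in elevated_risk(machines)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MACHINES, SAMPLE_FINDINGS))
```

To run it against a real tenant, replace the two SAMPLE_ payloads with fetch_json("/machines", token) and fetch_json("/vulnerabilities/machinesVulnerabilities", token); if the Importable count is zero or every finding lands on a skipped machine, fix the device side first, because the sync cannot show data Defender does not classify as Active and Onboarded.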

Permissions

Vanta connects to your Defender tenant with read-only access. The person completing setup must be a Global Administrator (or equivalent) in the GCC High Microsoft 365 organization to grant tenant-wide consent.

Read access

Vanta requests the following permissions during setup. After consent, you can confirm exactly what was granted in the Azure Government portal (portal.azure.us) under Microsoft Entra ID > Enterprise applications > the Vanta application > Permissions; keep that record for your access reviews.

  • Read all machine profiles (imports endpoint device inventory)

  • Read all alerts (requested during setup; alerts are not currently imported by this integration, so this grant is broader than what Vanta uses today and is worth noting in your access review)

  • Read Threat and Vulnerability Management data (imports CVE vulnerability findings per machine)

Write access

Vanta has no write access to your Defender environment. Vanta cannot create, modify, close, or remediate anything in Defender.

Troubleshooting and FAQs

Issue: No endpoint machines appear in Vanta after connecting

  • Likely cause: No machines in your Defender tenant have an Active health status, or all machines are marked as excluded in Defender.

  • How to confirm: Log in to the Microsoft Defender portal for GCC High (security.microsoft.us) and verify that enrolled devices show a health status of Active and are not excluded.

  • Fix: Ensure devices are actively onboarded to Defender for Endpoint and are not excluded from the inventory. Then wait for the next sync cycle or contact Vanta support to trigger a manual sync.

Issue: Machines appear but no vulnerability data is visible

  • Likely cause: Either Threat and Vulnerability Management is not enabled in your Defender tenant, or the initial machine sync has not yet completed (each vulnerability finding is linked to a machine, so machines must be recorded before their findings can be imported).

  • How to confirm: In the Defender portal, navigate to Threat and Vulnerability Management and verify it is active. Also confirm the integration has completed at least one full sync cycle in Vanta.

  • Fix: Enable Threat and Vulnerability Management in your Defender settings. If it is already enabled, wait for an additional sync cycle to complete. If the issue persists, verify your Defender license includes this feature.

Issue: The integration disconnects and shows an error in Vanta

  • Likely cause: The permissions granted during setup were revoked, or the admin account used during setup no longer has sufficient rights in the GCC High tenant.

  • How to confirm: Check the integration status in Vanta. A disconnected state following a previously successful connection typically indicates a permissions or authorization issue.

  • Fix: Reconnect the integration from the Vanta Integrations page. Ensure the account completing setup is a Global Administrator in the GCC High organization and can grant tenant-wide admin consent.