Microsoft Defender vs Am I Being Pwned
Triaging Browser Extensions with Microsoft Defender
Defender Vulnerability Management rates extensions by permission on Windows only, and says 'risk is subjective'. Here's how to triage extensions with an evidence-backed verdict.
Does Microsoft Defender triage browser extensions?
Microsoft Defender Vulnerability Management (MDVM) has a Browser extensions inventory page that lists extensions across Edge, Chrome and Firefox and shows each one's requested permissions and a 'Permissions risk' level. But that risk level is generated purely from the type of access each permission requests - not from what the extension's code actually does.
Microsoft is explicit that this is not a verdict. Their documentation says the information is there to 'help make an informed decision on whether you want to allow or block this extension', and that 'risk is subjective - each organization should determine the types of risk they're willing to take on'. There are also hard limits: extension assessment is Windows-only, and MDVM can't block anything itself - enforcement happens separately in Microsoft Intune.
Am I Being Pwned picks up where MDVM stops. It unpacks the extension's code, runs it, and watches what it does - then hands you a keep-or-remove decision backed by that behaviour, on macOS and Linux as well as Windows. Instead of a permission-risk level you have to weigh yourself, you get the call and the evidence for it.
What Defender gives you
- A Browser extensions inventory page covering Edge, Chrome and Firefox
- Per-extension detail: install counts, enabled state per device, versions, and requested permissions
- A 'Permissions risk' level derived from the type of access each permission requests
- APIs and advanced-hunting tables (DeviceTvmBrowserExtensions) for querying the inventory
Where it stops
- The risk level comes from declared permissions only; the code isn't analysed
- There's no malicious-or-safe verdict - Microsoft states 'risk is subjective' and leaves the decision to you
- MDVM can't block anything itself - enforcement needs a separate Intune configuration
- Assessment is Windows-only; macOS and Linux endpoints get no extension coverage at all
- A silent update doesn't trigger any re-analysis of behaviour
Defender vs Am I Being Pwned
How to triage browser extensions when you use Microsoft Defender
MDVM shows you a permission-risk level per extension. Here's how to turn that into an allow-or-block decision Microsoft deliberately leaves to you.
1. Pull the Browser extensions inventory
   In Defender Vulnerability Management, open Inventories, then Browser extensions, and sort by Permissions risk. Remember this only covers Windows devices - Mac and Linux extensions won't appear.
2. Read the permission-risk level for what it is
   Microsoft generates that level from the access an extension's permissions request, and explicitly calls risk 'subjective'. It's a prioritisation cue, not a statement that the extension is dangerous.
3. Analyse the code behind the high-risk extensions
   For each high-permission-risk extension, find out what it actually does. Enter the extension ID into Am I Being Pwned for a behavioural report, or scan your Workspace to also cover the extensions Defender's Windows-only view misses.
4. Decide, then enforce in Intune
   MDVM can't block extensions - you'll build allow, block, or force-install policies in Microsoft Intune's Edge and Chrome management. Base those policies on evidence, not permission counts.
5. Watch for post-update drift
   A permission-risk level doesn't change when an extension's behaviour does. Continuous behavioural re-scanning catches extensions that go bad in a later version.
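One way to make these five steps repeatable, as an added example (not code from Microsoft or Am I Being Pwned): key every verdict on extension ID plus version, so an update puts the extension back in the review queue even when its permission-risk level has not moved. The row fields are assumed to match columns of the DeviceTvmBrowserExtensions table; the extension IDs, risk labels and the `reviewed` store are constructed for illustration.

```python
from collections import defaultdict

# Assumed column names, modelled on DeviceTvmBrowserExtensions; check your schema.
COLS = ("DeviceId", "ExtensionId", "ExtensionName", "ExtensionVersion", "ExtensionRisk")
RISK_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}  # assumed labels


def rows(*tuples):
    """Build inventory rows from compact tuples."""
    return [dict(zip(COLS, t)) for t in tuples]


# Constructed sample inventory (placeholder IDs, not real extensions).
INVENTORY = rows(
    ("dev-1", "ext-aaa", "Tab Styler", "3.5.0", "Low"),
    ("dev-2", "ext-aaa", "Tab Styler", "3.4.1", "Low"),
    ("dev-1", "ext-bbb", "PDF Helper", "1.0.0", "High"),
    ("dev-2", "ext-bbb", "PDF Helper", "1.0.0", "High"),
    ("dev-3", "ext-ccc", "Coupon Finder", "2.1.0", "Medium"),
)
# Hypothetical verdict store: one evidence-backed decision per (ID, version).
REVIEWED = {("ext-aaa", "3.4.1"): "keep"}


def triage_queue(inventory, reviewed):
    """Return installed (ID, version) pairs that still need code analysis."""
    devices, sample = defaultdict(set), {}
    for r in inventory:
        key = (r["ExtensionId"], r["ExtensionVersion"])
        devices[key].add(r["DeviceId"])
        sample[key] = r
    reviewed_ids = {ext_id for ext_id, _ in reviewed}
    queue = []
    for key, devs in devices.items():
        if key in reviewed:
            continue  # this exact version already has a verdict
        # A verdict on an older version does not carry over to an update.
        why = "updated since review" if key[0] in reviewed_ids else "never reviewed"
        queue.append({"id": key[0], "version": key[1], "why": why,
                      "name": sample[key]["ExtensionName"],
                      "risk": sample[key]["ExtensionRisk"], "devices": len(devs)})
    # Permission risk is only the ordering cue; unknown labels sort first.
    queue.sort(key=lambda q: (RISK_RANK.get(q["risk"], -1), -q["devices"], q["id"]))
    return queue


if __name__ == "__main__":
    for item in triage_queue(INVENTORY, REVIEWED):
        print(item)
```
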
From our published research
“Spin AI scored Stylish as 33 (low risk). We scored it critical.”
Why Permission Scoring Fails
A permission-derived risk level rated a 2M-user data harvester as low.
“Their median risk score for CRITICAL extensions (46) is actually lower than for CLEAN ones (49). The scores showed no meaningful correlation with actual risk across our sample of 2,534 extensions.”
Spin AI vs Am I Being Pwned
What a permission-based risk level systematically misranks.
“Any site with the same Country Code eTLD could exfiltrate usernames, passwords, URLs and TOTP codes from any other login on the same eTLD. No user interaction. The manifest was totally fine.”
MultiPassword - CVSS 8.3
The permission view was clean; the code was not.
Frequently asked questions
Does Microsoft Defender show browser extension risk?
Yes. Defender Vulnerability Management's Browser extensions page shows a 'Permissions risk' level for each extension, generated from the type of access its permissions request. It's permission-based, not code-based, and Microsoft states the risk level is subjective and the allow-or-block decision is yours.
Can Microsoft Defender block a browser extension?
Not from MDVM, which is visibility and assessment only. Blocking, allowlisting, or force-installing extensions is done separately in Microsoft Intune's Edge and Chrome management. The documented pattern is find in Defender, enforce in Intune.
Does Defender analyse what an extension's code does?
No. The Permissions risk level is derived from declared permissions, not from analysing or running the extension's code. Defender's extension assessment is also Windows-only. Behavioural analysis of the code is what Am I Being Pwned adds.
Is Defender's browser extension assessment available on Mac?
No. Microsoft documents that browser extension assessment is only available on Windows devices. macOS and Linux endpoints are not covered, so extensions installed there won't appear in the inventory.
Do I still need a dedicated extension scanner with Defender?
If you need to know whether a flagged extension is actually malicious - not just that it requested risky permissions on a Windows device - yes. Am I Being Pwned reads and runs the code across every platform and tells you what it actually does, then enforcement can flow through the same Intune policies you already use.