
How to Integrate Microsoft 365

Monitor for and respond to threats found in your Microsoft 365 environment using our easy-to-set-up integration.

Written by Alan Butcher
Updated this week

Defense.com's Microsoft 365 integration enables you to detect and respond to threats found in your Microsoft 365 environment, directly from your Defense.com account using four modules.

  • Users - Syncs your Azure users into your Defense.com account, allowing you to respond to threats using our 'disable user' feature

  • Logs - Pulls in your Azure user activity data and security alerts so that you can simplify your threat management processes

  • Security Score - Helps you understand how secure your Microsoft 365 configuration is and delivers prioritised security actions to help you increase your Secure Score over time

  • User Devices - Automatically identifies the devices used by your users and links them in the Defense.com asset profile so that you can quickly and easily identify who's impacted by new and existing threats

To complete this integration, you'll need access to your Azure administration account via portal.azure.com and appropriate permissions (such as Global Administrator or Application Developer) to create and manage app registrations.

Azure Audit logging also needs to be enabled. You can learn how to do this here: Enable or disable audit log.

Creating the application

  1. Under the Manage menu, click App Registrations

  2. Click New Registration

  3. Name the application Defense.com. Leave other options as default and click Register

  4. Make a note of the Application (client) ID and the Directory (tenant) ID, as we'll require these later when enabling the integration in Defense.com

Granting API permissions

  1. From the Manage menu on the left-hand side, select API permissions

  2. Next, select Add a permission and then choose the API you wish to add permissions for from the side drawer

  3. Once an API has been selected, click Application permissions

  4. Use the search box to find the permissions you wish to add (a full breakdown of the permissions used by each module can be found here.)

  5. Once you've selected all the permissions you need, click Add permissions towards the bottom of the page

  6. Finally, you need to grant the application the permissions you've enabled by clicking Grant admin consent for [Tenant Name]

Permissions overview

Each module requires permissions to be granted within the various Microsoft APIs - a full breakdown has been provided below.

| API                       | Permission                   | Module         |
|---------------------------|------------------------------|----------------|
| Microsoft Graph API       | User.ReadWrite.All           | Users          |
| Microsoft Graph API       | User.RevokeSessions.All      | Users          |
| Microsoft Graph API       | SecurityEvents.ReadWrite.All | Security Score |
| Microsoft Graph API       | Directory.Read.All           | User Devices   |
| Microsoft Graph API       | SecurityAlert.Read.All       | Logs           |
| Office 365 Management API | ActivityFeed.Read            | Logs           |
| Office 365 Management API | ActivityFeed.ReadDlp         | Logs           |
| Office 365 Management API | ServiceHealth.Read           | Logs           |
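
One way to confirm that admin consent left the app with exactly the permissions in the table is to decode the "roles" claim of an app-only access token for each API and compare it with the table. This is an added example, not Defense.com's own code; the audience URLs, the function names and the sample token are assumptions constructed for illustration, and the decode skips signature verification because it is for inspection only.

```python
import base64
import json

# Application permissions per API, copied from the table above.
# The audience URLs used as keys are assumptions about the token's "aud" claim.
EXPECTED = {
    "https://graph.microsoft.com": {
        "User.ReadWrite.All", "User.RevokeSessions.All",
        "SecurityEvents.ReadWrite.All", "Directory.Read.All",
        "SecurityAlert.Read.All",
    },
    "https://manage.office.com": {
        "ActivityFeed.Read", "ActivityFeed.ReadDlp", "ServiceHealth.Read",
    },
}


def jwt_claims(token):
    """Decode a JWT payload for inspection only (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(token):
    """Diff the token's granted application permissions against the table."""
    claims = jwt_claims(token)
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud not in EXPECTED:
        raise ValueError(f"unexpected audience: {aud!r}")
    granted = set(claims.get("roles", []))
    return {
        "api": aud,
        "missing": sorted(EXPECTED[aud] - granted),  # not consented (yet)
        "excess": sorted(granted - EXPECTED[aud]),   # beyond what the table lists
    }


def sample_token(aud, roles):
    """Constructed, unsigned token standing in for a real access token."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"aud": aud, "roles": roles}), "sig"])


if __name__ == "__main__":
    roles = ["User.ReadWrite.All", "Directory.Read.All", "Mail.ReadWrite"]
    print(audit_roles(sample_token("https://graph.microsoft.com", roles)))
```

A permission reported as missing for a module you have not enabled is expected; anything reported as excess is a grant the table does not call for.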

Creating a Client Secret

  1. From the Manage menu, open Certificates & Secrets.

  2. Under the Client Secrets section, click on the + New client secret button.

  3. Enter a description for the client secret to help you identify its purpose (e.g., Defense.com). Next, set the expiration duration to 24 months to ensure the integration remains active for as long as possible.

  4. After configuring the client secret, click the Add button. The client secret will be generated and displayed on the screen.

  5. Make a note of the following details as these will be required during the integration within Defense.com.

    Application (client) ID: This is your application's unique identifier in Azure AD. It's displayed at the top of the application's overview page.

    Directory (tenant) ID: This is the unique identifier for your Azure AD tenant. You can find it on the Azure AD overview page.

    Client Secret Value: The client secret you generated. Copy and save it securely because you won't be able to retrieve it again.

Enabling the integration

  1. Log in to my.defense.com

  2. Click Integrations in the navigation on the left-hand side

  3. Locate the Microsoft 365 integration and select Enable Microsoft 365

  4. This will launch the Microsoft 365 integration wizard. Begin by clicking Next

  5. First, you will need to enter the Application (Client) ID, Directory (Tenant) ID and Client Secret Value for the Azure application you're using for the integration

  6. Click Check Credentials to verify that the details entered are valid

  7. Once confirmed, you'll be asked to grant your application the permissions required by our 365 integration

  8. Once enabled, click Next to proceed, and the permissions granted will be checked

  9. Finally, once the permissions have been checked, click Complete to finish the integration setup.

Log and alert types

The following audit logs are supported from Office 365 and Azure AD:

  • Audit.AzureActiveDirectory

  • Audit.Exchange

  • Audit.SharePoint

  • DLP.All

  • And many more

The following alert sources are supported:

  • Microsoft Defender for Endpoint

  • Microsoft Defender for Identity

  • Microsoft Defender for Cloud Apps

  • Microsoft Defender for Office 365

  • Microsoft 365 Defender

  • Microsoft Entra ID Protection

  • Microsoft app governance

  • Microsoft Purview Data Loss Prevention

  • Microsoft Defender for Cloud

That's it! You've successfully integrated Microsoft 365 🎉
