This integration collects logs and security alerts from your Microsoft 365 account and brings them into Defense.com, making your cyber security easier to manage.
To complete this integration you’ll need access to your Azure administration account via portal.azure.com and appropriate permissions (such as Global Administrator or Application Developer) to create and manage app registrations.
You should also ensure that Azure Audit logging is enabled according to the steps outlined in this article: Enable or disable audit log.
Creating the application
Under the Manage menu, click App Registrations.
Click New Registration.
Name the application Defense.com. Leave other options as default and click Register.
Take note of the Application (client) ID and the Directory (tenant) ID as we'll require these later when going through the Defense.com integration.
Setting permissions
From the manage menu, open API permissions and click Add a permission.
Select Microsoft Graph then Application permissions.
Select the following permissions.
Click Add permissions then Add a permission.
Select Office 365 Management APIs then Application permissions.
Select the following permissions.
Click Add permissions
Click Grant admin consent for to allow the application to access the Microsoft 365 API without having to ask for consent for users.
Creating Client Secret
From the manage menu, open Certificates & Secrets.
Under the Client Secrets section, click on the + New client secret button.
Enter a description for the client secret to help you identify its purpose (e.g., Defense.com). Next, set the expiration duration to 365 days (12 months) to ensure the secret remains valid for one year.
After configuring the client secret, click the Add button. The client secret will be generated and displayed on the screen.
Make a note of the following details as these will be required during the integration within Defense.com:
Application (client) ID: This is your application's unique identifier in Azure AD. It's displayed at the top of the application's overview page.
Directory (tenant) ID: This is your Azure AD tenant's unique identifier. You can find it on the Azure AD overview page.
Client Secret Value: The client secret you generated. Copy and save it securely because you won't be able to retrieve it again.
Integration steps
Log into my.defense.com
From your dashboard, click the Microsoft 365 Integration button.
This will launch the Microsoft 365 integration wizard.
Click Next.
You will need to enter the following credentials to continue:
Application (Client) ID
Directory (Tenant) ID
Client Secret Value
Click Check Credentials to verify the details entered are valid.
If the credentials are valid you'll be asked to set the following permission within Azure:
Microsoft Graph
User.ReadWrite.All
User.RevokeSessions.All.
SecurityEvents.ReadWrite.All
SecurityAlert.ReadWrite.All
SecurityAlert.Read.All
Office 365 Management APIs
ActivityFeed.Read
ActivityFeed.ReadDlp
ServicesHealth.Read
Click Next to proceed.
Click Complete.
That's it! 🎉The integration is now complete. You can now view your Microsoft 365 integration dashboard.
Log and alert types
The following audit logs are supported from Office 365 and Azure AD:
Audit.AzureActiveDirectory
Audit.Exchange
Audit.SharePoint
DLP.All
Any many more
The following alert sources are supported:
Microsoft Defender for Endpoint
Microsoft Defender for Identity
Microsoft Defender for Cloud Apps
Microsoft Defender For Office365
Microsoft 365 Defender
Microsoft Entra ID Protection
Microsoft app governance
Microsoft Purview Data Loss Prevention
Microsoft Defender for Cloud
For more information about this Microsoft 365 integration please contact our support team via the chat in your Defense.com account.