Microsoft O365

Onboard the Microsoft O365 data connector.

Overview

Radiant Security needs to establish a trusted relationship with your Microsoft account in order to retrieve user and group data related to your organization, including authentication activity and audit activity events.

To do this, you’ll need to onboard O365 by completing the steps in the sections below.

At the end of this configuration, you will provide Radiant Security with these values:
  • Application (client) ID
  • Directory (tenant) ID
  • Client Secret Value

Prerequisites

This configuration requires that you are an administrator of the O365 account.

Register the application with Microsoft Entra ID

In this step, you will register a new application with Microsoft Entra ID (formerly Azure AD). The application will pull user and group data periodically.

Note: Make sure to save the Application (client) ID and Directory (tenant) ID values. You will need to provide them to Radiant Security at the end of the configuration.

  1. Log in to the Microsoft Azure Portal.
  2. From the left side menu, navigate to Microsoft Entra ID.
  3. From the left menu, navigate to App Registrations.
  4. Click + New Registration.
  5. Update the application Name to radiantsecurity-connector and leave all default settings unchanged.

  6. Click Register to save the changes.

  7. On the newly registered application page, copy the following values:
    • Application (client) ID
    • Directory (tenant) ID

  8. On the same page, click the link for Add a certificate or secret.
  9. In the Add a client secret panel, click + New Client Secret.
  10. Set the client secret as:
    • Description: Radiant Security Connector
    • Expires: 12 months
  11. Click Add.
  12. The client secrets page will automatically open.
  13. Copy the Value (not the Secret ID field).

Important note: Ensure you copy the Client secret value now as you won't be able to look it up again later. You will need to provide it to Radiant Security at the end of the configuration.
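Because a client secret set to 12 months silently stops the connector when it expires, it helps to audit the app registration's secrets on a schedule. The script below is an added example, not Radiant Security's code: it assumes you have already fetched the application object with Microsoft Graph (GET https://graph.microsoft.com/v1.0/applications/{object-id}) and pass in its passwordCredentials array; the array embedded here is constructed sample data, and the key IDs in it are placeholders.

```python
"""Client-secret expiry audit for the radiantsecurity-connector app registration.

Added example; this is not Radiant Security's code. It assumes the application
object has been fetched with Microsoft Graph and its 'passwordCredentials' array
is passed in. The array below is constructed sample data.
"""
import re
from datetime import datetime, timezone

# Constructed sample: the connector secret close to expiry, an expired leftover,
# and a secret created with a lifetime longer than the 12 months the guide prescribes.
SAMPLE_PASSWORD_CREDENTIALS = [
    {
        "displayName": "Radiant Security Connector",
        "keyId": "11111111-1111-1111-1111-111111111111",  # constructed placeholder
        "startDateTime": "2024-01-25T14:52:14.1234567Z",
        "endDateTime": "2025-01-25T14:52:14.1234567Z",
    },
    {
        "displayName": "old-test-secret",
        "keyId": "22222222-2222-2222-2222-222222222222",  # constructed placeholder
        "startDateTime": "2023-06-01T00:00:00Z",
        "endDateTime": "2024-06-01T00:00:00Z",
    },
    {
        "displayName": "long-lived-secret",
        "keyId": "33333333-3333-3333-3333-333333333333",  # constructed placeholder
        "startDateTime": "2024-01-01T00:00:00Z",
        "endDateTime": "2026-01-01T00:00:00Z",
    },
]


def parse_graph_datetime(value):
    """Parse the ISO 8601 UTC timestamps Graph emits (they may carry 7 fractional digits)."""
    trimmed = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    return datetime.fromisoformat(trimmed)


def audit_secrets(credentials, now=None, warn_within_days=30, max_lifetime_days=366):
    """Return one finding per secret.

    status is 'expired', 'expiring' (within warn_within_days) or 'ok'.
    notes flags lifetimes longer than max_lifetime_days (12 months, as the guide
    sets it) and the presence of more than one unexpired secret on the app.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for cred in credentials:
        start = parse_graph_datetime(cred["startDateTime"])
        end = parse_graph_datetime(cred["endDateTime"])
        days_left = (end - now).days
        if days_left < 0:
            status = "expired"
        elif days_left <= warn_within_days:
            status = "expiring"
        else:
            status = "ok"
        lifetime_days = (end - start).days
        notes = []
        if lifetime_days > max_lifetime_days:
            notes.append(f"lifetime {lifetime_days} days exceeds {max_lifetime_days}")
        findings.append({
            "displayName": cred.get("displayName", ""),
            "keyId": cred["keyId"],
            "status": status,
            "days_left": days_left,
            "lifetime_days": lifetime_days,
            "notes": notes,
        })
    # Several live secrets usually mean an old one was never removed after rotation.
    active = [f for f in findings if f["status"] != "expired"]
    if len(active) > 1:
        for f in active:
            f["notes"].append("more than one unexpired secret; remove the ones not in use")
    return findings


def audit_sample_secrets():
    """Run the audit over the constructed sample at a fixed point in time (2024-12-30 UTC)."""
    return audit_secrets(SAMPLE_PASSWORD_CREDENTIALS,
                         now=datetime(2024, 12, 30, tzinfo=timezone.utc))


if __name__ == "__main__":
    for finding in audit_sample_secrets():
        print(finding)
```

The 366-day default for the lifetime check exists so that a 12-month secret created in a leap year is not flagged; tighten it if your policy is shorter than the guide's.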

Grant the newly registered application the appropriate permissions

Important note: The steps in the Add permissions in Azure section below apply only if you have Azure enabled in your environment.

  1. On the left sidebar menu, click API Permissions.
  2. Click + Add a permission.
  3. From the pop-out menu, select Microsoft Graph APIs.
  4. Then click Application permissions to open the permission list.
  5. Select the following permissions:

    API/Service | Permission name | Required for data ingestion? | Details
    --- | --- | --- | ---
    Microsoft Graph | Application.Read.All | Yes | Task: Block IP Address
    Microsoft Graph | AuditLog.Read.All | Yes | Collect user authentication events for investigating abnormal authentication to applications
    Microsoft Graph | Directory.Read.All | Yes | Permission to read users’ profiles
    Microsoft Graph | IdentityRiskEvent.Read.All | Yes | Collect identity-based risks/alerts from Entra ID Identity Protection
    Microsoft Graph | IdentityRiskyUser.Read.All | Yes | Collect identity-based risks/alerts from Entra ID Identity Protection
    Microsoft Graph | Mail.ReadWrite | No | Task: Find & Delete Emails
    Microsoft Graph | MailboxSettings.Read | No | Collect the out-of-office status of the user from Microsoft to help influence identity alert triage outcomes
    Microsoft Graph | MailboxSettings.ReadWrite | No | Tasks: Disable all email forward rules, Delete external email forward rules
    Microsoft Graph | Policy.Read.All | No | Task: Block IP Address
    Microsoft Graph | Policy.ReadWrite.ConditionalAccess | No | Task: Block IP Address
    Microsoft Graph | User.Read.All | Yes | Permission to read users’ profiles
    Microsoft Graph | SecurityAlert.Read.All | Yes | Permission to read security alerts
    Microsoft Graph | User.ManageIdentities.All | No | Tasks: Reset User Password, Disable User
    Microsoft Graph | User.EnableDisableAccount.All | No | Tasks: Reset User Password, Disable User, Enable User
    Microsoft Graph | Directory.AccessAsUser.All (delegated permission) | No | Tasks: Reset User Password, Disable User
    Microsoft Cloud App Security | Investigation.Read | Yes | Permission to read the Cloud Apps alerts and the related events
  6. Click Add permissions to save the changes.
  7. Click + Add a permission, select the APIs my organization uses tab, then select the Office 365 Exchange Online option.
  8. Select Application permissions and add the permissions outlined in the table below:

    API/Service | Permission name | Required for data ingestion? | Details
    --- | --- | --- | ---
    Office 365 Exchange Online (APIs my organization uses) | Exchange.ManageAsApp | No | Tasks: Block Sender, Block URL; required for actions that can only be done over PowerShell
    Office 365 Exchange Online (APIs my organization uses) | ReportingWebService.Read.All | Yes | Permission to enrich message trace events
  9. Click Add permissions to save the changes.
  10. Click + Add a permission again and, on the Microsoft APIs tab, select Office 365 Management APIs.
  11. Select Application permissions and add the permissions outlined in the table below:
    API/Service | Permission name | Required for data ingestion? | Details
    --- | --- | --- | ---
    Office 365 Management APIs | ActivityFeed.Read | Yes | Collect user authentication events for investigating abnormal authentication to applications
    Office 365 Management APIs | ActivityFeed.ReadDlp | Yes | Permission to identify impacted users with inbox rules that were newly created or modified to exfiltrate emails
  12. Click Add permissions to save the changes.
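A practical way to confirm that admin consent actually took effect, and that the application has not accumulated permissions beyond the tables above, is to obtain a Graph token with the client credentials you just created and compare its roles claim with the two lists. The script below is an added example, not Radiant Security's code: it assumes the client-credentials flow against the v2.0 token endpoint and the Microsoft Graph application permissions listed in the table (the delegated Directory.AccessAsUser.All never appears in an app-only token, so it is left out). The token decoded in the offline demo is constructed and unsigned, and the client ID in it is a placeholder.

```python
"""Least-privilege check on the Microsoft Graph token issued to the connector.

Added example; not Radiant Security's code. It assumes the client-credentials
flow from the guide (tenant ID, client ID, client secret) and compares the
'roles' claim of the resulting Graph access token with the permission table.
The JWT decoded in the offline demo is constructed and unsigned.
"""
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Graph application permissions the table marks "Required for data ingestion: Yes".
REQUIRED_FOR_INGESTION = {
    "Application.Read.All", "AuditLog.Read.All", "Directory.Read.All",
    "IdentityRiskEvent.Read.All", "IdentityRiskyUser.Read.All",
    "User.Read.All", "SecurityAlert.Read.All",
}
# Graph application permissions the table marks "No": only needed for response tasks.
OPTIONAL_FOR_TASKS = {
    "Mail.ReadWrite", "MailboxSettings.Read", "MailboxSettings.ReadWrite",
    "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess",
    "User.ManageIdentities.All", "User.EnableDisableAccount.All",
}
# Graph tokens carry either the resource URI or the Graph application ID as audience.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def request_graph_token(tenant_id, client_id, client_secret):
    """Client-credentials request to the v2.0 token endpoint (live network call)."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    req = Request(f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
                  data=body, method="POST")
    with urlopen(req) as resp:
        return json.load(resp)["access_token"]


def decode_claims(jwt):
    """Read a JWT payload without verifying it.

    This introspects a token the token endpoint just issued to us over TLS;
    it is not a way to validate a token presented by some other party.
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(claims, expected_client_id):
    """Compare the roles claim with the guide's table; report missing and extra permissions."""
    granted = set(claims.get("roles", []))
    # v1-format Graph tokens carry the caller in 'appid', v2-format tokens in 'azp'.
    caller = claims.get("appid") or claims.get("azp")
    return {
        "audience_ok": claims.get("aud") in GRAPH_AUDIENCES,
        "client_ok": caller == expected_client_id,
        "missing_required": sorted(REQUIRED_FOR_INGESTION - granted),
        "optional_granted": sorted(granted & OPTIONAL_FOR_TASKS),
        "unexpected": sorted(granted - REQUIRED_FOR_INGESTION - OPTIONAL_FOR_TASKS),
    }


def make_unsigned_jwt(claims):
    """Build an unsigned JWT for the offline demo (constructed data, not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


SAMPLE_CLIENT_ID = "aaaaaaaa-0000-0000-0000-000000000000"  # constructed placeholder


def audit_sample_token():
    """Constructed token: one required permission missing, one optional granted, one unexpected."""
    claims = {
        "aud": "https://graph.microsoft.com",
        "appid": SAMPLE_CLIENT_ID,
        "roles": sorted((REQUIRED_FOR_INGESTION - {"SecurityAlert.Read.All"})
                        | {"Mail.ReadWrite", "Directory.ReadWrite.All"}),
    }
    return audit_token(decode_claims(make_unsigned_jwt(claims)), SAMPLE_CLIENT_ID)


if __name__ == "__main__":
    print(json.dumps(audit_sample_token(), indent=2))
```

Against a live tenant, replace the constructed token with request_graph_token(tenant_id, client_id, client_secret); an empty missing_required list confirms consent was granted for everything ingestion needs, and anything in unexpected is a permission the guide never asked for.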

Add permissions in Azure

Follow these instructions only if you have Azure enabled in your environment.
  1. Click + Add a permission.
  2. From the pop-out menu, select Azure Service Management.
  3. Select the permission user_impersonation.
  4. Click the Add Permission button.
  5. You will see the new permissions have been added. However, there is a warning message that admin consent is missing.
  6. To resolve this, click Grant admin consent for the API permissions.
  7. Click Yes in the confirmation pop-up window. Now, the warnings have been resolved.

Add assigned roles

In this step, you will assign the necessary roles to the newly registered application.

  1. On the left sidebar menu, click Roles and administrators.
  2. On the Roles and administrators page, click here.
  3. From the search bar, search for Global Reader and select the row (do not select the checkbox).
  4. On the active assignments page, click + Add assignment.
  5. On the Add assignments page, under Select member(s), click No member selected and add radiantsecurity-connector in the side panel.
  6. Click Next and, under Enter justification, type the following justification in the text box: Grant Radiant Security access to message trace events
  7. Click Assign to save the changes.
  8. Repeat steps 1-7 for the Exchange Administrator role and for either the Privileged Authentication Administrator role or the Authentication Administrator role.
    1. The Privileged Authentication Administrator role allows the application to run actions such as resetting user passwords on all user accounts in the environment, regardless of their groups or roles.
    2. The Authentication Administrator role allows the application to run the same actions as the Privileged version, but limits the scope so that the application cannot act on user accounts with high privilege levels, such as Global Admins, Group Admins, or users who own or are members of role-assignable groups.

      For more information about the two roles, refer to Microsoft's documentation.
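Since the role assigned in step 8 decides whether the connector can reset passwords on every account or only on non-privileged ones, it is worth reading the assignments back and checking them against this section. The script below is an added example, not Radiant Security's code: it assumes the connector's service principal memberships are fetched with Microsoft Graph (GET https://graph.microsoft.com/v1.0/servicePrincipals/{id}/memberOf), which returns groups and directory roles in one list, and the response embedded here is constructed sample data.

```python
"""Directory-role check for the connector's service principal.

Added example; not Radiant Security's code. It assumes the roles assigned in the
steps above are read back with Microsoft Graph (servicePrincipals/{id}/memberOf)
and that the response is passed in. The response below is constructed sample data.
"""

# Roles the guide assigns unconditionally, and the pair from which exactly one is chosen.
EXPECTED_ROLES = {"Global Reader", "Exchange Administrator"}
AUTH_ADMIN_CHOICES = {"Privileged Authentication Administrator", "Authentication Administrator"}

# Constructed memberOf response: groups and directory roles share the list, so the
# '@odata.type' field is what tells them apart. Global Administrator is included
# deliberately as a role the guide never asks for.
SAMPLE_MEMBER_OF = {
    "value": [
        {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Global Reader"},
        {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Exchange Administrator"},
        {"@odata.type": "#microsoft.graph.directoryRole",
         "displayName": "Privileged Authentication Administrator"},
        {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Global Administrator"},
        {"@odata.type": "#microsoft.graph.group", "displayName": "Security Tooling"},
    ]
}


def directory_role_names(member_of_response):
    """Keep only directoryRole objects from a memberOf response and return their names."""
    return {
        obj["displayName"]
        for obj in member_of_response.get("value", [])
        if obj.get("@odata.type") == "#microsoft.graph.directoryRole"
    }


def audit_directory_roles(role_names):
    """Return findings for the role set.

    missing: roles the guide requires that are not held.
    auth_admin_roles / auth_admin_ok: which of the two authentication roles are held;
      the guide wants exactly one, and the Privileged variant reaches every account.
    extra: roles outside the guide, which are more than the connector needs.
    """
    auth_roles = sorted(AUTH_ADMIN_CHOICES & role_names)
    return {
        "missing": sorted(EXPECTED_ROLES - role_names),
        "auth_admin_roles": auth_roles,
        "auth_admin_ok": len(auth_roles) == 1,
        "extra": sorted(role_names - EXPECTED_ROLES - AUTH_ADMIN_CHOICES),
    }


def audit_sample_roles():
    """Run the check over the constructed memberOf response."""
    return audit_directory_roles(directory_role_names(SAMPLE_MEMBER_OF))


if __name__ == "__main__":
    print(audit_sample_roles())
```

The check matches on display names because that is what memberOf returns; if you run it in a tenant where role display names are localized, compare on roleTemplateId instead.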

Specific configurations

Some data feeds require additional configuration before adding the connector to Radiant Security. Please refer to the following articles if applicable:

Add the connector in Radiant Security

  1. Log in to Radiant Security.
  2. From the navigation menu, click Settings > Data Connectors.
  3. Click + Add Connector.
  4. From the list of connectors, select Microsoft O365.
  5. Add the following values you saved from the previous steps:
    • Application (client) ID
    • Directory (tenant) ID
    • Client Secret Value
  6. Click Add Connector to save the connector configuration.


Last updated: 2024-08-23