# Add Microsoft Defender Permissions

In this guide, you will set up a trusted relationship between Radiant and your Microsoft Defender account to allow Radiant to collect endpoint events, alerts, actions, and activity.

### **Grant the registered application the appropriate permissions**

1. Log in to the [Azure Admin](https://portal.azure.com/#home) portal.
2. From the left side menu, click **Microsoft Entra ID**, then click **App Registration**.
3. Under **All applications**, search for `radiantsecurity-connector` and open the app.
4. On the left side menu, click **API Permissions**.
5. Click + **Add a permission**.
6. From the pop-out menu, select **APIs my organization uses**.

   <div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2Fn7qVJlZI0w52pcjsVpXu%2FAdd%20Microsoft%20Defender%20Permissions_01.png?alt=media&#x26;token=b63ed225-7310-4adf-a813-5cfe766e5ace" alt="" width="375"><figcaption></figcaption></figure></div>
7. Select **WindowsDefenderATP** and then select **Application permissions**.

   <div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FfnV6NPbHBbRJZeFZLrKU%2FAdd%20Microsoft%20Defender%20Permissions_02.png?alt=media&#x26;token=7461e62d-b96b-44e7-b6e6-ca9b68f1aa74" alt="" width="516"><figcaption></figcaption></figure></div>
8. Select the following permissions:

| **API**            | **Permission name**                      | **Required for Data Ingestion?** | **Use Case**                                                                                            |
| ------------------ | ---------------------------------------- | -------------------------------- | ------------------------------------------------------------------------------------------------------- |
| WindowsDefenderATP | AdvancedQuery.Read.All                   | Yes                              | Collect endpoint events                                                                                 |
| WindowsDefenderATP | Alert.Read.All                           | Yes                              | Collect endpoint alerts                                                                                 |
| WindowsDefenderATP | File.Read.All                            | Yes                              | Collect additional info on files                                                                        |
| WindowsDefenderATP | Ip.Read.All                              | Yes                              | Endpoint activity—give the application permissions to collect additional info on IPs                    |
| WindowsDefenderATP | Machine.Isolate                          | No                               | Endpoint actions—allow the app to isolate compromised hosts (either automatically or through one-click) |
| WindowsDefenderATP | Machine.Read.All                         | Yes                              | Endpoint activity—give the application permissions to collect additional info on users involved         |
| WindowsDefenderATP | <p>Ti.ReadWrite,<br>Ti.ReadWrite.All</p> | No                               | Endpoint actions—allow the app to allow/deny IOCs (either automatically or through one-click)           |
| WindowsDefenderATP | URL.Read.All                             | Yes                              | Endpoint activity—give the application permissions to collect additional info on domains                |
| WindowsDefenderATP | User.Read.All                            | Yes                              | Endpoint activity—give the application permissions to collect additional info on users involved         |

9. Click **Add permissions** to save your changes.
10. Notice that the new permissions have been added, but a warning message indicates that admin consent is missing.

    <div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FP95TXb0DAQRcVEnchEx0%2FAdd%20Microsoft%20Defender%20Permissions_03.jpg?alt=media&#x26;token=9f73349e-19a3-4180-b095-9eae299b7320" alt=""><figcaption></figcaption></figure></div>
11. To resolve this, click **Grant admin consent for the Defender API**.

    <div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FNBvd9vYSLah8obyA3mIh%2FAdd%20Microsoft%20Defender%20Permissions_04.jpg?alt=media&#x26;token=5fb0a56e-e849-4ff8-8865-5254ffb2f75c" alt=""><figcaption></figcaption></figure></div>
12. Click **Yes** in the confirmation pop-up window. The warnings have now been resolved.

    <div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F4U7hxnQ6OGC0dwUBvyij%2FAdd%20Microsoft%20Defender%20Permissions_05.jpg?alt=media&#x26;token=487a4f0c-0a54-4b03-afca-840109ad13fb" alt=""><figcaption></figcaption></figure></div>
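
To confirm the outcome of steps 8 to 12, you can decode the `roles` claim of an access token issued to the app and compare it with the table above. This is an added example, not code from Radiant or Microsoft: the function names and the sample token are constructed for illustration, and the token is read without verifying its signature.

```python
import base64
import json

# Permission names copied from the table on this page.
REQUIRED = {"AdvancedQuery.Read.All", "Alert.Read.All", "File.Read.All",
            "Ip.Read.All", "Machine.Read.All", "URL.Read.All", "User.Read.All"}
OPTIONAL = {"Machine.Isolate", "Ti.ReadWrite", "Ti.ReadWrite.All"}  # response actions


def token_roles(jwt):
    """Return the app roles in a token's payload (signature is NOT verified)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    # No 'roles' claim at all means no application permission is in effect,
    # for example when admin consent (steps 11 and 12) was never granted.
    return set(claims.get("roles", []))


def audit_roles(roles):
    """Compare the granted roles with the table: gaps, write actions, extras."""
    return {
        "missing_required": sorted(REQUIRED - roles),
        "response_actions": sorted(OPTIONAL & roles),
        "unexpected": sorted(roles - REQUIRED - OPTIONAL),
    }


def constructed_token(claims):
    """Build an unsigned sample token for the demo; not a real credential."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    # Constructed sample: one required role, one optional action, one extra role.
    sample = constructed_token(
        {"roles": ["Alert.Read.All", "Machine.Isolate", "Machine.ReadWrite.All"]})
    print(json.dumps(audit_roles(token_roles(sample)), indent=2))
```

Entries under `response_actions` are the optional write permissions from the table, so they should appear only if you intend Radiant to isolate hosts or manage IOCs.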

### Enable the data feed in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors**.
3. On the **Data Connectors** page, find **Microsoft O365**.
4. Hover over the connector and click **Enable** to enable data ingestion from Defender.
