Microsoft O365

Onboard the Microsoft O365 data connector.

In this guide, you will set up a trusted relationship between Radiant and your Microsoft account to allow Radiant to retrieve user and group data related to your organization, including authentication activity and audit activity events.

At the end of this configuration, you will provide Radiant Security with these values:

  • Application (client) ID

  • Directory (tenant) ID

  • Client Secret Value

  • Azure Subscription ID (only needed for the Azure Activities feed)

Available actions

The following actions are available after you set up the Microsoft O365 data connector. Keep in mind that additional permissions are required.

  • Find and hard delete emails

  • Block files

  • Block domains

  • Isolate device

  • Disable users and terminate active sessions

  • Terminate active sessions

  • Disable all forward rules

  • Delete external email forward rules

  • Enable User

  • Block IP address (Identity)

  • Block IP address (Endpoint)

  • Release devices from isolation

Prerequisites

Register the application with Microsoft Entra ID

In this step, you'll register a new application with Microsoft Entra ID. The application will pull user and group data on a semi-regular basis.

Note: Make sure to save the Application (client) ID and Directory (tenant) ID values. You will need to provide them to Radiant Security at the end of the configuration.

  1. From the left side menu, navigate to Microsoft Entra ID.

  2. From the left menu, navigate to App Registrations.

  3. Click + New Registration.

  4. Update the application Name to radiantsecurity-connector and leave all default settings unchanged.

  5. Click Register to save the changes.

  6. On the newly registered application page, copy the following values:

    • Application (client) ID

    • Directory (tenant) ID

  7. On the same page, click the link for Add a certificate or secret.

  8. In the Add a client window, click + New Client Secret.

  9. Set the client secret as:

    • Description: Radiant Security Connector

    • Expires: 12 months

  10. Click Add.

  11. The client secrets page will automatically open.

  12. Copy the Value (not the Secret ID field).


Grant the newly registered application the appropriate permissions

  1. On the left sidebar menu, click API Permissions.

  2. Click + Add a permission.

  3. From the pop-out menu, select Microsoft Graph APIs.

  4. Then click Application permissions to open the permission list.

  5. Select the following permissions:

API / Service | Permission name | Required for Data Ingestion? | Use Case | Details
Microsoft Graph | Application.Read.All | Yes | Email, Identity, Endpoint | Task: Block IP Address
Microsoft Graph | AuditLog.Read.All | Yes | Email, Identity | Collect user authentication events for investigating abnormal authentication to applications
Microsoft Graph | Directory.Read.All | Yes | All | Permission to read users’ profiles
Microsoft Graph | IdentityRiskEvent.Read.All | Yes | Identity | Collect identity-based risks/alerts from Entra ID Identity Protection
Microsoft Graph | IdentityRiskyUser.Read.All | Yes | Identity | Collect identity-based risks/alerts from Entra ID Identity Protection
Microsoft Graph | Mail.ReadWrite | No | Email | Task: Find & Delete Emails
Microsoft Graph | MailboxSettings.Read | No | Identity | Collect the out-of-office status of the user from Microsoft to help influence identity alert triage outcomes
Microsoft Graph | MailboxSettings.ReadWrite | No | Email | Tasks: Disable all email forward rules, Delete external email forward rules
Microsoft Graph | Policy.Read.All | No | Identity, Endpoint | Task: Block IP Address
Microsoft Graph | Policy.ReadWrite.ConditionalAccess | No | Identity, Endpoint | Task: Block IP Address
Microsoft Graph | User.Read.All | Yes | All | Permission to read users’ profiles
Microsoft Graph | SecurityAlert.Read.All | Yes | Microsoft Defender for Cloud feed | Permission to read security alerts
Microsoft Graph | User.ManageIdentities.All | No | Email, Identity, Endpoint | Tasks: Reset User Password, Disable User
Microsoft Graph | User.EnableDisableAccount.All | No | Email, Identity, Endpoint | Tasks: Reset User Password, Disable User, Enable User
Microsoft Graph | Directory.AccessAsUser.All (delegated permission) | No | Email, Identity, Endpoint | Tasks: Reset User Password, Disable User
Microsoft Graph | ExchangeMessageTrace.Read.All | Yes | Email | Collect exchangeMessageTrace objects to triage email reports
Microsoft Cloud App Security | Investigation.Read | Yes | Microsoft Defender for Cloud Apps feed | Permission to read the Cloud Apps alerts and the related events

  6. Click Add permissions to save the changes.

  7. Click + Add a permission, select the APIs my organization uses tab, then select the Office 365 Exchange Online option.

  8. Select Application permissions and add the permissions outlined in the table below:

    API / Service | Permission name | Required for Data Ingestion? | Use Case | Details
    Office 365 Exchange Online (APIs my organization uses) | Exchange.ManageAsApp | Yes | Email | Tasks: Block Sender, Block URL (required for actions that can only be done over PowerShell). Data: Email traces.
    Office 365 Exchange Online (APIs my organization uses) | User.RevokeSessions.All | No | Email and Identity | Task: Terminate Active Sessions
    Office 365 Exchange Online (APIs my organization uses) | ReportingWebService.Read.All | Yes | Email | Permission to enrich message trace events

  9. Click Add permissions to save the changes.

  10. Click + Add a permission again and, on the Microsoft APIs tab, select Office 365 Microsoft Management API.

  11. Select Application permissions and add the permissions outlined in the table below:

    API / Service | Permission name | Required for Data Ingestion? | Use Case | Details
    Office 365 Management APIs | ActivityFeed.Read | Yes | Email, Identity | Collect user authentication events for investigating abnormal authentication to applications
    Office 365 Management APIs | ActivityFeed.ReadDlp | Yes | Email | Permission to identify impacted users with inbox rules that were newly created or modified to exfiltrate emails

  12. Click Add permissions to save the changes.
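A quick way to confirm that the permissions above were actually granted, rather than only added to the registration, is to request an app-only token with the client ID, tenant ID and client secret collected earlier and inspect its roles claim: application permissions show up there only after an administrator has consented to them for the tenant, and anything in the claim that is not in the table is a least-privilege finding. The script below is an added example, not Radiant Security's code or documentation; it covers the Microsoft Graph table only (tokens for Exchange Online and the Office 365 Management APIs carry their own roles claims for the scope requested), and the sample token it falls back to offline is constructed data.

```python
"""Check an app-only token's roles claim against the Microsoft Graph permission table.

Added example (not Radiant Security's code). Assumes the app registration described
above: the tenant ID, client ID and client secret are passed on the command line.
Without arguments it audits a constructed sample token instead of calling Microsoft.
"""
import base64
import json
import sys
import urllib.parse
import urllib.request

# Microsoft Graph application permissions from the table above, split by the
# "Required for Data Ingestion?" column. Directory.AccessAsUser.All is delegated,
# and delegated permissions never appear in an app-only token's roles claim.
GRAPH_REQUIRED = {
    "Application.Read.All", "AuditLog.Read.All", "Directory.Read.All",
    "IdentityRiskEvent.Read.All", "IdentityRiskyUser.Read.All",
    "User.Read.All", "SecurityAlert.Read.All", "ExchangeMessageTrace.Read.All",
}
GRAPH_OPTIONAL = {
    "Mail.ReadWrite", "MailboxSettings.Read", "MailboxSettings.ReadWrite",
    "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess",
    "User.ManageIdentities.All", "User.EnableDisableAccount.All",
}


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a JWT without verifying its signature.

    Verification is skipped on purpose: the token was just received over TLS from
    the token endpoint and is only being read to see which roles it carries.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_roles(claims: dict, required: set, optional: set) -> dict:
    """Compare the roles claim with the permission table (least-privilege check)."""
    granted = set(claims.get("roles", []))
    return {
        "granted": sorted(granted),
        "missing_required": sorted(required - granted),
        "unexpected": sorted(granted - required - optional),
    }


def fetch_app_token(tenant_id: str, client_id: str, client_secret: str,
                    resource: str = "https://graph.microsoft.com") -> str:
    """OAuth 2.0 client-credentials flow against the v2.0 token endpoint (needs network)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{resource}/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def make_unsigned_jwt(claims: dict) -> str:
    """Build an unsigned JWT from claims; used only for constructed offline test data."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: one required permission was never consented to
# (ExchangeMessageTrace.Read.All) and one permission outside the table (Mail.Send)
# was granted by mistake. The appid is a placeholder, not a real client ID.
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",
    "roles": [
        "Application.Read.All", "AuditLog.Read.All", "Directory.Read.All",
        "IdentityRiskEvent.Read.All", "IdentityRiskyUser.Read.All",
        "User.Read.All", "SecurityAlert.Read.All", "Mail.ReadWrite", "Mail.Send",
    ],
}


def audit(token: str, required=GRAPH_REQUIRED, optional=GRAPH_OPTIONAL) -> dict:
    """Decode a token and report missing required and unexpected Graph permissions."""
    return check_roles(decode_jwt_claims(token), required, optional)


if __name__ == "__main__":
    if len(sys.argv) == 4:  # python check_roles.py <tenant_id> <client_id> <client_secret>
        token = fetch_app_token(*sys.argv[1:4])
    else:
        token = make_unsigned_jwt(SAMPLE_CLAIMS)
    print(json.dumps(audit(token), indent=2))
```

Run it with the three values from the registration to see the live result; an empty missing_required list means every ingestion permission was consented to, and a non-empty unexpected list is worth removing before the connector is added.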

Add permissions in Azure

Follow these instructions only if you have Azure enabled in your environment.

Add assigned role

In this step, you will assign the newly registered application with the necessary roles.

  1. On the left sidebar menu, click Roles and Administrators.

  2. On the Roles and Administrators page, click here.

  3. From the search bar, search for Global Reader and select the row (do not select the checkbox).

  4. On the active assignments page, click + Add assignment.

  5. On the Add assignments page, under Select member(s), click on No member selected and add radiantsecurity-connector on the side panel.

  6. Click Next and, under Enter justification, type the following justification in the text box: Grant Radiant Security access to message trace events

  7. Click Assign to save the changes.

  8. Repeat steps 1-7 for the Exchange Administrator role and for the Privileged Authentication Administrator role or Authentication Administrator role.

    1. The Privileged Authentication Administrator role allows the application to run actions such as reset user password on all user accounts in the environment, no matter their groups or roles.

    2. The Authentication Administrator role allows the application to run the same actions as the Privileged version, but it limits the scope of access so that the application can't run actions against user accounts with high privilege levels such as Global Admins, Group Admins, or even users who own or are members of a role-assignable group.

    For more information about the two roles, refer to https://learn.microsoft.com/en-us/graph/api/resources/users?view=graph-rest-1.0#who-can-reset-passwords

Specific configurations

Some data feeds require additional configuration before adding the connector to Radiant Security. Please refer to the following articles if applicable:

  • Add Microsoft Defender Permissions

  • Microsoft Safe Links

  • Onboarding Hosts to Defender

Add the data connector in Radiant Security

  1. From the navigation menu, click Settings > Data Connectors and click + Add Connector.

  2. Search for and select the Microsoft O365 option and then click Data Feeds.

  3. Add the following values you saved from the previous steps:

    • Application (client) ID

    • Directory (tenant) ID

    • Client Secret Value

  4. Click Add Connector to save the connector configuration.