# Microsoft O365

In this guide, you will set up a trusted relationship between Radiant and your Microsoft account to allow Radiant to retrieve user and group data related to your organization, including authentication activity and audit activity events.

At the end of this configuration, you will provide Radiant Security with these values:

* **Application (client) ID**
* **Directory (tenant) ID**
* **Client Secret Value**
* **Azure Subscription ID (only needed for the Azure Activities feed)**

<details>

<summary><mark style="color:red;">Available actions</mark></summary>

The following actions become available after you set up the Microsoft O365 data connector. Each of them requires the additional (non-ingestion) permissions and directory roles listed in the tables below.

* Find and hard delete emails
* Block files
* Block domains
* Isolate device
* Disable users and terminate active sessions
* Terminate active sessions
* Disable all forward rules
* Delete external email forward rules
* Enable User
* Block IP address (Identity)
* Block IP address (Endpoint)
* Release devices from isolation

</details>

### Prerequisites

* [ ] **Administrator** of the Microsoft 365 tenant with rights to register applications, grant admin consent for application permissions and assign directory roles (a Global Administrator satisfies all three)

### Register the application with Microsoft Entra ID

In this step, you'll register a new application with Microsoft Entra ID. Radiant uses this application's identity to pull user and group data periodically.

{% hint style="info" %}
**Note**: Make sure to save the **Application (client) ID** and **Directory (tenant) ID** values. You will need to provide them to Radiant Security at the end of the configuration.
{% endhint %}

1. Log in to the [Microsoft Azure Portal](https://portal.azure.com/#home).
2. From the left side menu, navigate to **Microsoft Entra ID**.
3. From the left menu, navigate to **App Registrations**.
4. Click **+ New Registration**.

   <figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FogEMv9rPR6Q1q9XIIP9c%2FMicrosoft%20O365_01.png?alt=media&#x26;token=312e87d3-4569-4e22-9f40-0a5a0dd9531c" alt=""><figcaption></figcaption></figure>
5. Set the application **Name** to `radiantsecurity-connector` and leave the other settings at their defaults. The default **Supported account types** option (accounts in this organizational directory only, single tenant) is the one you want: it prevents principals from other tenants from obtaining tokens for this application.

   <div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FanLQ7LdB4iO6rIZFH243%2FMicrosoft%20O365_02.png?alt=media&#x26;token=3113ced1-ee53-4bef-ae97-43b155d2d251" alt="" width="375"><figcaption></figcaption></figure></div>
6. Click **Register** to save the changes.
7. On the newly registered application page, copy the following values:

   * **Application (client) ID**
   * **Directory (tenant) ID**

   <div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FSh73eCenCkQ2aQwunJEE%2FMicrosoft%20O365_03.png?alt=media&#x26;token=dbaf7dff-8641-4e93-8d52-f957d6288c35" alt="" width="563"><figcaption></figcaption></figure></div>
8. On the same page, click the link for **Add a certificate or secret**.

   <div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F6tUi4cRYlGdVqDdn3hB8%2FMicrosoft%20O365_04.png?alt=media&#x26;token=893100fc-4653-42ef-a09a-109d52917d03" alt="" width="552"><figcaption></figcaption></figure></div>
9. On the **Certificates & secrets** page, under **Client secrets**, click **+ New client secret**.
10. Set the client secret as:
    * **Description**: `Radiant Security Connector`
    * **Expires**: `12 months`

    Record the expiry date somewhere your team will see it: the connector stops authenticating the moment the secret expires, so create a replacement secret and update the connector in Radiant Security before that date.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F8v5mIQGBicCjRTmszymO%2FMicrosoft%20O365_05.png?alt=media&#x26;token=e6c5a82e-efb5-4aa1-afb3-96d1ab6a1939" alt="" width="563"><figcaption></figcaption></figure></div>

11. Click **Add**.
12. The client secrets page will automatically open.
13. Copy the **Value** (not the **Secret ID** field).

    <div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FXPY8ww8cDTmYlHcq1xHr%2FMicrosoft%20O365_06.png?alt=media&#x26;token=5b629d99-2dcb-4e70-a638-7e7d1f8ecbc2" alt=""><figcaption></figcaption></figure></div>

{% hint style="warning" %}
**Important note**: Ensure you copy the **Client secret** value now as you won't be able to look it up again later. You will need to provide it to Radiant Security at the end of the configuration.
{% endhint %}

### Grant the newly registered application the appropriate permissions

1. On the left sidebar menu, click **API Permissions**.
2. Click + **Add a permission**.
3. From the pop-out menu, under **Microsoft APIs**, select **Microsoft Graph**.

   <div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FhmzEQJRxkyc5kJkl8dz0%2FMicrosoft%20O365_07.png?alt=media&#x26;token=57e116ad-c8e2-4107-a38c-7ce2239d2973" alt="" width="563"><figcaption></figcaption></figure></div>
4. Then click **Application permissions** to open the permission list.

   <div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F4Ppp3n5dQTIpvBzv2UZy%2FMicrosoft%20O365_08.png?alt=media&#x26;token=15561fdc-23ee-4910-8acc-3482c00f3081" alt=""><figcaption></figcaption></figure></div>
5. Select the following permissions:

{% hint style="danger" %}
**Important Note:** Before proceeding with the permissions below, if you plan on onboarding the Email use case, please follow [this Microsoft documentation](https://learn.microsoft.com/en-us/exchange/monitoring/trace-an-email-message/graph-api-message-trace) to provision a service principal before granting the **ExchangeMessageTrace.Read.All** permission.
{% endhint %}

| **API / Service**            | **Permission name**                               | **Required for Data Ingestion?** | **Use Case**                           | **Details**                                                                                                                                                    |
| ---------------------------- | ------------------------------------------------- | -------------------------------- | -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Microsoft Graph              | Application.Read.All                              | Yes                              | Email, Identity, Endpoint              | **Task**: Block IP Address                                                                                                                                     |
| Microsoft Graph              | AuditLog.Read.All                                 | Yes                              | Email, Identity                        | Collect user authentication events for investigating abnormal authentication to applications                                                                   |
| Microsoft Graph              | Directory.Read.All                                | Yes                              | All                                    | Read directory data, including users, groups and organizational objects                                                                                        |
| Microsoft Graph              | IdentityRiskEvent.Read.All                        | Yes                              | Identity                               | Collect identity-based risk detections and alerts from Entra ID Identity Protection                                                                            |
| Microsoft Graph              | IdentityRiskyUser.Read.All                        | Yes                              | Identity                               | Collect risky-user records and alerts from Entra ID Identity Protection                                                                                        |
| Microsoft Graph              | Mail.ReadWrite                                    | No                               | Email                                  | **Task**: Find & Delete Emails                                                                                                                                 |
| Microsoft Graph              | MailboxSettings.Read                              | No                               | Identity                               | Collect the out-of-office status of the user from Microsoft to help influence identity alert triage outcomes                                                   |
| Microsoft Graph              | MailboxSettings.ReadWrite                         | No                               | Email                                  | **Task**: Disable all email forward rules, Delete external email forward rules                                                                                 |
| Microsoft Graph              | Policy.Read.All                                   | No                               | Identity, Endpoint                     | **Task**: Block IP Address                                                                                                                                     |
| Microsoft Graph              | Policy.ReadWrite.ConditionalAccess                | No                               | Identity, Endpoint                     | **Task**: Block IP Address                                                                                                                                     |
| Microsoft Graph              | User.Read.All                                     | Yes                              | All                                    | Permissions to read users’ profiles                                                                                                                            |
| Microsoft Graph              | SecurityAlert.Read.All                            | Yes                              | Microsoft Defender for Cloud feed      | Permissions to read security alerts                                                                                                                            |
| Microsoft Graph              | User.ManageIdentities.All                         | No                               | Email, Identity, Endpoint              | **Tasks**: Reset User Password, Disable User                                                                                                                   |
| Microsoft Graph              | User.EnableDisableAccount.All                     | No                               | Email, Identity, Endpoint              | **Tasks**: Reset User Password, Disable User, Enable User                                                                                                      |
| Microsoft Graph              | Directory.AccessAsUser.All (delegated permission) | No                               | Email, Identity, Endpoint              | **Tasks**: Reset User Password, Disable User. This is a delegated permission: select it under the **Delegated permissions** tab, not **Application permissions** |
| Microsoft Graph              | ExchangeMessageTrace.Read.All                     | Yes                              | Email                                  | Collect [exchangeMessageTrace](https://learn.microsoft.com/en-us/graph/api/resources/exchangemessagetrace?view=graph-rest-1.0) objects to triage email reports |
| Microsoft Cloud App Security (APIs my organization uses) | Investigation.Read                    | Yes                              | Microsoft Defender for Cloud Apps feed | Permissions to read the Cloud Apps alerts and the related events                                                                                               |

6. Click **Add permissions** to save the changes.
7. Click **+ Add a permission**, select the **APIs my organization uses** tab, then select **Office 365 Exchange Online**.

   <div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FE0Moigz3m3Y4Tu2g4LLx%2FMicrosoft%20O365_09.png?alt=media&#x26;token=91ed42c2-072a-4ed8-b170-ffae6d8b868b" alt=""><figcaption></figcaption></figure></div>
8. Select **Application permissions** and add the permissions outlined in the table below:

   | **API / Service**                                      | **Permission name**          | **Required for Data Ingestion?** | **Use Case**       | **Details**                                                                                                                                                 |
   | ------------------------------------------------------ | ---------------------------- | -------------------------------- | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | Office 365 Exchange Online (APIs my organization uses) | Exchange.ManageAsApp         | Yes                              | Email              | <p><strong>Tasks</strong>: Block Sender, Block URL - required for actions that can only be done over PowerShell<br><strong>Data</strong>: Email traces.</p> |
   | Office 365 Exchange Online (APIs my organization uses) | User.RevokeSessions.All      | No                               | Email and Identity | **Task**: Terminate Active Sessions                                                                                                                         |
   | Office 365 Exchange Online (APIs my organization uses) | ReportingWebService.Read.All | Yes                              | Email              | Permission to enrich message trace events                                                                                                                   |
9. Click **Add permissions** to save the changes.
10. Click **+ Add a permission** again; on the **Microsoft APIs** tab, select **Office 365 Management APIs**.

   <div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F9BPa8bUZAHFwk2GdyUbX%2FMicrosoft%20O365_10.png?alt=media&#x26;token=915fc801-3150-49dc-ab87-202267f869c7" alt="" width="563"><figcaption></figcaption></figure></div>
11. Select **Application permissions** and add the permissions outlined in the table below:

   | **API / Service**          | **Permission name**  | **Required for Data Ingestion?** | **Use Case**    | **Details**                                                                                                     |
   | -------------------------- | -------------------- | -------------------------------- | --------------- | --------------------------------------------------------------------------------------------------------------- |
   | Office 365 Management APIs | ActivityFeed.Read    | Yes                              | Email, Identity | Collect user authentication events for investigating abnormal authentication to applications                    |
   | Office 365 Management APIs | ActivityFeed.ReadDlp | Yes                              | Email           | Permission to identify impacted users with inbox rules that were newly created or modified to exfiltrate emails |
12. Click **Add permissions** to save the changes.
13. At the top of the **API permissions** list, click **Grant admin consent for <your tenant>** and confirm. Application permissions have no effect until an administrator consents to them, and consent covers only the permissions present at that moment, so repeat this step whenever you add a permission later. The **Status** column should then show a green check for every row.
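Once consent is granted, the quickest way to confirm that the Microsoft Graph permissions above are actually effective is to request an app-only token with the client credentials you just created and inspect its `roles` claim, which lists every consented application permission. The script below is an added example, not Radiant Security's code: it reads the tenant ID, client ID and secret from environment variables whose names are this example's own choice, and it falls back to a constructed sample token so the check itself can be run offline.

```python
"""Added example (not Radiant Security's code): confirm that the Microsoft Graph
application permissions granted above are live.

Application permissions that an administrator has consented to appear in the
`roles` claim of the app-only access token returned by the client-credentials
grant. A permission missing from `roles` was either never added or was added
after admin consent was granted and is therefore not yet effective.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Microsoft Graph application permissions the table above marks as
# "Required for Data Ingestion? = Yes". Exchange Online and Office 365
# Management API permissions are issued in separate tokens (scopes
# https://outlook.office365.com/.default and https://manage.office.com/.default)
# and must be checked the same way against those scopes.
GRAPH_REQUIRED_ROLES = {
    "Application.Read.All",
    "AuditLog.Read.All",
    "Directory.Read.All",
    "ExchangeMessageTrace.Read.All",
    "IdentityRiskEvent.Read.All",
    "IdentityRiskyUser.Read.All",
    "SecurityAlert.Read.All",
    "User.Read.All",
}


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature.

    Verification is skipped on purpose: this inspects a token we just obtained
    from the Microsoft token endpoint ourselves, not one presented to us by a
    caller, so it is never used to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token: str, required: set) -> set:
    """Return the required application permissions absent from the token's `roles`."""
    return set(required) - set(decode_jwt_claims(token).get("roles", []))


def get_app_token(tenant_id: str, client_id: str, client_secret: str,
                  scope: str = "https://graph.microsoft.com/.default") -> str:
    """Acquire an app-only token via the OAuth 2.0 client-credentials grant (network call)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def encode_unsigned_jwt(claims: dict) -> str:
    """Build an unsigned (alg=none) JWT; used only to construct the offline sample below."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed sample token: six permissions were consented, then
# SecurityAlert.Read.All and ExchangeMessageTrace.Read.All were added
# without granting admin consent again, so they do not appear in `roles`.
SAMPLE_TOKEN = encode_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",
    "roles": ["Application.Read.All", "AuditLog.Read.All", "Directory.Read.All",
              "IdentityRiskEvent.Read.All", "IdentityRiskyUser.Read.All",
              "User.Read.All"],
})

if __name__ == "__main__":
    # Environment variable names are this example's own convention.
    creds = [os.environ.get(k) for k in
             ("RADIANT_TENANT_ID", "RADIANT_CLIENT_ID", "RADIANT_CLIENT_SECRET")]
    token = get_app_token(*creds) if all(creds) else SAMPLE_TOKEN
    absent = missing_roles(token, GRAPH_REQUIRED_ROLES)
    if absent:
        print("missing Microsoft Graph application permissions "
              "(add them, then grant admin consent):")
        for role in sorted(absent):
            print("  -", role)
    else:
        print("all required Microsoft Graph application permissions are present")
```

Run it with the three environment variables set to check your real registration; without them it evaluates the constructed sample and reports the two permissions that were added but never consented. Directory roles assigned in the next section are not visible in this token, only in the directory, so this check covers application permissions only.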

### Add permissions in Azure

Follow [these](https://help.radiantsecurity.ai/radiant-connectors/data-connectors/azure-activities) instructions only if you have Azure subscriptions to monitor; this is where the **Azure Subscription ID** listed at the top of this page is used.

### Add assigned role

In this step, you will assign the directory roles the application needs to the newly registered application.

1. On the left sidebar menu, click **Roles and administrators**.
2. On the **Roles and administrators** page, click **here**.

   <div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2Fan8ljwMTxXzyW2RYN3ut%2FMicrosoft%20O365_16.webp?alt=media&#x26;token=b3e6cca1-21b8-4b7f-a87f-5d57449ce0d9" alt="" width="563"><figcaption></figcaption></figure></div>
3. In the search bar, search for `global reader` and select the row (do not select the checkbox).

   <div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FDD1Y26VtO3xbhdu4TS1h%2FMicrosoft%20O365_17.png?alt=media&#x26;token=29b2120a-3a1d-4129-920c-265e44edf01d" alt=""><figcaption></figcaption></figure></div>
4. On the active assignments page, click **+ Add assignment**.
5. On the **Add assignments** page, under **Select member(s)**, click **No member selected**, then search for `radiantsecurity-connector` in the side panel and select it.

   <div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FSZvceCj2gHp9cMmS31KB%2FMicrosoft%20O365_18.png?alt=media&#x26;token=fb492d57-e830-4e52-89cb-2785b1e1a373" alt="" width="270"><figcaption></figcaption></figure></div>
6. Click **Next** and under **Enter justification** type the justification in the text box: `Grant Radiant Security access to message trace events`
7. Click **Assign** to save the changes.
8. Repeat steps 1-7 for the **Exchange Administrator** role and for either the **Privileged Authentication Administrator** role or the **Authentication Administrator** role.

   1. App-only Exchange Online PowerShell access (the **Exchange.ManageAsApp** permission granted earlier) acts with whatever Exchange rights the directory roles assigned here provide; **Exchange Administrator** supplies the write access needed for the Block Sender and Block URL actions.
   2. The **Privileged Authentication Administrator** role allows the application to run actions such as resetting the password of any user account in the tenant, regardless of the user's groups or roles.
   3. The **Authentication Administrator** role allows the application to run the same actions, but limits their scope: the application cannot act on highly privileged accounts such as **Global Administrators** or **Groups Administrators**, or on users who own or are members of a role-assignable group. Prefer this role unless you specifically need Radiant to act on privileged accounts. Either way, the client secret created above now carries these rights, so hand it over only through Radiant Security's connector form and keep your own copy in a secrets manager, never in tickets or chat.

   For more information about the two roles, refer to <https://learn.microsoft.com/en-us/graph/api/resources/users?view=graph-rest-1.0#who-can-reset-passwords>

### Specific configurations

Some data feeds require additional configuration before adding the connector to Radiant Security. Please refer to the following articles if applicable:

* Add Microsoft Defender Permissions
* Microsoft Safe Links
* Onboarding Hosts to Defender

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors** and click **+ Add Connector**.
3. Search for and select the **Microsoft O365** option and then click **Data Feeds**.
4. Add the following values you saved from the previous steps:
   * **Application (client) ID**
   * **Directory (tenant) ID**
   * **Client Secret Value**

{% hint style="warning" %}
**Important Note:** For the **Azure Activities** data connector, add a comma-separated list of the subscription IDs to monitor.
{% endhint %}

5. Click **Add Connector** to save the connector configuration.

