Microsoft O365

Onboard the Microsoft O365 data connector.

In this guide, you will set up a trusted relationship between Radiant and your Microsoft account to allow Radiant to retrieve user and group data related to your organization, including authentication activity and audit activity events.

At the end of this configuration, you will provide Radiant Security with these values:

  • Application (client) ID

  • Directory (tenant) ID

  • Client Secret Value

  • Azure Subscription ID (only needed for the Azure Activities feed)

Available actions

The following actions are available after you set up the Microsoft O365 data connector. Each action needs the additional permissions or roles listed for it in the permission tables below (the rows marked "No" under Required for Data Ingestion); an action whose permission is missing fails at runtime.

  • Find and hard delete emails

  • Block files

  • Block domains

  • Isolate device

  • Disable users and terminate active sessions

  • Terminate active sessions

  • Disable all forward rules

  • Delete external email forward rules

  • Enable User

  • Block IP address (Identity)

  • Block IP address (Endpoint)

  • Release devices from isolation

Prerequisites

Register the application with Microsoft Entra ID

In this step, you'll register a new application with Microsoft Entra ID. Radiant uses this application's identity to pull user and group data on a recurring schedule.

Note: Make sure to save the Application (client) ID and Directory (tenant) ID values. You will need to provide them to Radiant Security at the end of the configuration.

  1. Log in to the Microsoft Azure Portal.

  2. From the left side menu, navigate to Microsoft Entra ID.

  3. From the left menu, navigate to App Registrations.

  4. Click + New Registration.

  5. Update the application Name to radiantsecurity-connector and leave all default settings unchanged.

  6. Click Register to save the changes.

  7. On the newly registered application page, copy the following values:

    • Application (client) ID

    • Directory (tenant) ID

  8. On the same page, click the link for Add a certificate or secret.

  9. In the Add a client secret window, click + New Client Secret.

  10. Set the client secret as:

    • Description: Radiant Security Connector

    • Expires: 12 months

  11. Click Add.

  12. The client secrets page will automatically open.

  13. Copy the Value (not the Secret ID field). The Value is shown only once; if you leave the page without copying it, delete the secret and create a new one. Also record the expiry date: the connector stops working when the secret expires, so plan to rotate it before then.

Grant the newly registered application the appropriate permissions

  1. On the left sidebar menu, click API Permissions.

  2. Click + Add a permission.

  3. From the pop-out menu, select Microsoft Graph APIs.

  4. Then click Application permissions to open the permission list.

  5. Select the following permissions:

    | API / Service | Permission name | Required for Data Ingestion? | Use Case | Details |
    |---|---|---|---|---|
    | Microsoft Graph | Application.Read.All | Yes | Email, Identity, Endpoint | Task: Block IP Address |
    | Microsoft Graph | AuditLog.Read.All | Yes | Email, Identity | Collect user authentication events for investigating abnormal authentication to applications |
    | Microsoft Graph | Directory.Read.All | Yes | All | Permission to read users' profiles |
    | Microsoft Graph | IdentityRiskEvent.Read.All | Yes | Identity | Collect identity-based risks/alerts from Entra ID Identity Protection |
    | Microsoft Graph | IdentityRiskyUser.Read.All | Yes | Identity | Collect identity-based risks/alerts from Entra ID Identity Protection |
    | Microsoft Graph | Mail.ReadWrite | No | Email | Task: Find & Delete Emails |
    | Microsoft Graph | MailboxSettings.Read | No | Identity | Collect the out-of-office status of the user from Microsoft to help influence identity alert triage outcomes |
    | Microsoft Graph | MailboxSettings.ReadWrite | No | Email | Tasks: Disable all email forward rules, Delete external email forward rules |
    | Microsoft Graph | Policy.Read.All | No | Identity, Endpoint | Task: Block IP Address |
    | Microsoft Graph | Policy.ReadWrite.ConditionalAccess | No | Identity, Endpoint | Task: Block IP Address |
    | Microsoft Graph | User.Read.All | Yes | All | Permission to read users' profiles |
    | Microsoft Graph | SecurityAlert.Read.All | Yes | Microsoft Defender for Cloud feed | Permission to read security alerts |
    | Microsoft Graph | User.ManageIdentities.All | No | Email, Identity, Endpoint | Tasks: Reset User Password, Disable User |
    | Microsoft Graph | User.EnableDisableAccount.All | No | Email, Identity, Endpoint | Tasks: Reset User Password, Disable User, Enable User |
    | Microsoft Graph | Directory.AccessAsUser.All (delegated permission) | No | Email, Identity, Endpoint | Tasks: Reset User Password, Disable User |
    | Microsoft Cloud App Security | Investigation.Read | Yes | Microsoft Defender for Cloud Apps feed | Permission to read the Cloud Apps alerts and the related events |

    Two rows need a different tab than the others: Directory.AccessAsUser.All exists only as a delegated permission, so it is found under Delegated permissions rather than Application permissions; and Investigation.Read belongs to the Microsoft Cloud App Security API, which is listed under APIs my organization uses rather than under Microsoft Graph.

  6. Click Add permissions to save the changes.

  7. Click + Add a permission and select the tab APIs my organization uses, then select the Office 365 Exchange Online option.

  8. Select Application permissions and add the permissions outlined in the table below:

    | API / Service | Permission name | Required for Data Ingestion? | Use Case | Details |
    |---|---|---|---|---|
    | Office 365 Exchange Online (APIs my organization uses) | Exchange.ManageAsApp | No | Email | Tasks: Block Sender, Block URL; required for actions that can only be done over PowerShell |
    | Office 365 Exchange Online (APIs my organization uses) | ReportingWebService.Read.All | Yes | Email | Permission to enrich message trace events |

  9. Click Add permissions to save the changes.

  10. Click + Add a permission again; on the Microsoft APIs tab, select Office 365 Management APIs.

  11. Select Application permissions and add the permissions outlined in the table below:

    | API / Service | Permission name | Required for Data Ingestion? | Use Case | Details |
    |---|---|---|---|---|
    | Office 365 Management APIs | ActivityFeed.Read | Yes | Email, Identity | Collect user authentication events for investigating abnormal authentication to applications |
    | Office 365 Management APIs | ActivityFeed.ReadDlp | Yes | Email | Permission to identify impacted users with inbox rules that were newly created or modified to exfiltrate emails |

  12. Click Add permissions to save the changes.

Add permissions in Azure and grant admin consent

Follow steps 1-4 only if you have Azure enabled in your environment and want the Azure Activities feed. Steps 5-7 are required in every case: application permissions have no effect until an administrator consents to them, so skipping consent leaves every feed failing even though the permissions appear in the list.

  1. Click + Add a permission.

  2. From the pop-out menu (Microsoft APIs tab), select Azure Service Management.

  3. Select Delegated permissions and tick user_impersonation (the only permission this API exposes).

  4. Click the Add permissions button.

  5. The API permissions list now shows everything you added, with a warning that admin consent is missing.

  6. To resolve this, click Grant admin consent for <your tenant> above the permission list.

  7. Click Yes in the confirmation pop-up window. The Status column should now read "Granted for <your tenant>" on every row; any row still marked "Not granted" will fail when the connector uses it.
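Before handing the three values to Radiant Security, it is worth proving that they work together and that consent actually took effect. The following PowerShell script is an added example, not part of this page or of Radiant Security's tooling: it requests an app-only (client credentials) token from each of the three resources the connector talks to and compares the token's roles claim with the permissions marked "Yes" under Required for Data Ingestion above. A permission that was added but never consented does not appear in the roles claim. The parameter names and the per-resource lists are assumptions taken from the tables in this guide; https://graph.microsoft.com, https://outlook.office365.com and https://manage.office.com are the standard identifier URIs of Microsoft Graph, Office 365 Exchange Online and the Office 365 Management APIs.

```powershell
param(
    [Parameter(Mandatory)] [string] $TenantId,      # Directory (tenant) ID
    [Parameter(Mandatory)] [string] $ClientId,      # Application (client) ID
    [Parameter(Mandatory)] [string] $ClientSecret   # Client Secret Value
)

# Application permissions marked "Yes" in the tables above, grouped by the
# resource that issues the token (assumed from this guide; add optional
# action permissions here if you granted them too).
$required = @{
    'https://graph.microsoft.com'   = @('Application.Read.All', 'AuditLog.Read.All',
                                        'Directory.Read.All', 'IdentityRiskEvent.Read.All',
                                        'IdentityRiskyUser.Read.All', 'User.Read.All',
                                        'SecurityAlert.Read.All')
    'https://outlook.office365.com' = @('ReportingWebService.Read.All')
    'https://manage.office.com'     = @('ActivityFeed.Read', 'ActivityFeed.ReadDlp')
}

function Get-AppOnlyRoles {
    # Requests a client-credentials token for $Resource and returns the
    # application permissions listed in its "roles" claim.
    param([string] $Resource)
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = "$Resource/.default"
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"

    # The payload is the second base64url segment of the JWT; restore the
    # padding before decoding. Only claims are read; no signature check is
    # needed for a token we just received from the issuer over TLS.
    $payload = $resp.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) |
        ConvertFrom-Json
    if ($claims.roles) { return @($claims.roles) } else { return @() }
}

$ok = $true
foreach ($resource in $required.Keys) {
    try {
        $granted = Get-AppOnlyRoles -Resource $resource
    } catch {
        # A failed token request usually means a wrong tenant ID, client ID
        # or secret, or a secret that has already expired.
        Write-Warning "$($resource): token request failed ($($_.Exception.Message))"
        $ok = $false
        continue
    }
    $missing = @($required[$resource] | Where-Object { $_ -notin $granted })
    if ($missing.Count -gt 0) {
        Write-Warning "$($resource): missing or not consented: $($missing -join ', ')"
        $ok = $false
    } else {
        Write-Host "$($resource): OK ($($granted.Count) application permissions in token)"
    }
}
if (-not $ok) { exit 1 }
```

Run it as `.\Check-RadiantAppPermissions.ps1 -TenantId ... -ClientId ... -ClientSecret ...` from a machine with outbound HTTPS to login.microsoftonline.com. The script needs the secret in clear text, so run it from the same place you will store the secret rather than pasting it into a shared terminal. Investigation.Read (Cloud App Security) and the optional action permissions are not checked here; add their resource and names to `$required` if you want them covered.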

Add assigned role

In this step, you will assign the newly registered application with the necessary roles.

  1. On the left sidebar menu, click Roles and administrators.

  2. On the Roles and administrators page, type global reader into the search bar.

  3. Click the Global Reader row to open the role (do not tick the checkbox).

  4. On the active assignments page, click + Add assignment.

  5. On the Add assignments page, under Select member(s), click No member selected, search for radiantsecurity-connector in the side panel, select it and confirm.

  6. Click Next. If your tenant prompts for a justification (Privileged Identity Management), enter: Grant Radiant Security access to message trace events

  7. Click Assign to save the changes.

  8. Repeat steps 1-7 for the Exchange Administrator role and for either the Privileged Authentication Administrator role or the Authentication Administrator role (one of the two, not both).

    1. The Privileged Authentication Administrator role allows the application to run actions such as reset user password on all user accounts in the environment, no matter their groups or roles.

    2. The Authentication Administrator role allows the application to run the same actions as the Privileged version, but limits the scope so that the application cannot act on highly privileged accounts such as Global Administrators, Groups Administrators, or users who own or are members of a role-assignable group. Prefer this role unless Radiant must be able to act on administrator accounts.

    For more information about the two roles, refer to https://learn.microsoft.com/en-us/graph/api/resources/users?view=graph-rest-1.0#who-can-reset-passwords

    Whichever you choose, anyone holding the client secret created earlier can now act with these roles. Store the secret only where the connector needs it, and remove the role assignments if the connector is ever decommissioned.
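Role assignments made through the portal are easy to get wrong (assigned to the app registration's owner instead of the service principal, or both authentication roles assigned at once). The following script is an added example, not part of this page or of Radiant Security's tooling, that lists the directory roles actually assigned to the radiantsecurity-connector service principal and flags deviations from what this guide asks for. It assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and an administrator who can sign in with the Application.Read.All and RoleManagement.Read.Directory scopes; the role names are taken from the steps above.

```powershell
# Roles this guide expects (assumed from the steps above).
$expected  = @('Global Reader', 'Exchange Administrator')
$authRoles = @('Privileged Authentication Administrator', 'Authentication Administrator')

Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

# Directory roles are assigned to the service principal (enterprise
# application), not to the app registration object.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'radiantsecurity-connector'"
if (-not $sp) { throw 'Service principal radiantsecurity-connector not found in this tenant' }

# Resolve each active assignment's role definition to its display name.
# Eligible (PIM) assignments are not returned here; the connector needs
# active ones.
$assigned = @(
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" |
    ForEach-Object {
        (Get-MgRoleManagementDirectoryRoleDefinition `
            -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
    }
)

Write-Host "Roles assigned to $($sp.DisplayName) ($($sp.Id)): $($assigned -join ', ')"

foreach ($role in $expected) {
    if ($role -notin $assigned) { Write-Warning "Missing role: $role" }
}

$authAssigned = @($authRoles | Where-Object { $_ -in $assigned })
if ($authAssigned.Count -eq 0) {
    Write-Warning "Neither $($authRoles -join ' nor ') is assigned; password reset and disable actions will fail"
} elseif ($authAssigned.Count -gt 1) {
    # More privilege than the guide asks for: keep one, remove the other.
    Write-Warning 'Both authentication administrator roles are assigned; keep only one'
}

# Anything beyond the expected set is worth a second look.
$extra = @($assigned | Where-Object { $_ -notin ($expected + $authRoles) })
if ($extra.Count -gt 0) { Write-Warning "Unexpected roles: $($extra -join ', ')" }
```

Run it after step 8 and again whenever the secret is rotated or the connector is re-registered; a re-created app registration gets a new service principal with no role assignments, which shows up here as every expected role missing.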

Specific configurations

Some data feeds require additional configuration before adding the connector to Radiant Security. Please refer to the following articles if applicable:

  • Add Microsoft Defender Permissions

  • Microsoft Safe Links

  • Onboarding Hosts to Defender

Add the data connector in Radiant Security

  1. Log in to Radiant Security.

  2. From the navigation menu, click Settings > Data Connectors and click + Add Connector.

  3. Search for and select the Microsoft O365 option and then click Data Feeds.

  4. Add the following values you saved from the previous steps:

    • Application (client) ID

    • Directory (tenant) ID

    • Client Secret Value

  5. Click Add Connector to save the connector configuration.
