Create permissions in Microsoft Entra ID for configuring Microsoft Account

To collect data for Microsoft Security sourcetypes, you must configure an application account with the appropriate permissions in the Microsoft Entra ID portal. The permissions required for each sourcetype are:

| Purpose | Sourcetype | Permission/Role | Input type |
|---|---|---|---|
| Read Incidents and their associated Alerts | ms365:defender:incident / ms365:defender:incident:alert | Incident.Read.All, SecurityIncident.Read.All* | Modular Input |
| Read Alerts | ms:defender:atp:alerts | Alert.Read.All, SecurityAlert.Read.All* | Modular Input |
| Update Incidents | ms365:defender:incident / ms365:defender:incident:alert | Incident.ReadWrite.All, SecurityIncident.ReadWrite.All* | Alert Action |
| Fetch Advanced Hunting query results | m365:defender:incident:advanced_hunting | AdvancedHunting.Read.All, ThreatHunting.Read.All* | Alert Action |
| Read Simulation reports data | ms:defender:simulations | AttackSimulation.Read.All | Modular Input |
| Read Microsoft Defender generated Advanced Hunting events from Azure Event Hub using streaming API | ms:defender:eventhub | Microsoft Entra ID account with Role “Azure Event Hubs Data Receiver”** | Modular Input |
| Read Microsoft Defender Threat Intelligence datasets | ms:defender:articles / ms:defender:ti:article_indicators / ms:defender:ti:certificates / ms:defender:ti:components / ms:defender:ti:cookies / ms:defender:ti:hostpairs / ms:defender:ti:passivedns / ms:defender:ti:subdomains / ms:defender:ti:trackers / ms:defender:ti:whois | ThreatIntelligence.Read.All | Modular Input |

Permissions marked with an asterisk (*) are required if you pull or push data through the Microsoft Graph REST APIs.

The role marked with a double asterisk (**) is required to receive events from Azure Event Hub. Refer to the Microsoft documentation to configure the streaming API to stream data from the Microsoft 365 Defender portal to Azure Event Hubs. Once the streaming API is configured, Advanced Hunting data is streamed to Azure Event Hub in real time, and the add-on collects the data from Azure Event Hub.

After creating the application, log in to the Microsoft Entra ID portal, refer to the Azure documentation, and:

  • Ensure that Alert permissions are set to
    • “Alert.Read.All” or “Alert.ReadWrite.All” when using Microsoft 365 APIs
    • “SecurityAlert.Read.All” or “SecurityAlert.ReadWrite.All” when using Microsoft Graph REST APIs
  • Ensure that Incidents permissions are set to
    • “Incident.ReadWrite.All” or “Incident.Read.All” or “AdvancedHunting.Read.All” when using Microsoft 365 APIs
    • “SecurityIncident.Read.All” or “SecurityIncident.ReadWrite.All” or “ThreatHunting.Read.All” when using Microsoft Graph REST APIs
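
A least-privilege check for the permissions listed above, as an added example that is not part of the add-on or the original page: it reads the `roles` claim of an app-only access token (where Entra ID places granted application permissions) and reports which enabled features lack a permission and which grants exceed what those features need. The feature keys and function names are illustrative assumptions, and the sample token is constructed.

```python
import base64
import json

# Minimal application permission per feature, transcribed from the table above.
# Either the Microsoft 365 API name or the Microsoft Graph name (*) satisfies a row.
# The Event Hub row is an Azure role assignment, not a token role, so it is not listed.
MINIMAL = {
    "read_incidents": {"Incident.Read.All", "SecurityIncident.Read.All"},
    "read_alerts": {"Alert.Read.All", "SecurityAlert.Read.All"},
    "update_incidents": {"Incident.ReadWrite.All", "SecurityIncident.ReadWrite.All"},
    "advanced_hunting": {"AdvancedHunting.Read.All", "ThreatHunting.Read.All"},
    "simulations": {"AttackSimulation.Read.All"},
    "threat_intelligence": {"ThreatIntelligence.Read.All"},
}


def token_roles(jwt):
    """Return the 'roles' claim of an app-only access token.

    The signature is NOT verified: this is for auditing a token you just
    requested yourself, never for deciding whether to trust a caller.
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))


def audit(roles, features):
    """Return (missing, excess) for the features this deployment has enabled."""
    missing, used = {}, set()
    for feature in features:
        # A ReadWrite grant also covers the matching Read requirement.
        ok = {r for r in roles if {r, r.replace(".ReadWrite.", ".Read.")} & MINIMAL[feature]}
        if not ok:
            missing[feature] = sorted(MINIMAL[feature])
        # Only an exact minimal match counts as least privilege.
        used |= roles & MINIMAL[feature]
    return missing, sorted(roles - used)


if __name__ == "__main__":
    # Constructed, unsigned sample token: reads alerts only, but holds extra grants.
    claims = {"roles": ["SecurityAlert.ReadWrite.All", "ThreatHunting.Read.All"]}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    print(audit(token_roles(f"e30.{body}.sig"), ["read_alerts"]))
```

An empty `missing` with a non-empty `excess` means the inputs will work but the app registration holds more than they need; a ReadWrite grant is reported as excess when only the Read feature is enabled.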

Update app’s requested permissions in Microsoft Entra ID

Prerequisites

To update an app’s requested permissions, you need the following:

  • A Microsoft Entra user account.
  • One of the following roles: Application Administrator, Cloud Application Administrator. An application owner who isn’t an administrator is able to update the app’s requested permissions.

Option 1: Add permissions in the API permissions pane

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator or application owner.
  2. Browse to Identity > Applications > App registrations > All applications.
  3. Find the app registration that you want to add permissions to and select it. You can add permissions in two different ways:
    • Add permissions in API permissions pane.
    • Select the API that you want to access and the permission that you want to request from the list of available options and select Add permissions.

Option 2: Add permissions to the application manifest

  1. From the left navigation pane, under the Manage menu group, select Manifest. The selection opens an editor that allows you to directly edit the attributes of the app registration object.
  2. Carefully edit the requiredResourceAccess property in the application’s manifest file.
  3. Add the resourceAppId property and resourceAccess property and assign the required permissions.
  4. Save your changes.