Create Active Directory permissions for configuring Microsoft Account
To collect data for the Microsoft Security sourcetypes, you must configure an Active Directory application account with the appropriate permissions in the Azure Active Directory portal. The permissions required for each sourcetype are:
Purpose | Sourcetype | Permission/Role | Input type |
---|---|---|---|
Read incidents and their associated alerts | ms365:defender:incident / ms365:defender:incident:alert | Incident.Read.All, SecurityIncident.Read.All* | Modular Input |
Read alerts | ms:defender:atp:alerts | Alert.Read.All, SecurityAlert.Read.All* | Modular Input |
Update incidents | ms365:defender:incident / ms365:defender:incident:alert | Incident.ReadWrite.All, SecurityIncident.ReadWrite.All* | Alert Action |
Fetch Advanced Hunting query results | m365:defender:incident:advanced_hunting | AdvancedHunting.Read.All, ThreatHunting.Read.All* | Alert Action |
Read attack simulation report data | ms:defender:simulations | AttackSimulation.Read.All | Modular Input |
Read Microsoft Defender generated Advanced Hunting events from Azure Event Hub using the streaming API | ms:defender:eventhub | Azure Active Directory account with the role "Azure Event Hubs Data Receiver"** | Modular Input |
Read Microsoft Defender Threat Intelligence datasets | ms:defender:articles / ms:defender:ti:article_indicators / ms:defender:ti:certificates / ms:defender:ti:components / ms:defender:ti:cookies / ms:defender:ti:hostpairs / ms:defender:ti:passivedns / ms:defender:ti:subdomains / ms:defender:ti:trackers / ms:defender:ti:whois | ThreatIntelligence.Read.All | Modular Input |
Permissions marked with (*) are required if you pull or push data via the Microsoft Graph REST APIs.
The role marked with (**) is required to read events from Event Hub. Refer to the Microsoft docs on configuring the streaming API to stream data from the Microsoft 365 Defender portal to Azure Event Hubs. Once the streaming API is configured, Advanced Hunting data is streamed to Azure Event Hub in real time and the add-on collects it from there.
After creating the Active Directory application, log in to the Azure Portal, refer to the Azure documentation, and:
- Ensure that the Alert permissions are set to
  - "Alert.Read.All" or "Alert.ReadWrite.All" when using the Microsoft 365 APIs
  - "SecurityAlert.Read.All" or "SecurityAlert.ReadWrite.All" when using the Microsoft Graph REST APIs
- Ensure that the Incident permissions are set to
  - "Incident.ReadWrite.All" or "Incident.Read.All" or "AdvancedHunting.Read.All" when using the Microsoft 365 APIs
  - "SecurityIncident.Read.All" or "SecurityIncident.ReadWrite.All" or "ThreatHunting.Read.All" when using the Microsoft Graph REST APIs
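A practical way to verify the checklist above is to inspect an app-only access token the application actually obtained and compare its granted application permissions (the `roles` claim) with the table. The following is an added example, not part of this documentation or the add-on; it assumes the `roles` and `aud` claims of an Azure AD app-only token, treats any non-Graph audience as a Microsoft 365 API token, and uses purpose keys (`read_incidents`, `read_alerts`, ...) of its own, mapped to the table's rows. It also reports permissions granted beyond what the selected inputs need, so they can be removed.

```python
import base64
import json

# Application permissions per purpose, taken from the table on this page:
# (Microsoft 365 API permission, Microsoft Graph REST API permission).
REQUIRED = {
    "read_incidents": ("Incident.Read.All", "SecurityIncident.Read.All"),
    "read_alerts": ("Alert.Read.All", "SecurityAlert.Read.All"),
    "update_incidents": ("Incident.ReadWrite.All", "SecurityIncident.ReadWrite.All"),
    "advanced_hunting": ("AdvancedHunting.Read.All", "ThreatHunting.Read.All"),
    "simulations": ("AttackSimulation.Read.All", "AttackSimulation.Read.All"),
    "threat_intelligence": ("ThreatIntelligence.Read.All", "ThreatIntelligence.Read.All"),
}


def token_claims(token):
    """Return the payload claims of a JWT, restoring stripped base64url padding.
    No signature check: this inspects a token the app itself obtained."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def read_write_variant(permission):
    """'Incident.Read.All' -> 'Incident.ReadWrite.All'; ReadWrite names come back unchanged."""
    return permission.replace(".Read.", ".ReadWrite.")


def check_app_permissions(token, purposes):
    """Compare the app-only token's 'roles' claim (its granted application
    permissions) with what the listed purposes need. Reports permissions that
    are missing and permissions granted beyond need, so the latter can be removed."""
    claims = token_claims(token)
    roles = set(claims.get("roles", []))
    # Assumption: a Graph token carries the Graph audience; anything else is an M365 API token.
    use_graph = "graph.microsoft.com" in str(claims.get("aud", ""))
    needed = {REQUIRED[p][1 if use_graph else 0] for p in purposes}
    # A Read permission is also covered by its ReadWrite counterpart.
    acceptable = needed | {read_write_variant(n) for n in needed}
    missing = sorted(n for n in needed if n not in roles and read_write_variant(n) not in roles)
    excess = sorted(roles - acceptable)
    return {"api": "graph" if use_graph else "m365", "missing": missing, "excess": excess}


def make_test_token(claims):
    """Build an unsigned JWT from constructed claims (test input only, never for real use)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.unsigned"
```

For a real token, pass the access token string the add-on's app registration received; a `missing` entry means a required permission has not been granted (or admin consent is pending), and an `excess` entry is a permission the selected inputs never use.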