Microsoft Defender XDR
ThreatDefence supports integration with Microsoft Defender XDR to provide advanced incident and alert visibility across Microsoft 365 workloads. This integration builds on top of the standard Microsoft 365 integration and requires additional API permissions.
Requirements
A Microsoft account with administrator permissions.
A Microsoft licensing plan that includes Defender XDR. See: Microsoft Defender XDR prerequisites.
Step 1: Register Application (Microsoft 365 Integration)
Before enabling Defender XDR, ensure the standard Microsoft 365 integration is completed:
The ThreatDefence application must be registered in Microsoft Entra ID.
Defender XDR uses the same application, with additional permissions configured.
Step 2: Configure API Permissions
Sign in to the Microsoft Entra admin center.
In the ThreatDefence app registration's navigation menu, go to Manage > API permissions.
Locate the User.Read permission, select it, then choose:
Menu > Remove permission
Confirm with Yes, remove.
Click + Add a permission.
In the Request API permissions pane:
Select the Microsoft APIs tab.
Choose Microsoft Graph.
Select Application permissions.
Enable the following permissions:
SecurityAlert.Read.All
SecurityIncident.Read.All
IdentityRiskEvent.Read.All
IdentityRiskyUser.Read.All
SecurityEvents.Read.All
Click Add permissions.
Return to the Configured permissions section and click:
Grant admin consent for
Confirm with Yes.
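As an added example (not ThreatDefence's or Microsoft's code), the following Python audits an app registration's Microsoft Graph grants against the five application permissions listed above, reporting roles that are missing, roles that should not be there, and any delegated scope such as User.Read that Step 2 says to remove but that is still in the manifest. It runs on constructed data shaped like the Graph appRoleAssignment, servicePrincipal.appRoles and application.requiredResourceAccess resources; the GUIDs (other than the Microsoft Graph app id) are placeholders, and in practice these objects would be fetched from the Graph API.

```python
# Added example, not ThreatDefence's or Microsoft's code: audit an Entra ID app
# registration's Microsoft Graph grants against the permission set Step 2 asks
# for. Input shapes follow the Graph resources servicePrincipal.appRoles,
# appRoleAssignment and application.requiredResourceAccess; every GUID except
# the Microsoft Graph app id is a CONSTRUCTED placeholder.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # real Microsoft Graph app id

# Constructed slice of the Graph service principal's appRoles catalogue; the
# first five are the permissions Step 2 requires.
_ROLE_NAMES = ["SecurityAlert.Read.All", "SecurityIncident.Read.All",
               "IdentityRiskEvent.Read.All", "IdentityRiskyUser.Read.All",
               "SecurityEvents.Read.All", "Directory.ReadWrite.All"]
GRAPH_APP_ROLES = [{"id": f"aaaaaaaa-0000-0000-0000-00000000000{i + 1}", "value": n}
                   for i, n in enumerate(_ROLE_NAMES)]
EXPECTED_APP_PERMISSIONS = set(_ROLE_NAMES[:5])

# Constructed appRoleAssignments on the integration's service principal:
# SecurityEvents.Read.All (#5) was never consented and a write role (#6) crept in.
ASSIGNMENTS = [{"appRoleId": f"aaaaaaaa-0000-0000-0000-00000000000{i}",
                "resourceDisplayName": "Microsoft Graph"} for i in (1, 2, 3, 4, 6)]

# Constructed manifest fragment: the delegated User.Read scope that Step 2 says
# to remove is still present ("Scope" = delegated, "Role" = application permission).
REQUIRED_RESOURCE_ACCESS = [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Role"},
    {"id": "bbbbbbbb-0000-0000-0000-000000000001", "type": "Scope"}]}]
DELEGATED_SCOPE_NAMES = {"bbbbbbbb-0000-0000-0000-000000000001": "User.Read"}

def resolve_granted(assignments, app_roles):
    """Map consented appRoleIds back to permission names; unknown ids stay visible."""
    names = {r["id"]: r["value"] for r in app_roles}
    return {names.get(a["appRoleId"], "unknown:" + a["appRoleId"]) for a in assignments}

def leftover_delegated_scopes(manifest, scope_names):
    """Delegated Graph scopes still in the manifest; after Step 2 this should be empty."""
    return sorted(scope_names.get(ra["id"], "unknown:" + ra["id"])
                  for res in manifest if res["resourceAppId"] == GRAPH_APP_ID
                  for ra in res["resourceAccess"] if ra["type"] == "Scope")

def audit(granted, delegated, expected=EXPECTED_APP_PERMISSIONS):
    """Least-privilege check: exactly the expected application roles, no delegated leftovers."""
    report = {"missing": sorted(expected - granted),
              "unexpected": sorted(granted - expected),
              "delegated": list(delegated)}
    report["ok"] = not any(report.values())
    return report
```

Run against the constructed data, the report shows SecurityEvents.Read.All missing, Directory.ReadWrite.All unexpected and User.Read still delegated, so the integration should not be enabled until all three are fixed and admin consent is re-granted.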
Step 3: Enable App Governance (Optional)
As part of Defender XDR ingestion, ThreatDefence can also collect logs from App Governance, which tracks and enforces policies for OAuth-enabled applications in Entra ID.
Prerequisites
Microsoft Defender for Cloud Apps (standalone or bundled in your plan).
Appropriate administrator role in Microsoft 365.
See Microsoft docs: Turn on app governance for Defender for Cloud Apps.
Steps
Sign in to the Microsoft Defender portal.
Go to System > Settings > Cloud apps > App governance.
Click Turn on app governance.