MS365 Graph API
This guide walks you through enabling Microsoft Graph API access in ThreatDefence SIEM, including onboarding the "User Isolator" functionality.
Requirements:
Access to Microsoft 365 services (Microsoft 365 Compliance Center, Azure Active Directory)
E5 or P1/P2 Licensing (ThreatDefence will automatically extract available security events based on your license).
Step 1: Grant API Permissions in Azure Portal
1. Register an Application
Create an Application ID and secret as described in the Microsoft 365 Integration Guide.

2. Assign Microsoft Graph API Permissions
In your app registration, go to API permissions.
Select Microsoft Graph.

3. Add Required Permissions
Click Application permissions.
Add the following permissions:
| Permissions | Data |
| --- | --- |
| User.Read.All, UserAuthenticationMethod.Read.All, ConsentRequest.Read.All | User profiles, auth methods and consent grants |
| Device.Read.All | Device details from Entra ID |
| AuditLog.Read.All, AuditLogsQuery.Read.All | Security logs / events |
| MailboxSettings.Read | User mailbox settings, user forwarding rules |
| Application.Read.All, CloudApp-Discovery.Read.All, IdentityProvider.Read.All | Applications details and authentication |
| IdentityRiskEvent.Read.All, IdentityRiskyUser.Read.All, SecurityAlert.Read.All, SecurityIncident.Read.All, SecurityEvents.Read.All | Security events and risk-based alerts (MS Defender XDR) |
| Directory.Read.All, Reports.Read.All, Policy.Read.All | Organization and user-directory details |
User Isolator Permissions
To enable User Isolation (Threat Containment by ThreatDefence 24/7 SOC) features, also add:
User.EnableDisableAccount.All
User.RevokeSessions.All

4. Grant Admin Consent
Click Grant admin consent and confirm.
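After consent is granted, an app-only access token for Microsoft Graph lists the consented application permissions in its roles claim. The script below is an added example, not ThreatDefence or Microsoft code: it compares that claim with the permissions in this guide and reports anything missing or granted beyond it. The function names and the sample token are constructed for illustration, and acquiring a real token is not shown.

```python
import base64
import json

# Read-only application permissions from the table in this guide.
REQUIRED = set("""
User.Read.All UserAuthenticationMethod.Read.All ConsentRequest.Read.All
Device.Read.All AuditLog.Read.All AuditLogsQuery.Read.All MailboxSettings.Read
Application.Read.All CloudApp-Discovery.Read.All IdentityProvider.Read.All
IdentityRiskEvent.Read.All IdentityRiskyUser.Read.All SecurityAlert.Read.All
SecurityIncident.Read.All SecurityEvents.Read.All
Directory.Read.All Reports.Read.All Policy.Read.All
""".split())
# Account-changing permissions, needed only when User Isolator is enabled.
ISOLATOR = {"User.EnableDisableAccount.All", "User.RevokeSessions.All"}


def token_roles(jwt):
    """Return the `roles` claim of an app-only token as a set.
    The signature is not verified: use this only on a token you requested yourself."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))


def audit(jwt, isolator_enabled):
    """Compare granted permissions with what this guide asks for."""
    granted = token_roles(jwt)
    expected = REQUIRED | (ISOLATOR if isolator_enabled else set())
    return {"missing": sorted(expected - granted),      # consent incomplete
            "unexpected": sorted(granted - expected)}   # broader than the guide


def make_sample_token(roles):
    """Build a constructed, unsigned token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": sorted(roles)}), "sig"])


if __name__ == "__main__":
    sample = make_sample_token(
        (REQUIRED - {"MailboxSettings.Read"}) | {"User.RevokeSessions.All"})
    print(audit(sample, isolator_enabled=False))
```

An entry under "unexpected" means the app registration holds more than this integration needs and is worth removing in API permissions.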

Step 2: Configure ThreatDefence SIEM
Log in to your ThreatDefence SIEM Portal.
Navigate to Deployments > Integrations.
Click Add and select Microsoft Graph.
Need Help?
If you have any questions or need further assistance, please contact: support [at] threatdefence.com