MS365 Graph API

This guide walks you through enabling Microsoft Graph API access in ThreatDefence SIEM, including onboarding the "User Isolator" functionality.

Requirements:

  • Access to Microsoft 365 services (Microsoft 365 Compliance Center, Azure Active Directory)

  • E5 or P1/P2 licensing (ThreatDefence automatically extracts the security events available under your license).


Step 1: Grant API Permissions in Azure Portal

1. Register an Application

[Screenshot: Create Application]

2. Assign Microsoft Graph API Permissions

  • In your app registration, go to API permissions.

  • Select Microsoft Graph.

[Screenshot: API Selection Menu]

3. Add Required Permissions

  • Click Application permissions.

  • Add the following permissions:

Permissions | Data | Requirement
--- | --- | ---
Application.Read.All | Application details and registrations | Required
ConsentRequest.Read.All | Allows the app to read consent requests and approvals without a signed-in user. | Required
Directory.Read.All | Read directory data (users, groups, apps) | Required
deviceAppManagement, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All | Access Intune device configuration, compliance policies, assignments, and the properties of Intune-managed devices. | Optional
SecurityAlert.Read.All | Access all security alerts without needing a signed-in user. | Required
SecurityIncident.Read.All | Access all security incidents without needing a signed-in user. | Required
IdentityRiskyUser.Read.All | Access your organisation's risky user data without a signed-in user. | Required
IdentityRiskyServicePrincipal.Read.All | Access your organisation's risky service principal information without a signed-in user. | Required
IdentityRiskEvent.Read.All | Access identity risk event information for the organisation. | Required
User.EnableDisableAccount.All, User.RevokeSessions.All | Allows the app to revoke all sign-in sessions for a user and enable or disable user accounts, without requiring a signed-in user. | Optional
User.Read.All | Allows the app to read user profiles without a signed-in user. | Required
Device.Read.All | Read your organisation's device configuration information without a signed-in user. | Required
Reports.Read.All | Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory. | Required

User Isolator Permissions

To enable the User Isolation features (Threat Containment by the ThreatDefence 24/7 SOC), also add:

[Screenshot: Add Permissions]

  • Click Grant admin consent and confirm.

[Screenshot: Grant Consent]
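
Once admin consent is granted, the permissions are recorded on the SIEM app's service principal as appRoleAssignments, which is what you check if the integration later reports missing events. The Python below is added here as an example and is not part of the ThreatDefence guide or product: it resolves those grants against the table above and reports missing required permissions, unexpected extras, and whether the state-changing User Isolator grants are present; the GUIDs and consent state are constructed sample data.

```python
# Added example (not from the ThreatDefence guide): audit the application
# permissions actually granted to the SIEM app registration against this
# guide's table. Inputs are two Graph responses fetched after admin consent:
#   GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
#   GET /servicePrincipals/{siem_sp_id}/appRoleAssignments
# (Graph's own service principal, whose appRoles map id -> value, and the SIEM
# app's grants, keyed by appRoleId.) GUIDs below are constructed placeholders.
REQUIRED = {
    "Application.Read.All", "ConsentRequest.Read.All", "Directory.Read.All",
    "SecurityAlert.Read.All", "SecurityIncident.Read.All", "IdentityRiskyUser.Read.All",
    "IdentityRiskyServicePrincipal.Read.All", "IdentityRiskEvent.Read.All",
    "User.Read.All", "Device.Read.All", "Reports.Read.All",
}
OPTIONAL_READ = {"DeviceManagementConfiguration.Read.All",
                 "DeviceManagementManagedDevices.Read.All"}  # Intune rows
# Optional but state-changing (the User Isolator grants): always surface these.
WRITE_CAPABLE = {"User.EnableDisableAccount.All", "User.RevokeSessions.All"}

def audit_grants(graph_app_roles, assignments, graph_sp_id):
    """Resolve appRoleId -> value and diff against the table; other resources skipped."""
    role_values = {r["id"]: r["value"] for r in graph_app_roles
                   if "Application" in r.get("allowedMemberTypes", [])}
    granted, unresolved = set(), []
    for a in assignments:
        if a.get("resourceId") != graph_sp_id:
            continue
        value = role_values.get(a["appRoleId"])
        if value:
            granted.add(value)
        else:
            unresolved.append(a["appRoleId"])
    return {
        "granted": sorted(granted),
        "missing_required": sorted(REQUIRED - granted),
        "write_capable": sorted(granted & WRITE_CAPABLE),
        "unexpected": sorted(granted - REQUIRED - OPTIONAL_READ - WRITE_CAPABLE),
        "unresolved": unresolved,
    }

# Constructed sample: Graph appRoles for the table's permissions plus one extra;
# consent state lacks Reports.Read.All and has a stale grant on another resource.
GRAPH_SP_ID = "11111111-1111-1111-1111-111111111111"
_VALUES = sorted(REQUIRED | OPTIONAL_READ | WRITE_CAPABLE | {"Mail.ReadWrite"})
GRAPH_APP_ROLES = [{"id": f"00000000-0000-0000-0000-{i:012d}", "value": v,
                    "allowedMemberTypes": ["Application"]} for i, v in enumerate(_VALUES, 1)]
SIEM_ASSIGNMENTS = [{"appRoleId": r["id"], "resourceId": GRAPH_SP_ID}
                    for r in GRAPH_APP_ROLES if r["value"] != "Reports.Read.All"]
SIEM_ASSIGNMENTS.append({"appRoleId": GRAPH_APP_ROLES[0]["id"],
                         "resourceId": "22222222-2222-2222-2222-222222222222"})
```

Call audit_grants with the real responses (a JSON dump of appRoles and appRoleAssignments) to check a tenant; a non-empty write_capable list on a deployment that does not use User Isolator is a grant worth removing.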

Step 2: Configure ThreatDefence SIEM

  1. Navigate to Deployments > Integrations.

  2. Click Add and select Microsoft Graph.


Need Help?

If you have any questions or need further assistance, please contact: support [at] threatdefence.com
