Microsoft combined integration

Because Prelude supports several products in Microsoft's stack, you can configure a single "app registration" that covers all of them, instead of one for EDR, one for Endpoint Management, one for Email and so on. This works by combining the IAM role assignments and API permissions required by each use-case into that one registration; a permission that several use-cases share (for example DeviceManagementConfiguration.Read.All) only has to be added once.


To attach Prelude to a Microsoft App registration, you will need:

  • The Prelude Dashboard / UI (US1 | EU1) or Prelude CLI
  • An Entra ID user with the Global Administrator role (needed to grant admin consent for the API permissions and to assign the directory role below)

In Azure

 Create an App Registration
  1. Navigate to the App registrations section in the Azure Portal.
  2. Select "+ New registration" toward the top of the page.
  3. Enter a name for your application
  4. Choose Single tenant as the supported account type (Accounts in this organizational directory only). Click Register.
  5. Leave Redirect URI (optional) empty; client-credentials access does not use one.
  6. After registration:
    1. Note down the Application (client) ID and Directory (tenant) ID from the app's Overview page.
  7. In the left menu, expand the Manage section, select Certificates & secrets and create a new client secret:
    1. Click New client secret, enter a description, and set an expiration period. Record the expiry date: the integration stops working when the secret expires, so plan to rotate it before then.
    2. Note down the generated Client Secret Value (you won't be able to view it later; only the Secret ID remains visible).

We now have:

  • APP ID (Application (client) ID) from step 6
  • TENANT ID (Directory (tenant) ID) from step 6
  • APP SECRET (Client Secret Value) from step 7

Roles and API Permissions Summary

Step-by-step guidance is provided in the next section; here is a summary of all API permissions and IAM role assignments required. Because everything lives in one app registration, a permission that appears under more than one use-case is added once and serves all of them.

API Permissions

Use-Case      API                                                     Type         Permission
Defender      Microsoft APIs / Microsoft Graph                        Delegated    User.Read
Defender      Microsoft APIs / Microsoft Graph                        Application  ThreatHunting.Read.All
                                                                                   CustomDetection.ReadWrite.All (*)
                                                                                   DeviceManagementConfiguration.Read.All
Defender      APIs my organization uses / WindowsDefenderATP          Application  Machine.Read.All
                                                                                   Alert.Read.All
                                                                                   Ti.Read.All
Intune        Microsoft APIs / Microsoft Graph                        Delegated    User.Read
Intune        Microsoft APIs / Microsoft Graph                        Application  Device.Read.All
                                                                                   DeviceManagementConfiguration.Read.All
                                                                                   DeviceManagementManagedDevices.Read.All
M365 (Email)  APIs my organization uses / Office 365 Exchange Online  Application  Exchange.ManageAsApp
EntraID       Microsoft APIs / Microsoft Graph                        Application  AuditLog.Read.All
                                                                                   IdentityRiskyUser.Read.All
                                                                                   Policy.Read.All
                                                                                   UserAuthenticationMethod.Read.All
                                                                                   User.Read.All
                                                                                   DeviceManagementConfiguration.Read.All

(*) Only required if sending detections to Defender. Not required for Security Control Monitoring.

IAM Roles

Use-Case      Role
Defender      N/A
Intune        N/A
M365 (Email)  Security Reader (*)
EntraID       N/A

(*) If your M365 configuration does not give Security Reader sufficient permission to read the M365 policies, a higher or custom role can be used.

The next section provides a step-by-step guide to configuring the API permissions and roles.

 Granting API Permissions

  1. In the left menu of the app you created, select API permissions and click Add a permission. Work through the products below that you use; if a permission already appears in the list (for example User.Read or DeviceManagementConfiguration.Read.All, which several use-cases share), it does not need to be added again.

Defender
  1. Under "Microsoft APIs" select Microsoft Graph
  2. Select Delegated permissions and add the following API Permission:
    • User.Read
  3. Select Application permissions (not Delegated) and add the following API Permissions:
    • ThreatHunting.Read.All
    • CustomDetection.ReadWrite.All (only if sending detections to Defender)
    • DeviceManagementConfiguration.Read.All
  4. Click Add a permission again, and under "APIs my organization uses" search for and select WindowsDefenderATP
  5. Select Application permissions (not Delegated) and add the following API Permissions:
    • Machine.Read.All
    • Alert.Read.All
    • Ti.Read.All

Intune
  1. Under "Microsoft APIs" select Microsoft Graph
  2. Select Delegated Permissions and add the following API Permissions:
    1. User.Read
  3. Select Application permissions (not Delegated) and add the following API Permissions.
    1. Device.Read.All
    2. DeviceManagementConfiguration.Read.All
    3. DeviceManagementManagedDevices.Read.All
M365 (Email)
  1. Under "APIs my organization uses" search for "Office 365 Exchange Online" and select it
  2. Select Application permissions (not Delegated) and add the following API Permission:
    • Exchange.ManageAsApp

EntraID
  1. Under "Microsoft APIs" select Microsoft Graph
  2. Select Application permissions (not Delegated) and add the following API Permissions:
    • AuditLog.Read.All
    • IdentityRiskyUser.Read.All
    • Policy.Read.All
    • UserAuthenticationMethod.Read.All
    • User.Read.All
    • DeviceManagementConfiguration.Read.All

Note: After adding the above permissions, click "Grant admin consent for <your tenant name>" at the top of the API permissions list and confirm. Application permissions are inert until an administrator consents: the Status column must show "Granted for <your tenant name>" on every row, otherwise tokens issued to the app will not carry them.
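The merged permission set from the summary table and the steps above, as an added example that is not part of Prelude's documentation or tooling. It is a Python script that builds the app registration's requiredResourceAccess manifest from the page's own table, collapsing permissions shared by several use-cases, and resolves each permission name to its GUID from the resource service principal's catalogue (the JSON that `az ad sp show --id <resource appId>` returns). The three resource appIds are Microsoft's well-known values; the catalogue embedded below is constructed so the script runs offline, so its GUIDs are placeholders, and the file-argument convention is this example's own. Apply the result with `az ad app update --id <APP ID> --required-resource-accesses @manifest.json`, then grant admin consent as in the note above.

```python
"""Build the combined requiredResourceAccess manifest for one app registration.

Usage (real catalogue):   python manifest.py graph.json defenderatp.json exchange.json
  where each file is the output of:  az ad sp show --id <resource appId>
Usage (offline demo):     python manifest.py            (uses a constructed catalogue)
Apply with: az ad app update --id <APP ID> --required-resource-accesses @manifest.json
then grant consent:  az ad app permission admin-consent --id <APP ID>
"""
import json
import sys
import uuid

# Well-known appIds of the resource APIs used on this page.
GRAPH = "00000003-0000-0000-c000-000000000000"            # Microsoft Graph
DEFENDER_ATP = "fc780465-2017-40d4-a0c5-307022471b92"     # WindowsDefenderATP
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"  # Office 365 Exchange Online

# The "API Permissions" summary table: (use-case, resource, type, permission).
# "Role" = Application permission, "Scope" = Delegated permission (Graph's own terms).
PERMISSION_TABLE = [
    ("Defender", GRAPH, "Scope", "User.Read"),
    ("Defender", GRAPH, "Role", "ThreatHunting.Read.All"),
    ("Defender", GRAPH, "Role", "CustomDetection.ReadWrite.All"),
    ("Defender", GRAPH, "Role", "DeviceManagementConfiguration.Read.All"),
    ("Defender", DEFENDER_ATP, "Role", "Machine.Read.All"),
    ("Defender", DEFENDER_ATP, "Role", "Alert.Read.All"),
    ("Defender", DEFENDER_ATP, "Role", "Ti.Read.All"),
    ("Intune", GRAPH, "Scope", "User.Read"),
    ("Intune", GRAPH, "Role", "Device.Read.All"),
    ("Intune", GRAPH, "Role", "DeviceManagementConfiguration.Read.All"),
    ("Intune", GRAPH, "Role", "DeviceManagementManagedDevices.Read.All"),
    ("M365", EXCHANGE_ONLINE, "Role", "Exchange.ManageAsApp"),
    ("EntraID", GRAPH, "Role", "AuditLog.Read.All"),
    ("EntraID", GRAPH, "Role", "IdentityRiskyUser.Read.All"),
    ("EntraID", GRAPH, "Role", "Policy.Read.All"),
    ("EntraID", GRAPH, "Role", "UserAuthenticationMethod.Read.All"),
    ("EntraID", GRAPH, "Role", "User.Read.All"),
    ("EntraID", GRAPH, "Role", "DeviceManagementConfiguration.Read.All"),
]
OPTIONAL = {"CustomDetection.ReadWrite.All"}  # only when sending detections to Defender


def combined_permissions(use_cases, send_detections=False):
    """Set of (resource, type, name) for the selected use-cases, shared entries merged."""
    return {
        (res, kind, name)
        for uc, res, kind, name in PERMISSION_TABLE
        if uc in use_cases and (send_detections or name not in OPTIONAL)
    }


def build_manifest(wanted, catalogue):
    """Resolve each name to its GUID from the resource SP's appRoles / oauth2PermissionScopes."""
    by_resource = {}
    for res, kind, name in sorted(wanted):
        sp = catalogue[res]
        entries = sp["appRoles"] if kind == "Role" else sp["oauth2PermissionScopes"]
        ids = [e["id"] for e in entries if e["value"] == name]
        if len(ids) != 1:  # typo in the table, or the resource SP is missing from the tenant
            raise LookupError(f"{kind} {name} not found exactly once on resource {res}")
        by_resource.setdefault(res, []).append({"id": ids[0], "type": kind})
    return [{"resourceAppId": r, "resourceAccess": a} for r, a in sorted(by_resource.items())]


def constructed_catalogue():
    """Constructed stand-in for `az ad sp show` output so the script runs offline.
    The GUIDs are derived from the names and are NOT the real permission IDs."""
    cat = {}
    for _, res, kind, name in PERMISSION_TABLE:
        sp = cat.setdefault(res, {"appId": res, "appRoles": [], "oauth2PermissionScopes": []})
        bucket = sp["appRoles"] if kind == "Role" else sp["oauth2PermissionScopes"]
        if not any(e["value"] == name for e in bucket):
            fake_id = str(uuid.uuid5(uuid.NAMESPACE_URL, f"{res}/{kind}/{name}"))
            bucket.append({"id": fake_id, "value": name})
    return cat


if __name__ == "__main__":
    wanted = combined_permissions({"Defender", "Intune", "M365", "EntraID"}, send_detections=False)
    catalogue = constructed_catalogue()
    if len(sys.argv) == 4:  # replace the placeholders with the tenant's real SP JSON
        for res, path in zip((GRAPH, DEFENDER_ATP, EXCHANGE_ONLINE), sys.argv[1:]):
            with open(path) as fh:
                catalogue[res] = json.load(fh)
    json.dump(build_manifest(wanted, catalogue), sys.stdout, indent=2)
```

The WindowsDefenderATP and Office 365 Exchange Online service principals only exist in tenants where those products are provisioned, which is why the portal lists them under "APIs my organization uses"; `build_manifest` fails loudly rather than silently dropping a permission when a name cannot be resolved.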

Granting IAM Roles
 Entra ID: Granting Security Reader role
  1. Navigate to Entra ID in the Azure portal
  2. Expand Manage and select "Roles and administrators" on the left hand side
  3. Search for the "Security Reader" role and click on it
  4. On the next screen, select Add assignments
  5. In the "Search" field, enter the full Application (client) ID from the steps above. The match is the service principal (enterprise application) of your app registration, which is what the role is assigned to; select it and assign it to the Security Reader role.
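A check on the finished registration, as an added example that is not from Prelude: request an app-only token for each resource with the client-credentials grant (the flow the APP ID / APP SECRET pair is used for) and read back the `roles` claim, which lists only the application permissions an administrator has actually consented to, and, for the Exchange token, the `wids` claim, which carries the directory roles assigned to the service principal. The token endpoint, scopes and claim names are standard Entra ID behaviour; the Security Reader role template ID is taken from Microsoft's built-in roles reference and should be confirmed against your tenant; `fake_token` and the environment variable names are constructed for this example.

```python
"""Audit the app-only tokens issued to the combined app registration.

With TENANT_ID, APP_ID and APP_SECRET set in the environment, one token per
resource is requested and compared with the page's summary table; without
them, a constructed token demonstrates the check offline.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Application permissions from the summary table, keyed by token audience.
# CustomDetection.ReadWrite.All is optional and deliberately left out.
EXPECTED_ROLES = {
    "https://graph.microsoft.com": {
        "ThreatHunting.Read.All", "DeviceManagementConfiguration.Read.All",
        "Device.Read.All", "DeviceManagementManagedDevices.Read.All",
        "AuditLog.Read.All", "IdentityRiskyUser.Read.All", "Policy.Read.All",
        "UserAuthenticationMethod.Read.All", "User.Read.All",
    },
    "https://api.securitycenter.microsoft.com": {
        "Machine.Read.All", "Alert.Read.All", "Ti.Read.All",
    },
    "https://outlook.office365.com": {"Exchange.ManageAsApp"},
}
# Security Reader role template ID per Microsoft's built-in roles reference; confirm with
#   az rest --url https://graph.microsoft.com/v1.0/directoryRoleTemplates
SECURITY_READER_TEMPLATE_ID = "5d6b6bb7-de71-4623-b4af-96380a352509"


def client_credentials_token(tenant_id, app_id, app_secret, audience):
    """Client-credentials grant against the v2.0 token endpoint; returns the raw JWT."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_secret,
        "scope": f"{audience}/.default",
    }).encode()
    with urllib.request.urlopen(url, form, timeout=30) as resp:
        return json.load(resp)["access_token"]


def jwt_claims(token):
    """Decode the JWT payload without verifying the signature (we only inspect our own token)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token, audience, require_security_reader=False):
    """Return a list of problems; an empty list means the grant matches the table."""
    claims = jwt_claims(token)
    problems = []
    granted = set(claims.get("roles", []))  # claim is absent entirely if consent was never granted
    for role in sorted(EXPECTED_ROLES[audience] - granted):
        problems.append(f"missing application permission: {role}")
    if require_security_reader and SECURITY_READER_TEMPLATE_ID not in claims.get("wids", []):
        problems.append("service principal is not assigned the Security Reader directory role")
    return problems


def fake_token(claims):
    """Constructed, unsigned JWT for the offline demonstration; never accept such a token as input."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


if __name__ == "__main__":
    tenant, app, secret = (os.environ.get(k) for k in ("TENANT_ID", "APP_ID", "APP_SECRET"))
    if tenant and app and secret:
        for audience in EXPECTED_ROLES:
            tok = client_credentials_token(tenant, app, secret, audience)
            issues = audit_token(tok, audience,
                                 require_security_reader=audience.startswith("https://outlook"))
            print(audience, "OK" if not issues else issues)
    else:
        demo = fake_token({"roles": ["Machine.Read.All", "Alert.Read.All"]})
        print(audit_token(demo, "https://api.securitycenter.microsoft.com"))
```

Entra ID issues a token even when no permission has been consented; it simply omits the `roles` claim, which is why a failed admin-consent step shows up here as "missing application permission" rather than as a login error. Run the Exchange audience with `require_security_reader=True` after the role assignment above, since Exchange Online maps app-only access to RBAC through the `wids` claim.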


In Prelude

Follow the instructions to attach the relevant technology: