Microsoft integrations (Graph and Azure) in Cortex XSOAR use Azure Active Directory applications to authenticate with Microsoft APIs. These integrations use OAuth 2.0 and OpenID Connect standard-compliant authentication services, which use an Application to sign-in or delegate authentication. For more information, see the Microsoft identity platform overview.
There are 2 application authentication methods available:
- Cortex XSOAR Application
- Self-Deployed Application
Cortex XSOAR Application
In this method, you give consent to the Cortex XSOAR application to access your data. Depending on the integration, this requires either admin consent to get access without a user or user consent to get access on behalf of a user. Note: This method requires that you give consent to all permissions requested by the application.
To start the authentication process, go to the integration's detailed instructions:
Navigate to Settings > Integration > Servers & Services.
Search for wanted Microsoft integration, e.g.
Microsoft Defender Advanced Threat Protection.
Click Add instance.
Click on the question mark on the top right.
Follow the link to our authentication service to initiate the authorization flow.
Self Deployed Application
To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal.
The application must have the required permissions for the relevant APIs, which are documented in the integration documentation, for example see Microsoft Defender Advanced Threat Protection required permissions.
To add the registration, refer to the Microsoft documentation
The Tenant ID, Client ID, and Client secret are required for the integration.
When you configure the integration in Cortex XSOAR, enter those parameters in the appropriate fields:
- ID - Client ID
- Token - Tenant ID
- Key - Client Secret
In addition, make sure to select the Use a self-deployed Azure Application checkbox in the integration instance configuration.
Authorize on behalf of a user
Some of the Cortex XSOAR-Microsoft integrations (e.g., Azure Sentinel) require authorization on behalf of a user (not admin consent). For more information about this authorization flow, refer to the Microsoft documentation.
To configure a Microsoft integration that uses this authorization flow with a self-deployed Azure application:
- Make sure the needed permissions are granted for the app registration, e.g for Microsoft Graph User: API/Permission name
- Copy the following URL and replace the TENANT_ID, CLIENT_ID, REDIRECT_URI, SCOPE with your own client ID and redirect URI, accordingly.
https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize?response_type=code&scope=offline_access%20SCOPE&client_id=CLIENT_ID&redirect_uri=REDIRECT_URIFor example, for Microsoft Graph User, replace the SCOPE with
- Enter the link and you will be prompted to grant Cortex XSOAR permissions for your Azure Service Management. You will be automatically redirected to a link with the following structure:
- Copy the AUTH_CODE (without the "code=" prefix) and paste it in your instance configuration under the Authorization code parameter.
- Enter your client ID in the ID parameter field.
- Enter your client secret in the Key parameter field.
- Enter your tenant ID in the Token parameter field.
- Enter your redirect URI in the Redirect URI parameter field.
In order to revoke consent to a Cortex XSOAR Microsoft application, refer to the Microsoft documentation.
Azure Integrations Parameters
In order to use the Cortex XSOAR Azure application, you need to fill in your subscription ID and resource group name, which you can find in the Azure Portal.
Log in to the Azure Portal Home Page using your Azure credentials.
Search for your Azure product, for example SQL Servers:
- Click on your resource:
After you a redirected to the next page, in the Overview tab you will find your Resource group and Subscription ID: