Microsoft integrations (Graph and Azure) in Cortex XSOAR use Azure Active Directory applications to authenticate with Microsoft APIs. These integrations use OAuth 2.0 and OpenID Connect standard-compliant authentication services, which use an Application to sign-in or delegate authentication. For more information, see the Microsoft identity platform overview.
There are 2 application authentication methods available:
- Cortex XSOAR Application
- Self-Deployed Application
Cortex XSOAR Application
In this method, you give consent to the Cortex XSOAR application to access your data. Depending on the integration, this requires either admin consent to get access without a user or user consent to get access on behalf of a user. Note: This method requires that you give consent to all permissions requested by the application.
To start the authentication process, go to the integration's detailed instructions:
Navigate to Settings > Integration > Servers & Services.
Search for wanted Microsoft integration, e.g.
Microsoft Defender Advanced Threat Protection.
Click Add instance.
Click on the question mark on the top right.
Follow the link to our authentication service to initiate the authorization flow.
Self Deployed Application
To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal.
The application must have the required permissions for the relevant APIs, which are documented in the integration documentation, for example see Microsoft Defender Advanced Threat Protection required permissions.
To add the registration, refer to the Microsoft documentation
The Tenant ID, Client ID, and Client secret are required for the integration.
When you configure the integration in Cortex XSOAR, enter those parameters in the appropriate fields:
- ID - Client ID
- Token - Tenant ID
- Key - Client Secret
In addition, make sure to select the Use a self-deployed Azure Application checkbox in the integration instance configuration.