Microsoft O365 and Azure are extensive platforms with many different products and functionality. Moreover, the APIs behind them (especially the Microsoft Graph API) are vast and do not fit under one integration.
Review this document to determine the Microsoft integrations you need for your use case.
- Create users and groups.
- Remove a member from a group.
- Remove a pre-approved application.
- Get Manager Details.
- Active Directory Investigation playbook.
Manage users in Azure Active Directory and O365.
- List, create, and update users.
- Terminate sessions.
- Block users, etc.
Manage groups in Azure Active Directory and O365.
- List, create, and update groups.
- List, add, and remove members.
Manage Active Directory roles and role members.
Manage applications and service principals.
- Download a file from OneDrive.
- Send a message via Microsoft Teams.
- Add a member to an existing team.
- Schedule an event in the calendar.
Manage files in O365 (OneDrive/SharePoint/Teams).
- Upload and download files.
- List drive and folder content.
- List SharePoint sites.
Enable communicating and mirroring via Microsoft Teams.
- Create and update channels.
- Add users to channel
- Message users.
- Ring user.
- Message mirroring.
Manage teams and team members.
- Create and update teams.
- Add and remove team members.
Manage calendar events.
This is a generic integration that supports running any endpoint of MS Graph API. Since the API is very vast and not all of the endpoints are implemented, this integration can be used.
- Find failed login events.
- Find publicly shared files events.
- Find security events.
- Office 365 and Azure Hunting.
- Office 365 and Azure Configuration Analysis.
Ingest events from O365 (Azure AD, SharePoint, EWS, etc) as incidents.
- Find an email message.
- Move an email message to a different folder.
- Send an email.
- Delete Email.
- Modify your Outlook recipient list.
- Process Emails.
|EWS Mail Sender||On-Prem||Notify user by mail in a playbook.|
Fetch emails as incidents.
|Supports basic authentication only||Basic Auth|
|EWS O365||Cloud/Hybrid||For O365 - Supports OAuth2.|
Only supports admin accounts that have access to all mailboxes.
|EWS v2||On-Prem + Cloud||Basic Auth + NTLM|
|EWS Extension||Manage junk rules and search the message trace.||Uses different APIs than EWSv2|
|Exchange Online Powershell V2 module||On-Prem||Manage mailboxes and permissions.|
|O365 Outlook Mail (Using Graph API)||Cloud||Manage and send email on behalf of a different user that was configured||client_credentials|
|O365 Outlook Mail Single User (Using Graph API)||Cloud||Can manage the mailbox of the configured user only||auth_code (on behalf of a user)|
|Exchange 2016 Compliance Search||On-Prem||The only module that enables searching messages across the entire organization.||Basic Auth|
|O365 Security and Compliance||Cloud||Search across mailboxes and execute actions on the results.||Known limitation in the README|
Restart authentication process on
|device-code (on behalf of a user).|
- Spin up a VM in Azure.
- Block traffic from Azure to a certain IP address.
- Search for Sentinel events in Log Analytics.
Create and manage Azure VMs.
Manage security groups to filter network traffic to and from Azure resource
Enable querying data generated from Azure resources.
- Ingest security alerts.
- Search files in Box.
- Isolate an endpoint.
- Wipe a mobile device that has suspicious activity.
- Run a critical Windows update on all the endpoints in the organization.
Unified Azure security management.
- Fetch alerts.
- Manage auto-provisioning.
Manage the SIEM by Microsoft.
- Fetch and manage incidents.
- List entities.
Manage the Azure web application firewall.
List, create, and update policies.
Microsoft CASB solution.
- Fetch and manage alerts.
- Search activity and files in cloud applications.
|Microsoft 365 Defender (Beta)||Fetch incidents on email, collaboration, identity, and device threats. |
Advanced hunting - querying 30 days of raw data
|Microsoft Defender for Endpoint (Defender ATP)||Microsoft’s endpoint, detection, and response (EDR). |
Fetch alerts, run a scan on an endpoint, remediate an endpoint, manage indicators, get machine action status.
|Microsoft Graph Security||Unified gateway to security insights.|
Fetch alerts from various Microsoft security sources: Azure ATP/Azure Security Center/Microsoft CAS/Azure Active Directory Identity Protection/Azure Sentinel/Microsoft Defender for Endpoint (ATP)
Enable execution of scripts on multiple endpoints.
- Lock a device.
- Wipe a device.
- Locate a device, etc.
Fetch Indicators from Microsoft Defender.
Office 365 IP Address and URL feed.
Indicator feed from Microsoft Intune (Defender for Endpoint).