Microsoft integrations (Graph and Azure) in Cortex XSOAR use Azure Active Directory applications to authenticate with Microsoft APIs. These integrations use OAuth 2.0 and OpenID Connect standard-compliant authentication services, which use an application to sign in or delegate authentication. For more information, see the Microsoft identity platform overview.
There are 2 application authentication methods available:
- Cortex XSOAR Application
- Self-Deployed Application
Cortex XSOAR Application
In this method, you give consent to the Cortex XSOAR application to access your data. Depending on the integration, this requires either admin consent to get access without a user or user consent to get access on behalf of a user. Note: This method requires that you give consent to all permissions requested by the application.
To start the authentication process, go to the integration's detailed instructions:
- Navigate to Settings > Integration > Servers & Services.
- Search for the Microsoft integration you want, e.g., Microsoft Defender Advanced Threat Protection.
- Click Add instance.
- Click the question mark at the top right.
- Follow the link to our authentication service to initiate the authorization flow.
Self-Deployed Application
To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal.
The application must have the required permissions for the relevant APIs. These are listed in each integration's documentation; for example, see Microsoft Defender Advanced Threat Protection required permissions.
To add the registration, refer to the Microsoft documentation.
The Tenant ID, Client ID, and Client secret are required for the integration.
When you configure the integration in Cortex XSOAR, enter those parameters in the appropriate fields:
- ID - Client ID
- Token - Tenant ID
- Key - Client Secret
In addition, make sure to select the Use a self-deployed Azure Application checkbox in the integration instance configuration.
Authorize on behalf of a user
Some of the Cortex XSOAR-Microsoft integrations (e.g., Azure Sentinel) require authorization on behalf of a user (not admin consent). For more information about this authorization flow, refer to the Microsoft documentation.
To configure a Microsoft integration that uses this authorization flow with a self-deployed Azure application:
- Make sure the needed permissions are granted for the app registration, e.g., for Microsoft Graph User: API/Permission name
- Copy the following URL and replace TENANT_ID, CLIENT_ID, REDIRECT_URI, and SCOPE with your own values.
https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize?response_type=code&scope=offline_access%20SCOPE&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI
For example, for Microsoft Graph User, replace the SCOPE with
- Enter the link and you will be prompted to grant Cortex XSOAR permissions for your Azure Service Management. You will be automatically redirected to a link with the following structure:
- Copy the AUTH_CODE (without the "code=" prefix) and paste it in your instance configuration under the Authorization code parameter.
- Enter your client ID in the ID parameter field.
- Enter your client secret in the Key parameter field.
- Enter your tenant ID in the Token parameter field.
- Enter your redirect URI in the Redirect URI parameter field.
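The URL-building and code-extraction steps above, as an added Python example (not part of the Cortex XSOAR documentation or integration code). The function names and sample values are assumptions made for illustration; the `error` / `error_description` handling follows the standard OAuth 2.0 error response.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_TEMPLATE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def build_authorize_url(tenant_id, client_id, redirect_uri, scope):
    """Fill in the page's authorize URL, percent-encoding every substituted value."""
    query = urlencode(
        {
            "response_type": "code",
            "scope": f"offline_access {scope}",  # offline_access kept from the template
            "client_id": client_id,
            "redirect_uri": redirect_uri,
        },
        quote_via=quote,  # spaces become %20, matching the template
    )
    return f"{AUTHORIZE_TEMPLATE.format(tenant=quote(tenant_id, safe=''))}?{query}"


def extract_auth_code(redirected_url, expected_redirect_uri):
    """Return AUTH_CODE (without the 'code=' prefix) from the redirected URL."""
    got, want = urlsplit(redirected_url), urlsplit(expected_redirect_uri)
    # Reject a code delivered anywhere other than the configured redirect URI.
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect does not match the configured redirect URI")
    params = parse_qs(got.query)
    if "error" in params:
        # The identity platform reports failures (e.g. declined consent) here.
        detail = params.get("error_description", [""])[0]
        raise ValueError(f"authorization failed: {params['error'][0]} {detail}".strip())
    codes = params.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("expected exactly one 'code' parameter in the redirect")
    return codes[0]


if __name__ == "__main__":
    # Constructed sample values; none of these are real identifiers or scopes.
    redirect = "https://localhost/myapp"
    print(build_authorize_url("TENANT", "CLIENT", redirect,
                              "https://resource.example/Sample.Read"))
    print(extract_auth_code(redirect + "?code=EXAMPLE_CODE&session_state=abc", redirect))
```
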
To revoke consent to a Cortex XSOAR Microsoft application, refer to the Microsoft documentation.