AgileBlue can monitor and respond across your Microsoft 365 environment by leveraging a single application's API permissions. The full setup instructions and the requirements of the various datasets can be found below.
Please note: Auditing must be enabled for your organization in order to ensure data collection.
Configure Your Azure Application
- Log in to the Azure Portal using your Global Administrator credentials (e.g., an account that is marked as Global Administrator).
- Navigate to Microsoft Entra ID under Azure services
- Select App Registrations in the left-hand menu
- Click New registration
- Configure the options for this App Registration as follows:
- Name: AgileBlue M365 Security
- Supported account types: Accounts in this organizational directory only (Your tenant only - Single tenant)
- Redirect URI: No value/not needed
Add Required Permissions
Within the application created in the previous section, you will need to add specific permission sets in order for AgileBlue to monitor various portions of your environment. These permission sets are detailed by integration below:
- Select View API permissions
- Click Add a permission
- Select all permissions detailed below for desired integration points
- After permissions have been selected, click Add permissions
- Select Grant admin consent for [your tenant name]
Office365
- Permission Set: Office365 Management APIs (Application Permissions)
- ActivityFeed.Read
- ActivityFeed.ReadDlp
- Permission Set: Microsoft Graph (Required for account disablement actions)
- AuditLog.Read.All
- User.Read (typically added by default)
- Directory.ReadWrite.All
- User.EnableDisableAccount.All
- User.ReadWrite.All
- User.RevokeSessions.All
M365 Defender
- Permission Set: Microsoft Threat Protection
- Incident.Read.All
Microsoft Defender for Endpoint
- Permission Set: WindowsDefenderATP
- Alert.Read.All
- Alert.ReadWrite.All
- Machine.Isolate
- Machine.ReadWrite.All
Microsoft Entra ID Entity Analytics
- Permission Set: Microsoft Graph
- GroupMember.Read.All
- User.Read.All
- Device.Read.All
Microsoft Exchange Online Message Trace
- Permission Set: Office365 Exchange Online
- ReportingWebService.Read.All
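Once admin consent is granted, the application permissions listed above appear in the `roles` claim of an app-only access token issued for each API. The following is an added example, not AgileBlue or Microsoft code: it compares that claim against the lists on this page for the integrations you selected and reports missing and unexpected permissions. The function names and the sample token are constructed for illustration, and the token is decoded for inspection only, without signature verification.

```python
import base64
import json

# Application permissions per integration and permission set, copied from the
# lists above. "User.Read" is omitted: it is a delegated permission and does
# not appear in the roles claim of an app-only (client credentials) token.
REQUIRED = {
    "Office365": {
        "Office365 Management APIs": {"ActivityFeed.Read", "ActivityFeed.ReadDlp"},
        "Microsoft Graph": {"AuditLog.Read.All", "Directory.ReadWrite.All",
                            "User.EnableDisableAccount.All", "User.ReadWrite.All",
                            "User.RevokeSessions.All"}},
    "M365 Defender": {"Microsoft Threat Protection": {"Incident.Read.All"}},
    "Microsoft Defender for Endpoint": {
        "WindowsDefenderATP": {"Alert.Read.All", "Alert.ReadWrite.All",
                               "Machine.Isolate", "Machine.ReadWrite.All"}},
    "Microsoft Entra ID Entity Analytics": {
        "Microsoft Graph": {"GroupMember.Read.All", "User.Read.All", "Device.Read.All"}},
    "Microsoft Exchange Online Message Trace": {
        "Office365 Exchange Online": {"ReportingWebService.Read.All"}},
}

def token_claims(jwt):
    """Decode a JWT payload for inspection only (the signature is NOT verified)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_roles(jwt, permission_set, integrations):
    """Compare the token's roles with what the chosen integrations need from one API."""
    granted = set(token_claims(jwt).get("roles", []))
    required = set().union(*(REQUIRED[i].get(permission_set, set()) for i in integrations))
    return {"missing": sorted(required - granted),
            "unexpected": sorted(granted - required)}

def sample_token(roles):
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), "constructed"])

if __name__ == "__main__":
    tok = sample_token(["AuditLog.Read.All", "Directory.ReadWrite.All", "Mail.Read"])
    print(audit_roles(tok, "Microsoft Graph", ["Office365"]))
```

An "unexpected" entry is a permission the app holds beyond what this page asks for; review it before sharing the app's credentials.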
Create Client Secret Key & Collect Account Details
- Select Certificates & secrets from the left-hand menu
- Once the page loads, click New client secret
- On the pop out that appears, provide a Description of AgileBlue Collection Service and select your desired timeframe for expiration
- Please note the expiration date of the secret value
- Click Add
CAUTION! Depending on your version of Azure/Office365 and/or your security configurations, you may only have ONE CHANCE to grab this value. Be sure to copy this value and store it somewhere safe immediately.
- Copy the Secret Value to a secure location
- NOTE: The Secret Value is different from the Secret ID. The required value may have numbers, letters, and special characters. The Secret ID will only include numbers, letters, and hyphens. Please ensure the Secret Value is collected, not the Secret ID.
- Navigate back to the Overview page and copy the following values:
- Application (client) ID
- Directory (tenant) ID
Submitting Sensitive Data
The final step is to submit these sensitive details to AgileBlue. Once ready, please email support@agileblue.com and a specialist will send back an encrypted message. You will be able to respond to that message with the following values:
- Secret Value
- Application (client) ID
- Directory (tenant) ID
- Secret Value expiration date
Need Help?
AgileBlue is always here to support you and ensure you are 100% successful. If there are any issues with the installation or if you have any questions, please reach out to AgileBlue Support.
Email: support@agileblue.com
Phone: (216) 606-9400