Microsoft Azure Active Directory

TL;DR

To integrate Microsoft Azure Active Directory with Query:

  • Set up the required connection parameters in the Microsoft Graph API as described in the 'Prerequisites' section of this document.
  • Add a Microsoft Azure Active Directory connection source in Query with those connection parameters.
  • Test the integration with the 'Test Connection' link.
  • Perform searches for users, devices and authentication events.

Overview

Microsoft Azure AD is a cloud-based identity and access management service provided by Microsoft, offering secure authentication and authorization capabilities for applications and resources in the Azure ecosystem. By integrating with Query, you can:

  • Get context on users and devices and their authentication events.

Prerequisites

Configuring the Microsoft Graph API to access Azure AD data

Complete the following steps to use the APIs and create the connection credentials. The Azure AD API can be accessed in either application context or user context; Query uses the application context to access the API.

  • Create an Azure AD application.
  • Obtain an access token for this application.

Microsoft Graph API permissions

The following API permissions are the minimum Query needs to search Azure AD for users, their devices, group information, and authentication events.

  • ThreatHunting.Read.All
  • AuditLog.Read.All
  • Device.Read.All
  • Directory.Read.All
  • Domain.Read.All
  • Group.Read.All
  • User.Read.All

Azure AD Application Connection Parameters

Make sure you have the following connection parameters for the Microsoft Graph API before adding it as a connection source in Query.

  • Server URL - The API access URL
  • Tenant ID - Azure Tenant ID
  • Client ID - Azure Client/Application ID
  • Client Secret - Azure Client Secret
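As an added example (not Query's own code), the following Python script shows the application-context flow the prerequisites describe: it builds the client-credentials token request from the Tenant ID, Client ID and Client Secret, reads the `roles` claim of the returned access token and compares it against the permission list above, and derives the Graph endpoints behind the user, device and sign-in searches. The placeholder tenant and client values, the constructed sample token, and the use of `https://graph.microsoft.com` as the Server URL are assumptions.

```python
"""Client-credentials token acquisition against Azure AD and a least-privilege
check of the application permissions a token actually carries.

Added example, not Query's code. Tenant, client and token values below are
constructed placeholders."""
import base64
import json
import urllib.parse
import urllib.request

# Application permissions the page lists as the minimum Query needs.
REQUIRED_ROLES = {
    "ThreatHunting.Read.All",
    "AuditLog.Read.All",
    "Device.Read.All",
    "Directory.Read.All",
    "Domain.Read.All",
    "Group.Read.All",
    "User.Read.All",
}

# Assumed value for the "Server URL" parameter: the Microsoft Graph root.
GRAPH_URL = "https://graph.microsoft.com"


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials (application context) token request.
    Returns (url, form_body_bytes)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        # ".default" asks for every application permission consented to the app.
        "scope": f"{GRAPH_URL}/.default",
    }).encode()
    return url, body


def fetch_token(tenant_id, client_id, client_secret):
    """Perform the token exchange over the network (not exercised offline)."""
    url, body = token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token):
    """Return the `roles` claim (granted application permissions) from the JWT
    payload. Inspection only: the signature is NOT verified here, so this must
    never be used to make an authorization decision."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("roles", []))


def missing_roles(access_token, required=REQUIRED_ROLES):
    """Required permissions the token does not carry. A non-empty result is the
    usual reason valid credentials still fail on the first search: the role was
    added to the app registration but admin consent was never granted."""
    return sorted(required - token_roles(access_token))


def graph_search_urls(server_url=GRAPH_URL):
    """Graph v1.0 endpoints behind the three search types the page mentions."""
    base = server_url.rstrip("/") + "/v1.0"
    return {
        "users": f"{base}/users",
        "devices": f"{base}/devices",
        "sign-ins": f"{base}/auditLogs/signIns",
    }


def _fake_jwt(claims):
    """Constructed, unsigned token for offline demonstration only."""
    def enc(d):
        raw = json.dumps(d).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed token for an app consented without the AuditLog and ThreatHunting roles.
SAMPLE_TOKEN = _fake_jwt({
    "aud": GRAPH_URL,
    "tid": "00000000-0000-0000-0000-000000000000",  # placeholder tenant id
    "roles": ["Device.Read.All", "Directory.Read.All", "Domain.Read.All",
              "Group.Read.All", "User.Read.All"],
})

if __name__ == "__main__":
    url, _ = token_request("<tenant-id>", "<client-id>", "<client-secret>")
    print("token endpoint:", url)
    print("missing permissions:", missing_roles(SAMPLE_TOKEN))
    print(graph_search_urls())
```

`missing_roles` is the check worth running when 'Test Connection' succeeds but searches return 403: the token endpoint happily issues a token for an app whose requested permissions were never consented, and the gap only shows up in the `roles` claim.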

Adding a connection source in Query

  1. Go to the Connections page, click Add Connections, and select the Microsoft Azure Active Directory source from the Identity category.
  2. In the General tab, add the following details:
    • Server URL - The API access URL
    • Tenant ID - Azure Tenant ID
    • Client ID - Azure Client/Application ID
    • Client Secret - Azure Client Secret
  3. Click the Save button on the top right corner of the screen to save the connection source.
  4. To test the connection credentials, click 'Test Connection'. A success message appears if the credentials are valid. If the test fails, check that the connection parameters are correct, change them as needed, and retest.

Resources