Team: Huntress Managed Identity Threat Detection and Response (ITDR)
Product: Microsoft 365
Environment: Huntress Platform
Summary: This article covers the steps necessary to begin using the Microsoft 365 Integration inside of the Huntress ITDR platform, as well as adding new tenants as needed.
STOP AND READ: Directions in this article have been updated to reflect our new Identity Provider Integration dashboard. Please review our new guide for more details on this setup process as this will replace the separate guides we have used for Microsoft 365 and Google Workspace.
In this article
Prerequisites
Huntress
- You can sign in to the Huntress Platform with an admin-level account.
- You have an active Managed ITDR trial or subscription.
Microsoft 365
- The tenant has an Exchange license.
- You have a Microsoft 365 user account in the tenant with Global Administrator privileges.
- Audit Logs are enabled in the tenant.
Exchange permissions and role groups
In Exchange, confirm the Organization Management role group includes:
- Audit Logs
- Mail Recipients
- Organization Configuration
- Transport Rules
- Role Management
If any of these roles are missing, Huntress attempts to add them to Organization Management during onboarding. Huntress also adds the “Huntress Security Platform (Direct)” service principal to the Exchange Administrator and Organization Branding Administrator Entra built‑in roles. If you use PIM, you’ll see alerts for these changes.
Add the Microsoft 365 Integration and Map Tenants
To start a new tenant integration, select the Add option for a Microsoft 365 integration from the Integration tab (if you have not done so already). Once added, use the +New Integration option to select Microsoft 365 as your new tenant choice for a Huntress organization.
Follow the specific steps from our Identity Provider Integration guide to setup a new Microsoft 365 integration.
We suggest completing the mapping using Incognito/Private browsing with no extensions to reduce cache related issues. Due to ongoing browser changes, we recommend using a web browser container (for example, Firefox).
When complete, the status will change to Healthy
Back at the main Integrations page, your Microsoft 365 integration will show a green tick under Status to indicate the integration is intact.
Troubleshooting
AADSTS650051 after Global Administrator sign-in
Run the tenant mapping flow one more time. In some cases, the error clears on a second attempt.
If the error returns, follow the steps in this guide: Troubleshoot AADSTS650051.
Data isn’t appearing in Huntress after integration
Data may take up to 24 hours to appear, and longer for legacy tenants.
- Confirm audit logging is enabled in Microsoft 365.
- Confirm all prerequisites in this guide are met.
If data still doesn’t appear after 24 hours, contact Huntress Support at support@huntress.com.
Can’t sign in with a Microsoft Global Administrator account
- Confirm the account you’re using has Global Administrator permissions.
- Try again in an Incognito/Private browsing session with extensions disabled.
Relevant Articles
- Microsoft 365 Audit Logging
- Huntress Managed ITDR Permissions Breakdown
- Reauthorize Huntress Managed ITDR Integration
- Unmapping a Direct Mapped Tenant
- What is ITDR?
- Huntress Managed ITDR Frequently Asked Questions
- Huntress Managed ITDR Identity Isolation
- Billable Identities (Users)
- MFA Status for Managed ITDR
- AADSTS Errors