For Microsoft Cloud Solution Providers (CSP), Huntress MDR for Microsoft 365 uses APIs that integrate with the CSP's Microsoft Partner tenant to access their customers' information. This is done via Microsoft's Secure Application Model together with the reseller and administrative relationships set up through Microsoft's Granular Delegated Admin Privileges (GDAP). This type of integration requires the CSP partner to complete a handful of prerequisites before the integration can succeed; they are detailed at the beginning of this article.
If you are an MSP enrolled in Microsoft's CSP program and have access to your customers' environments via https://partner.microsoft.com, this is the recommended integration method for you.
Prerequisites
All items in this section need to be completed before successful onboarding can be accomplished. Please review before attempting onboarding. Individual items that have special instructions will have a link to relevant support information to guide you through the setup process.
- Any Microsoft tenant you wish to protect must have Microsoft Entra ID P1 (formerly Azure Active Directory Premium P1) licensing present. These licenses can be purchased either standalone, or are included in bundles such as Microsoft 365 Business Premium.
The Entra ID/Azure AD P1 requirement is likely dropping soon. This may happen as soon as September 2023 as Microsoft is lowering the licensing requirements for audit logging features. However, the P1 licensing is still required for security features such as Conditional Access.
- Migration from Delegated Access Permissions (DAP) to Granular Delegated Access Permissions (GDAP) must be complete. If you've not yet completed this migration we have a blog available that will walk you through the transition to GDAP. We also held a webinar on this topic which can be viewed on-demand here.
- All protected tenants must have at least one Exchange Mailbox license. If you are protecting tenants that do not subscribe to a mailbox license you will need to perform a direct tenant mapping.
- Your Microsoft CSP Partner tenant must possess at least one Exchange Mailbox license, regardless of whether you intend to protect it with the Huntress service. It is very rare for this tenant to have no mailbox, but if you do not have any internal use rights you can leverage, purchasing an Exchange Online Kiosk (K1) license is the least expensive way to fulfill this requirement.
- In order for Huntress to receive events from Microsoft 365, Audit Logging must be enabled. Click here for instructions on verifying and enabling audit logging in Microsoft 365.
- This integration method is not compatible with Security Defaults. You must migrate from Security Defaults to Conditional Access policies. Click here for more information. If you wish to utilize Security Defaults (not recommended), you may use the direct tenant mapping integration method.
- Each active conditional access policy in downstream tenants must be configured with a Service Provider Exclusion. Instructions for performing these can be found here.
Table of Contents
- Create & Assign Security Group to a GDAP Relationship
- Create the Service Account
- Integrating Microsoft 365 with Huntress
- Mapping Microsoft 365 tenants to Huntress Organizations
- Video Walkthrough
Create & Assign Security Group to a GDAP Relationship
As outlined in the prerequisites above, a GDAP relationship is required for the Huntress service account to access downstream tenants from the Microsoft CSP Partner tenant. The Huntress service account created in the next step needs to be a member of a security group associated with each downstream customer's GDAP relationship, bearing the following Azure AD roles:
- Application administrator
- Authentication policy administrator
- Cloud application administrator
- Conditional access administrator
- Exchange administrator
- Intune administrator
- Privileged authentication administrator
- Security administrator
- Teams administrator
- User administrator
In Microsoft Entra ID (formerly Azure Active Directory), create a security group with an appropriate name; we recommend "Huntress Security Platform". Then, in the Microsoft Partner Center (https://partner.microsoft.com), perform the following steps:
- Click on Customers from the home page
- Click on Customer list in the left menu if it is not already selected
- For each Customer (aka Downstream Tenant) you wish to protect:
- Click the Name of the Customer
- Click Admin Relationships in the left-hand menu
- Click the admin relationship name of the Active GDAP relationship that contains all of the required Azure AD roles listed above. NOTE: You can click the downward arrow in the right-most column to see the Azure AD roles tied to the admin relationship. If there are multiple relationships, ensure you are using an Active one that has ALL of the required roles assigned.
- Click Add security groups
- Select the security group you created at the beginning of this section (we recommend "Huntress Security Platform") and click Next.
- Select the following Azure AD roles:
Shown in the order they appear in the pick list. Using CTRL+F in your browser may be helpful.
- Exchange administrator
- Teams administrator
- Intune administrator
- Conditional access administrator
- Privileged authentication administrator
- User administrator
- Application administrator
- Cloud application administrator
- Security administrator
- Authentication policy administrator
When using a tool to manage GDAP such as CyberDrain Improved Partner Portal (CIPP), GDAP security groups may already be created. CIPP creates a separate security group for each role. If desired, you can place the Huntress service account in the appropriate security groups in lieu of its own security group.
Creating the Service Account
It's best practice to use a dedicated service account for the Huntress Microsoft 365 integration. This ensures the Huntress service has exactly the permissions required, and an interruption of service is less likely if a shared account is modified or disabled.
Our support team will expect the integration to be set up using a dedicated service account and may not be able to provide advanced troubleshooting if a specific user or shared admin account is used to set up the integration.
- Create an unlicensed dedicated service account in Azure Active Directory (e.g. HuntressPlatform@domain.tld)
- Assign the account to the Global Administrator role, at least for the duration of the integration process
- Place this service account into the AdminAgents security group and make it a member of the security group set up in the previous section
- Enforce multifactor authentication on this account utilizing the Microsoft Authenticator App push notification via Conditional Access
- In the Azure Portal access Azure Active Directory => Security => Conditional Access => Policies
- Click the +New Policy option at the top of the right-hand pane
- Provide a name for the policy (e.g. "Huntress Platform Service Account MFA" or similar)
- Under Assignments, click "0 users and groups selected". With the Include tab selected, click the "Select users and groups" radio button, check "Users and groups", select the HuntressPlatform@domain.tld account from Step 1, and click Select in the lower left.
- Under Target resources click "No target resources selected", click the "All cloud apps" radio button
- Under Access Controls and Grant, click "0 controls selected", check "Require multifactor authentication", and click Select at the bottom of the right-hand pane.
- At the bottom click "On" under "Enable policy"
- Click the blue Create button in the bottom left-hand corner.
If you have already migrated to Authentication strengths, in step 4.f above select "Require authentication strength" instead of "Require multifactor authentication" and select a strength that includes push notification based MFA methods.
A Microsoft first-party push-based MFA notification is required. Less secure methods such as SMS and TOTP are not supported, nor are third-party MFA solutions such as Duo or Okta. See Microsoft's documentation on this topic here.
- Exclude the service account from existing Conditional Access policies by navigating in the Azure Portal to Azure Active Directory => Security => Conditional Access => Policies and for each policy with a State of "On":
- Click the policy name
- Under Assignments click the blue text under the Users heading
- Click the Exclude tab
- If "Users and groups" is not checked, check it
- Click the blue text under "Select excluded users and groups"
- Search for or select the HuntressPlatform@domain.tld service account from Step 1
- Click the blue Select button in the bottom left of the right-hand pane.
- Log in to the Azure portal using the account and verify that a permanent password is chosen and multifactor authentication is completely set up and operational
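The Conditional Access portion of the steps above (the MFA policy in step 4 and the per-policy exclusions in step 5) can also be applied with the Microsoft Graph PowerShell SDK, which makes it easy to confirm no enabled policy was missed. This is an added example, not Huntress's own tooling; it assumes the Microsoft.Graph module is installed, that you sign in with rights to manage Conditional Access, and that the UPN and policy name are placeholders to replace with your own.

```powershell
# Added example (not from the Huntress article). Assumes Microsoft.Graph is installed
# and the signed-in admin may manage Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All"

$serviceUpn = "HuntressPlatform@domain.tld"              # placeholder UPN from Step 1
$policyName = "Huntress Platform Service Account MFA"    # placeholder policy name

# Conditional Access references users by object ID, so resolve the UPN first
$svc = Get-MgUser -UserId $serviceUpn -Property Id,UserPrincipalName

# Step 4: one policy scoped to the service account only, all cloud apps, grant only with MFA
$mfaPolicy = @{
    displayName   = $policyName
    state         = "enabled"
    conditions    = @{
        users        = @{ includeUsers = @($svc.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Step 5: exclude the service account from every OTHER policy whose state is "On" (enabled)
$others = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq "enabled" -and $_.Id -ne $created.Id }

foreach ($p in $others) {
    $excluded = @($p.Conditions.Users.ExcludeUsers)
    if ($excluded -contains $svc.Id) { continue }        # already excluded, nothing to do
    $excluded += $svc.Id
    # PATCH replaces the whole conditions.users object, so every existing
    # include/exclude list is carried over unchanged alongside the new exclusion
    $update = @{
        conditions = @{
            users = @{
                includeUsers  = @($p.Conditions.Users.IncludeUsers)
                includeGroups = @($p.Conditions.Users.IncludeGroups)
                includeRoles  = @($p.Conditions.Users.IncludeRoles)
                excludeUsers  = $excluded
                excludeGroups = @($p.Conditions.Users.ExcludeGroups)
                excludeRoles  = @($p.Conditions.Users.ExcludeRoles)
            }
        }
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id -BodyParameter $update
    Write-Host "Excluded $serviceUpn from policy '$($p.DisplayName)'"
}
```

If you have migrated to authentication strengths, replace `builtInControls` with an `authenticationStrength` reference to a strength that includes push-based methods, as the note on step 4.f describes.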
Integrating Microsoft 365 with Huntress
In this final section we'll integrate the Huntress MDR for Microsoft 365 with your CSP tenant, choose the downstream tenants (i.e. your customers) you wish to protect, and verify the integration is setup and working properly.
It is highly recommended to use a sanitized browser session for this, without any Microsoft cookies, cached sessions, or ad blocker extensions. For example, an Incognito session in Chrome, an InPrivate window in Edge, or a container tab in Firefox are all acceptable ways to fulfill this recommendation.
- Sign into the Huntress portal as a user with admin rights
- In the upper right-hand of the portal, click the "three lines menu" or "hamburger button", shown below:
- Select "Integrations" from the menu that pops down.
- Click the button in the upper right of the integrations shown
- Choose the "Microsoft 365" option under the Cloud Platforms section.
- Click the button that appears on the next page.
- You will be presented with the standard Microsoft 365 login window that looks similar to the below:
- Enter the username and password for the service account you created previously.
- Respond to the Microsoft Authenticator notification by entering the two-digit code
- You will be presented with a consent dialog like the one below, just longer. Click the blue button after scrolling to the bottom of the requested permissions list
Ensure the application publisher is shown as "Huntress Labs Inc" with the blue checkmark and our logo. This verifies you are using our official app. Do NOT proceed if the company name doesn't match or "Unverified" appears in this dialog. Click cancel and contact Huntress support immediately.
- After completing this you will be redirected to the standard Microsoft login screen again. Re-enter the service account credentials and complete steps 8-10 again. You will be redirected back to the Huntress portal when complete.
If you did not have to provide credentials twice during this process, something such as an ad blocker extension or saved session cookie interfered with onboarding. To correct this issue the integration should be deleted and the onboarding process completed from a clean browser instance.
Mapping Microsoft 365 tenants to Huntress Organizations
Note: Tenant mapping is a 1-to-1 relationship. This means that you can only have one tenant mapped to one organization and vice versa. If you attempt to map a tenant to more than one organization, whichever organization the tenant was mapped to first will ingest data and the rest will not.
- Sign into the Huntress portal as a user with admin rights (if not already/still signed in)
- In the upper right-hand of the portal, click the "three lines menu" or "hamburger button", shown below:
- Select "Integrations" from the menu that pops down.
- Click edit (the pencil icon) for the Microsoft 365 integration
- Select the Unmapped tab under Organization Mappings
- For each tenant you wish to protect, select the appropriate Huntress organization from the pull-down list and click Save Changes when complete.
- If you're trying to onboard a Microsoft tenant that you do not yet have a Huntress Organization for, click the button at the top of the mapping table. You'll be presented with a dialog that will allow you to choose a tenant and create an organization at the same time. Choosing the tenant will automatically populate the Organization Name and Key fields, or you may specify your own if desired.
- If you're trying to onboard your MSP's CSP tenant, look for the designation (MSP Tenant) in the list of organizations. This is always linked to your top-level CSP tenant, of which only one can exist within a Huntress account.
- After clicking Save Changes, Huntress will begin onboarding those tenants and data should begin flowing within 24 hours.
Setup is now complete! If the onboarded tenants already had audit logging turned on, you should see signs of life in the portal within 20-30 minutes, including user accounts, event data, and so on. If audit logging was not already enabled, it can take up to 24 hours before event data appears, although user accounts and other information may appear earlier.
Video Walkthrough