[MSP] MDR for Microsoft 365 Appendix

Appendix Introduction

This document serves as an appendix to our main article, [MSP] Integrating MDR for Microsoft 365, which describes how to integrate the Huntress MDR for Microsoft 365 with your tenant. This article contains items linked from the primary article pertaining to prerequisites or other special considerations during onboarding and configuration. 

Table of Contents

1. Enabling and Verifying Audit Logging
2. Verifying Security Defaults is Disabled
3. Configuring Conditional Access Service Provider Exclusions

Enabling and Verifying Audit Logging

In many cases, Audit Logging is not enabled by default in Microsoft 365, especially in older tenants. Use the below steps to enable audit logging and verify it is fully activated:

1. Browse to https://compliance.microsoft.com
2. Scrolling down the left-hand menu under the "Solutions" section and click the "Audit" option
3. Observe the presence of a large blue button as shown below:
   

If this button is present, audit logging is NOT enabled. Click to enable. Audit logging may take up to 24 hours to fully enable after activation. If the button is NOT present, then audit logging is enabled for this tenant. 

You can verify the audit logging is enabled and active by clicking "Classic Search" at the top of the Audit menu and pressing the blue search button. If results appear, audit logging is active.

Verifying Security Defaults is Disabled

WARNING: Do not disable Security Defaults until Conditional Access is ready to be implemented. Disabling Security Defaults before implementing Conditional Access will leave your tenant in a vulnerable state. Please review this Microsoft article indicating what Security Defaults provide and ensure you maintain a similar security posture via Conditional Access. 

Microsoft Security Defaults is incompatible with the MDR for Microsoft 365 integration due to the lack of ability to define service provider exclusions in Conditional Access Policies. Partners will need to migrate from Security Defaults to Conditional Access Policies. This article from Microsoft explains the Enforced Policies that Security Defaults provide. At a minimum, you should use Conditional Access to implement a posture covering the policies defined in the article. 

To verify if your tenant is utilizing Security Defaults or not, log in to https://portal.azure.com, then:

• Access the Azure Active Directory blade by searching in the top bar or clicking the Azure Active Directory icon as shown:
   
• Click the Properties menu in the left-hand menu and choose "Manage security defaults" at the bottom of the right-hand pane:
  
• After clicking Properties, the right-hand blade will display the Security defaults menu, indicating if the setting is Enabled or Disabled. Examples of both are below:
  
  

Once you are ready to disable Security Defaults, change the option to Disabled and choose "My organization is using Conditional Access." Example below:

Click the Save button at the bottom () when complete.

Don't forget to enable your Conditional Access Policies after disabling Security Defaults. Here is a guide to follow from Microsoft to help you do so: Secure your resources with Conditional Access policy templates - Microsoft Entra 

Configuring Conditional Access Service Provider Exclusions

A service provider exclusion must be configured to prevent failures in each downstream customer tenant being protected by Huntress MDR for Microsoft 365. Conditional Access policies, especially those that enforce multifactor authentication or authentication strengths, can cause integration failure as they're not able to determine if the upstream service account has multifactor enabled. Typically when this is misconfigured, an AADSTS50076 error occurs. Creating the exclusion outlined below will exclude the service provider's (MSP) upstream accounts from the policy and rely on the upstream tenant to enforce the necessary security controls. 

In each downstream customer tenant being protected, perform the following steps:

1. Log in to the customer tenant https://portal.azure.com with an account that has either a Global Administrator or Conditional Access Administrator rights. NOTE: It is acceptable to use delegated access for this step as long as the above roles are present. 
2. Access the Azure Active Directory blade via this link, the Azure Active Directory icon in the portal, or by searching for Azure Active Directory in the top search bar. 
3. In the left-hand menu, select Security
4. In the left-hand menu, under Protect, select Conditional Access
5. In the left-hand menu, select Policies
6. For each conditional access policy with a state of "On" perform the following:
   
   1. Click the Policy Name to open the properties editor
   2. Click the blue text under the "Users" option in the Assignments section
   3. Click Exclude
   4. Check the box next to "Guest or external users"
   5. In the pulldown menu, check/select "Service provider users"
   6. Under "Specify external Azure AD organizations":
      1. Click the Select radio button
      2. Click on the blue text "0 Azure AD organizations selected"
      3. In the right-hand blade that pops out, type in any domain name of your CSP tenant. Alternatively, you can enter your tenant ID if known. After entering, verify the business name and tenant ID of your CSP tenant is displayed and check the box next to it.
      4. Click the "Select" button at the bottom of the right-hand blade pop-out. 
      5. Verify your CSP's name and tenant ID are now displayed under the exclusion list. 
      6. Click Save at the bottom left-hand side. 

It is important that Step 6's 6 steps above are completed for EACH conditional access policy within the protected tenants. This prevents various policies such as multi-factor enforcement, device compliance enforcement, or location restrictions from interfering with the integration.