TEAM: Huntress Managed Identity Threat Detection and Response (ITDR, formerly MDR for Microsoft 365)
ENVIRONMENT: ITDR
SUMMARY: To integrate with Huntress Managed ITDR, the following qualifying requirements must be met.
Azure Active Directory Roles

| ROLE | PURPOSE |
| --- | --- |
| Application Administrator | Read and (future) remediate rogue Azure AD applications. |
| Authentication Policy Administrator | Read authentication policy configuration and (future) remediate or apply policies. |
| Cloud Application Administrator | (Future use) Read and remediate rogue applications installed in Azure AD. |
| Conditional Access Administrator | Read and correct Conditional Access policy configuration that may prevent onboarding or continued use. (Future) Remediate rogue changes to Conditional Access policies, such as an attacker excluding themselves or their country. |
| Exchange Administrator | Read and remediate Exchange configuration changes such as Transport Rules and spam policies. |
| Intune Administrator | (Future) Enumerate device information and apply changes or remediation. |
| Organization Branding Administrator | Used for active Adversary in The Middle (AiTM) detection, which requires modification of the login page CSS. Note: Huntress will add the Service Principal of the application to this role during onboarding. If you use Privileged Identity Management (PIM), admins of the integrated tenant will receive alerts from Microsoft. |
| Privileged Authentication Administrator | Remediate and perform changes to Global Admin accounts when required. |
| Security Administrator | Read security information and reports, (future) apply policies for posture management, and remediate rogue configuration changes. |
| Teams Administrator | (Future use) |
| User Administrator | Read and remediate user entity actions such as revoking sign-ins and disabling accounts. |
Enterprise Application API Permissions

Graph API

| PERMISSION REQUESTED | PURPOSE |
| --- | --- |
| Application.ReadWrite.All | Enumeration and remediation of Azure app registrations and enterprise applications. |
| AuditLog.Read.All, AuditLogsQuery.Read.All | Log/event ingest. |
| CloudApp-Discovery.Read.All | (Future use) Ingest Cloud App Discovery data. |
| DelegatedAdminRelationship.Read.All | (Future use) (CPV Integrations Only) Retrieve GDAP relationship information for troubleshooting/self-healing. |
| Device.Read.All | (Future use) Retrieve device information from Intune. |
| Directory.AccessAsUser.All | (CPV Integrations Only) Enumerate Active Directory entities. |
| Directory.ReadWrite.All | Enumerate user entities. Perform revoke sign-ins and disable user remediation. |
| Domain.Read.All | Enumerate domains assigned to the tenant. |
| IdentityProvider.Read.All | (Future use) Enumerate third-party Identity Providers present in Entra ID. |
| IdentityRiskEvent.ReadWrite.All, IdentityRiskyServicePrincipal.ReadWrite.All, IdentityRiskyUser.Read.All | Ingest of Microsoft risk-based alerts. (Entra ID P2 licenses only) |
| MailboxSettings.ReadWrite | Enumerate mailbox settings, such as Inbox Rules and forwarding. Perform remediation. |
| OrganizationalBranding.ReadWrite.All | Used for session-token theft (AiTM) detection capabilities. |
| PartnerSecurity.ReadWrite.All | (Future use) (CPV Integrations Only) |
| Policy.Read.All | Enumerate organization policies. |
| Policy.ReadWrite.ConditionalAccess | Enumerate, modify and remediate Conditional Access policies and their settings. |
| Reports.Read.All | Read usage reports. Used for billing reconciliation and MFA status. |
| SecurityAlert.Read.All | (Future use) Security alerts ingest. |
| SecurityEvents.Read.All | Log/event ingest. |
| SecurityIncident.Read.All | Log/event ingest. |
| ServiceHealth.Read.All | (Future use) Retrieve Microsoft 365 Service Health information. |
| TeamsAppInstallation.Read.All | (Future use) Enumeration and remediation of Microsoft Teams applications. |
| User.Read.All | Enumerate user entities. |
| UserAuthenticationMethod.ReadWrite.All | Enumerate and remediate authentication methods. Perform password resets. |
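Once consent has been granted, the Graph permissions actually held by the integration's service principal should match the table above: anything missing blocks onboarding, and anything extra is privilege drift worth investigating. The following script is an added example, not Huntress code. It consumes the object shapes Microsoft Graph returns for `GET /servicePrincipals/{id}/appRoleAssignments` and for the `appRoles` collection of the Microsoft Graph service principal, and diffs the resolved permission names against the non-CPV rows of the table. Every GUID, display name and assignment in it is constructed sample data so that it runs offline; to audit a real tenant, feed `resolve_granted()` the two API responses instead.

```python
"""Audit the Microsoft Graph application permissions granted to an
integration's service principal against the list required on this page.

Added example, not Huntress code. It consumes the shapes Microsoft Graph
returns for GET /servicePrincipals/{id}/appRoleAssignments and for the
appRoles collection of the Microsoft Graph service principal. Every GUID,
display name and assignment below is constructed sample data, so the
script runs offline; point resolve_granted() at real API output to audit
a tenant.
"""

import uuid

# Well-known appId of the Microsoft Graph resource application (useful for
# looking up its service principal with $filter=appId eq '...'). The objectId
# of that service principal differs per tenant; the one below is constructed.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
GRAPH_SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"  # constructed

# Graph permissions from the table above. CPV-only rows are left out because
# they apply to partner (CPV) integrations only.
REQUIRED_GRAPH_PERMISSIONS = frozenset({
    "Application.ReadWrite.All", "AuditLog.Read.All", "AuditLogsQuery.Read.All",
    "CloudApp-Discovery.Read.All", "Device.Read.All", "Directory.ReadWrite.All",
    "Domain.Read.All", "IdentityProvider.Read.All",
    "IdentityRiskEvent.ReadWrite.All", "IdentityRiskyServicePrincipal.ReadWrite.All",
    "IdentityRiskyUser.Read.All", "MailboxSettings.ReadWrite",
    "OrganizationalBranding.ReadWrite.All", "Policy.Read.All",
    "Policy.ReadWrite.ConditionalAccess", "Reports.Read.All",
    "SecurityAlert.Read.All", "SecurityEvents.Read.All", "SecurityIncident.Read.All",
    "ServiceHealth.Read.All", "TeamsAppInstallation.Read.All", "User.Read.All",
    "UserAuthenticationMethod.ReadWrite.All",
})


def constructed_guid(name):
    """Deterministic fake GUID used only to build the sample data."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, "constructed:" + name))


def resolve_granted(assignments, graph_app_roles, graph_sp_object_id=GRAPH_SP_OBJECT_ID):
    """Translate appRoleAssignments into permission names.

    Graph returns only the appRoleId, so the Graph service principal's
    appRoles (id -> value) is needed to recover names like 'User.Read.All'.
    Assignments against any other resource (e.g. Exchange Online) are
    returned separately so they are surfaced rather than silently dropped.
    """
    name_by_id = {role["id"]: role["value"] for role in graph_app_roles}
    graph_permissions = set()
    other_resources = []
    for a in assignments:
        if a["resourceId"] == graph_sp_object_id:
            graph_permissions.add(
                name_by_id.get(a["appRoleId"], "<unknown appRoleId %s>" % a["appRoleId"]))
        else:
            other_resources.append((a.get("resourceDisplayName", "?"), a["appRoleId"]))
    return graph_permissions, other_resources


def audit(granted, required=REQUIRED_GRAPH_PERMISSIONS):
    """missing = consent still needed for onboarding; unexpected = grants the
    page does not list, i.e. drift to investigate."""
    return {"missing": sorted(required - granted),
            "unexpected": sorted(granted - required)}


def sample_graph_app_roles():
    """Constructed stand-in for the Graph service principal's appRoles."""
    names = sorted(REQUIRED_GRAPH_PERMISSIONS | {"Mail.ReadWrite"})
    return [{"id": constructed_guid(n), "value": n, "allowedMemberTypes": ["Application"]}
            for n in names]


def sample_assignments():
    """Constructed appRoleAssignments for the audited service principal:
    every required Graph permission except Reports.Read.All, plus
    Mail.ReadWrite (not on the page) and one Exchange Online app role."""
    granted = (REQUIRED_GRAPH_PERMISSIONS - {"Reports.Read.All"}) | {"Mail.ReadWrite"}
    rows = [{"resourceId": GRAPH_SP_OBJECT_ID, "resourceDisplayName": "Microsoft Graph",
             "appRoleId": constructed_guid(n)} for n in sorted(granted)]
    rows.append({"resourceId": "22222222-2222-2222-2222-222222222222",  # constructed
                 "resourceDisplayName": "Office 365 Exchange Online",
                 "appRoleId": constructed_guid("Exchange.ManageAsApp")})
    return rows


def audit_sample():
    """Run the audit over the constructed data and return the findings."""
    granted, other = resolve_granted(sample_assignments(), sample_graph_app_roles())
    result = audit(granted)
    result["other_resources"] = other
    return result


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(key, value)
```

On the sample data the audit reports `Reports.Read.All` as missing and `Mail.ReadWrite` as unexpected, and lists the Exchange Online assignment under other resources. Delegated permissions such as `Directory.AccessAsUser.All` are recorded by Graph as oauth2PermissionGrants rather than appRoleAssignments, so the CPV-only rows need a separate check that this example does not attempt.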
Partner Center API

| PERMISSION REQUESTED | PURPOSE |
| --- | --- |
| user_impersonation | (CPV Integrations Only) Access downstream tenant information. |
Exchange API

| PERMISSION REQUESTED | PURPOSE |
| --- | --- |
| Exchange.Manage (CPV Only), Exchange.ManageAsApp | Perform Microsoft Exchange enumerations and remediations. |
O365 Management API

| PERMISSION REQUESTED | PURPOSE |
| --- | --- |
| ActivityFeed.Read | Log/event ingest. |
| ActivityFeed.ReadDlp | (Future use) Log/event ingest. |
| ServiceHealth.Read | (Future use) Ingest service health metrics. |
Exchange Admin Role Group - Organization Management

| PERMISSION REQUESTED | PURPOSE |
| --- | --- |
| Audit Logs | Determining audit log status and enabling audit logs. |
| Mail Recipients | Enumeration of mailboxes and Inbox Rules; remediation of Inbox Rules. |
| Organization Configuration | Enumeration of tenant-wide configuration (e.g. hydration status) and remediation of conflicting settings. |
| Transport Rules | Enumeration and remediation of tenant-wide Exchange Transport Rules. |
| Role Management | Used to restore missing roles in the Organization Management Role Group. Note: Huntress will attempt to restore the roles above if it detects that they are not present within the Organization Management Role Group. |