TEAM: Huntress Managed Identity Threat Detection and Response (ITDR)
ENVIRONMENT: ITDR
SUMMARY: To integrate a tenant with the Huntress Managed ITDR tool, the following roles and API permissions must be granted to the Huntress enterprise application.
Enterprise Application API Permissions
Azure Active Directory Roles
| ROLE | PURPOSE |
|---|---|
| Application Administrator | Read and (future) remediate rogue Azure AD applications. |
| Authentication Policy Administrator | Read authentication policy configuration and (future) remediate or apply policies. |
| Cloud Application Administrator | (Future Use) Read and remediate rogue applications installed in Azure AD. |
| Conditional Access Administrator | Read and correct Conditional Access policy configuration that may prevent onboarding or continued use. (Future) Remediate rogue changes to CA policies, such as an attacker excluding themselves or their country. |
| Exchange Administrator | Read and remediate Exchange configuration changes such as Transport Rules and spam policies. Note: Huntress will add the Service Principal of the application to this role during onboarding. If you use Privileged Identity Management (PIM), admins of the integrated tenant will receive alerts from Microsoft. |
| Intune Administrator | (Future) Enumerate device information and apply changes or remediation. |
| Organizational Branding Administrator | Used for active Adversary in The Middle (AiTM) detection, which requires modification of the login page CSS. Note: Huntress will add the Service Principal of the application to this role during onboarding. If you use Privileged Identity Management (PIM), admins of the integrated tenant will receive alerts from Microsoft. |
| Privileged Authentication Administrator | Remediate and perform changes to Global Admin accounts when required. |
| Security Administrator | Read security information and reports; (future) apply policies for posture management and remediate rogue configuration changes. |
| Teams Administrator | (Future Use) |
| User Administrator | Read and remediate user entity actions such as revoking sign-ins and disabling accounts. |
Enterprise Application API Permissions
Graph API
| PERMISSION REQUESTED | PURPOSE |
|---|---|
| AiEnterpriseInteraction.Read.All | (Future Use) Enumeration of Copilot interaction events for enterprise Copilot events and detections. |
| Application.ReadWrite.All | Enumeration and remediation of Azure app registrations and enterprise applications. |
| NEW! AppRoleAssignment.ReadWrite.All | For an enhanced onboarding experience and dynamic management of the Huntress Identity Security application. |
| AuditLog.Read.All, AuditLogsQuery.Read.All | Log/event ingest. |
| CloudApp-Discovery.Read.All | (Future Use) Ingest Cloud App Discovery data. |
| DelegatedAdminRelationship.Read.All | (Future Use) (CPV Integrations Only) Retrieve GDAP relationship information for troubleshooting/self-healing. |
| Device.Read.All | (Future Use) Retrieve device information from Intune. |
| NEW! DeviceManagementApps.ReadWrite.All | (Future Use) ISPM |
| NEW! DeviceManagementConfiguration.ReadWrite.All | (Future Use) ISPM |
| NEW! DeviceManagementManagedDevices.PrivilegedOperations.All | (Future Use) ISPM |
| NEW! DeviceManagementManagedDevices.ReadWrite.All | (Future Use) ISPM |
| NEW! DeviceManagementRBAC.ReadWrite.All | (Future Use) ISPM |
| NEW! DeviceManagementServiceConfig.ReadWrite.All | (Future Use) ISPM |
| Directory.AccessAsUser.All | (CPV Integrations Only) Enumerate Active Directory entities. |
| Directory.ReadWrite.All | Enumerate user entities. Perform revoke sign-ins and disable user remediation. |
| NEW! DirectoryRecommendations.ReadWrite.All | (Future Use) ISPM |
| Domain.Read.All | Enumerate domains assigned to the tenant. |
| EduRoster.Read.All | Enumeration of organization structure in educational tenants. |
| Files.ReadWrite.All | (Future Use) Enumeration and remediation of SharePoint site collection file objects. |
| NEW! Group.Read.All | (Future Use) ISPM |
| NEW! Group.ReadWrite.All | (Future Use) ISPM |
| IdentityProvider.Read.All | (Future Use) Enumerate third-party Identity Providers present in Entra ID. |
| IdentityRiskEvent.ReadWrite.All, IdentityRiskyServicePrincipal.ReadWrite.All, IdentityRiskyUser.Read.All | Ingest of Microsoft risk-based alerts. (Entra ID P2 licenses only) |
| Mail.ReadBasic.All | (Future Use) For inbound/outbound phishing/spam campaign detection. |
| Mail.ReadWrite | (Future Use) For inbound/outbound phishing/spam campaign detection and remediation. |
| MailboxSettings.ReadWrite | Enumerate mailbox settings, such as Inbox Rules and forwarding. Perform remediation. |
| NEW! OnPremDirectorySynchronization.Read.All | (Future Use) ISPM |
| NEW! Organization.ReadWrite.All | (Future Use) ISPM |
| OrganizationalBranding.ReadWrite.All | For session-token theft (AiTM) detection capabilities; see the Organizational Branding Administrator role above. |
| PartnerSecurity.ReadWrite.All | (Future Use) (CPV Integrations Only) |
| Policy.Read.All | Enumerate organization policies. |
| NEW! Policy.ReadWrite.AccessReview | (Future Use) ISPM |
| NEW! Policy.ReadWrite.ApplicationConfiguration | (Future Use) ISPM |
| NEW! Policy.ReadWrite.AuthenticationFlows | (Future Use) ISPM |
| NEW! Policy.ReadWrite.AuthenticationMethod | (Future Use) ISPM |
| NEW! Policy.ReadWrite.Authorization | (Future Use) ISPM |
| Policy.ReadWrite.ConditionalAccess | Enumerate, modify and remediate Conditional Access policies and their settings. |
| NEW! Policy.ReadWrite.ConsentRequest | (Future Use) ISPM |
| NEW! Policy.ReadWrite.CrossTenantAccess | (Future Use) ISPM |
| NEW! Policy.ReadWrite.DeviceConfiguration | (Future Use) ISPM |
| NEW! Policy.ReadWrite.ExternalIdentities | (Future Use) ISPM |
| NEW! Policy.ReadWrite.FeatureRollout | (Future Use) ISPM |
| NEW! Policy.ReadWrite.IdentityProtection | (Future Use) ISPM |
| NEW! Policy.ReadWrite.PermissionGrant | (Future Use) ISPM |
| NEW! Policy.ReadWrite.SecurityDefaults | (Future Use) ISPM |
| NEW! Policy.ReadWrite.TrustFramework | (Future Use) ISPM |
| Presence.Read.All | (Future Use) Enumeration of extended identity presence data. |
| Reports.Read.All | Read usage reports. Used for billing reconciliation and MFA status. |
| NEW! ReportSettings.ReadWrite.All | (Future Use) ISPM |
| NEW! RoleManagement.Read.All | (Future Use) ISPM |
| RoleManagement.ReadWrite.Directory | Enumeration and self-healing of roles for the ITDR integration. |
| NEW! SecurityActions.ReadWrite.All | (Future Use) ISPM |
| NEW! SecurityAlert.ReadWrite.All | (Future Use) ISPM |
| NEW! SecurityEvents.ReadWrite.All | (Future Use) ISPM |
| SecurityIncident.Read.All | Log/event ingest. |
| ServiceHealth.Read.All | (Future Use) Retrieve Microsoft 365 Service Health information. |
| NEW! SharePointTenantSettings.ReadWrite.All | (Future Use) ISPM |
| Sites.ReadWrite.All | (Future Use) Enumeration and remediation of SharePoint site collection objects. |
| TeamsAppInstallation.Read.All, TeamsAppInstallation.ReadWriteForChat.All, TeamsAppInstallation.ReadWriteForTeam.All, TeamsAppInstallation.ReadWriteForUser.All | (Future Use) Enumeration and remediation of Microsoft Teams applications. |
| NEW! TeamSettings.ReadWrite.All | (Future Use) ISPM |
| NEW! User.Export.All | (Future Use) ISPM |
| NEW! User.Invite.All | (Future Use) ISPM |
| NEW! User.ManageIdentities.All | (Future Use) ISPM |
| User.EnableDisableAccount.All | Allows disabling/containment of admin accounts when compromised. |
| User.Read.All | Enumerate user entities. |
| NEW! User.ReadWrite.All | (Future Use) ISPM |
| UserAuthenticationMethod.ReadWrite.All | Enumerate and remediate authentication methods. Perform password resets. |
Partner Center API
| PERMISSION REQUESTED | PURPOSE |
|---|---|
| user_impersonation | (CPV Integrations Only) Access downstream tenant information. |
Exchange API
| PERMISSION REQUESTED | PURPOSE |
|---|---|
| Exchange.Manage (CPV Only), Exchange.ManageAsApp | Perform Microsoft Exchange enumerations and remediations. |
O365 Management API
| PERMISSION REQUESTED | PURPOSE |
|---|---|
| ActivityFeed.Read | Log/event ingest. |
| ActivityFeed.ReadDlp | (Future Use) Log/event ingest. |
| ServiceHealth.Read | (Future Use) Ingest service health metrics. |
Exchange Admin Role Group - Organization Management
| PERMISSION REQUESTED | PURPOSE |
|---|---|
| Audit Logs | Determining Audit Log status and enabling Audit Logs. |
| Mail Recipients | Enumeration of mailboxes and Inbox Rules; remediation of Inbox Rules. |
| Organization Configuration | Enumeration of tenant-wide configuration (e.g. hydration status) and remediation of conflicting settings. |
| Transport Rules | Enumeration and remediation of tenant-wide Exchange Transport Rules. |
| Role Management | Used to restore missing roles in the Organization Management Role Group. Note: Huntress will attempt to restore the roles listed above if it detects they are not present within the Organization Management Role Group. |
Revision History
| REVISION | DETAILS |
|---|---|
| 29-DEC-25 Revision (v6) - Preliminary Onboarding 2.0 Preparation | |
| Permissions Added | AppRoleAssignment.ReadWrite.All |
| 31-OCT-25 Revision (v5) - Outbound Phishing Detection & ISPM | |
| Permissions Added | DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementRBAC.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, DirectoryRecommendations.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, OnPremDirectorySynchronization.Read.All, Organization.ReadWrite.All, Policy.ReadWrite.AccessReview, Policy.ReadWrite.ApplicationConfiguration, Policy.ReadWrite.AuthenticationFlows, Policy.ReadWrite.AuthenticationMethod, Policy.ReadWrite.Authorization, Policy.ReadWrite.ConsentRequest, Policy.ReadWrite.CrossTenantAccess, Policy.ReadWrite.DeviceConfiguration, Policy.ReadWrite.ExternalIdentities, Policy.ReadWrite.FeatureRollout, Policy.ReadWrite.IdentityProtection, Policy.ReadWrite.PermissionGrant, Policy.ReadWrite.SecurityDefaults, Policy.ReadWrite.TrustFramework, ReportSettings.ReadWrite.All, RoleManagement.Read.All, SecurityActions.ReadWrite.All, SecurityAlert.ReadWrite.All, SecurityEvents.ReadWrite.All, SharePointTenantSettings.ReadWrite.All, TeamSettings.ReadWrite.All, User.Export.All, User.Invite.All, User.ManageIdentities.All, User.ReadWrite.All |
| Permissions Removed | SecurityActions.Read.All, SecurityAlert.Read.All, SecurityEvents.Read.All |
| 02-OCT-25 Revision (v4) - Preliminary Phishing Detection & Timeline Visibility | |
| Permissions Added | AiEnterpriseInteraction.Read.All, EduRoster.Read.All, Files.ReadWrite.All, Mail.ReadWrite, Presence.Read.All, Sites.ReadWrite.All |
| 14-NOV-24 Revision (v3) - Expanded Event Visibility | |
| Permissions Added | Device.Read.All, IdentityProvider.Read.All, AuditLogsQuery.Read.All, CloudApp-Discovery.Read.All, SecurityActions.Read.All, SecurityAlert.Read.All, SecurityEvents.Read.All, ServiceHealth.Read.All, TeamsAppInstallation.Read.All, TeamsAppInstallation.ReadWriteForChat.All, TeamsAppInstallation.ReadWriteForTeam.All, TeamsAppInstallation.ReadWriteForUser.All |
| 09-MAY-24 Revision (v2) - Risk Based Event Visibility | |
| Permissions Added | IdentityRiskEvent.ReadWrite.All, IdentityRiskyServicePrincipal.ReadWrite.All, IdentityRiskyUser.ReadWrite.All |
| 29-FEB-24 Initial Release (v1) - Initial Multi-Tenant App Release | |