TEAM: Huntress Managed Identity Threat Detection and Response (ITDR, formerly MDR for Microsoft 365)
ENVIRONMENT: Huntress Portal
SUMMARY: Partners wishing to integrate a Microsoft 365 GCC High (Government Community Cloud High) tenant with Huntress Managed ITDR need to use this method instead of the other available methods. GCC High has specific requirements that necessitate this integration method.
This method of integration is for GCC High tenants only. This type of tenant is typically used by governments and government contractors handling Controlled Unclassified Information (CUI), International Traffic in Arms Regulations (ITAR) data, and similar requirements. If you are a Commercial or GCC (sometimes called GCC Low) Microsoft 365 customer, please use our standard direct integration method here.
Prerequisites
This functionality must be enabled by your account manager. Reach out to them to have this activated prior to attempting integration.
- An admin-level user account in the Huntress.io portal
- A Managed ITDR trial or subscription
- A Microsoft 365 GCC High environment
- A system capable of running an unsigned PowerShell 5.x script, with the following requirements:
  - The AzureAD module is installed (the integration script will attempt to install it if it's missing)
  - The system used to run the script is able to connect to the GCC High environment being integrated (i.e. a registered/managed device (if required), from a location or network allowed by conditional access, etc.)
- At least 1 active Exchange Online license in the Microsoft 365 tenant
- A Microsoft 365 user with:
  - The Global Admin role
- Audit Logs need to be enabled (Huntress will attempt to enable them upon integration if disabled)
- The Exchange admin role group Organization Management must contain the following roles and have Exchange Administrator assigned as a member (this is the default Microsoft 365 configuration):
  - Audit Logs, Mail Recipients, Organization Configuration, Transport Rules
  - Role Management (this role is used to add any missing roles from above)
  - Huntress will attempt to add the missing roles to the Organization Management role group if it detects they are missing.
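An added pre-flight check, not the Huntress integration script or any Huntress code, that verifies the tenant-side prerequisites above before the script is run. It assumes the ExchangeOnlineManagement module is installed and uses that module's O365USGovGCCHigh environment name for GCC High:

```powershell
# Added pre-flight check (not the Huntress integration script). Assumes the
# ExchangeOnlineManagement module is installed; O365USGovGCCHigh is that
# module's environment name for the GCC High cloud. Run as the Global Admin.
$requiredRoles = @('Audit Logs', 'Mail Recipients', 'Organization Configuration', 'Transport Rules', 'Role Management')
$problems = @()

# 1. PowerShell 5.x and the AzureAD module (the integration script can install the
#    module, but a locked-down host may block that, so check up front).
if ($PSVersionTable.PSVersion.Major -ne 5) { $problems += "PowerShell 5.x expected, found $($PSVersionTable.PSVersion)" }
if (-not (Get-Module -ListAvailable -Name AzureAD)) { $problems += 'AzureAD module is not installed' }

# 2. Connect to Exchange Online in the GCC High cloud with the Global Admin account.
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh -ShowBanner:$false

# 3. Unified audit log ingestion must be enabled (Huntress will try to enable it,
#    but it is better to know beforehand if a policy prevents that).
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) { $problems += 'Unified audit log ingestion is disabled' }

# 4. Organization Management must carry the four roles plus Role Management.
$orgMgmt = Get-RoleGroup -Identity 'Organization Management'
$missing = $requiredRoles | Where-Object { $orgMgmt.Roles -notcontains $_ }
if ($missing) { $problems += "Organization Management is missing roles: $($missing -join ', ')" }

# 5. Exchange Administrator must be a member of Organization Management.
#    The member display name can differ in older tenants, so review the list if this fires.
$members = Get-RoleGroupMember -Identity 'Organization Management'
if (-not ($members | Where-Object { $_.Name -eq 'Exchange Administrator' })) {
    $problems += "Exchange Administrator not found among Organization Management members: $(($members | ForEach-Object Name) -join ', ')"
}

# 6. At least one mailbox implies at least one active Exchange Online license.
if (-not (Get-Mailbox -ResultSize 1)) { $problems += 'No mailboxes found: check Exchange Online licensing' }

Disconnect-ExchangeOnline -Confirm:$false
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { Write-Host 'All GCC High prerequisites look satisfied.' }
```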
During the on-boarding process, Huntress will add the Service Principal for the "Huntress Security Platform (gcchigh)" App Registration to the Exchange Administrator and Organization Branding Administrator Entra built-in roles. If you are utilizing Privileged Identity Management (PIM) you will receive alerts notifying you of these changes.
The integration process takes approximately 10 minutes per Microsoft 365 tenant.
Data may take up to 24 hours to begin flowing, and longer for legacy tenants.
1. Download the PowerShell integration script from the bottom of this support article and place it in a known location. The screenshots in this article depict the script located in %USERPROFILE%\Downloads.
2. For best results, run this script via the command line and verify the output matches the below:
NOTE: Compatibility when executing the script from within the PowerShell ISE or VSCode may be inconsistent.
3. At this stage a Modern Authentication window will pop up. Keep an eye out for it, as it may pop up behind existing windows. Log in with Global Administrator credentials:
4. At this phase, open a web browser and paste the link output by the script into the address bar. The script copies this to the clipboard automatically, so it just needs to be pasted. If the paste fails for any reason, you can copy it from the terminal and paste it into the browser window.
5. Log in using the same Global Administrator credentials used in Step 3. A consent window will be presented. Review the requested permissions in the consent window and, if you agree, click Accept in the lower right corner:
NOTE: The permissions below may not be the most up-to-date manifest. Verify the permissions shown in the consent request window. A full breakdown of which permissions Huntress requests and why can be found here.
6. At this time you will be redirected to the Azure App Registrations page. Return to the command prompt window and press any key to continue. The script will pause for 10 seconds and then continue. During this phase it verifies that the app has been registered and that all of the permissions are present and consented. If there are any errors in this phase, reach out to support for further assistance. Otherwise, continue to Step 7.
7. The script should have completed successfully and will output a base64 string between two lines, as shown below. Copy this string (between the BEGIN and END lines, not including the lines themselves) to the clipboard and be prepared to enter it into the Huntress portal in the steps below:
Treat the base64-encoded string in the same manner you would treat protected credentials. It contains credentials for the App Registration created during this integration process.
8. Log in to the Huntress portal with an Admin account, click the "three lines" menu in the upper right and select the Integrations option:
9. Click the green button in the upper right of the Integrations menu and select Microsoft 365:
10. Click the button in the upper right, assign (or create) an organization for the integration, check the GCC High box, paste the script output into the appropriate box, and click Submit:
11. If all went well, a green banner will be displayed indicating that onboarding is in progress. Huntress will begin the integration process in the background, and the organization information will populate as the process completes. No further action is needed after this step.
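An added post-onboarding check, not Huntress code, to confirm which service principals now hold the Exchange Administrator and Organization Branding Administrator roles that onboarding assigns, so that the Huntress app's membership is the only one present and any other service principal in those roles gets reviewed. It assumes the AzureAD module from the prerequisites and that module's AzureUSGovernment environment name for a GCC High tenant:

```powershell
# Added post-onboarding check (not Huntress code). Assumes the AzureAD module is
# installed; AzureUSGovernment is that module's environment name used for GCC High
# tenants. Run as the Global Admin after the green "onboarding in progress" banner.
Connect-AzureAD -AzureEnvironmentName AzureUSGovernment | Out-Null

$expectedApp   = 'Huntress Security Platform (gcchigh)'   # App Registration name from the article
$expectedRoles = @('Exchange Administrator', 'Organization Branding Administrator')

foreach ($roleName in $expectedRoles) {
    # Get-AzureADDirectoryRole only lists roles that have been activated in the tenant;
    # a role that has never had a member is absent, which is itself worth knowing.
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
    if (-not $role) { Write-Warning "Role '$roleName' is not activated in this tenant"; continue }

    # Only service principal members matter here; user and group members are listed separately by PIM.
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    $sps = $members | Where-Object { $_.ObjectType -eq 'ServicePrincipal' }

    Write-Host "`n$roleName - service principal members:"
    foreach ($sp in $sps) {
        $tag = if ($sp.DisplayName -eq $expectedApp) { 'expected (Huntress)' } else { 'REVIEW: not the Huntress app' }
        Write-Host ('  {0,-45} {1}  [{2}]' -f $sp.DisplayName, $sp.AppId, $tag)
    }
    if (-not ($sps | Where-Object { $_.DisplayName -eq $expectedApp })) {
        Write-Warning "Huntress service principal is not (yet) a member of '$roleName'; onboarding may still be running"
    }
}
```

Keep the listing with the PIM alerts mentioned above as the record of what the onboarding changed in the tenant.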