Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Microsoft Defender for Endpoint, Microsoft 365 GCC High
Environment: Windows
Summary: Integrate a Microsoft 365 GCC High tenant with Microsoft Defender for Endpoint on the Huntress Platform.
This integration method is for Government Community Cloud High (GCC High) tenants only. This tenant type is typically used by governments and government contractors dealing with Controlled Unclassified Information (CUI) and International Traffic in Arms Regulations (ITAR). If you are a commercial or GCC customer, use the standard direct integration method instead.
Before You Begin
This functionality must be enabled by your Account Manager. Reach out to their team to activate this feature before attempting integration. Ensure you have the following requirements ready:
- A Huntress user account with the Admin role.
- An active Managed EDR subscription or trial.
- A Microsoft 365 GCC High environment.
- A Microsoft 365 user account with the Global Admin role.
- A system running Windows PowerShell 5.x capable of executing unsigned scripts, with either the Microsoft Graph PowerShell SDK module (preferred) or the Azure Active Directory module installed.
- At least one active Exchange Online license in the Microsoft 365 tenant.
- Audit Logs: Audit logs must be enabled. Huntress attempts to enable them during integration if they are disabled.
- Exchange Role Group: The Organization Management role group must have the Role Management role and contain the Audit Logs, Mail Recipients, Organization Configuration, and Transport Rules roles, with Exchange Administrator assigned as a member. Huntress attempts to add missing roles automatically if needed. It must
- Service Principal: During onboarding, Huntress adds the Service Principal for the "Huntress Security Platform (gcchigh)" App Registration to the Exchange Administrator and Organization Branding Administrator Entra built-in roles. If you use Privileged Identity Management (PIM), you will receive alerts for these changes.
- Timeline: The integration process takes approximately 10 minutes per tenant. Data can take up to 24 hours to flow.
Task Steps
- Download the PowerShell integration script from the links at the bottom of this article and save it to a known local folder.
- Open the command line and navigate to the folder where you saved the script using the cd command.
- Example: cd $env:USERPROFILE\Downloads
- Run the script by prefixing the filename with a period and a backslash (.\).
- Example: .\HuntressAppRegistration-GCCHIGH-MgGraph.ps1
- Verify that the output matches the terminal window display.
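Running the script from within the PowerShell ISE or VS Code can cause compatibility problems. If you receive unsigned script errors, run Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process in an elevated administrator window before running the script. The Process scope applies only to that PowerShell session, so run the script from the same window; the policy reverts when the window is closed.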
- When the Modern Authentication window appears, log in using your Global Administrator credentials.
- Open a web browser, paste the link generated by the script into the address bar, and log in with your Global Administrator credentials.
The script automatically copies the URL to your clipboard. If the paste fails, manually copy the URL from the terminal window.
- Review the requested permissions in the consent window, and click Accept.
The permissions shown in the application manifest may change over time. Always verify the live requests in the consent window. For a full breakdown of requested permissions, review our permissions reference guide.
- When redirected to the Azure App Registrations page, return to the command prompt window and press any key to continue.
- Wait for the script to verify the application registration and permissions (about 10 seconds).
- When the script successfully completes, copy the generated base64 string located between the indicator lines to your clipboard.
Treat the base64 encoded string as protected credentials. It contains access keys for the App Registration created during this integration. Do not copy the BEGIN or END text lines.
- Log in to Huntress and go to Integrations.
- Click Add, select Microsoft Defender for Endpoint, and then click Add Tenant.
- Assign an organization to the integration, select the GCC High checkbox, paste the base64 script output into the field, and click Submit.
Result
A green confirmation banner indicates that onboarding is in progress. The Huntress Platform handles the tenant integration in the background, and organization data populates automatically as the process completes.
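To confirm the directory-role changes described under Before You Begin once onboarding has finished, the following added example (not part of the Huntress script or this article's downloads) lists the Entra roles the service principal actually holds and compares them with the two roles named above. It assumes the Microsoft Graph PowerShell SDK is installed and that the service principal's display name matches the App Registration name quoted in this article.

```powershell
# Added example (not Huntress code): read-only audit of the Entra directory
# roles held by the integration's service principal after onboarding.
# Assumptions: the service principal's display name equals the App Registration
# name quoted in this article, and the signed-in account may read role data.
$AppName  = 'Huntress Security Platform (gcchigh)'
$Expected = 'Exchange Administrator', 'Organization Branding Administrator'

# USGov is the Graph SDK environment for the Azure US Government cloud.
Connect-MgGraph -Environment USGov -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory'

$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppName'" -All)
if ($sp.Count -ne 1) {
    throw "Expected one service principal named '$AppName', found $($sp.Count)."
}

# Map role definition IDs to display names, then resolve the active assignments.
# (PIM-eligible assignments are stored separately and are not covered here.)
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

$held = @(Get-MgRoleManagementDirectoryRoleAssignment -All -Filter "principalId eq '$($sp[0].Id)'" |
    ForEach-Object { $roleNames[$_.RoleDefinitionId] } | Sort-Object -Unique)

[pscustomobject]@{
    ServicePrincipalId = $sp[0].Id
    AppId              = $sp[0].AppId
    RolesHeld          = $held -join '; '
    MissingExpected    = @($Expected | Where-Object { $_ -notin $held }) -join '; '
    UnexpectedExtra    = @($held | Where-Object { $_ -notin $Expected }) -join '; '
} | Format-List

Disconnect-MgGraph | Out-Null
```

A non-empty UnexpectedExtra value means the service principal holds a role this article does not mention and should be reviewed before the integration is left in place.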
Troubleshooting Script Versions
There are two versions of the script available for download below:
- MgGraph Version (Preferred): Utilizes the Microsoft Graph SDK for PowerShell. Tested with Graph SDK v2.28.0 or newer. If you experience AADSTS50011 errors during integration, downgrade your Graph SDK to v2.28.0 or use the AzureAD version.
- AzureAD Version: Utilizes the deprecated Azure Active Directory module. Use this version as an alternative onboarding method if you encounter unresolved issues with the Microsoft Graph version.
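The workstation requirements from Before You Begin, the ISE/VS Code and execution-policy notes in Task Steps, and the Graph SDK version mentioned above can be checked in one pass before running the script. This is an added, read-only example, not Huntress code; the default script path and the use of Microsoft.Graph.Authentication as the marker module for the Graph SDK are assumptions.

```powershell
# Added example (not Huntress code): read-only pre-flight check for the
# workstation that will run the GCC High integration script.
function Test-IntegrationPrereqs {
    param(
        # Assumption: script saved to Downloads under the name used in Task Steps.
        [string]$ScriptPath = (Join-Path $env:USERPROFILE 'Downloads\HuntressAppRegistration-GCCHIGH-MgGraph.ps1'),
        # Version quoted in "Troubleshooting Script Versions".
        [version]$TestedGraphVersion = '2.28.0'
    )
    # Newest installed copy of each module the two script versions rely on.
    $graph = Get-Module -ListAvailable -Name Microsoft.Graph.Authentication |
        Sort-Object Version -Descending | Select-Object -First 1
    $azureAd = Get-Module -ListAvailable -Name AzureAD |
        Sort-Object Version -Descending | Select-Object -First 1

    $policy = Get-ExecutionPolicy          # effective policy for this session
    $file   = Get-Item -LiteralPath $ScriptPath -ErrorAction SilentlyContinue
    $sig = $null; $hash = $null; $fromInternet = $false
    if ($file) {
        $sig  = (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        # A Zone.Identifier stream marks the file as downloaded; RemoteSigned
        # refuses such files when they are unsigned.
        $fromInternet = [bool](Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)
    }
    # Would the current policy stop this file from running?
    $blocked = switch ("$policy") {
        'Restricted'   { $true }
        'AllSigned'    { $sig -ne 'Valid' }
        'RemoteSigned' { $fromInternet -and ($sig -ne 'Valid') }
        default        { $false }          # Unrestricted or Bypass
    }
    [pscustomobject]@{
        PowerShell5x       = $PSVersionTable.PSVersion.Major -eq 5
        ConsoleHost        = $Host.Name -eq 'ConsoleHost'   # false in ISE / VS Code
        GraphSdkVersion    = $graph.Version
        GraphSdkTested     = [bool]($graph -and $graph.Version -ge $TestedGraphVersion)
        AzureAdVersion     = $azureAd.Version
        ExecutionPolicy    = $policy
        ScriptFound        = [bool]$file
        SignatureStatus    = $sig
        Sha256             = $hash
        PolicyBlocksScript = $blocked
    }
}

Test-IntegrationPrereqs | Format-List
```

Record the Sha256 value with your change ticket so the exact file that was run under Global Administrator credentials can be identified later.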
Downloads