TEAM: Huntress Managed Identity Threat Detection and Response (ITDR)
SUMMARY: Commonly asked questions about the Huntress Managed ITDR integration.
Which permissions are required for Huntress to manage ITDR?
Here is our KB with a full breakdown of all the permissions required and what they do.
Microsoft 365: Huntress Managed ITDR Permissions Breakdown
Google Workspace: Scope and Permission Justifications for ITDR for GWS
How do I exclude a user from the Managed ITDR licensing?
Huntress and the security community consider every user a potential attack vector for a threat actor to leverage in an incident. Users can be created and removed on the fly, and ensuring that Huntress can see all user information (including service accounts and other account types) is the best security outcome.
Huntress does not bill for all user accounts, only those that are actually billed for by Microsoft/Google.
For example, this excludes guests and most shared mailboxes. You can read the full breakdown of our billing methodology here.
Which Microsoft 365 licenses are excluded?
Please take a look at the following guide to see what licenses we exclude: Licenses that Huntress Excludes
Will you be adding coverage for Google Workspace?
Yes! Google Workspace support has officially been added. Check out our Google Workspace documentation for more information.
Why does Huntress incorrectly report Microsoft 365 MFA as Disabled in the portal?
The Huntress portal uses a turnkey report from Microsoft to display MFA status. This report does not recognize all methods of MFA enforcement, such as the legacy per-user multi-factor authentication, so Huntress will report accounts protected by those methods as not having MFA. Moving to enforcement by Conditional Access, for example, will be correctly reported in the Huntress portal. This report also requires that the tenant have Entra ID P1; tenants on the Entra ID Free tier may incorrectly report MFA status.
Does Huntress recognize third-party MFA for Microsoft 365 as Enabled in the portal?
The Huntress portal uses a turnkey report from Microsoft to display MFA status. As this report does not account for third-party MFA usage, Huntress will not report this as having MFA enabled. This report also requires that the tenant have Entra ID P1; tenants on the Entra ID Free tier may incorrectly report MFA status.
Can Huntress read my clients' emails with this product?
Previously the answer to this question was no. In December 2025, Huntress introduced detections that expose e-mail contents within Microsoft 365 to its detection engine and analysts. E-mail contents are currently used in the detection of outbound phishing/spam campaigns and will be used to locate phishing lures in the future.
Will Huntress block or disable accounts when they are compromised?
Yes. Huntress will revoke all active sessions and disable a Microsoft 365 account when it's suspected the account is involved in malicious activity.
How long does Huntress keep my logs from my identity provider?
With the introduction of Huntress Managed SIEM, ITDR data may be kept for up to 1 year at no additional charge.
How long does it take for my Microsoft 365 logs to reach Huntress systems?
There is always some variability, but we generally receive and begin processing logs from Microsoft within the first hour after onboarding. In tenants where audit logging was not yet enabled when Huntress was onboarded, it can take up to 24 hours.
Will Huntress Managed ITDR detect existing malicious activity in my environment?
The product will detect existing malicious inbox rules but will not detect historical malicious logins.
Does Managed ITDR have an external API available?
Yes! Please visit Huntress API.