---
title: "Microsoft 365 Defender"
slug: "microsoft-365-defender"
updated: 2024-07-23T14:40:03Z
published: 2024-07-23T14:40:03Z
---


# Microsoft 365 Defender

## **1. About this document**

---

This document provides step-by-step instructions to configure Microsoft 365 Defender in SAFE.

> [!NOTE]
> **Note:** This integration supports only the standard policies or templates in the source product for Risk Scenario calculations in SAFE, based on their mapping to FAIR CAM controls.

## **2. Introduction**

---

> [!NOTE]
> **Note:** Misconfigurations are available only for products or services that are configured in Microsoft 365 Defender and whose prerequisites are met. Click the "Learn more" link next to a product name to check its prerequisites and find step-by-step configuration instructions.

SAFE integrates with Microsoft 365 Defender to fetch the configuration assessment of the following Microsoft products:

1. Microsoft Teams (Enabled by Default)
2. Microsoft 365 Exchange Online (Enabled by Default)
3. Microsoft SharePoint Online (Enabled by Default)
4. Microsoft Azure AD (Enabled by Default)
5. Microsoft 365 (Enabled by Default)
6. Microsoft Defender for Endpoint ([Learn more](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide))
7. Microsoft Intune
8. Microsoft Information Protection
9. Microsoft Defender for Identity ([Learn more](https://learn.microsoft.com/en-us/defender-for-identity/deploy-defender-identity))
10. Microsoft Defender for Cloud Apps ([Learn more](https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-get-started))
11. App governance ([Learn more](https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-get-started))
12. Citrix ShareFile ([Learn more](https://learn.microsoft.com/en-us/defender-cloud-apps/connect-citrix-sharefile))
13. Docusign ([Learn more](https://learn.microsoft.com/en-us/defender-cloud-apps/connect-docusign))
14. GitHub ([Learn more](https://learn.microsoft.com/en-us/defender-cloud-apps/connect-github-ec))
15. Okta ([Learn more](https://learn.microsoft.com/en-us/defender-cloud-apps/connect-okta))
16. Salesforce ([Learn more](https://learn.microsoft.com/en-us/defender-cloud-apps/connect-salesforce))
17. ServiceNow ([Learn more](https://learn.microsoft.com/en-us/defender-cloud-apps/connect-servicenow))
18. Zoom ([Learn more](https://learn.microsoft.com/en-us/defender-cloud-apps/connect-zoom))

## **3. Prerequisites**

---

- Azure Active Directory Primary Domain.
- Azure Active Directory application with SecurityEvents.Read.All permission.
- Client ID and Client Secret associated with the above application.
- SAFE admin access.

## 4. Generate Connection Details (Client ID and Client Secret)

---

1. Log in to the [Microsoft 365 admin center](http://admin.microsoft.com/).
2. From the left navigation menu, navigate to **Azure Active Directory** (this opens a new tab).
3. Click **Overview** in the left navigation.
4. Here, you can see the value for the **Primary Domain**. **Copy** and **save** this value to use while configuring Microsoft 365 Defender in SAFE in the next section. Alternatively, you can open SAFE in a new tab, go to the Microsoft 365 Defender configuration page, and enter the Primary Domain in the respective field.

![Def1](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Def1.png)
5. Expand Applications, then select the **App registrations** option from the left navigation.
6. At the top of the page, click **New registration**.

![Def2](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Def2.png)
7. Enter a **Name** and click the **Register** button. All other settings can stay as default.

![Def3](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Def3.png)
8. **Copy** and **save** the value for the **Application (Client) ID** to use while configuring Microsoft 365 Defender in SAFE in the next section.

Alternatively, you can paste the **Client ID** on the Microsoft 365 Defender configuration page in SAFE.
9. Next, click **API Permissions** in the left navigation.
10. Click the **Add a permission** option available in the center of the page.

![Def5](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Def5.png)
11. From the options, select **Microsoft Graph**.

![Def6](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Def6.png)
12. Click on the **Application permissions** option.
13. Search for **SecurityEvents.Read.All** and tick the box to select it.

![Def7](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Def7.png)
14. Click the **Add permissions** button.

Admin Consent

You now need to grant admin consent to apply this permission. If you do not have the privileges to do so, ask your administrator to grant it.
15. Select **Certificates & secrets** from the left navigation.
16. Click on the **New client secret** option available in the center of the page.

![Def8](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Def8.png)
17. Enter a **Description** and select an option from the **Expiry** drop-down.
18. Click the **Add** button at the bottom of the page.
19. The **Client Secret** value is available in the **Value** column. **Copy** and **save** this value to use while configuring Microsoft 365 Defender in SAFE in the next section.

Alternatively, you can paste the **Client Secret** on the Microsoft 365 Defender configuration page in SAFE.

![Defender 365](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Defender%20365.png)
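
To confirm that the app registration carries only the permission listed in the prerequisites, you can inspect the `roles` claim of an access token issued to the app. The following is an added example, not part of SAFE's or Microsoft's documentation; the function names and the sample tokens are constructed for illustration, and it assumes the token is a JWT issued for Microsoft Graph through the client credentials flow.

```python
import base64
import json

# Application permission this page asks for (section 3 and step 13).
EXPECTED_ROLES = {"SecurityEvents.Read.All"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    For inspection only: never base an authorization decision on this.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def audit_roles(jwt: str, expected=EXPECTED_ROLES) -> dict:
    """Compare the token's 'roles' claim with the permission the page requires."""
    granted = set(token_claims(jwt).get("roles", []))
    return {
        "missing": sorted(set(expected) - granted),  # permission not added or consent not granted
        "excess": sorted(granted - set(expected)),   # broader than this integration needs
        "ok": granted == set(expected),
    }


def make_sample_token(roles) -> str:
    """Build a constructed, unsigned token for the demo (not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    payload = {"aud": "https://graph.microsoft.com", "roles": roles}
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), "sig"])


if __name__ == "__main__":
    samples = (["SecurityEvents.Read.All"],                             # as configured above
               [],                                                      # consent still pending
               ["SecurityEvents.Read.All", "Directory.ReadWrite.All"])  # over-privileged
    for roles in samples:
        print(roles, "->", audit_roles(make_sample_token(roles)))
```

An empty `missing` list with a non-empty `excess` list means the integration will work but the Client Secret grants more access than SAFE needs, which matters because that secret is stored in a third-party platform.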

## 5. Configure Microsoft 365 Defender in SAFE

---

1. Navigate to Integrations.
2. Click the **Microsoft 365 Defender** card.
3. Enter the **Primary domain**, **Client ID**, and **Client Secret** generated in **section 4**.
4. Select the **Auto Sync frequency** in number of days.
5. In the **Product Exclude List** drop-down, select the products for which you do not want SAFE to fetch assets and misconfigurations.
6. Click the **Test Connection** button. A success message appears when the connection is successful.
7. Click the **Save** button.
8. Click the **Sync Now** button to trigger an on-demand sync.
9. Upon a successful sync, the system adds the Microsoft 365 Defender assets to SAFE, and their assessments and scores can be reviewed. You can track the status of the sync in the History table.

## **View results**

---

Scroll down to the **Finding View** and **Asset View** on the configuration page.

- **Findings View:** This tab displays the details of all findings fetched from Microsoft 365 Defender.
- **View Assets:** This tab displays all the assets pulled from Microsoft 365 Defender.

## 6. History

---

[Learn More about Integration History here.](/safe-4/docs/integration-history)

## 8. SAFE's Outgoing IP Addresses

---

[Click here](/safe-4/docs/safes-outgoing-ip-addresses) to find the outgoing IP addresses of SAFE. For any integration, traffic from SAFE arrives with one IP address as the source IP of the incoming connection.

## **9. FAQs**

---

**Q. How does the Control Status get calculated?**

SAFE uses a field named "scoreInPercentage" from the Defender API to determine whether the configuration is done properly. This field is equivalent to the points achieved shown in the UI; the UI shows the value in points, while the API provides it as a percentage.

**Examples**

1. If the UI shows "Points Achieved" as 1/1, the corresponding API response is 100%, and the status is "Completed." When the status in the UI is "Completed," the Control Status in the SAFE UI is Qualified because the configuration is done properly.
2. If the UI shows "Points Achieved" as 0/10, the corresponding API response is 0%, and the status is "To address." When the status in the UI is "To address," the Control Status in the SAFE UI is Failed because the configuration is not done properly and needs to be remediated.
3. If the UI shows "Points Achieved" as 0.89/9, the corresponding API response is 11%, and the status is "To address." When the status in the UI is "To address," the Control Status in the SAFE UI is Failed because the configuration is not done properly and needs to be remediated.

Note

If the "Points Achieved" shown in the UI is 1/1, 2/2, or M/N (where M and N are always equal), the status is "Completed," and "scoreInPercentage" is always 100%. If the "Points Achieved" shown in the UI is 0/1, 1/2, or M/N (where M is less than N), the status is "To address," and "scoreInPercentage" is always less than 100%.

![Defender(1)](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Defender(1).png)
