Setting Up Exchange Online Integration with Security Incident Response - Support and Troubleshooting

Setting Up Exchange Online Integration with Security Incident Response Overview

The upgraded version of the Security Incident Response integration with Microsoft Exchange Online is a new and robust SIR integration, which operates by utilizing application ID, tenant ID (organization), and client secret to procure a bearer token (JWT) via REST APIs. This new integration doesn't require any Mid-Server or additional PowerShell capabilities. The application object established within Azure AD is assigned a Directory Role, which is then reflected in an access token.

Prerequisites:

Defender for Office 365 Plan 2.

This integration requires License/Subscription of Defender for Office 365 Plan 2 to fetch email logs or metadata using advanced hunting in Microsoft 365 Defender.

Microsoft Graph API .

License/ Subscription of Microsoft Graph API is required to fetch email details of specific emails along with its current location and delete status.

Step 1: Register the application in Azure AD

Open the Azure AD portal at https://portal.azure.com/ . In the Search box at the top of the page, start typing App registrations , and then select App registrations from the results in the Services section. Or, to go directly to the App registrations page, use https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade .

On the App registrations page, select New registration . On the Register an application page that opens, configure the following settings:

Name : Enter something descriptive. For example, ExO HuntingAPI. Supported account types : Verify that Accounts in this organizational directory only ( only - Single tenant) is selected. To make the application multi-tenant for Exchange Online delegated scenarios, select the value Accounts in any organizational directory (Any Azure AD directory - Multitenant) .

When you're finished on the App registrations page, select Register .

Leave the app page that you return to open. You'll use it in the next step.

Step 2: Assign API permissions to the application

The procedures in this section replace any default permissions that were automatically configured for the new app. The app doesn't need the default permissions that were replaced.

On the app page under Management , select Manifest . On the Manifest page that opens, find the requiredResourceAccess entry (on or about line 52). Modify the resourceAppId , resourceAccess id , and resourceAccess type values as shown in the following code snippet:

"requiredResourceAccess": [

{

"resourceAppId": "00000003-0000-0000-c000-000000000000",

"resourceAccess": [

{

"id": "e2a3a72e-5f79-4c64-b1b1-878b674786c9",

"type": "Role"

},

{

"id": "dd98c7f5-2d42-42d3-a0e4-633161547251",

"type": "Role"

}

]

}

],

When you're finished on the Manifest page, select Save .

3. Still on the Manifest page, select API permissions under Management .

On the API permissions page that opens, do the following steps:

API / Permissions name : Verify the value ThreatHunting.Read.All and Mail.ReadWrite is shown. Status : The current incorrect value is Not granted for , and this value needs to be changed. Select Grant admin consent for , read the confirmation dialog that opens, and then select Yes .

The Status value should now be Granted for .

Troubleshooting: If the "ThreatHunting.Read.All" permission is not visible, verify the Defender for Office 365 License. For further information, refer to https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-security-comparison?view=o365-worldwide .

Limitation:

The availability of data through the Microsoft Threat Hunting API is subject to delays caused by latency between the Exchange Server, Graph API, and Hunting API. Synchronization between the Hunting API and the Exchange server may require a few minutes. The latency period is variable and can differ from one instance to another. Limitations of hunting API, Quotas and resource allocation https://learn.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0#advanced-hunting