Microsoft Entra ID integration

With a Microsoft Entra ID integration, you can receive identity enrichment details for Investigator detections. The Microsoft Entra ID integration extends Investigator’s identity capabilities by blending Microsoft Entra ID (formerly Azure Active Directory) identity data with Investigator network detections.

When integrated, detection details display valuable identity context such as recent sign-ins, user attributes, and risk information. This helps analysts investigate the history of a user leading up to the detection time and make informed decisions during the triage process.

Prerequisites

Before beginning the configuration, ensure you have the following in place:

  • Subscription: A Microsoft Entra ID P2 subscription.

  • EDR Integration: Microsoft Defender or CrowdStrike EDR already enabled in Investigator.

  • Registration: An Entra-registered device.

  • Entra Tenant: A Microsoft Entra ID tenant.

  • App Registration: An application registered in the Microsoft Entra admin center.

  • API Permissions: Appropriate Microsoft Graph API permissions granted, including Admin Consent.

  • Credentials: The Tenant ID, Application (Client) ID, and a generated Client Secret for the application.

Required Graph API permissions

The app registration must be granted the following Microsoft Graph Application permissions (not Delegated permissions, since Investigator authenticates as the application, with no signed-in user):

  • User.Read.All (to retrieve user details)

  • Directory.Read.All (to retrieve directory information)

  • AuditLog.Read.All (to retrieve sign-in logs)

  • IdentityRiskyUser.Read.All (optional, for risky user signals)

Response action permissions

To perform actions like universal logout, reset password, enable account, disable account, and tag high risk, the application must have the following permissions:

  • User-PasswordProfile.ReadWrite.All

  • User.RevokeSessions.All

  • User.EnableDisableAccount.All

  • IdentityRiskyUser.ReadWrite.All

Important

After assigning permissions, ensure Admin Consent is granted for every one of them. Until consent is granted, tokens issued to the application do not carry the corresponding permissions and the connection verification below fails.

Obtaining connection details

Use the following steps to gather the necessary IDs and secrets from your Azure portal before beginning the integration.

Tenant ID

  1. Sign in to the Azure portal.

  2. Search for Microsoft Entra ID.

  3. Go to Overview in the left-hand menu.

  4. Look for Tenant ID and click the Copy to clipboard icon to copy it.

Application (Client) ID

  1. Sign in to the Azure portal.

  2. Navigate to App Registrations by searching for it in the top search bar.

  3. If your application is not listed under Owned Applications, switch to All Applications.

  4. Select your application to open its details.

  5. Go to the Overview tab and copy the value labeled Application (client) ID.

Client Secrets

  1. Navigate to App Registrations.

  2. Select your application.

  3. Click Certificates & secrets in the left-hand menu. Under Client secrets, click New client secret, give it a description and an expiry, and click Add. Copy the secret from the Value column immediately: it is shown only once, and the Secret ID column is not the secret. If the value of an existing secret was not recorded, create a new secret; it cannot be retrieved later.

Integrate Microsoft Entra ID with Investigator

  1. From System Settings in the left navigation, choose Integrations.

  2. In the Integrations tab, click the Entra ID card.

  3. Click Configure. An integration dialog box appears.

  4. Toggle the integration setting to Enabled.

  5. Enter your Tenant ID.

  6. Enter your Client ID (Application ID).

  7. Enter your Client Secret.

  8. Enable the Identity enrichment and Response actions if you want to perform user-specific actions.

    Note

    These values for the ID and secret are obtained from the Microsoft Entra Admin Center when registering your application.

  9. Click Verify Connection to ensure the Investigator can successfully authenticate and access your Microsoft Graph data.

  10. Click Save.

    Note

    You cannot save your connection until verification succeeds.
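The check behind step 9 can be reproduced outside Investigator, which is useful when verification fails and you need to tell a wrong secret apart from missing admin consent. The following is an added example written for this page, not Corelight's or Microsoft's code. It uses the standard client-credentials grant against the v2.0 token endpoint with the credentials gathered above, then reads the `roles` claim of the resulting app-only token: that claim lists exactly the application permissions that have been granted and consented, so comparing it against the lists in the permissions sections shows what is still missing. The sample token at the bottom is constructed and unsigned so the comparison can run offline; a real token would come from `get_app_token`.

```python
"""Check that an Entra app registration's token carries the Graph permissions
this page requires, before saving the Investigator integration.

Added example, not Corelight's or Microsoft's code. Assumes the v2.0
client-credentials flow; SAMPLE_TOKEN is a constructed, unsigned JWT.
"""
import base64
import json
import urllib.parse
import urllib.request

# Application permissions listed on this page.
ENRICHMENT_ROLES = {"User.Read.All", "Directory.Read.All", "AuditLog.Read.All"}
OPTIONAL_ROLES = {"IdentityRiskyUser.Read.All"}
RESPONSE_ROLES = {
    "User-PasswordProfile.ReadWrite.All",
    "User.RevokeSessions.All",
    "User.EnableDisableAccount.All",
    "IdentityRiskyUser.ReadWrite.All",
}


def get_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant for Microsoft Graph (network call; not used by the offline check)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def token_roles(access_token: str) -> set:
    """Application permissions baked into an app-only Graph token (its `roles` claim).

    Only the payload is decoded; we are inspecting our own token, not trusting
    one from a third party, so signature verification is not the point here.
    A missing or short `roles` claim means admin consent was not granted.
    """
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(payload.get("roles", []))


def missing_roles(access_token: str, response_actions: bool) -> set:
    """Permissions the token lacks for the chosen feature set; empty set means safe to save."""
    required = set(ENRICHMENT_ROLES)
    if response_actions:
        required |= RESPONSE_ROLES
    return required - token_roles(access_token)


def _fake_token(roles: list) -> str:
    """Constructed, unsigned JWT carrying only a `roles` claim, for offline demonstration."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}),
                     enc({"aud": "https://graph.microsoft.com", "roles": roles}),
                     ""])


# What the token looks like after consenting only the enrichment permissions.
SAMPLE_TOKEN = _fake_token(sorted(ENRICHMENT_ROLES | OPTIONAL_ROLES))

if __name__ == "__main__":
    print("missing for enrichment:", missing_roles(SAMPLE_TOKEN, response_actions=False))
    print("missing for response actions:", missing_roles(SAMPLE_TOKEN, response_actions=True))
```

If `get_app_token` itself fails with `invalid_client`, the tenant ID, client ID or secret is wrong (or the secret has expired); if it succeeds but `missing_roles` is non-empty, the permissions were added without admin consent, or consent was granted before the last permission was added and must be granted again.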

Identity Enrichment in Detection Details

With Microsoft Entra ID configured and enabled, the detection details page displays identity context related to the entity involved.

The detection view includes:

  • User Principal Name (UPN) and Display Name

  • User attributes (Department, Job Title, Office Location)

  • Risk state (if available)

  • Recent sign-in timestamp

For any user, you can perform the following actions by clicking on the Actions dropdown at the right-hand side:

  • Universal logout

  • Reset password

  • Enable account

  • Disable account

  • Tag high risk

Note

If the response actions are disabled by configuration, the response action dropdown does not display.

Actions

Response actions are currently limited to Investigator users with Admin permissions. The actions behave as follows:

  • Reset Password: The user can remain signed in until their next authentication event. On next sign-in, Microsoft prompts the user to set a new password.

  • Universal Logout: Users are forced to re-authenticate across Microsoft 365 and other apps relying on Entra ID tokens. The effect can take a few minutes depending on token refresh behavior, because access tokens already issued remain valid until they expire.

  • Disable Account: The user is logged out (token revocation), then blocked from signing in.

  • Enable Account: The user is enabled and can sign in again immediately.

  • Tag High Risk: The user’s risk state in Identity Protection is updated to high.
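The behaviour described above follows directly from which Microsoft Graph call each action makes. The following is an added example written for this page, not Corelight's code; it shows the documented v1.0 Graph requests behind each action as a small planner that returns the ordered HTTP calls instead of sending them, so the sequence (and in particular that Disable Account revokes sessions before blocking the account, and that Reset Password on its own leaves existing sessions alive) can be inspected offline. `execute` sends a plan with a bearer token obtained elsewhere. `user_id` may be an object ID or a UPN for the `/users/{id}` routes, but `confirmCompromised` requires object IDs; the temporary password generator is an assumption of this example and must satisfy your tenant's password policy.

```python
"""Graph requests behind the five Investigator response actions.

Added example, not Corelight's code. Planners return the ordered calls so
they can be reviewed and tested offline; execute() sends them.
"""
import json
import secrets
import string
import urllib.request
from dataclasses import dataclass
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0"


@dataclass
class GraphRequest:
    method: str
    url: str
    body: Optional[dict] = None


def universal_logout(user_id: str) -> list:
    # Invalidates refresh tokens and browser session cookies. Access tokens
    # already issued stay valid until expiry, hence the delay of a few minutes.
    return [GraphRequest("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions")]


def disable_account(user_id: str) -> list:
    # Revoke first, then block: "logged out (token revocation), then blocked".
    return universal_logout(user_id) + [
        GraphRequest("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": False})
    ]


def enable_account(user_id: str) -> list:
    return [GraphRequest("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": True})]


def reset_password(user_id: str, temp_password: str) -> list:
    # Sets a temporary password and forces a change at next sign-in. This does
    # not touch existing sessions, which is why the user may remain signed in;
    # for a compromised account, pair it with universal_logout().
    return [GraphRequest("PATCH", f"{GRAPH}/users/{user_id}", {
        "passwordProfile": {
            "password": temp_password,
            "forceChangePasswordNextSignIn": True,
        }
    })]


def tag_high_risk(user_object_id: str) -> list:
    # Identity Protection: mark the user confirmed compromised, which sets the
    # risk level to high. userIds must be object IDs, not UPNs.
    return [GraphRequest("POST", f"{GRAPH}/identityProtection/riskyUsers/confirmCompromised",
                         {"userIds": [user_object_id]})]


def random_temp_password(length: int = 24) -> str:
    """Assumed generator for the temporary password; adjust to your tenant's policy."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def execute(plan: list, access_token: str) -> list:
    """Send the planned calls in order; an HTTP error stops the sequence. Returns status codes."""
    statuses = []
    for r in plan:
        data = json.dumps(r.body).encode() if r.body is not None else None
        req = urllib.request.Request(r.url, data=data, method=r.method, headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            statuses.append(resp.status)
    return statuses


if __name__ == "__main__":
    for step in disable_account("jdoe@example.com"):
        print(step.method, step.url, step.body)
```

Whether the application may reset the password of a user who holds a directory role depends on the role assigned to the application itself in your tenant, not only on `User-PasswordProfile.ReadWrite.All`; test the action against a privileged account before relying on it during an incident.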

Managing the Integration

If you want to temporarily pause identity enrichment, toggle the integration setting to Disabled. This preserves your connection details.

If you want to permanently disable the integration and remove stored credentials, click the Delete icon and click Save.

Note

User profile enrichments, such as email and job family, refresh when you save the integration and every eight (8) hours thereafter. Sign-in events refresh every hour, so a sign-in can take up to an hour to appear in a detection's identity context.

Limitations

Investigator uses the Microsoft Graph signIns API to return Entra ID sign-in details. This endpoint currently only returns interactive sign-ins. In some situations, Windows OS sign-ins are recorded as non-interactive.


Non-interactive sign-ins can include non-obvious cases such as an Entra ID authenticated user using Remote Desktop Protocol (RDP) to sign in to another Entra ID-joined host. Entra ID records this authentication as a non-interactive sign-in because the user already holds a valid Entra ID session. Given the limitations of the signIns API, Corelight is currently unable to pull this event, and no RDP login event will be displayed in the User Sign-In History table.

The ability to query non-interactive sign-ins is currently in beta. Corelight plans to remove this limitation when we can sufficiently depend on this new capability.
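To see for yourself which events the limitation hides, you can query the same API directly. The following is an added example written for this page, not Corelight's code. `signins_url` builds the v1.0 query Investigator's behaviour corresponds to (interactive sign-ins only) and, on request, the beta query with the `signInEventTypes` filter documented by Microsoft for non-interactive events; `fetch_all` follows `@odata.nextLink` paging; `summarize` turns records into rows like the User Sign-In History table and `hidden_by_v1` lists the events a v1.0 query would not return. The three records at the bottom are constructed to mimic Graph's JSON shape (including an RDP-style session that Entra ID logs as non-interactive) so the summary runs offline; field names follow the signIn resource, and the filter syntax is an assumption taken from the Graph documentation rather than from this page.

```python
"""Fetch a user's Entra ID sign-ins and show which events the
interactive-only v1.0 signIns endpoint leaves out.

Added example, not Corelight's code. Sample records are constructed.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

V1 = "https://graph.microsoft.com/v1.0/auditLogs/signIns"
BETA = "https://graph.microsoft.com/beta/auditLogs/signIns"


def signins_url(upn: str, hours: int = 24, event_type: str = None) -> str:
    """Query for one user's sign-ins over the last `hours` hours.

    event_type None        -> v1.0, interactive sign-ins only (current Investigator behaviour).
    'nonInteractiveUser'   -> beta endpoint with the signInEventTypes filter.
    """
    since = (datetime.now(timezone.utc) - timedelta(hours=hours)).strftime("%Y-%m-%dT%H:%M:%SZ")
    safe_upn = upn.replace("'", "''")  # OData string escaping
    clauses = [f"userPrincipalName eq '{safe_upn}'", f"createdDateTime ge {since}"]
    base = V1
    if event_type is not None:
        base = BETA
        clauses.append(f"signInEventTypes/any(t: t eq '{event_type}')")
    query = urllib.parse.urlencode({"$filter": " and ".join(clauses),
                                    "$orderby": "createdDateTime desc"})
    return f"{base}?{query}"


def fetch_all(url: str, access_token: str) -> list:
    """Follow @odata.nextLink until the collection is exhausted (network call)."""
    out = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        out.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return out


def summarize(records: list) -> list:
    """Rows for a sign-in history table; interactive=False marks events v1.0 would not return."""
    return [{
        "time": r["createdDateTime"],
        "app": r.get("appDisplayName"),
        "ip": r.get("ipAddress"),
        "ok": r.get("status", {}).get("errorCode", 0) == 0,
        "interactive": r.get("isInteractive", True),
    } for r in records]


def hidden_by_v1(records: list) -> list:
    return [r for r in records if not r.get("isInteractive", True)]


# Constructed records (not real tenant data): an interactive Exchange sign-in,
# an RDP session to an Entra-joined host logged as non-interactive, and a
# failed interactive attempt (errorCode 50126 = invalid credentials).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T08:02:11Z", "userPrincipalName": "jdoe@example.com",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10",
     "isInteractive": True, "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T08:15:40Z", "userPrincipalName": "jdoe@example.com",
     "appDisplayName": "Windows Sign In", "ipAddress": "10.0.0.25",
     "isInteractive": False, "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T09:30:05Z", "userPrincipalName": "jdoe@example.com",
     "appDisplayName": "Azure Portal", "ipAddress": "198.51.100.7",
     "isInteractive": True, "status": {"errorCode": 50126}},
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_SIGNINS):
        print(row)
    print("hidden by v1.0:", [r["appDisplayName"] for r in hidden_by_v1(SAMPLE_SIGNINS)])
```

When investigating lateral movement over RDP, run the beta query as well and merge the two result sets by `createdDateTime`; until Investigator supports non-interactive events, the RDP hop will otherwise be invisible in the detection's sign-in history.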