Overview
You must create a Microsoft Azure application to obtain credentials to install a Microsoft Defender for Endpoint Connector.
Two different authentication methods can be used:
- Application permissions
- Delegated permissions
You can find an overview of the differences between these authentication methods here.
Remote Setup in Microsoft Azure – performed by Cyclr Partner
You must create a Microsoft Azure application to obtain an Application (client) ID, Client Secret, and Directory (tenant) ID.
The Application (client) ID and Directory (tenant) ID can be found on the Overview screen and the Client Secret can be created and found on the Manage > Certificates & secrets screen:
Application permissions
Microsoft’s guide on creating a Microsoft Azure application with application permissions can be found here. Step 9 of the guide should be skipped if you’re using a single-tenanted application for internal processes. The following permissions should be added depending on which Connector methods you wish to use:
| Method | Permission | |
|---|---|---|
| Alerts | Get Alert Related Machine Information | Machine.Read.All or Machine.ReadWrite.All |
| List Alerts | Alert.Read.All or Alert.ReadWrite.All | |
| Browser Extensions | List Browser Extensions Permission Information | Software.Read.All |
| Device Health | List Antivirus Health Report | Machine.Read.All |
| Machines | Get Machine | Machine.Read.All or Machine.ReadWrite.All |
| List Machine Discovered Vulnerabilities | Vulnerability.Read.All | |
| List Machine Installed Software | Software.Read.All | |
| List Machine Logon Users | User.Read.All | |
| List Machine Related Alerts | Alert.Read.All or Alert.ReadWrite.All | |
| List Machine Security Recommendations | SecurityRecommendation.Read.All | |
| List Machines | Machine.Read.All or Machine.ReadWrite.All |
Delegated permissions
Microsoft’s guide on creating a Microsoft Azure application with delegated permissions can be found here.
The following permissions should be added depending on which Connector Methods you wish to use:
| Method category | Method | Permission |
|---|---|---|
| Alerts | Get Alert Related Machine Information | Machine.Read or Machine.ReadWrite |
| List Alerts | Alert.Read or Alert.ReadWrite | |
| Browser Extensions | List Browser Extensions Permission Information | Software.Read |
| Device Health | List Antivirus Health Report | Machine.Read |
| Machines | Get Machine | Machine.Read or Machine.ReadWrite |
| List Machine Discovered Vulnerabilities | Vulnerability.Read | |
| List Machine Installed Software | Software.Read | |
| List Machine Logon Users | User.Read.All | |
| List Machine Related Alerts | Alert.Read or Alert.ReadWrite | |
| List Machine Security Recommendations | SecurityRecommendation.Read | |
| List Machines | Machine.Read or Machine.ReadWrite |
Partner Setup in Cyclr Console
Having created an application within Microsoft Azure, go into your Cyclr Partner Console:
- Go to Connectors > Application Connector Library.
- Use the search box to locate the Microsoft Defender for Endpoint Connector entry.
- Select the Pencil button.
- Select the Settings tab.
- Enter the below values:
| Property | Description |
|---|---|
| Client ID | The Application (client) ID from the Overview page of your Microsoft Azure application. |
| Client Secret | The Client secret from the Manage > Certificates & secrets page of your Microsoft Azure application. |
- If using a multi-tenanted application, enter the below value:
| Property | Description |
|---|---|
| Tenant ID | Set this to “Common” in order to allow multi-tenanted auth. |
- Select Save Changes.
If you leave these values blank, they must be provided each time the Connector is installed.
Cyclr Connector Installation
When installing the Microsoft Defender for Endpoint Connector, the following values are used:
| Property | Description |
|---|---|
| Client ID | The Application (client) ID from the Overview page of your Microsoft Azure application.Only required if not set in your Cyclr Partner Console. |
| Client Secret | The Client secret from the Manage > Certificates & secrets page of your Microsoft Azure application.Only required if not set in your Cyclr Partner Console. |
| Username | The Username of the Microsoft Azure account to authenticate with.Delegated permissions only. |
| Password | The Password of the Microsoft Azure account to authenticate with.Delegated permissions only. |
| Tenant ID | The Directory (tenant) ID from the Overview page of your Microsoft Azure application. |