Microsoft Defender Office365 E-Discovery Cases

Microsoft Defender for Office 365 E-Discovery Cases is a comprehensive tool designed to assist organizations in managing, identifying, and securing data during legal investigations or compliance reviews. It streamlines the process of searching, collecting, and preserving relevant email and file content from Office 365 environments. For detailed information, please refer to the Microsoft’s official documentation.

Integration Method: API

Tables: Incident Finding (2005)

The integration supports the following events.

This integration supports the following versions.

Note:

Microsoft Defender Office365 E-Discovery Cases API version doesn’t follow a traditional versioning system. Instead, it is a continuously updated cloud service. As for this document preparation, the latest release was in March 2025.

Prerequisites

• The user should have access to the Azure portal with an account that has the Global Administrator privileges.

• The user should have access to the DataBee console.

Configuration Overview

1. Create an application with required permissions to fetch the data.

   1. Create an application

   2. Add endpoint access

   3. Create the client secret

2. Create Microsoft Defender for Office365 E-Discovery data feed in the DataBee console with the required Client credentials.

   DataBee Feed Parameter	Azure Parameter
   Client Key	Application (client) ID
   Client Secret	Client Secret Value
   Token URL(<tenant_id>)	Directory (Tenant) ID
   Username	Username
   Password	Password

   Note:

   Username and Password mentioned above are the user credentials used for logging in.

Microsoft Defender Office365 Configuration

Create an application

1. Log on to Azure portal with an account that has the Global Administrator privileges.  

2. In the search bar, search for App registrations and select it.
    

3. On the “App registrations” page, select New registration, then “Register an application” window will appear.
    

4. On the “Register an application” window:

   1. Under ‘Name’ enter your Application Name then click on Register to create the application.

   

5. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.
     

Add Endpoint Access

Once the application is created, one permission to the Graph API is needed. This section details how to configure and add permission to the required endpoints.  

Add Permissions

From the Azure Active Directory portal:

1. Select the application registered in the previous step.

2. Under Manage, click API permissions and then click Add a permission, the “Request API permissions” window will appear.
    
   

3. On “Request API permissions” window, click on Microsoft APIs then on Microsoft Graph.
    
   

4. The following permissions need to be granted for the endpoint to function properly:

   Event	Type	Permission
   Cases	Application	eDiscovery.Read.All

5. From the ‘eDiscovery’ dropdown, select eDiscovery.Read.All

   

6. Click the Add permissions button after selecting all required permissions.
    

7. On the “API permissions” page, click Grant Admin Consent for <tenant>.
    

8. Click the Yes button on the consent confirmation.
    
   

9. The necessary permissions have now been added for the endpoints. After this step, the permissions should include these minimum required permissions shown.
    

   Note:

   If you found any difficulties while configuring. You can refer to Microsoft's official documentation.

Creating the Client Secret

The final step to accessing the APIs is creating a Client Secret. To create it from the Azure Portal:  

1. Select the application created above.

2. Under Manage, click Certificates & secrets, and then Client secrets. 
    
   

3. Click on New client secret.

   
   
   

4. On “Add a client secret” window:

   1. Enter a ‘Description’ for this client secret and select the desired expiry period from the ‘Expires’ drop-list.

   2. Then click on Add to create the client secret.

   

   Note:

   The user needs to re-create the client secret when it expires.

5. Copy Client secrets Value field for later use.
    
   

   Note:

   The API restricts data retrieval to the last 7 days. Older data cannot be fetched.

DataBee Configuration

1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
    
   

2. Search for Microsoft Defender for Office365 E-Discovery Cases and click it as shown below.
    

3. Click on the API Ingest option for collection method.
    
   

4. Enter feed contact information and click Next.
    

5. In the configuration page, enter the following:

   • Authorization Method: OAuth2

   • Client Key: paste the Application (Client) ID generated earlier in the Azure portal.

   • Client Secret: paste the Client Secret value generated earlier in the Azure portal.

   • Token URL: replace <tenant_id> with your Directory (Tenant) ID.

   • Username: paste username Credentials.

   • Password: paste password Credentials.

   

6. Click Submit.

   Note:

   The URL for the API endpoint that you use is based on the type of Microsoft 365 or Office 365 subscription plan for your organization. Here, we have used the URL for Microsoft Graph global service. You can change the URL as per subscription plan for your organization. Below are the list of URLs as per the subscription plans.

   Microsoft Graph global service:https://graph.microsoft.com

   Microsoft Graph for US Government L4:https://graph.microsoft.us

   Microsoft Graph for US Government L5 (DOD):https://dod-graph.microsoft.us

   Microsoft Graph China operated by 21Vianet:https://microsoftgraph.chinacloudapi.cn

Troubleshooting Tips

• If you encounter an Invalid client or Unauthorized client error, it may be due to incorrect credentials. Please double-check that the client key, client secret, and Tenant ID are entered correctly. Since the client secret is only visible upon creation, you may need to regenerate it. To avoid any issues, consider pasting it into a text editor to ensure there are no extra spaces or unexpected characters before reconfiguring the DataBee feed.

• If you receive an Unauthorized error, it may be because the client ID and client secret belong to different applications. Kindly verify that you are using credentials from the same application to resolve the issue.

• If we encounter response code 401, it is likely due to missing permissions. Ensure that all required permissions are correctly granted as per the steps outlined above.

  • For example:
    {"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}