Microsoft Defender for Office365
- Updated on 18 Mar 2025
Microsoft Defender for Office 365 allows you to secure your email and Microsoft Teams with advanced protection against phishing, business email compromise, ransomware, and other cyberthreats. For more information, please refer to Microsoft’s official documentation.
Integration Method: API
Tables: Detection Finding (2004), Ticket Inventory (99405001), Training Inventory (99405002)
This integration supports the following events.
Event | Description |
---|---|
Simulation User Coverage | List training coverage for each tenant user in attack simulation and training campaigns. |
Simulation Repeat Offenders | List the tenant users who have yielded to attacks more than once in attack simulation and training campaigns. |
Simulation Training User Coverage | List training coverage for tenant users in attack simulation and training campaigns. |
Attack Simulations | List users of a tenant and their online actions in an attack simulation campaign. |
This integration supports the following versions.
Microsoft Graph API version | v1.0 |
Note:
Microsoft Defender for Office365 is a SaaS service. This document was prepared with the latest release in February 2025.
Prerequisites
The user should have access to the Azure portal with an account that has Global Administrator privileges.
The user should have access to the DataBee console.
Configuration Overview
Create an application with the required permissions to fetch the data.
Create a Microsoft Defender for Office365 data feed in the DataBee console with the required client credentials.
DataBee Parameter | Azure Parameter |
---|---|
Client Key | Application (client) ID |
Client Secret | Client Secret Value |
Token URL(<application_id>) | Directory (Tenant) ID |
Azure Configuration
Create an application
Log on to the Azure portal with an account that has Global Administrator privileges.
In the search bar, search for App Registrations and select it.
On the “App registrations” page, select New registration. The “Register an application” window will appear.
On the “Register an application” window:
Under ‘Name’, enter your application name, then click Register to create the application.
On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.
Add Endpoint Access
Once the application is created, one permission to the Graph API is needed to fetch the data. This section details how to configure and add permission to the required endpoints.
Add Permissions
From the Azure portal:
Select the application registered in the previous step.
Under Manage, click API Permissions and then click Add a Permission. The “Request API permissions” window will appear.
On the “Request API permissions” window, click Microsoft APIs and then Microsoft Graph.
Click on Application Permissions.
The following permissions need to be granted for the endpoint to function properly:
Event | Type | Permission |
---|---|---|
Simulation User Coverage | Application | AttackSimulation.Read.All |
Simulation Repeat Offenders | Application | AttackSimulation.Read.All |
Simulation Training User Coverage | Application | AttackSimulation.Read.All |
Attack Simulations | Application | AttackSimulation.Read.All |
In the Select permissions search bar, enter the permission shown above and check the box to include it.
Click the Add permissions button after selecting all required permissions.
On the “API permissions” page, click Grant Admin Consent for <tenant> and click the Yes button to confirm consent.
The required permissions have now been added for the endpoints. After this step, the application's permissions should include at least the required permissions listed above.
Create the Client Secret
The final step to accessing the APIs is creating a Client Secret. To create it from the Azure Portal:
Select the application created above.
Under Manage, click Certificates and Secrets, and then Client Secrets.
Click New client secret. The “Add a client secret” window appears.
In the “Add a client secret” window:
Enter a ‘Description’ for this client secret and select the desired expiry period from the ‘Expires’ drop-down list.
Then click on Add to create the client secret.
Note:
The user needs to re-create the client secret when it expires.
Copy the Secrets Value field for later use.
DataBee Configuration
Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
Search for the Microsoft Defender for Office365 and click it as shown below.
Click on the API Ingest option for collection method.
Enter feed contact information and click Next.
In the configuration page, enter the following:
API Base URL: this is the base URL that DataBee will interact with.
Authorization Method: OAuth2
Client Key: paste the Application (Client) ID generated earlier.
Client Secret: paste the Secret value generated earlier.
Token URL: replace <application_id> with your Directory (Tenant) ID.
Event Types: preselected for all the Event Types the integration pulls.
Click Submit.
Troubleshooting Tips
If you receive an invalid client or unauthorized client error, the likely cause is incorrect credentials. Ensure the client key, client secret and Tenant ID are pasted correctly. Since you cannot view the client secret after the first time, re-create it, paste it into a text editor to ensure no spaces or unexpected characters are included, and reconfigure the DataBee feed.
If you receive a response code 403 error, the likely cause is a missing permission. Ensure that all the required permissions are granted correctly as per the above-mentioned steps.
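A pre-flight check for the two troubleshooting cases above, as an added example that is not DataBee's or Microsoft's own code: it builds the client-credentials token request, rejects credentials with stray whitespace, and reads the `roles` claim of the returned token to confirm that `AttackSimulation.Read.All` was consented. The token endpoint URL (assumed to be the standard Microsoft identity platform v2.0 endpoint), the function names and the constructed sample token are assumptions made for this example.

```python
import base64, json
import urllib.error, urllib.parse, urllib.request

REQUIRED_ROLE = "AttackSimulation.Read.All"  # application permission from the table above
# Assumption: the standard Microsoft identity platform v2.0 token endpoint.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for an OAuth2 client-credentials token request."""
    for name, value in (("tenant ID", tenant_id), ("client key", client_id),
                        ("client secret", client_secret)):
        if not value or value != value.strip():
            raise ValueError(f"{name} is empty or has leading/trailing whitespace")
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default"}
    return TOKEN_URL.format(tenant=tenant_id), urllib.parse.urlencode(form).encode()

def fetch_token(tenant_id, client_id, client_secret):
    """POST the request; return the JSON body for success and error alike."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:  # errors arrive as JSON with a 4xx status
        return json.load(err)

def token_roles(access_token):
    """Read the 'roles' claim without verifying the signature (diagnostics only)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("roles", [])

def diagnose(token_response):
    """Map a token-endpoint response to the matching troubleshooting tip."""
    error = token_response.get("error")
    if error in ("invalid_client", "unauthorized_client"):
        return "credentials: re-check client key, client secret and tenant ID"
    if error:
        return f"token request failed: {error}"
    if REQUIRED_ROLE not in token_roles(token_response["access_token"]):
        return f"permission: {REQUIRED_ROLE} missing or admin consent not granted (expect 403)"
    return "ok"

def sample_token(claims):
    """Constructed, unsigned sample token for offline runs (not a real credential)."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none"}), seg(claims), "sig"])
```

Against a live tenant, `diagnose(fetch_token(tenant_id, client_id, client_secret))` runs the same check; read the secret from a vault or environment variable rather than hard-coding it.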