This article helps you integrate your Microsoft Defender for Cloud Apps installation with the Expel Workbench.
Quick Links
Step 1: Enable Console Access
Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech.
Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.
-
Sign into the Azure portal as a user who is assigned a limited administrator directory role or the Guest Inviter role.
-
In the navigation pane, click Microsoft Entra ID.
-
Under Manage, select Users.
-
Select New guest user.
-
On the New user page, click Invite user, fill out the email address (expel_analyst@expel.io), and optionally include a message.
-
Under roles, add the role Global Reader role.
-
Click Invite to automatically send the invitation to the guest user.
-
After you send the invitation, the user account is automatically added to the directory as a guest.
Step 2: Enable Defender for Cloud Apps Enterprise Application
To integrate Defender for Cloud Apps with Expel, we need to create secure credentials to the API. We provide two options for enabling API access:
-
Option 1: Enable the Expel Defender for Cloud Apps Integration Enterprise Application within Azure.
-
Option 2: Create a custom Microsoft Entra ID Application.
Usually enabling the Enterprise Application (option 1) is the recommended approach. The second option is offered for cases where the absolute minimum permissions are required. In either case, the table below shows the required items to obtain during this step:
Item we need |
Description |
Azure Directory (tenant) ID |
A unique identifier for your Azure instance. Expel needs this information to route our API requests to the right place. |
Application (client) ID (Option 2 only) |
A unique identifier for the application you create that grants Expel the access it needs to your Defender for Cloud Apps instance. |
Application (client) Secret (Option 2 only) |
The API secret that allows Expel to authenticate as the created application to your Defender for Cloud Apps instance. |
Option 1: Enable Defender for Cloud Apps Integration (Preferred)
-
As an Administrator, navigate to the Expel Admin Consent Page.
-
Review and accept requested permissions.
-
The Expel Defender for Cloud Apps Integration app now appears under Enterprise Applications. Review properties and make sure that all permissions were properly granted. Note the Directory (Tenant) ID when viewing the Expel Defender for Cloud Apps Integration application for use in later steps.
-
Skip to step 3.
Option 2: Create Custom Microsoft Entra ID Application
-
Log into your Azure account (https://portal.azure.com) and open Microsoft Entra ID.
-
Navigate to App registrations and create a new app by clicking + New registration.
-
Fill in the application details. You can technically fill these in however you want, but we recommend the following:
-
Name: Expel Defender for Cloud Apps Integration.
-
Supported account types: accounts in this organizational directory only (first option).
-
-
After you fill out the fields, click Register to create the new application.
-
You navigate automatically to the settings page for the Expel Cloud Service app you just created. If not, navigate to App Registrations > View all applications (if you don’t see the new app) > Expel Defender for Cloud Apps Integration.
-
Make a note of the Application (client) ID and the Directory (tenant) ID. We need that later.
-
Navigate to API permissions and click Add a permission.
-
Add these permissions for the Expel App:
-
Microsoft Cloud App Security
-
discovery.read
-
investigation.read
-
-
Microsoft Graph
-
user.read
-
-
-
Select the appropriate API Category (for example, Microsoft Graph).
-
Select Application Permissions.
-
Select the appropriate permission(s) and click Add Permissions.
-
Repeat these steps for each permission needed. Verify that:
-
All permissions are added as Application permissions and NOT Delegated permissions.
-
All Permissions are assigned.
-
Consent is granted for the permissions by the AAD admin.
-
-
After permissions are assigned, click Grant admin consent, and click Yes at the prompt.
-
Navigate to Expel Cloud Service > Certificates & secrets to begin creating an API key (aka client secret). To create a new key, click +New client secret.
-
Add a description for the secret (like Expel API) and select Never for expiration. Click Add to create the secret.
-
You see a new client secret (API Key) appear under Client secrets.
Note
Copy the value and save it for later. It disappears after you navigate away from this screen.
Step 3: Generate the MCAS URL
-
Go to https://portal.cloudappsecurity.com/ and log in.
-
From the address bar, copy the URL.
-
Save the URL for later. The URL format should be
https://<custom-name>.portal.cloudappsecurity.com
.
Step 4: Configure the Technology in Workbench
-
In a new browser tab, click this link to open the Add Security Device screen in Workbench.
-
Fill out the fields like this:
Field Name
What to put in it
Name
What you want to name the security device.
Location
Microsoft Cloud
MCAS URL
The URL from step 3.
MCAS Token
A legacy field that you do not need to update.
Tenant ID
Client ID (Option 2 only)
The Azure Application (client) ID created in Option 2.
Client Secret (Option 2 only)
The Application (client) Secret created in Option 2.
-
Click Save.