This setup guide is only for Microsoft Defender for Cloud Apps (MDCA) and Defender for Identity. To find a different setup guide, search for the technology in the Help Center or go to the Integrations page and select the hyperlink (if available) to go directly to the guide.


This guide covers the provisioning of the Azure application needed to run the Microsoft Graph API queries against the /security/alerts_v2, /security/incidents and /security/runHuntingQuery endpoints, which allows the Expel Workbench to collect logs for Microsoft Defender XDR.

Quick Links

Setup includes the following steps (select any step for detailed instructions):

  1. Add a Service Account for Console Access
  2. Create a Custom Microsoft Entra ID Application
  3. Add Microsoft Defender XDR as a Security Device in Workbench

Step 1: Add a Service Account for Console Access

Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech. For more information, see Why Expel Asks for Console Access.

Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. Learn more about the IP addresses all Expel traffic comes from.

  1. Log in to the Azure portal as a Global Admin user, as you will need to be able to assign the Global Reader role.
  2. In the side navigation, select Microsoft Entra ID.
  3. Under Manage, select Users.
  4. Select New user > Invite external user.
  5. On the Invite external user page, configure the following:
    • Email - enter "expel_analyst@expel.io".
    • Send invite message - leave this checked.
    • Message - enter a message (optional).
  6. Select the Assignments tab.
  7. Select Add role.
  8. On the Directory roles screen, search for and select the Global Reader role.
  9. Choose Select at the bottom.
  10. Select Review + Invite and then Invite to automatically send the invitation.
  11. After you send the invitation, the user account is added to the directory as a guest. Expel will accept the email invite and complete console access setup.

Step 2: Create a Custom Microsoft Entra ID Application

  1. In the Azure portal, use the search bar to navigate to App registrations and select New registration.
  2. On the Register an application screen, configure the following settings:
    • Name - enter "Expel Defender XDR".
    • Supported account types - select Accounts in this organizational directory only.
    • Leave all other defaults on this page as is.
  3. Select Register.
  4. The settings page for the new "Expel Defender XDR" application appears. Copy and save the following values provided on this page in a safe place as you will need to enter them into Workbench later:
    • Application (client) ID
    • Directory (tenant) ID
      Note
      If the new application page doesn't appear automatically, navigate to App Registrations > View all applications > Expel Defender XDR.
  5. Under Client credentials, select Add a certificate or secret.
  6. Select New client secret.
  7. On the Add a client secret screen, configure the following settings:
    • Description - enter "Expel API".
    • Expires - select 730 days (24 months).
  8. Select Add.
  9. The Certificates & secrets page appears. Copy the Value and save it to a safe place as you will need it later and it will not be shown again after you leave this page.
  10. In the left side navigation, select API permissions.
  11. Select Add a permission.
  12. Select Microsoft Graph > Application permissions.
  13. Select Add a permission and provide the following permissions:
    • SecurityAlert.Read.All
    • SecurityEvents.Read.All
    • ThreatHunting.Read.All
    • SecurityIncident.Read.All
  14. Select Add permissions.
  15. Review the completed list of permissions and make sure they are all present, including the User.Read permission, which is required and automatically added for the Microsoft Graph API.
  16. Make sure Admin consent is granted for the permissions by selecting Grant admin consent for [Tenant Name].
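Before entering the credentials into Workbench, it is worth confirming that the app registration's token actually carries the four application permissions from this step (a missing role almost always means admin consent was not granted). The script below is an added example, not Expel's code; it builds the client-credentials token request and inspects the "roles" claim of an access token. The token it checks is constructed inline so the check runs offline.

```python
"""Verify a Defender XDR app registration's Graph permissions (added example)."""
import base64
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com"
# Application permissions granted in Step 2; Graph returns them in the token's "roles" claim.
REQUIRED_ROLES = {
    "SecurityAlert.Read.All",
    "SecurityEvents.Read.All",
    "ThreatHunting.Read.All",
    "SecurityIncident.Read.All",
}
# Endpoints Workbench queries, as listed in this guide's introduction.
ENDPOINTS = ["/security/alerts_v2", "/security/incidents", "/security/runHuntingQuery"]


def token_request(tenant_id, client_id, client_secret):
    """Build (but do not send) the OAuth 2.0 client-credentials request for Graph."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH + "/.default",
    }).encode()
    return urllib.request.Request(url, data=body, method="POST")


def token_roles(access_token):
    """Decode the JWT payload and return its roles. No signature check: Graph validates
    the token on use; here we only read the claims to confirm consent was granted."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))


def missing_roles(access_token):
    """Permissions from Step 2 absent from the token (re-check 'Grant admin consent' if non-empty)."""
    return sorted(REQUIRED_ROLES - token_roles(access_token))


def fake_token(roles):
    """Constructed, unsigned token for offline demonstration only (not a real Entra token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"aud": GRAPH, "roles": roles}), ""])


if __name__ == "__main__":
    tok = fake_token(["SecurityAlert.Read.All", "SecurityIncident.Read.All"])
    print("missing:", missing_roles(tok))  # missing: ['SecurityEvents.Read.All', 'ThreatHunting.Read.All']
```

With a real tenant, send the request from `token_request` with `urllib.request.urlopen`, pass the returned `access_token` to `missing_roles`, and only proceed to Step 3 when the list is empty.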

Step 3: Add Microsoft Defender XDR as a Security Device in Workbench

Now that you have the correct access configured and noted the credentials, you can integrate your tech with Workbench.

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices.
  3. Select Add Security Device.
  4. In the search box, type “XDR” and then select the Microsoft Defender XDR integration.
  5. A configuration pane displays. Complete the fields as follows:
    • Name - enter a name that might help you more easily identify this integration, such as “CompanyName Microsoft Defender XDR”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
    • Location - enter the location of your integration, for example “cloud”; this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    • Directory ID - enter the Directory (tenant) ID value from Step 2.
    • Application ID - enter the Application (client) ID value from Step 2.
    • Client secret - enter the Client secret Value from Step 2.
  6. Select Save.
  7. On the Why give Expel console access? screen, select Set up later from the dropdown, as Expel is completing console access setup on our side.