This setup guide only covers Microsoft Defender for Identity. To find a different setup guide, search for the technology in the Help Center or go to the Integrations page and select the hyperlink (if available) to go directly to the guide.

Scope and Limitations

In order for us to collect the logs from Microsoft Defender for Identity, you must provision the Azure App so that it can perform Microsoft Graph API queries against the following three endpoints:

  • /security/alerts_v2
  • /security/incidents
  • /security/runHuntingQuery

The steps in this guide will help you provision the access properly via a custom Microsoft Entra ID App.

Prerequisites

  1. You must be able to log into Microsoft Entra as a user assigned the Global Administrator or User Administrator role.

Quick Links

Setup includes the following steps (select any step for detailed instructions):

  1. Enable Console and Cross-Tenant Access for Expel
  2. Create a Custom Microsoft Entra ID Application
  3. Add Microsoft Defender for Identity as a Security Device in Workbench

Step 1: Enable Console and Cross-Tenant Access for Expel

Note
If your organization has already created a new Expel account for console access and enabled cross-tenant access for another Microsoft integration, you may skip to Step 2. The same "<Your Organization GUID>@soc.expel.io" account provides access across all Microsoft services.

Enable Console Access for a New Account

Expel requires console access to allow analysts to perform investigation and triage. Without this additional level of information, details cannot be verified by our analysts and an investigation cannot be initiated. For more information, see Why Expel Asks for Console Access.

  1. Log in to the Microsoft Entra Admin Center as a user assigned the Global Administrator or User Administrator role.
  2. Navigate to Entra ID > Users > All Users.
  3. Select User > Invite external user.
  4. On the Basics tab, include the following:
    • Email - enter "<Your Organization GUID>@soc.expel.io". For example, a123bc45-aa12-123b@soc.expel.io
    • Display Name - enter "Expel SOC".
  5. On the Assignments tab, configure the following:
    • Select Add role.
    • Search for and select Global Reader. Note: This role provides read-only access across most Microsoft 365 and Azure management consoles.
  6. Select Review + invite and then Invite.

The user account will be added to your directory as a guest, and an invitation will be sent to the email provided.

Enable Cross-Tenant Access

In this step you will add Expel as an external organization and configure inbound trust.

  1. Still in the Microsoft Entra Admin Center, navigate to Entra ID > External Identities > Cross-tenant access settings.
  2. Select the Organizational settings tab.
  3. Select Add organization.
  4. On the Add organization pane, enter Expel’s tenant ID: 1cde81fd-b430-4035-b24d-709921922876
  5. Select Expel from the search results, and then select Add.
  6. In the Organizational settings list, locate the Expel row and select Inbound access.
  7. On the "Inbound access settings - Expel" page, select the Trust settings tab, and configure the following:
    • Select Customize settings.
    • Enable Trust multifactor authentication from Microsoft Entra tenants.
    • Enable Trust compliant devices.
    • Enable Trust Microsoft Entra hybrid joined devices.
    • Under Automatic redemption, enable Automatically redeem invitations with the tenant Expel.
  8. Select Save.

Step 2: Create a Custom Microsoft Entra ID Application

If you have onboarded the Microsoft Defender XDR integration and wish to reuse your custom Entra ID app rather than creating a new one, you may skip to Step 3. Just be sure you know the Entra ID app's Application (client) ID, Directory (tenant) ID, and client secret Value, as you will need them to set up the security device in Workbench.

Creating a custom application is necessary to allow us to perform the required Microsoft Graph API queries and collect the Microsoft Defender for Identity logs.

  1. In the Azure portal, use the search bar to navigate to App registrations.
  2. Select New registration.
  3. On the Register an application screen:
    • Name - enter "Expel Defender for Identity".
    • Supported account types - select "Accounts in this organizational directory only".
    • Leave all other defaults on this page as is.
  4. Select Register.
  5. Copy and save the following two values for your new application (you will need to enter them into Workbench later):
    • Application (client) ID
    • Directory (tenant) ID

Note
If the new application page does not appear automatically, navigate to App Registrations > View all applications > Expel Defender for Identity.

  6. Under Client credentials, select Add a certificate or secret.
  7. Select New client secret.
  8. On the Add a client secret screen:
    • Description - enter "Expel API".
    • Expires - select 730 days (24 months).
  9. Select Add.
  10. For your new client secret, copy the Value and save it to a safe place (you will need to enter it in Workbench later). This value only displays immediately after creation, and cannot be viewed again later.
  11. In the left side navigation, select API permissions.
  12. Select Add a permission.
  13. Select Microsoft Graph, then select Application permissions.
  14. Locate and add the following permissions:
    • SecurityAlert.Read.All
    • SecurityEvents.Read.All
    • ThreatHunting.Read.All
    • SecurityIncident.Read.All
  15. Select Add permissions.
  16. Review the completed list of permissions and make sure they are all present, including the User.Read permission, which is required and automatically added for the Microsoft Graph API.
  17. Make sure Admin consent is granted for all permissions by selecting Grant admin consent for [Tenant Name].

Step 3: Add Microsoft Defender for Identity as a Security Device in Workbench

Before you begin, make sure you have the Application (client) ID, Directory (tenant) ID, and the client secret Value from Step 2.

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices.
  3. Select Add Security Device.
  4. In the search box, type “Defender” and then select the Microsoft Defender for Identity integration.
  5. A configuration pane displays. Complete the fields as follows:
    • Name - enter a name that might help you more easily identify this integration, such as “CompanyName Microsoft Defender for Identity”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
    • Location - enter the location of your integration, for example “cloud”; this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    • Directory ID - enter the Directory (tenant) ID value from Step 2.
    • Application ID - enter the Application (client) ID value from Step 2.
    • Client secret - enter the client secret Value from Step 2.
  6. Select Save.
  7. For console access, select Set up later from the dropdown (Expel is completing the console access setup).
  8. Your device should be created successfully within a few seconds. A few reminders:
    • After your connection is healthy, it will take some time for your device to begin polling and receiving data.
    • To check on the status, select the downward arrow for your device in the first column and choose View details.
    • Polling will happen first; data will be received after that. You must refresh the page to see updates.
    • If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.
    • To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.

Troubleshooting

If your device is not healthy, edit the security device and:

  • Make sure you entered the Application (client) ID and Directory (tenant) ID correctly, and that you put the correct value in the correct field.
  • Make sure you entered the client secret Value and not the Secret ID into the security device.
  • If neither of the above works, validate the permissions of the Entra ID app and that the app was given access to the appropriate resources.
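One way to validate the app registration from Step 2 before (or while) troubleshooting the device: request an app-only token with the client credentials flow and inspect its roles claim, which lists the application permissions the tenant has actually consented to. This is an added example, not Expel's or Microsoft's code; the mapping of each Graph endpoint from Scope and Limitations to the permission it needs is taken from the Microsoft Graph permission reference and is an assumption of this example, and the token used in the test is a constructed, unsigned stand-in for the real one.

```python
import base64
import json
from urllib.parse import urlencode

# Application permissions the guide tells you to add in Step 2.
REQUIRED_ROLES = {"SecurityAlert.Read.All", "SecurityEvents.Read.All",
                  "ThreatHunting.Read.All", "SecurityIncident.Read.All"}

# Graph endpoint from Scope and Limitations -> permission it relies on (assumed from Graph docs).
ENDPOINT_ROLES = {
    "/security/alerts_v2": {"SecurityAlert.Read.All"},
    "/security/incidents": {"SecurityIncident.Read.All"},
    "/security/runHuntingQuery": {"ThreatHunting.Read.All"},
}


def token_request(tenant_id, client_id, client_secret):
    """URL and form body for the OAuth 2.0 client-credentials grant on the Entra v2.0 endpoint.
    POST the body to the URL (e.g. with requests) and read 'access_token' from the JSON reply."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,          # Application (client) ID from Step 2
        "client_secret": client_secret,  # the secret Value, not the Secret ID
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def token_roles(access_token):
    """'roles' claim of an app-only Graph token. Local inspection only: no signature check."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("roles", []))


def missing_roles(access_token):
    """Permissions from Step 2 that are absent from the token (not added, or admin consent not granted)."""
    return REQUIRED_ROLES - token_roles(access_token)


def blocked_endpoints(access_token):
    """Endpoints from Scope and Limitations the token cannot call, in the guide's order."""
    roles = token_roles(access_token)
    return [ep for ep, need in ENDPOINT_ROLES.items() if not need <= roles]


def fake_token(roles):
    """CONSTRUCTED unsigned JWT for offline testing; real tokens come from token_request()."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"aud": "https://graph.microsoft.com",
                                                "roles": sorted(roles)}), ""])
```

If missing_roles() is non-empty for a real token, revisit steps 14 to 17 of Step 2 (the permission list and Grant admin consent) rather than the Workbench fields.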