Integrate Microsoft Graph with Red Canary
- Updated on 07 Oct 2025
The Microsoft Graph integration allows Red Canary to ingest security alert data from multiple Microsoft security sources. The integration uses the Microsoft Graph Security API endpoint to collect and process aggregated alert data from the following services:
Microsoft Defender for Cloud Apps
Microsoft Defender for Endpoint
Microsoft Defender for Identity
Microsoft Defender for Office 365
Microsoft Defender XDR
Microsoft Entra ID Protection
Once you activate the integration, you can view alerts and manage how data is ingested, all from one place. Follow the steps below to get started.
Prerequisites
Before you start the Microsoft Graph integration, please make sure the following requirements are met:
You have one of the following subscription packages:
MDR Complete (Cloud)
MDR Complete (Endpoint)
MDR Complete (Identity)
MDR Enterprise (Cloud)
MDR Enterprise (Endpoint)
MDR Enterprise (Identity)
You’re a Global Admin user
To successfully ingest data from Microsoft services, Red Canary requires certain license types and permissions. If you need to learn more about these requirements, see the following pages:
1 Red Canary | Add the Integration
Note: In the steps below, “v2” is a Red Canary reference, distinguishing our newer integration from a legacy version. It is not a reference to any Microsoft product versioning.
From your Red Canary homepage, go to the Integrations page, then click Add Integration.
On the Add integration dialog, search for Microsoft Graph, then click Configure.
On the Add Integration page, enter a name for the integration.
2 Red Canary | Choose How Red Canary Will Receive Data
In the Choose how Red Canary will receive this data section, select Microsoft Graph V2 via API Poll from the Ingest Format / Method dropdown.
Click Next.
3 Red Canary | Configure Red Canary to Retrieve Data
In the Configure Red Canary to retrieve data from this integration section:
In the Acknowledge integrations section, uncheck any Microsoft sources from which you don’t want to ingest data.
In the Microsoft Tenant ID field, enter your tenant ID.
In the Permissions section, click this consent link, which opens a permissions requested screen.
Click Accept to approve the permissions. Learn more about Microsoft Graph API permissions.
Note
Only Global Administrators can approve admin consent requests.
Return to Red Canary and check the Confirm Microsoft Graph v2 API Access Granted box.
Click Next.
4 Red Canary | Customize How Data is Handled
(Optional) In the Customize how data from this integration is handled section, you can enable Process Correlation if appropriate.
What is Process Correlation?
If a third-party alert platform lets you create your own rules to trigger alerts, Red Canary can correlate with the rule metadata when it displays the alerts in the timeline. To conserve API bandwidth and compute cycles, process correlation for user-defined alerts is disabled by default.
(Optional) In the Actions in the Source Platform section, you can disable or enable alert actions to control how Red Canary engages with alerts.
The table below describes the outcome of each setting when it is enabled.
| Setting | Default State | Outcome |
| --- | --- | --- |
| As Red Canary validates the alert | Enabled | When enabled, Red Canary adds comments to the alert in Microsoft Graph v2 notifying users of the current investigation status as the alert is investigated and resolved. |
| When Red Canary validates the alert as non-threatening | Enabled | When enabled, Red Canary resolves the alert in Microsoft Graph as |
| When Red Canary validates the alert as suspicious | Disabled | When enabled, Red Canary resolves the alert in Microsoft Graph as |
| When Red Canary publishes a threat involving the alert | Enabled | When enabled, Red Canary resolves the alert in Microsoft Graph as |
5 Red Canary | Activate the Integration
After you’ve completed the configuration, click Save to activate the integration.
The integration is now live!
You should see Microsoft security alerts start appearing in Red Canary within one hour.
For more information on how to trigger a test for the integration after it's been configured, see Run a detection test on a newly onboarded Microsoft Defender for Endpoint device.
Once the integration is activated, you’ll see the alert sources you selected during setup. The "parent" integration (Graph) gathers and processes alerts from all sources, automatically assigning each one to its original Microsoft service, like Defender for Endpoint or Defender for Office 365. This is why each service appears as a distinct "child" alert source. From the Integrations page, you can view these "child" sources and their data, while all configuration happens at the "parent" level.
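A practical check before expecting alerts in Red Canary is to confirm that the Graph Security API is actually returning alerts for the sources you left checked, and to see which "child" source each alert would land in. The script below is an added example, not Red Canary's integration code. It assumes you register your own app in Entra ID with the application permission SecurityAlert.Read.All (admin consented) and supply its tenant ID, client ID and secret via environment variables; the serviceSource enum names are the ones Microsoft documents for the alerts_v2 resource, and the mapping to Red Canary child source names is assumed. The sample alert list is constructed, not real API output.

```python
"""Sanity check for the Microsoft Graph Security API feed that a polling
integration such as Red Canary's consumes.

Assumptions (not from the Red Canary page): your own app registration with
application permission SecurityAlert.Read.All, granted by admin consent,
with TENANT_ID / CLIENT_ID / CLIENT_SECRET set in the environment.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
from collections import Counter
from datetime import datetime, timedelta, timezone

GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts_v2"

# serviceSource values of the alerts_v2 resource, mapped to the Microsoft
# services listed as child sources. Assumption: verify the enum names against
# Microsoft's alert resource reference if a source shows up as "unmapped".
SERVICE_SOURCES = {
    "microsoftDefenderForCloudApps": "Microsoft Defender for Cloud Apps",
    "microsoftDefenderForEndpoint": "Microsoft Defender for Endpoint",
    "microsoftDefenderForIdentity": "Microsoft Defender for Identity",
    "microsoftDefenderForOffice365": "Microsoft Defender for Office 365",
    "microsoft365Defender": "Microsoft Defender XDR",
    "azureAdIdentityProtection": "Microsoft Entra ID Protection",
}
KNOWN_SOURCES = frozenset(SERVICE_SOURCES.values())


def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token for Graph: the same app-only OAuth flow a
    polling integration uses, with no interactive user sign-in."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    with urllib.request.urlopen(url, data=body, timeout=30) as resp:
        return json.load(resp)["access_token"]


def fetch_recent_alerts(token, hours=24):
    """Page through alerts created in the last `hours`, following
    @odata.nextLink so a busy tenant is not silently truncated."""
    since = datetime.now(timezone.utc) - timedelta(hours=hours)
    url = GRAPH_ALERTS_URL + "?" + urllib.parse.urlencode({
        "$filter": f"createdDateTime ge {since:%Y-%m-%dT%H:%M:%SZ}",
        "$top": "100",
    })
    alerts = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        alerts.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return alerts


def summarize_by_source(alerts, enabled_sources=KNOWN_SOURCES):
    """Count alerts per originating service.

    `enabled_sources` mirrors the boxes left checked during setup: alerts from
    a known but unchecked source are flagged 'not ingested', and alerts whose
    serviceSource is not in the mapping are flagged 'unmapped'.
    """
    counts = Counter()
    for alert in alerts:
        raw = alert.get("serviceSource", "unknown")
        name = SERVICE_SOURCES.get(raw)
        if name is None:
            name = f"unmapped:{raw}"
        elif name not in enabled_sources:
            name = f"not ingested:{name}"
        counts[name] += 1
    return dict(counts)


# Constructed sample, shaped like alerts_v2 "value" entries (not real data).
SAMPLE_ALERTS = [
    {"id": "alert-1", "title": "Suspicious PowerShell", "severity": "high",
     "serviceSource": "microsoftDefenderForEndpoint"},
    {"id": "alert-2", "title": "Credential dumping", "severity": "medium",
     "serviceSource": "microsoftDefenderForEndpoint"},
    {"id": "alert-3", "title": "Phish ZAP", "severity": "informational",
     "serviceSource": "microsoftDefenderForOffice365"},
    {"id": "alert-4", "title": "Anonymous IP sign-in", "severity": "medium",
     "serviceSource": "azureAdIdentityProtection"},
    {"id": "alert-5", "title": "Custom analytics rule", "severity": "low",
     "serviceSource": "microsoftSentinel"},
]

if __name__ == "__main__":
    if len(sys.argv) == 2 and sys.argv[1] == "--sample":
        alerts = SAMPLE_ALERTS  # offline dry run
    else:
        token = get_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"],
                          os.environ["CLIENT_SECRET"])
        alerts = fetch_recent_alerts(token)
    for source, n in sorted(summarize_by_source(alerts).items()):
        print(f"{n:5d}  {source}")
```

Run it with `--sample` to see the grouping offline, or with the three environment variables set to query your tenant. If a service shows alerts here but nothing reaches Red Canary after the one-hour window, the first things to check are that the source is still ticked on the Graph integration and that the admin consent was accepted in the same tenant whose ID you entered.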
Note
If you want to remove the integration, we recommend deactivating rather than deleting it to retain its historical data.
If you want to remove a specific data source, such as Defender for Endpoint, go to the Graph integration, uncheck the source, and click Save. This will deactivate further data ingestion but will preserve historical data.