Entra ID P2 License - Grant Red Canary analysts Read-Only access to Microsoft Defender
- 09 Aug 2024
- 3 Minutes to read
- PDF
Entra ID P2 License - Grant Red Canary analysts Read-Only access to Microsoft Defender
- Updated on 09 Aug 2024
- 3 Minutes to read
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback
After you grant permissions to your Microsoft Defender for Endpoint API, you can give Red Canary read-only access to your Defender for Endpoint console using role-based access control; see Manage portal access using role-based access control in Microsoft Docs for more information. This enables your Red Canary teams, such as your threat hunting and detection engineering teams, to perform ad-hoc hunting and investigation of potential threats in your environment.
Note: This process requires an Entra AD Premium P2 license. If you have an Entra AD Premium P1 license, see P1 Azure License - Granting Red Canary analysts read-only access to Microsoft Defender.
Step 1: Prepare your Microsoft Entra group for Role-Based Access Control, and link the Red Canary active directory tenant
Navigate to https://portal.azure.com, and log in with your global administrator account.
Expand the navigation pane, and then select Entra Active Directory | Groups | New Group.
Fill in the group parameters with the following values:
Group Type: Security
Group Name: Red Canary
Group Description: Red Canary Access Group
Entra AD roles can be assigned to the group (Preview): Yes
Roles: Security Reader
Membership Type: Assigned
Owners: No owners selected
Members: No members selected
Click Create, and then click Identity Governance. (You may need to enter this in the search bar)
Under Entitlement Management, select Connected organizations, and then Add connected organization.
Fill out the form with the following values:
Basics
Name: Red Canary
Description: Red Canary Access Group
State: Configured
Directory + domain
Click Add directory + domain.
Type
redcanary.cominto the tenant ID search bar.Highlight the entry, and click Select.
Sponsors
Under Add Internal Sponsor, click Add/Remove.
Search for the name of your active directory administrator, highlight the account, and click Select.
Review the parameters, and then click Create.
Step 2: Enable Microsoft Defender XDR Unified Role-based Access (RBAC) in Microsoft Defender for Endpoint
Create a RBAC role within Defender for your endpoint, and then assign the Red Canary Entra AD security group to the role.
Navigate to https://security.microsoft.com, and log in with your global administrator account.
Select Settings | Endpoints | Roles | Create Custom Role.
Fill out the form with the following values:
Role Name: Red Canary
Description: Red Canary Access Role
Click Next.
Under Permissions, select Security Operations.
Check the following boxes:
Select custom permissions
Security data
Select custom permissions
Security data basics (read)
Raw data (Email and collaboration)
Select custom permissions
Email & collaboration metadata (read)
Click Apply.
Click Authorization and settings, then click Next.
Check the following boxes.
Select custom permissions.
Authorization
Select Read-only.
Security Settings
Select custom permissions.
Core security settings (read)
System settings
Read-only (Defender for Office, Defender for Identity)
Click Apply.
Click Next.
Click Create assignment (or +add assignment).
.png?sv=2022-11-02&spr=https&st=2024-09-20T14%3A32%3A13Z&se=2024-09-20T14%3A42%3A13Z&sr=c&sp=r&sig=2VRF95vwqVTEiG7%2B%2FjupYLpCDViJ3sCRBuwPW8soBwA%3D)
Click Next.
Add the Assignment name.
Note: The name should reflect the assignment.
Assign the users and groups.
From Data Sources ensure all the boxes are checked.
Click Add.
Click Next.
Review the content and click Submit.
.png?sv=2022-11-02&spr=https&st=2024-09-20T14%3A32%3A13Z&se=2024-09-20T14%3A42%3A13Z&sr=c&sp=r&sig=2VRF95vwqVTEiG7%2B%2FjupYLpCDViJ3sCRBuwPW8soBwA%3D)
Step 3: Configure your Microsoft Entra Identity Governance Access Packages
Navigate to https://portal.azure.com and log in with your global administrator account.
Expand the navigation pane, and then select Entra Active Directory | Identity Governance.
Under Entitlement Management, select Catalogs, and then New Catalog.
Fill out the form with the following values:
Name: Red Canary Access
Description: Red Canary MTP Service Access Catalog
Enabled: Yes
Enabled for external users: Yes
Under Entitlement Management, select Access Package, and then New Access Package.
Fill out the forms with the following values:
Basics
Name: Red Canary Access Package
Description: Red Canary Access
Catalog: Red Canary Access
Resource Roles
Select Groups and Teams | Red Canary | Member | Select.
Important: In order to select the Red Canary Group, make sure to select See all Group and Team(s) not in the Red Canary Access catalog. You must have the correct permissions to add them in this access package.
Requests
Select For users not in your directory, Specific connected organizations, and then Red Canary.
Require Approval: No
Enable new requests and assignments: Yes
Lifecycle
Access package assignments expire: Never
Users can request specific timeline*: No
Require access reviews: Yes
Starting on: [today's date]
Review frequency: Bi-annually
Duration in days: 90
Reviewers: Specific reviewers
Click Add reviewers.
Select the members of your organization responsible for IAM review procedures.
Review the parameters, and then click Create.
Select the newly created access package under Entra Portal | Active Directory | Identity Governance | Access Packages | Red Canary.
Under Properties, copy the My access portal link.
Provide the link to your Red Canary contact.
Was this article helpful?
