Entra ID P1 License - Grant Red Canary Read-Only Access to Microsoft Defender
- 09 Aug 2024
- 2 Minutes to read
- PDF
Entra ID P1 License - Grant Red Canary Read-Only Access to Microsoft Defender
- Updated on 09 Aug 2024
- 2 Minutes to read
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback
Red Canary Managed Security Service Provider (MSSP) Access Instructions for Entra ID P1 license will provide Red Canary organization Cyber Incident Response Team (CIRT) members with direct access to your Microsoft 365 Defender console.
These instructions are intended for customers who use Microsoft Entra ID P1 type licenses, which does not allow access to the Identity Governance features of Entra ID. If you have an E5/A5 license, see Integrate Microsoft Defender for Endpoint with Red Canary.
Prerequisites
Before beginning the MSSP Access process for Entra ID P1, you will need to have access to an account with a minimum of Security Administrator privileges within your Entra ID organization
Review the following articles before connecting Red Canary to your Microsoft Defender for Endpoint instance:
Step 1: Entra ID–Create a security group
Create the Entra ID security group that will contain the Red Canary shared user account.
Navigate to your Azure portal and log in with your Global or Security Administrator Microsoft account.
Expand the navigation pane and click Entra ID.
Click Groups.
Click New Group.
Fill in the group parameters with the following:
Group Type: Security
Group Name: Red Canary
Group Description: Red Canary Access Group
Azure AD roles can be assigned to the group: Yes
Roles: Security Reader.
Membership Type: Assigned
Owners: No owners selected
Members: No members selected
Click Create.
Step 2: Enable Microsoft Defender XDR Unified Role-based Access (RBAC) in Microsoft Defender for Endpoint
Create a RBAC role within Defender for your endpoint, and then assign the Red Canary Entra AD security group to the role.
Navigate to https://security.microsoft.com, and log in with your global administrator account.
Select Settings | Endpoints | Roles | Create Custom Role.
Fill out the form with the following values:
Role Name: Red Canary
Description: Red Canary Access Role
Click Next.
Under Permissions, select Security Operations.
Check the following boxes:
Select custom permissions
Security data
Select custom permissions
Security data basics (read)
Raw data (Email and collaboration)
Select custom permissions
Email & collaboration metadata (read)
Click Apply.
Click Authorization and settings, then click Next.
Check the following boxes.
Select custom permissions.
Authorization
Select Read-only.
Security Settings
Select custom permissions.
Core security settings (read)
System settings
Read-only (Defender for Office, Defender for Identity)
Click Apply.
Click Next.
Click Create assignment (or +add assignment).
.png?sv=2022-11-02&spr=https&st=2024-09-20T14%3A56%3A51Z&se=2024-09-20T15%3A06%3A51Z&sr=c&sp=r&sig=KZ0cTzQdTOcSCmdT1xs%2FSRJeR%2FPlWDepgcvlotg9ZHM%3D)
Click Next.
Add the Assignment name.
Note: The name should reflect the assignment.
Assign the users and groups.
From Data Sources ensure all the boxes are checked.
Click Add.
Click Next.
Review the content and click Submit.
.png?sv=2022-11-02&spr=https&st=2024-09-20T14%3A56%3A51Z&se=2024-09-20T15%3A06%3A51Z&sr=c&sp=r&sig=KZ0cTzQdTOcSCmdT1xs%2FSRJeR%2FPlWDepgcvlotg9ZHM%3D)
Step 3: Entra ID–Add a Red Canary shared user account
Invite the Red Canary shared user account to Azure AD, and then add the account to the Azure AD security group that was created in Step 1.
Navigate to your Azure Portal and log in with your Global or Security Administrator Microsoft account.
Expand the navigation pane and click Entra ID.
Click Users.
Click Invite User.
Fill in the group parameters with the following:
Identity
User Name: redcanary
Email Address:
Name: Red Canary
First Name: Leave blank
Last Name: Leave blank
Groups and Roles
Groups: Select the Red Canary group you just created
Roles: Don't select a role
Settings
Block Login: Off
Usage Location: United States
Job Info: Leave blank
Click Create.
Was this article helpful?
