Integrate Microsoft Defender for Endpoint with Red Canary
    • 06 Oct 2025

    Article summary

    Integrating Microsoft Defender for Endpoint with Red Canary strengthens your endpoint security by combining threat detection, investigation, and response capabilities across both platforms. This guide walks you through the steps needed to connect Red Canary to your Microsoft Defender for Endpoint instance, enabling a more effective and coordinated approach to endpoint protection.

    Prerequisites

    Before you start the Microsoft Defender for Endpoint integration, please make sure the following requirements are met:

    1 Red Canary | Set up Your Red Canary Account

    When you first sign up with Red Canary, you’ll need to:

    1. Provide the name and email address with global admin privileges to your Technical Implementation Manager.

    2. Check your email for an invitation to accept access permissions. If your account doesn’t have an associated email inbox, notify your Technical Implementation Manager who will provide you with an invitation link.

      Note

      When logging in to your Red Canary portal, you should be prompted to accept certain permissions. Only Global Administrators can approve admin consent requests.

      If you do not see this permissions page on your first login, try opening this link in an incognito browser window. To learn more about permissions Red Canary requires and why we need them, see Permissions Requirements for Microsoft.

    2 Microsoft Defender Portal | Export Data to Red Canary

    After you configure your onboarding account, you can set up data export from your Defender for Endpoint instance to Red Canary’s Event Hub. This configuration instructs the Defender for Endpoint platform to send your telemetry to Red Canary.

    1. In your Microsoft Defender Portal, navigate to Settings > Microsoft Defender XDR > Streaming API.

    2. Click + Add.

    3. Name the export “Red Canary.”

    4. Click Forward events to Event Hub.

    5. Fill in the “Event Hubs” and “Event Hubs ID” fields using the credentials Red Canary has provided to you via email.

    6. Select all Event Types.

    7. Click Submit. It will take 30 minutes to four hours after the final step is completed before the data stream is established within Red Canary.

    Note: If you get a “Failed to created Streaming API Settings Request Body is invalid or missing” error, try the steps below:

    • Verify the “Event Hubs” and “Event Hubs ID” fields:

      • Check for extra spaces: Ensure that there are no leading or trailing spaces in the Event Hub Resource ID and Event Hub name fields.

      • Use a plain text editor: To be certain, copy the Resource ID and name and paste them into a plain text editor. This will remove any hidden formatting or spaces. Then, copy the cleaned text and resubmit.

    • Refresh your session:

      • Completely clear all the data you've entered in the event fields. Then, refresh the entire browser window and try entering the information again.

      • Open a new incognito or private browser window and fill out the fields again.
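    The troubleshooting note above comes down to invisible characters: a Resource ID or Event Hub name copied from an email or a rich-text page can carry trailing spaces, non-breaking spaces or zero-width characters that the portal rejects but you cannot see. The PowerShell below is an added example (not part of this article, and not Red Canary or Microsoft tooling) that reports those characters and prints the cleaned value to paste. It assumes the “Event Hubs ID” field takes an Event Hubs namespace resource ID; the two sample values are constructed placeholders, not real resources.

```powershell
# Added example, not part of the Red Canary article or of Microsoft's tooling.
# Checks the two Streaming API fields for the problems the troubleshooting
# note describes (stray whitespace, hidden characters carried over from a
# rich-text copy) before you paste them into the Defender portal.
# Assumptions: the "Event Hubs ID" field expects an Event Hubs *namespace*
# resource ID; the sample values below are constructed, not real resources.

$HiddenChars = '[\u200B\u200C\u200D\uFEFF\u00A0\u2028\u2029]'   # zero-width, BOM, NBSP, line/para separators

function Test-StreamingApiField {
    param(
        [Parameter(Mandatory)] [string] $Label,
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Value,
        [string] $Pattern = $null    # optional shape check applied to the cleaned value
    )
    $problems = @()

    if ($Value -ne $Value.Trim()) {
        $problems += "$Label has leading or trailing whitespace"
    }

    $hidden = [regex]::Matches($Value, $HiddenChars)
    if ($hidden.Count -gt 0) {
        $codes = ($hidden | ForEach-Object { 'U+{0:X4}' -f [int][char]$_.Value }) -join ', '
        $problems += "$Label contains $($hidden.Count) hidden character(s): $codes"
    }

    # Whatever survives after stripping is what you should paste into the form.
    $clean = ($Value -replace $HiddenChars, '').Trim()

    if ($Pattern -and ($clean -notmatch $Pattern)) {
        $problems += "$Label does not look like the expected value after cleanup: '$clean'"
    }

    [pscustomobject]@{
        Field    = $Label
        Clean    = $clean
        Problems = $problems
        Ok       = ($problems.Count -eq 0)
    }
}

# Shape of an Event Hubs namespace resource ID (assumption about the field; the
# GUID and names below are placeholders, not a real subscription).
$NamespaceIdPattern  = '^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/Microsoft\.EventHub/namespaces/[^/]+$'
$EventHubNamePattern = '^[A-Za-z0-9]([A-Za-z0-9._-]{0,254}[A-Za-z0-9])?$'

# Constructed inputs: the resource ID carries a trailing space, the hub name a zero-width space.
$sampleResourceId = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-redcanary/providers/Microsoft.EventHub/namespaces/ehns-redcanary '
$sampleHubName    = "redcanary$([char]0x200B)-mde"

$results = @(
    Test-StreamingApiField -Label 'Event Hubs ID' -Value $sampleResourceId -Pattern $NamespaceIdPattern
    Test-StreamingApiField -Label 'Event Hubs'    -Value $sampleHubName    -Pattern $EventHubNamePattern
)

foreach ($r in $results) {
    if ($r.Ok) {
        Write-Host "[OK]   $($r.Field)"
    } else {
        Write-Host "[FIX]  $($r.Field)"
        $r.Problems | ForEach-Object { Write-Host "       - $_" }
        Write-Host "       paste this instead: $($r.Clean)"
    }
}
```

    Run it with the values from the Red Canary email in place of the two sample strings; both constructed samples are flagged, and the `Clean` value printed for each is what the portal will accept. The shape patterns are a sanity check only: a value that fails them is worth re-checking against the email, not necessarily wrong.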

    3 Red Canary | Grant Red Canary Permissions to Defender for Endpoint API

    Grant Red Canary permissions to your Defender for Endpoint API. This enables the Red Canary platform to retrieve alerts, process endpoint metadata, and orchestrate actions on endpoints.

    1. Log in to your Microsoft account (MFA is required).

    2. Approve permissions for Red Canary API integration.

    To learn more about permissions Red Canary requires and why we need them, see Permission Requirements for Microsoft.

    4 Red Canary | Grant Red Canary Analysts Read-only Access to your Microsoft Defender Console

    Grant Red Canary read-only access to your Defender for Endpoint console using role-based access control. This enables your Red Canary teams, such as your threat hunting and detection engineering teams, to perform ad-hoc hunting and investigation of potential threats in your environment. For more information, see Manage portal access using role-based access control.

    If you have an Entra ID Premium P2 license, follow the steps below.

    1 Microsoft Entra Admin Center | Create a Red Canary Security Group

    1. Go to the Microsoft Entra Admin Center.

    2. Navigate to Entra ID > Groups > Overview > New Group.

    3. Update the following parameters:

      • Group type: “Security”

      • Group name: “Red Canary”

      • Group description: “Red Canary Access Group”

      • Roles: Security Reader

      • Membership type: Assigned

      • Microsoft Entra roles can be assigned to the group: Yes

      • Owners: No owners selected

      • Members: No members selected

    4. Click Create.

    2 Microsoft Entra Admin Center | Add Red Canary as a Connected Organization

    1. Click Identity Governance (you may need to enter this in the search bar).

    2. Under Entitlement Management, select Connected organizations > Add connected organization.

    3. Fill out the form with the following values:

      • Basics:

        • Name: “Red Canary”

        • Description: “Red Canary Access Group”

        • State: “Configured”

      • Directory + domain

        • Click Add directory + domain.

        • Type “redcanary.com” into the tenant ID search bar.

        • Highlight the entry and click Select.

      • Sponsors

        • Under Add Internal Sponsor, click Add/Remove.

        • Search for the name of your active directory administrator, highlight the account, and click Select.

    4. Click Create.

    3 Microsoft Defender Portal | Create an RBAC Role

    Create an RBAC role within Defender for Endpoint and assign the Red Canary Entra ID security group to the role.

    1. Go to the Microsoft Defender portal.

    2. Navigate to System > Settings > Microsoft Defender XDR > Permissions and roles.

    3. Under Workloads, toggle all available workloads. At a minimum, make sure Endpoints & Vulnerability Management is enabled.

    4. Click Activate on the confirmation message.

    5. Click Go to Permissions and Roles.

    6. Under Microsoft Defender XDR, click Roles > Create custom role.

    7. Fill out the form with the following values:

      • Role Name: “Red Canary”

      • Description: “Red Canary Access Role”

    8. Click Next.

    9. Under Permissions, select Security Operations.

    10. Check the following boxes:

      • Select custom permissions

      • Security data > Select custom permissions > Security data basics (read)

      • Raw data (Email and collaboration) > Select custom permissions > Email & collaboration metadata (read)

    11. Click Apply.

    12. Click Authorization and settings, then click Next.

    13. Check the following boxes.

      • Custom permissions

      • Authorization > Read-only

      • Security Settings > Custom permissions > Core security settings (read)

      • System settings > Read-only (Defender for Office, Defender for Identity)

    14. Click Apply.

    15. Click Next.

    16. Click Create assignment (or + Add assignment).

    17. Click Next.

    18. Name the assignment “Red Canary Read Only Assignment.”

    19. In Assign the users and groups, add “Red Canary”.

    20. Under Data Sources, check all sources.

    21. Click Add > Next > Submit.

    4 Microsoft Entra Admin Center | Configure your Microsoft Entra Identity Governance Access Packages

    1. Navigate to Microsoft Entra Admin Center.

    2. Click ID Governance > Entitlement management > Catalogs > New Catalog.

    3. Fill out the form with the following values:

      • Name: Red Canary Access

      • Description: Red Canary MTP Service Access Catalog

      • Enabled: Yes

      • Enabled for external users: Yes

    4. Click Create.

    5. In the main Entra Admin Center, click ID Governance > Entitlement management > Access package > New Access Package.

    6. Fill out the forms with the following values:

      • Basics:

          • Name: Red Canary Access Package

          • Description: Red Canary Access

          • Catalog: Red Canary Access

      • Resource roles:

          • + Groups and Teams: Red Canary (Role: Member)

            In order to select the Red Canary Group, make sure to check the box See all Group and Team(s) not in the Red Canary Access catalog. If you’re unable to see the Red Canary Group, you might not have the correct permissions.

      • Requests:

          • For users not in your directory > Specific connected organizations > Red Canary

          • Require approval: No

          • Enable new requests and assignments: Yes

      • Lifecycle:

          • Access package assignments expire: Never

          • Users can request specific timeline: No

          • Require access reviews: Yes

          • Starting on: [today's date]

          • Review frequency: Bi-annually

          • Duration in days: 90

          • Reviewers: Specific reviewers

            • Click Add reviewers.

            • Select the members of your organization responsible for IAM review procedures.

    7. Click Create.

    8. On the Identity Governance overview page, click the newly created access package Red Canary.

    9. Under Properties, copy My access portal link.

    10. Provide the link to your Red Canary contact.

    If you have an Entra ID Premium P1 license, contact your Red Canary account representative to walk you through the steps below.

    (Entra Admin Center) Step 1: Create a Red Canary Security Group

    1. Go to the Microsoft Entra Admin Center.

    2. Navigate to Entra ID > Groups > Overview > New Group.

    3. Fill in the parameters with the following:

      • Group type: “Security”

      • Group name: “Red Canary”

      • Group description: “Red Canary Access Group”

      • Roles: Security Reader

      • Membership type: Assigned

      • Microsoft Entra roles can be assigned to the group: Yes

      • Owners: No owners selected

      • Members: No members selected

    4. Click Create.

    (Defender Portal) Step 2: Create an RBAC role and assign it to the Red Canary Security Group

    1. Go to the Microsoft Defender portal.

    2. Navigate to System > Permissions.

    3. Under Microsoft Defender XDR, click Roles > Create custom role.

    4. Fill out the form with the following values:

      • Role name: “Red Canary”

      • Description: “Red Canary Access Role”

    5. Click Next.

    6. Under Permissions, select Security Operations.

    7. Check the following boxes:

      • Select custom permissions

      • Security data:

        • Select custom permissions

        • Security data basics (read)

      • Raw data (Email and collaboration):

        • Select custom permissions

          • Email & collaboration metadata (read)

    8. Click Apply, then Next.

    9. Check the following boxes:

      • Select custom permissions

      • Authorization: Read-only

      • Security settings:

        • Select custom permissions

          • Core security settings (read)

      • System settings:

        • Read-only (Defender for Office, Defender for Identity)

    10. Click Apply, then Next.

    11. Click Create assignment (or + Add assignment).

    12. Click Next.

    13. Add the Assignment name.

      Note: The name should reflect the assignment.

    14. In the Assign the users and groups field, add Red Canary RCsupport.

    15. From Data Sources ensure all the boxes are checked.

    16. Click Add, then Next.

    17. Review the content and click Submit.

    (Entra Admin Center) Step 3: Add Red Canary shared user account to your Entra Security Group

    1. Go to the Microsoft Entra Admin Center.

    2. Expand the navigation pane and click Entra ID.

    3. Click Users.

    4. Click Invite User.

    5. Fill in the group parameters with the following:

      1. Identity

        • User Name: “redcanary”

        • Email Address: “svc-customer-defender-[subdomain]@redcanary.com”

          Note

          Red Canary will provide this address via email.

        • Name: “Red Canary”

        • First Name: Leave blank

        • Last Name: Leave blank

      2. Groups and Roles

        • Groups: Select the Red Canary group you just created

        • Roles: Don't select a role

      3. Settings

        • Block Login: Off

        • Usage Location: United States

      4. Job Info: Leave blank

    6. Click Create.
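    The security-relevant outcome of the group step (both the P2 path above and Step 1 of this P1 path) and of this invite step is narrow: one assigned-membership, role-assignable security group named “Red Canary”, with the shared guest as its only member, the guest enabled for sign-in and holding no directory role. The PowerShell below is an added, read-only check of that outcome using the Microsoft Graph PowerShell SDK; it is not part of this article and not Red Canary or Microsoft tooling. It assumes the group display name is “Red Canary”, that the guest’s address is the one Red Canary emailed you (the `-GuestEmail` default is a placeholder), and that the guest’s external UPN still contains `redcanary.com`.

```powershell
# Added example, not part of the Red Canary article or of Microsoft's tooling.
# Read-only check, after the portal steps above, that the "Red Canary" security
# group and the shared guest account match the least-privilege shape the guide
# describes: one plain, role-assignable, assigned-membership security group;
# the guest as its only member; the guest enabled for sign-in but holding no
# directory role. Requires the Microsoft.Graph PowerShell SDK.
# Assumptions: group display name "Red Canary"; the guest address is the one
# Red Canary sent you (placeholder below).

param(
    [string] $GroupName  = 'Red Canary',
    [string] $GuestEmail = 'svc-customer-defender-SUBDOMAIN@redcanary.com'   # placeholder, replace
)

# Read-only Graph scopes; nothing here modifies the tenant.
Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All', 'Directory.Read.All' -NoWelcome

$findings = [System.Collections.Generic.List[string]]::new()

# --- Security group ---------------------------------------------------------
$groups = @(Get-MgGroup -Filter "displayName eq '$GroupName'" `
            -Property Id, DisplayName, SecurityEnabled, MailEnabled, IsAssignableToRole, GroupTypes)
if ($groups.Count -ne 1) {
    $findings.Add("Expected exactly one group named '$GroupName', found $($groups.Count).")
}
$group   = $groups | Select-Object -First 1
$members = @()

if ($group) {
    if (-not $group.SecurityEnabled)    { $findings.Add('Group is not a security group.') }
    if ($group.MailEnabled)             { $findings.Add('Group is mail-enabled; the guide creates a plain security group.') }
    if (-not $group.IsAssignableToRole) { $findings.Add("Group is not role-assignable ('Microsoft Entra roles can be assigned to the group' should be Yes).") }
    if ($group.GroupTypes -contains 'DynamicMembership') { $findings.Add('Group uses dynamic membership; the guide expects Assigned.') }

    # Only the Red Canary guest should be a member; anything else widens who can read your Defender data.
    $members = @(Get-MgGroupMember -GroupId $group.Id -All)
    foreach ($m in $members) {
        $upn  = $m.AdditionalProperties['userPrincipalName']
        $type = $m.AdditionalProperties['userType']
        if ($type -ne 'Guest' -or $upn -notlike '*redcanary.com*') {
            $findings.Add("Unexpected group member: $upn ($type, $($m.Id))")
        }
    }
    if ($members.Count -eq 0) { $findings.Add('Group has no members; the Red Canary guest has not been added yet.') }
}

# --- Shared guest account ---------------------------------------------------
$guest = Get-MgUser -Filter "mail eq '$GuestEmail'" -Property Id, UserPrincipalName, AccountEnabled, UserType |
         Select-Object -First 1
if (-not $guest) {
    $findings.Add("No user found with mail '$GuestEmail'; check that the invitation was created and accepted.")
} else {
    if ($guest.UserType -ne 'Guest') { $findings.Add("$($guest.UserPrincipalName) is not a Guest account.") }
    if (-not $guest.AccountEnabled)  { $findings.Add("$($guest.UserPrincipalName) is blocked from sign-in (Block Login should be Off).") }

    # The guide says "Roles: Don't select a role"; any directoryRole membership contradicts that.
    $roles = @(Get-MgUserMemberOf -UserId $guest.Id -All |
               Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' })
    foreach ($r in $roles) {
        $findings.Add("$($guest.UserPrincipalName) holds directory role '$($r.AdditionalProperties['displayName'])'.")
    }
    if ($group -and -not ($members.Id -contains $guest.Id)) {
        $findings.Add("$($guest.UserPrincipalName) is not a member of '$GroupName'.")
    }
}

if ($findings.Count -eq 0) {
    Write-Host "OK: '$GroupName' and the Red Canary guest match the expected configuration."
} else {
    $findings | ForEach-Object { Write-Host "FINDING: $_" }
}
```

    Save it as a `.ps1` and run it as an account that can read groups and users; it only reads. A clean run prints one `OK` line; anything else is listed as a `FINDING` that maps back to a specific field in the steps above, which is also a useful thing to re-run after each bi-annual access review.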

    5 Microsoft Defender Portal | Add Permissions to Device/Machine Groups

    If your organization uses device groups, add permissions by completing the following steps:

    1. Go to the Microsoft Defender Portal.

    2. Navigate to Settings > Endpoints > Permissions > Device groups.

    3. Go to your device group settings and click Assigned User Groups.

    4. Select the Red Canary group you created in Step 3.

    5. Add the group to Entra ID user groups with this role, then click Save.

    IMPORTANT: Once you've added the Red Canary Group to the Device Groups, be sure to click Apply Changes.

    6 Red Canary | Integrate Microsoft Graph with Red Canary

    If you have Red Canary Complete or Enterprise subscriptions, you’ll need to set up our Microsoft Graph integration to get alerts and telemetry data to Red Canary. Follow the steps on Integrate Microsoft Graph with Red Canary.

