diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index a003bd5a09..8f2cc40426 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -67,6 +67,9 @@ Enable security information and event management (SIEM) integration so you can p > [!NOTE] > You'll need to generate a new Refresh token every 90 days. +6. Follow the instructions for creating an Azure AD app registration and assigning the correct permissions to it to read alerts. + https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp + You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft Defender Security Center. ## Integrate Microsoft Defender ATP with IBM QRadar
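Review bot: The new step 6 leaves "the correct permissions" unspecified and points to the procedure with a bare, locale-pinned URL on its own line. Name the exact permission the app registration needs to read alerts, so readers grant only that and nothing broader. Turn the URL into a Markdown link with descriptive text, preferably a relative link to the exposed-apis-create-app-webapp article without the en-us segment, and make sure that line is indented under the list item so it renders as part of step 6. The unchanged paragraph that follows still says only "You'll need to use the tokens"; if the app registration from step 6 is also required when configuring the SIEM, say so there.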