deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-21 05:13:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #4473 from ojrb/Issue3739

Browse Source 
Update the real steps for AAD App Registration
This commit is contained in:
jcaparas
2019-07-29 10:50:49 -07:00
committed by GitHub
parent 93b5f576cb 2040f5d8d8
commit ba2d55e055
1 changed files with 75 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

123
windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
View File

@ -1,6 +1,8 @@
---
title: Configure managed security service provider support
description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP
description: Take the necessary steps to configure the MSSP integration with Windows Defender ATP
keywords: managed security service provider, mssp, configure, integration
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -21,9 +23,11 @@ ms.date: 09/03/2018
# Configure managed security service provider integration
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
[!include[Prerelease information](prerelease.md)]
@ -35,19 +39,23 @@ You'll need to take the following configuration steps to enable the managed secu
> - MSSP customers: Organizations that engage the services of MSSPs.
The integration will allow MSSPs to take the following actions:
- Get access to MSSP customer's Microsoft Defender Security Center portal
- Get access to MSSP customer's Windows Defender Security Center portal
- Get email notifications, and
- Fetch alerts through security information and event management (SIEM) tools
Before MSSPs can take these actions, the MSSP customer will need to grant access to their Microsoft Defender ATP tenant so that the MSSP can access the portal.
Before MSSPs can take these actions, the MSSP customer will need to grant access to their Windows Defender ATP tenant so that the MSSP can access the portal.
Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP.
In general, the following configuration steps need to be taken:
- **Grant the MSSP access to Microsoft Defender Security Center** <br>
This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Microsoft Defender ATP tenant.
- **Grant the MSSP access to Windows Defender Security Center** <br>
This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Windows Defender ATP tenant.
- **Configure alert notifications sent to MSSPs** <br>
This action can be taken by either the MSSP customer or MSSP. This lets the MSSPs know what alerts they need to address for the MSSP customer.
@ -61,31 +69,36 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
## Grant the MSSP access to the portal
>[!NOTE]
>[!NOTE]
> These set of steps are directed towards the MSSP customer. <br>
> Access to the portal can only be done by the MSSP customer.
As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Microsoft Defender Security Center.
As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows Defender Security Center.
Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality.
You'll need to take the following 2 steps:
- Add MSSP user to your tenant as a guest user
- Grant MSSP user access to Microsoft Defender Security Center
- Grant MSSP user access to Windows Defender Security Center
### Add MSSP user to your tenant as a guest user
Add a user who is a member of the MSSP tenant to your tenant as a guest user.
To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator).
### Grant MSSP user access to Microsoft Defender Security Center
Grant the guest user access and permissions to your Microsoft Defender Security Center tenant.
### Grant MSSP user access to Windows Defender Security Center
Grant the guest user access and permissions to your Windows Defender Security Center tenant.
Granting access to guest user is done the same way as granting access to a user who is a member of your tenant.
If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions.md).
If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md).
If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Microsoft Defender ATP, see [Manage portal access using RBAC](rbac.md).
If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Windows Defender ATP, see [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md).
>[!NOTE]
>There is no difference between the Member user and Guest user roles from RBAC perspective.
@ -94,12 +107,14 @@ It is recommended that groups are created for MSSPs to make authorization access
As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups.
## Access the Microsoft Defender Security Center MSSP customer portal
## Access the Windows Defender Security Center MSSP customer portal
>[!NOTE]
>[!NOTE]
>These set of steps are directed towards the MSSP.
By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
By default, MSSP customers access their Windows Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal.
@ -123,7 +138,9 @@ Use the following steps to obtain the MSSP customer tenant ID and then use the I
After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.
For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications).
For more information, see [Create rules for alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md#create-rules-for-alert-notifications).
These check boxes must be checked:
- **Include organization name** - The customer name will be added to email notifications
@ -141,46 +158,49 @@ To fetch alerts into your SIEM system you'll need to take the following steps:
Step 1: Create a third-party application
Step 2: Get access and refresh tokens from your customer's tenant
Step 3: Whitelist your application on Microsoft Defender Security Center
Step 3: Whitelist your application on Windows Defender Security Center
### Step 1: Create an application in Azure Active Directory (Azure AD)
You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant.
You'll need to create an application and grant it permissions to fetch alerts from your customer's Windows Defender ATP tenant.
1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/).
2. Select **Azure Active Directory** > **App registrations**.
3. Click **New application registration**.
3. Click **New registration**.
4. Specify the following values:
- Name: \<Tenant_name\> SIEM MSSP Connector (replace Tenant_name with the tenant display name)
- Application type: Web app / API
- Sign-on URL: `https://SiemMsspConnector`
- Supported account types: Account in this organizational directory only
- Redirect URI: Select Web and type `https://<domain_name>/SiemMsspConnector`(replace <domain_name> with the tenant name)
5. Click **Create**. The application is displayed in the list of applications you own.
5. Click **Register**. The application is displayed in the list of applications you own.
6. Select the application, then click **Settings** > **Properties**.
6. Select the application, then click **Overview**.
7. Copy the value from the **Application ID** field.
7. Copy the value from the **Application (client) ID** field to a safe place, you will need this in the next step.
8. Change the value in the **App ID URI** to: `https://<domain_name>/SiemMsspConnector` (replace \<domain_name\> with the tenant name.
8. Select **Certificate & secrets** in the new application panel.
9. Ensure that the **Multi-tenanted** field is set to **Yes**.
9. Click **New client secret**.
10. In the **Settings** panel, select **Reply URLs** and add the following URL: `https://localhost:44300/wdatpconnector`.
11. Click **Save**.
12. Select **Keys** and specify the following values:
- Description: Enter a description for the key.
- Expires: Select **In 1 year**
13. Click **Save**. Save the value is a safe place, you'll need this
10. Click **Add**, copy the value of the client secret to a safe place, you will need this in the next step.
### Step 2: Get access and refresh tokens from your customer's tenant
This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow.
@ -248,17 +268,20 @@ After providing your credentials, you'll need to grant consent to the applicatio
`Set-ExecutionPolicy -ExecutionPolicy Bypass`
6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId <client_id> -secret <app_key> -tenantId <customer_tenant_id>`
- Replace \<client_id\> with the Application ID you got from the previous step.
- Replace \<app_key\> with the application key you created from the previous step.
- Replace \<customer_tenant_id\> with your customer's tenant ID.
- Replace \<client_id\> with the **Application (client) ID** you got from the previous step.
- Replace \<app_key\> with the **Client Secret** you created from the previous step.
- Replace \<customer_tenant_id\> with your customer's **Tenant ID**.
7. You'll be asked to provide your credentials and consent. Ignore the page redirect.
8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector.
### Step 3: Whitelist your application on Microsoft Defender Security Center
You'll need to whitelist the application you created in Microsoft Defender Security Center.
### Step 3: Whitelist your application on Windows Defender Security Center
You'll need to whitelist the application you created in Windows Defender Security Center.
You'll need to have **Manage portal system settings** permission to whitelist the application. Otherwise, you'll need to request your customer to whitelist the application for you.
@ -272,17 +295,21 @@ You'll need to have **Manage portal system settings** permission to whitelist th
5. Click **Authorize application**.
You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md).
You can now download the relevant configuration file for your SIEM and connect to the Windows Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md).
- In the ArcSight configuration file / Splunk Authentication Properties file – you will have to write your application key manually by settings the secret value.
- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).
## Fetch alerts from MSSP customer's tenant using APIs
For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md).
For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md).
## Related topics
- [Use basic permissions to access the portal](basic-permissions.md)
- [Manage portal access using RBAC](rbac.md)
- [Pull alerts to your SIEM tools](configure-siem.md)
- [Pull alerts using REST API](pull-alerts-using-rest-api.md)
- [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md)
- [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
- [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
- [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)