deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-17 15:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #3344 from MicrosoftDocs/delegated

Browse Source 
Delegated access
This commit is contained in:
Tina Burden 2020-07-24 09:41:54 -07:00 committed by GitHub
commit ce6dc49bf4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 448 additions and 249 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
windows/security/threat-protection/TOC.md
View File

@ -601,6 +601,7 @@
##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md)
##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
##### [Fetch alerts from customer tenant](microsoft-defender-atp/fetch-alerts-mssp.md)
##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
#### [Partners & APIs]()
@ -615,7 +616,12 @@
###### [Using device groups](microsoft-defender-atp/machine-groups.md)
###### [Create and manage device tags](microsoft-defender-atp/machine-tags.md)
#### [Configure managed security service provider (MSSP) integration](microsoft-defender-atp/configure-mssp-support.md)
#### [Managed security service provider (MSSP) integration]()
##### [Configure managed security service provider integration](microsoft-defender-atp/configure-mssp-support.md)
##### [Grant MSSP access to the portal](microsoft-defender-atp/grant-mssp-access.md)
##### [Access the MSSP customer portal](microsoft-defender-atp/access-mssp-portal.md)
##### [Configure alert notifications](microsoft-defender-atp/configure-mssp-notifications.md)
##### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md)
### [Partner integration scenarios]()
#### [Technical partner opportunities](microsoft-defender-atp/partner-integration.md)

56
windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md Normal file
View File

@ -0,0 +1,56 @@
---
title: Access the Microsoft Defender Security Center MSSP customer portal
description: Access the Microsoft Defender Security Center MSSP customer portal
keywords: managed security service provider, mssp, configure, integration
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Access the Microsoft Defender Security Center MSSP customer portal
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
>[!NOTE]
>These set of steps are directed towards the MSSP.
By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal.
In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage.
Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific URL:
1. As an MSSP, login to Azure AD with your credentials.
2. Switch directory to the MSSP customer's tenant.
3. Select **Azure Active Directory > Properties**. You'll find the tenant ID in the Directory ID field.
4. Access the MSSP customer portal by replacing the `customer_tenant_id` value in the following URL: `https://securitycenter.windows.com?tid=customer_tenant_id`.
## Related topics
- [Grant MSSP access to the portal](grant-mssp-access.md)
- [Configure alert notifications](configure-mssp-notifications.md)
- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)

46
windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md Normal file
View File

@ -0,0 +1,46 @@
---
title: Configure alert notifications that are sent to MSSPs
description: Configure alert notifications that are sent to MSSPs
keywords: managed security service provider, mssp, configure, integration
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Configure alert notifications that are sent to MSSPs
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
>[!NOTE]
>This step can be done by either the MSSP customer or MSSP. MSSPs must be granted the appropriate permissions to configure this on behalf of the MSSP customer.
After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.
For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications).
These check boxes must be checked:
- **Include organization name** - The customer name will be added to email notifications
- **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal
## Related topics
- [Grant MSSP access to the portal](grant-mssp-access.md)
- [Access the MSSP customer portal](access-mssp-portal.md)
- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)

249
windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
View File

@ -1,8 +1,6 @@
---
title: Configure managed security service provider support
description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP
keywords: managed security service provider, mssp, configure, integration
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -17,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 09/03/2018
---
# Configure managed security service provider integration
@ -67,249 +64,11 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools.
This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
## Grant the MSSP access to the portal
>[!NOTE]
> These set of steps are directed towards the MSSP customer. <br>
> Access to the portal can only be done by the MSSP customer.
As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Microsoft Defender Security Center.
Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality.
You'll need to take the following 2 steps:
- Add MSSP user to your tenant as a guest user
- Grant MSSP user access to Microsoft Defender Security Center
### Add MSSP user to your tenant as a guest user
Add a user who is a member of the MSSP tenant to your tenant as a guest user.
To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator).
### Grant MSSP user access to Microsoft Defender Security Center
Grant the guest user access and permissions to your Microsoft Defender Security Center tenant.
Granting access to guest user is done the same way as granting access to a user who is a member of your tenant.
If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions.md).
If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Microsoft Defender ATP, see [Manage portal access using RBAC](rbac.md).
>[!NOTE]
>There is no difference between the Member user and Guest user roles from RBAC perspective.
It is recommended that groups are created for MSSPs to make authorization access more manageable.
As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups.
## Access the Microsoft Defender Security Center MSSP customer portal
>[!NOTE]
>These set of steps are directed towards the MSSP.
By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal.
In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage.
Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific URL:
1. As an MSSP, login to Azure AD with your credentials.
2. Switch directory to the MSSP customer's tenant.
3. Select **Azure Active Directory > Properties**. You'll find the tenant ID in the Directory ID field.
4. Access the MSSP customer portal by replacing the `customer_tenant_id` value in the following URL: `https://securitycenter.windows.com?tid=customer_tenant_id`.
## Configure alert notifications that are sent to MSSPs
>[!NOTE]
>This step can be done by either the MSSP customer or MSSP. MSSPs must be granted the appropriate permissions to configure this on behalf of the MSSP customer.
After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.
For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications).
These check boxes must be checked:
- **Include organization name** - The customer name will be added to email notifications
- **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal
## Fetch alerts from MSSP customer's tenant into the SIEM system
>[!NOTE]
>This action is taken by the MSSP.
To fetch alerts into your SIEM system you'll need to take the following steps:
Step 1: Create a third-party application
Step 2: Get access and refresh tokens from your customer's tenant
Step 3: allow your application on Microsoft Defender Security Center
### Step 1: Create an application in Azure Active Directory (Azure AD)
You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant.
1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/).
2. Select **Azure Active Directory** > **App registrations**.
3. Click **New registration**.
4. Specify the following values:
- Name: \<Tenant_name\> SIEM MSSP Connector (replace Tenant_name with the tenant display name)
- Supported account types: Account in this organizational directory only
- Redirect URI: Select Web and type `https://<domain_name>/SiemMsspConnector`(replace <domain_name> with the tenant name)
5. Click **Register**. The application is displayed in the list of applications you own.
6. Select the application, then click **Overview**.
7. Copy the value from the **Application (client) ID** field to a safe place, you will need this in the next step.
8. Select **Certificate & secrets** in the new application panel.
9. Click **New client secret**.
- Description: Enter a description for the key.
- Expires: Select **In 1 year**
10. Click **Add**, copy the value of the client secret to a safe place, you will need this in the next step.
### Step 2: Get access and refresh tokens from your customer's tenant
This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow.
After providing your credentials, you'll need to grant consent to the application so that the application is provisioned in the customer's tenant.
1. Create a new folder and name it: `MsspTokensAcquisition`.
2. Download the [LoginBrowser.psm1 module](https://github.com/shawntabrizi/Microsoft-Authentication-with-PowerShell-and-MSAL/blob/master/Authorization%20Code%20Grant%20Flow/LoginBrowser.psm1) and save it in the `MsspTokensAcquisition` folder.
>[!NOTE]
>In line 30, replace `authorzationUrl` with `authorizationUrl`.
3. Create a file with the following content and save it with the name `MsspTokensAcquisition.ps1` in the folder:
```
param (
[Parameter(Mandatory=$true)][string]$clientId,
[Parameter(Mandatory=$true)][string]$secret,
[Parameter(Mandatory=$true)][string]$tenantId
)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Load our Login Browser Function
Import-Module .\LoginBrowser.psm1
# Configuration parameters
$login = "https://login.microsoftonline.com"
$redirectUri = "https://SiemMsspConnector"
$resourceId = "https://graph.windows.net"
Write-Host 'Prompt the user for his credentials, to get an authorization code'
$authorizationUrl = ("{0}/{1}/oauth2/authorize?prompt=select_account&response_type=code&client_id={2}&redirect_uri={3}&resource={4}" -f
$login, $tenantId, $clientId, $redirectUri, $resourceId)
Write-Host "authorzationUrl: $authorizationUrl"
# Fake a proper endpoint for the Redirect URI
$code = LoginBrowser $authorizationUrl $redirectUri
# Acquire token using the authorization code
$Body = @{
grant_type = 'authorization_code'
client_id = $clientId
code = $code
redirect_uri = $redirectUri
resource = $resourceId
client_secret = $secret
}
$tokenEndpoint = "$login/$tenantId/oauth2/token?"
$Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body
$token = $Response.access_token
$refreshToken= $Response.refresh_token
Write-Host " ----------------------------------- TOKEN ---------------------------------- "
Write-Host $token
Write-Host " ----------------------------------- REFRESH TOKEN ---------------------------------- "
Write-Host $refreshToken
```
4. Open an elevated PowerShell command prompt in the `MsspTokensAcquisition` folder.
5. Run the following command:
`Set-ExecutionPolicy -ExecutionPolicy Bypass`
6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId <client_id> -secret <app_key> -tenantId <customer_tenant_id>`
- Replace \<client_id\> with the **Application (client) ID** you got from the previous step.
- Replace \<app_key\> with the **Client Secret** you created from the previous step.
- Replace \<customer_tenant_id\> with your customer's **Tenant ID**.
7. You'll be asked to provide your credentials and consent. Ignore the page redirect.
8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector.
### Step 3: Allow your application on Microsoft Defender Security Center
You'll need to allow the application you created in Microsoft Defender Security Center.
You'll need to have **Manage portal system settings** permission to allow the application. Otherwise, you'll need to request your customer to allow the application for you.
1. Go to `https://securitycenter.windows.com?tid=<customer_tenant_id>` (replace \<customer_tenant_id\> with the customer's tenant ID.
2. Click **Settings** > **SIEM**.
3. Select the **MSSP** tab.
4. Enter the **Application ID** from the first step and your **Tenant ID**.
5. Click **Authorize application**.
You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md).
- In the ArcSight configuration file / Splunk Authentication Properties file – you will have to write your application key manually by settings the secret value.
- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).
## Fetch alerts from MSSP customer's tenant using APIs
For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md).
## Related topics
- [Use basic permissions to access the portal](basic-permissions.md)
- [Manage portal access using RBAC](rbac.md)
- [Pull alerts to your SIEM tools](configure-siem.md)
- [Pull alerts using REST API](pull-alerts-using-rest-api.md)
- [Grant MSSP access to the portal](grant-mssp-access.md)
- [Access the MSSP customer portal](access-mssp-portal.md)
- [Configure alert notifications](configure-mssp-notifications.md)
- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)

196
windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md Normal file
View File

@ -0,0 +1,196 @@
---
title: Fetch alerts from MSSP customer tenant
description: Learn how to fetch alerts from a customer tenant
keywords: managed security service provider, mssp, configure, integration
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Fetch alerts from MSSP customer tenant
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
>[!NOTE]
>This action is taken by the MSSP.
There are two ways you can fetch alerts:
- Using the SIEM method
- Using APIs
## Fetch alerts into your SIEM
To fetch alerts into your SIEM system you'll need to take the following steps:
Step 1: Create a third-party application
Step 2: Get access and refresh tokens from your customer's tenant
Step 3: allow your application on Microsoft Defender Security Center
### Step 1: Create an application in Azure Active Directory (Azure AD)
You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant.
1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/).
2. Select **Azure Active Directory** > **App registrations**.
3. Click **New registration**.
4. Specify the following values:
- Name: \<Tenant_name\> SIEM MSSP Connector (replace Tenant_name with the tenant display name)
- Supported account types: Account in this organizational directory only
- Redirect URI: Select Web and type `https://<domain_name>/SiemMsspConnector`(replace <domain_name> with the tenant name)
5. Click **Register**. The application is displayed in the list of applications you own.
6. Select the application, then click **Overview**.
7. Copy the value from the **Application (client) ID** field to a safe place, you will need this in the next step.
8. Select **Certificate & secrets** in the new application panel.
9. Click **New client secret**.
- Description: Enter a description for the key.
- Expires: Select **In 1 year**
10. Click **Add**, copy the value of the client secret to a safe place, you will need this in the next step.
### Step 2: Get access and refresh tokens from your customer's tenant
This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow.
After providing your credentials, you'll need to grant consent to the application so that the application is provisioned in the customer's tenant.
1. Create a new folder and name it: `MsspTokensAcquisition`.
2. Download the [LoginBrowser.psm1 module](https://github.com/shawntabrizi/Microsoft-Authentication-with-PowerShell-and-MSAL/blob/master/Authorization%20Code%20Grant%20Flow/LoginBrowser.psm1) and save it in the `MsspTokensAcquisition` folder.
>[!NOTE]
>In line 30, replace `authorzationUrl` with `authorizationUrl`.
3. Create a file with the following content and save it with the name `MsspTokensAcquisition.ps1` in the folder:
```
param (
[Parameter(Mandatory=$true)][string]$clientId,
[Parameter(Mandatory=$true)][string]$secret,
[Parameter(Mandatory=$true)][string]$tenantId
)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Load our Login Browser Function
Import-Module .\LoginBrowser.psm1
# Configuration parameters
$login = "https://login.microsoftonline.com"
$redirectUri = "https://SiemMsspConnector"
$resourceId = "https://graph.windows.net"
Write-Host 'Prompt the user for his credentials, to get an authorization code'
$authorizationUrl = ("{0}/{1}/oauth2/authorize?prompt=select_account&response_type=code&client_id={2}&redirect_uri={3}&resource={4}" -f
$login, $tenantId, $clientId, $redirectUri, $resourceId)
Write-Host "authorzationUrl: $authorizationUrl"
# Fake a proper endpoint for the Redirect URI
$code = LoginBrowser $authorizationUrl $redirectUri
# Acquire token using the authorization code
$Body = @{
grant_type = 'authorization_code'
client_id = $clientId
code = $code
redirect_uri = $redirectUri
resource = $resourceId
client_secret = $secret
}
$tokenEndpoint = "$login/$tenantId/oauth2/token?"
$Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body
$token = $Response.access_token
$refreshToken= $Response.refresh_token
Write-Host " ----------------------------------- TOKEN ---------------------------------- "
Write-Host $token
Write-Host " ----------------------------------- REFRESH TOKEN ---------------------------------- "
Write-Host $refreshToken
```
4. Open an elevated PowerShell command prompt in the `MsspTokensAcquisition` folder.
5. Run the following command:
`Set-ExecutionPolicy -ExecutionPolicy Bypass`
6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId <client_id> -secret <app_key> -tenantId <customer_tenant_id>`
- Replace \<client_id\> with the **Application (client) ID** you got from the previous step.
- Replace \<app_key\> with the **Client Secret** you created from the previous step.
- Replace \<customer_tenant_id\> with your customer's **Tenant ID**.
7. You'll be asked to provide your credentials and consent. Ignore the page redirect.
8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector.
### Step 3: Allow your application on Microsoft Defender Security Center
You'll need to allow the application you created in Microsoft Defender Security Center.
You'll need to have **Manage portal system settings** permission to allow the application. Otherwise, you'll need to request your customer to allow the application for you.
1. Go to `https://securitycenter.windows.com?tid=<customer_tenant_id>` (replace \<customer_tenant_id\> with the customer's tenant ID.
2. Click **Settings** > **SIEM**.
3. Select the **MSSP** tab.
4. Enter the **Application ID** from the first step and your **Tenant ID**.
5. Click **Authorize application**.
You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md).
- In the ArcSight configuration file / Splunk Authentication Properties file – you will have to write your application key manually by settings the secret value.
- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).
## Fetch alerts from MSSP customer's tenant using APIs
For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md).
## Related topics
- [Grant MSSP access to the portal](grant-mssp-access.md)
- [Access the MSSP customer portal](access-mssp-portal.md)
- [Configure alert notifications](configure-mssp-notifications.md)

136
windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md Normal file
View File

@ -0,0 +1,136 @@
---
title: Grant access to managed security service provider (MSSP)
description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP
keywords: managed security service provider, mssp, configure, integration
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Grant managed security service provider (MSSP) access (preview)
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
To implement a multi-tenant delegated access solution, take the following steps:
1. Enable [role-based access control](rbac.md) in Microsoft Defender ATP and connect with Active Directory (AD) groups.
2. Configure [Governance Access Packages](https://docs.microsoft.com/azure/active-directory/governance/identity-governance-overview) for access request and provisioning.
3. Manage access requests and audits in [Microsoft Myaccess](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-request-approve).
## Enable role-based access controls in Microsoft Defender ATP
1. **Create access groups for MSSP resources in Customer AAD: Groups**
These groups will be linked to the Roles you create in Microsoft Defender ATP. To do so, in the customer AD tenant, create three groups. In our example approach, we create the following groups:
- Tier 1 Analyst
- Tier 2 Analyst
- MSSP Analyst Approvers
2. Create Microsoft Defender ATP roles for appropriate access levels in Customer Microsoft Defender ATP.
To enable RBAC in the customer Microsoft Defender Security Center, access **Settings > Permissions > Roles** and "Turn on roles", from a user account with Global Administrator or Security Administrator rights.
![Image of MSSP access](images/mssp-access.png)
Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the created user groups via “Assigned user groups”.
Two possible roles:
- **Tier 1 Analysts** <br>
Perform all actions except for live response and manage security settings.
- **Tier 2 Analysts** <br>
Tier 1 capabilities with the addition to [live response](live-response.md)
For more information, see [Use role-based access control](rbac.md).
## Configure Governance Access Packages
1. **Add MSSP as Connected Organization in Customer AAD: Identity Governance**
Adding the MSSP as a connected organization will allow the MSSP to request and have accesses provisioned.
To do so, in the customer AD tenant, access Identity Governance: Connected organization. Add a new organization and search for your MSSP Analyst tenant via Tenant ID or Domain. We suggest creating a separate AD tenant for your MSSP Analysts.
2. **Create a resource catalog in Customer AAD: Identity Governance**
Resource catalogs are a logical collection of access packages, created in the customer AD tenant.
To do so, in the customer AD tenant, access Identity Governance: Catalogs, and add **New Catalog**. In our example, we will call it **MSSP Accesses**.
![Image of new catalog](images/goverance-catalog.png)
Further more information, see [Create a catalog of resources](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-catalog-create).
3. **Create access packages for MSSP resources Customer AAD: Identity Governance**
Access packages are the collection of rights and accesses that a requestor will be granted upon approval.
To do so, in the customer AD tenant, access Identity Governance: Access Packages, and add **New Access Package**. Create an access package for the MSSP approvers and each analyst tier. For example, the following Tier 1 Analyst configuration creates an access package that:
- Requires a member of the AD group **MSSP Analyst Approvers** to authorize new requests
- Has annual access reviews, where the SOC analysts can request an access extension
- Can only be requested by users in the MSSP SOC Tenant
- Access auto expires after 365 days
![Image of new access package](images/new-access-package.png)
For more information, see [Create a new access package](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-access-package-create).
4. **Provide access request link to MSSP resources from Customer AAD: Identity Governance**
The My Access portal link is used by MSSP SOC analysts to request access via the access packages created. The link is durable, meaning the same link may be used over time for new analysts. The analyst request goes into a queue for approval by the **MSSP Analyst Approvers**.
![Image of access properties](images/access-properties.png)
The link is located on the overview page of each access package.
## Manage access
1. Review and authorize access requests in Customer and/or MSSP myaccess.
Access requests are managed in the customer My Access, by members of the MSSP Analyst Approvers group.
To do so, access the customers myaccess using:
`https://myaccess.microsoft.com/@<Customer Domain >`.
Example: `https://myaccess.microsoft.com/@M365x440XXX.onmicrosoft.com#/`
2. Approve or deny requests in the **Approvals** section of the UI.
At this point, analyst access has been provisioned, and each analyst should be able to access the customers Microsoft Defender Security Center: `https://securitycenter.Microsoft.com/?tid=<CustomerTenantId>`
## Related topics
- [Access the MSSP customer portal](access-mssp-portal.md)
- [Configure alert notifications](configure-mssp-notifications.md)
- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)

BIN
windows/security/threat-protection/microsoft-defender-atp/images/access-properties.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/goverance-catalog.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/mssp-access.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/new-access-package.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 58 KiB

3
windows/security/threat-protection/microsoft-defender-atp/preview.md
View File

@ -49,9 +49,6 @@ Turn on the preview experience setting to be among the first to try upcoming fea
The following features are included in the preview release:
- [Microsoft Defender ATP for Android](microsoft-defender-atp-android.md) <br> Microsoft Defender ATP now adds support for Android. Learn how to install, configure, and use Microsoft Defender ATP for Android.
- [Create indicators for certificates](manage-indicators.md) <br> Create indicators to allow or block certificates.
- [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR> Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019. <BR> <BR> Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019.
- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) <BR> You can now see a comprehensive set of details on the vulnerabilities found in your device to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.

3
windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
View File

@ -36,6 +36,9 @@ For more information preview features, see [Preview features](https://docs.micro
> ```
## July 2020
- [Create indicators for certificates](manage-indicators.md) <br> Create indicators to allow or block certificates.
## June 2020
- [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md) <br> Microsoft Defender ATP now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender ATP for Linux.