Configure MS Office 365 and Azure AD to connect to ActZero

Estimated Time to Complete: 15 minutes

Contact us to learn more about adding Managed Detection & Response (MDR) services to your cloud endpoints.

To enable the ActZero team to monitor your MS O365 and Azure AD endpoints, you need to complete a few steps to configure a connection from your cloud environment to ActZero. Use the instructions below to set up a connection. You must have MS Azure Global Administrator privileges to complete the steps below.

As you go, be sure to collect the following pieces of information to securely share with ActZero:

  • Tenant ID

Configure

  1. Log in to your Microsoft account. You must have MS Azure Global Administrator privileges to complete the following steps.
  2. Follow Microsoft’s instructions to turn on audit log search. Note that you may already have this setting turned on.
  3. Access the following link to approve ActZero O365 MDR as an authorized application: Approve ActZero O365 MDR
  4. When the Pick an account window appears, select your user account, the one with Global Administrator privileges.
  5. When the Permissions requested window appears, click Accept to allow the ActZero O365 MDR application to access your MS Office 365 environment.
  6. The system automatically redirects you to the ActZero customer portal; in the URL, take note of the tenant ID and copy it to a temporary place in your local environment. The tenant ID looks something like this: XXXXXXXX-XXXX-MXXX-NXXX-XXXXX. Alternatively, follow Microsoft’s instructions to find your tenant ID using the Azure portal, or simply navigate to https://login.microsoftonline.com/yourdomain.com/.well-known/openid-configuration to display the tenant ID.
  7. Send the tenant ID you collected to an ActZero Threat Hunter to complete the setup.
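
The discovery-document lookup from step 6, as an added example that is not part of the ActZero documentation: it extracts the tenant ID from the OpenID configuration response and rejects a response whose fields disagree. The sample response and its GUID are constructed and the function names are hypothetical; it assumes the tenant GUID appears in the `issuer`, `authorization_endpoint` and `token_endpoint` URLs.

```python
import json
import re
import uuid
from urllib.request import urlopen

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
DISCOVERY_URL = "https://login.microsoftonline.com/{domain}/.well-known/openid-configuration"
# Fields of the discovery document whose URLs are assumed to embed the tenant ID.
TENANT_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint")

# Constructed sample response (trimmed); the GUID is made up for illustration.
SAMPLE_DOC = json.dumps({
    "token_endpoint": "https://login.microsoftonline.com/0F1E2D3C-4b5a-4978-8695-a4b3c2d1e0f9/oauth2/token",
    "issuer": "https://sts.windows.net/0f1e2d3c-4b5a-4978-8695-a4b3c2d1e0f9/",
    "authorization_endpoint": "https://login.microsoftonline.com/0f1e2d3c-4b5a-4978-8695-a4b3c2d1e0f9/oauth2/authorize",
})


def tenant_id_from_discovery(doc_text):
    """Return the tenant ID (canonical lower-case GUID) found in the document.

    Raises ValueError if no field carries a GUID or if the fields disagree,
    which would indicate a truncated or altered response.
    """
    doc = json.loads(doc_text)
    found = set()
    for field in TENANT_FIELDS:
        match = GUID_RE.search(doc.get(field, ""))
        if match:
            found.add(str(uuid.UUID(match.group(0))))  # normalises case
    if len(found) != 1:
        raise ValueError(f"expected exactly one tenant ID, found {sorted(found)}")
    return found.pop()


def fetch_tenant_id(domain):
    """Fetch the discovery document for `domain` over HTTPS and extract the ID."""
    if not re.fullmatch(r"[A-Za-z0-9.-]+", domain):
        raise ValueError("domain contains unexpected characters")
    with urlopen(DISCOVERY_URL.format(domain=domain), timeout=10) as resp:
        return tenant_id_from_discovery(resp.read().decode("utf-8"))


if __name__ == "__main__":
    print(tenant_id_from_discovery(SAMPLE_DOC))
```

Call `fetch_tenant_id("yourdomain.com")` with your own verified domain to run the same check against the live endpoint.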

Enable Office 365 Response Actions

In order for the ActZero O365 MDR authorized application to make user and authentication changes on your behalf, it must be granted an extra Entra role.

Note that response options can be enabled ONLY if your Azure and O365 environments are hosted in the cloud. Hybrid and on-premises deployment models are currently NOT supported for this feature.

  1. Log in to the Microsoft Azure Portal with a Global Administrator account.
  2. Navigate to Microsoft Entra ID.
  3. Within Microsoft Entra ID, click on "Roles and administrators" in the left-hand sidebar navigation.

  4. On the "Roles and administrators" page, search for "Privileged Authentication Administrator" in the list of roles, then click on the search result row. (Do not click on the checkbox.)

  5. On the "Privileged Authentication Administrator" role page, click on "Add assignments".

  6. Clicking on "Add assignments" will expand a modal from the right. In the "Add assignments" modal, search for "ActZero O365 MDR".

  7. Click the checkbox for "ActZero O365 MDR" and then the Add button at the bottom of the screen.

  8. If the role assignment was successful, you will be returned to the "Privileged Authentication Administrator" assignments page, where you will see "ActZero O365 MDR" listed.
