Azure Security

Collects security and identity telemetry from Microsoft Azure via the Microsoft Graph API — Defender XDR incidents and alerts, Entra ID sign-in and directory audit logs, Identity Protection risk detections and risky users, and Microsoft Secure Score — providing visibility into cloud workload protection and identity threats.

Category: Cloud Security
Connector Name: signal-client.azure-security
Auth Method: OAuth2 (Azure AD: Client ID + Client Secret + Tenant ID)
Polling Interval: 5 min default (configurable)
Multi-Instance: Yes
Vendor Docs: Microsoft Graph Security API

Prerequisites

Vendor Requirements

Active Microsoft Azure subscription with Microsoft Defender for Cloud or Microsoft 365 Defender. Azure AD admin access required to register an application.

  • Active Azure subscription with security services enabled
  • Global Administrator or Application Administrator role in Azure AD
  • Network: Conductor can reach graph.microsoft.com and login.microsoftonline.com on port 443

Step 1: Create API Credentials

  1. Log in to the Azure Portal at https://portal.azure.com/
  2. Navigate to Azure Active Directory → App registrations → New registration
  3. Configure the application:
    • Name: WitFoo Conductor
    • Supported account types: Accounts in this organizational directory only
  4. Click Register
  5. Note the Application (client) ID and Directory (tenant) ID from the overview page
  6. Navigate to Certificates & secrets → New client secret
    • Description: WitFoo Conductor
    • Expires: 24 months (recommended)
  7. Copy the Value (client secret) — it is only shown once
  8. Navigate to API permissions → Add a permission → Microsoft Graph → Application permissions, and add the following seven application permissions (all read-only):

    Permission                 | Unlocks
    SecurityIncident.Read.All  | Defender incidents
    SecurityAlert.Read.All     | Defender alerts (v2)
    AuditLog.Read.All          | Entra ID sign-in and directory audit logs
    IdentityRiskEvent.Read.All | Identity Protection risk detections
    IdentityRiskyUser.Read.All | Identity Protection risky users
    SecurityEvents.Read.All    | Microsoft Secure Score
    SignInIdentifier.Read.All  | User Identifiers
  9. Click Grant admin consent for your tenant and confirm every row shows Granted. Application permissions require admin consent, and any later change requires re-consent.
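A way to confirm Step 1 before moving on, as an added example (not part of the WitFoo documentation): build the OAuth2 client-credentials token request for the app registered above and compare the `roles` claim of the returned access token against the seven permissions, which is a common troubleshooting check rather than the connector's own logic. The tenant, client and secret values and the sample token are constructed placeholders.

```python
# Added example, not the connector's code: client-credentials token request for
# the app registered above, plus a check of the token's `roles` claim against the
# seven required permissions. Tenant/client values and the token are constructed.
import base64, json
from urllib.parse import urlencode

REQUIRED_ROLES = {"SecurityIncident.Read.All", "SecurityAlert.Read.All",
                  "AuditLog.Read.All", "IdentityRiskEvent.Read.All",
                  "IdentityRiskyUser.Read.All", "SecurityEvents.Read.All",
                  "SignInIdentifier.Read.All"}

def token_request(tenant_id, client_id, client_secret):
    """URL and form body for the OAuth2 client-credentials grant (v2.0 endpoint)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret,
                      "scope": "https://graph.microsoft.com/.default"})
    return url, body

def jwt_claims(token):
    """Decode only the payload segment (no signature check; Graph validates it)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_roles(token):
    """Required roles absent from the token mean the permission was not added or
    admin consent was not (re-)granted; those checks will return 403."""
    return sorted(REQUIRED_ROLES - set(jwt_claims(token).get("roles", [])))

# Constructed sample token (header.payload.signature) whose payload carries only
# five of the seven roles: the two IdentityRisk* permissions are not consented.
def _fake_token(roles):
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return ".".join([seg({"alg": "RS256"}),
                     seg({"aud": "https://graph.microsoft.com", "roles": roles}), "sig"])

SAMPLE_TOKEN = _fake_token(["SecurityIncident.Read.All", "SecurityAlert.Read.All",
                            "AuditLog.Read.All", "SecurityEvents.Read.All",
                            "SignInIdentifier.Read.All"])

if __name__ == "__main__":
    url, body = token_request("<tenant-id>", "<client-id>", "<client-secret>")
    print("POST", url)
    print("missing roles:", missing_roles(SAMPLE_TOKEN))
```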

Store Credentials Securely

The client secret grants access to your Azure security data. Store it securely and do not share it in tickets or email.

Step 2: Configure in Conductor

  1. Open the Conductor UI at https://<conductor-ip>/admin/settings/integrations
  2. From the Add Integration dropdown, select Azure Security
  3. Enter a unique name for this instance (e.g., "Azure Production Tenant")
  4. Fill in the settings form:

    Field         | Value                | Description
    Tenant ID     | <your-tenant-id>     | Azure AD directory (tenant) ID
    Client ID     | <your-client-id>     | Application (client) ID from app registration
    Client Secret | <your-client-secret> | Secret value from step 1
  5. Set the Polling Interval (recommended: 5 minutes for alerts)
  6. Toggle Enabled to on
  7. Click Save

Step 3: Validate Data Flow

After saving, verify the integration is working:

  1. Check connection status — The integration tile should show a green status indicator within 1–2 polling cycles
  2. Check Signal Client logs:

    docker logs signal-client-svc --tail=50 | grep "azure"

    Look for successful poll messages:

    [INFO] azure-security: fetched <N> events


  3. Check artifacts in Analytics — Navigate to the WitFoo Analytics Signals → Search page and search for artifacts from this source

First Poll Timing

The first data pull occurs within the configured polling interval after saving. For a 5-minute interval, expect data within 5 minutes.

Data Collection Details

Each polling cycle, the connector pulls eight Microsoft Graph v1.0 endpoints. Every endpoint is collected independently: if your tenant is not licensed or permissioned for one, only that endpoint is skipped (and reported as unavailable) — the rest keep flowing.

Check            | Graph endpoint                      | Data                                | Required permission        | License
Incidents        | /security/incidents                 | Correlated Defender XDR incidents   | SecurityIncident.Read.All  | Microsoft Defender XDR
Alerts (v2)      | /security/alerts_v2                 | Defender alerts with typed evidence | SecurityAlert.Read.All     | A Microsoft Defender product
Sign-in logs     | /auditLogs/signIns                  | Entra ID interactive sign-ins       | AuditLog.Read.All          | Entra ID P1 or P2
Directory audits | /auditLogs/directoryAudits          | Entra ID directory change audit     | AuditLog.Read.All          | Entra ID (any; P1/P2 for 30-day retention)
Risk detections  | /identityProtection/riskDetections  | Identity Protection risk events     | IdentityRiskEvent.Read.All | Entra ID P2
Risky users      | /identityProtection/riskyUsers      | Identity Protection risky users     | IdentityRiskyUser.Read.All | Entra ID P2
Secure Score     | /security/secureScores              | Microsoft Secure Score posture      | SecurityEvents.Read.All    | Microsoft 365 / Defender
User Identifiers | /users                              | Identifier-related fields           | SignInIdentifier.Read.All  | Entra ID (any) / Microsoft 365 E5

V2 Alert Evidence Types

The v2 alerts endpoint (/security/alerts_v2) returns structured evidence objects. The connector processes these typed evidence payloads:

Evidence Type | Description
Mailbox       | Compromised or targeted mailbox details
Message       | Email message artifacts (subject, sender, recipients)
URL           | Suspicious or malicious URL indicators
MailCluster   | Grouped email cluster analysis data

Pagination is handled automatically via @odata.nextLink response links.

Rate Limiting Behavior

When it throttles a caller, the Microsoft Graph API returns HTTP 429 with a Retry-After header. The connector implements a 10-minute cooldown with context-aware retry on 429 responses. An HTTP 403 on one check is logged as a permission warning and does not block collection of the other checks.
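The collection loop described in this section and the two preceding ones (eight independent checks, @odata.nextLink pagination, Retry-After on 429, and a 403 that skips only the affected check), as an added example that is not the connector's own code. The `transport(url) -> (status, headers, json)` callable is an assumed injection point so the logic runs offline against a constructed set of responses.

```python
# Added example, not the connector's code: one poll over the eight Graph checks with
# nextLink pagination, Retry-After on 429, per-check 403. `transport` is an assumed injectable.
import time

GRAPH = "https://graph.microsoft.com/v1.0"
CHECKS = ["/security/incidents", "/security/alerts_v2", "/auditLogs/signIns",
          "/auditLogs/directoryAudits", "/identityProtection/riskDetections",
          "/identityProtection/riskyUsers", "/security/secureScores", "/users"]

def fetch_all(url, transport, sleep=time.sleep, max_retries=3):
    # Returns (events, status); status is 'ok', 'unavailable' (403) or 'throttled'.
    events, retries = [], 0
    while url:
        status, headers, body = transport(url)
        if status == 429:  # throttled: wait the hinted seconds, then retry
            retries += 1
            if retries > max_retries:
                return events, "throttled"
            sleep(int(headers.get("Retry-After", "60")))
            continue
        if status == 403:  # permission/license gate: skip only this check
            return events, "unavailable"
        if status != 200:
            raise RuntimeError(f"{url}: HTTP {status}")
        events.extend(body.get("value", []))
        url = body.get("@odata.nextLink")  # absent on the last page
    return events, "ok"

def poll_cycle(transport, sleep=time.sleep):
    """Run every check independently so one gated check never blocks the rest."""
    return {path: fetch_all(GRAPH + path, transport, sleep) for path in CHECKS}

# Constructed offline transport: two pages of incidents, one 429 then success
# on alerts_v2, 403 on riskDetections (tenant without Entra ID P2), else empty.
_PAGE2 = GRAPH + "/security/incidents?$skiptoken=p2"
_FAKE = {GRAPH + "/security/incidents": (200, {}, {"value": [{"id": "inc-1"}],
                                                    "@odata.nextLink": _PAGE2}),
         _PAGE2: (200, {}, {"value": [{"id": "inc-2"}]}),
         GRAPH + "/identityProtection/riskDetections": (403, {}, {})}
_throttle_once = [True]

def fake_transport(url):
    if url.endswith("/security/alerts_v2") and _throttle_once:
        _throttle_once.clear()
        return 429, {"Retry-After": "1"}, {}
    return _FAKE.get(url, (200, {}, {"value": []}))
if __name__ == "__main__":
    for path, (events, status) in poll_cycle(fake_transport, lambda s: None).items():
        print(f"{path}: {status}, {len(events)} events")
```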

Required API Permissions

Grant these seven Microsoft Graph application permissions (admin-consented) for full coverage of all eight checks. *.Read.All is read-only and least-privilege, so the *.ReadWrite.All variants are never required.

Permission                 | Type        | Unlocks
SecurityIncident.Read.All  | Application | Incidents
SecurityAlert.Read.All     | Application | Alerts (v2)
AuditLog.Read.All          | Application | Sign-in logs and directory audits
IdentityRiskEvent.Read.All | Application | Risk detections
IdentityRiskyUser.Read.All | Application | Risky users
SecurityEvents.Read.All    | Application | Secure Score
SignInIdentifier.Read.All  | Application | User Identifiers

All seven require admin consent, and Microsoft does not apply a permission change until an administrator re-consents.

License-gated checks are expected, not errors

Some checks require a specific Microsoft license. Without Entra ID P2, Risk detections and Risky users are unavailable; without P1, Sign-in logs; without a Defender product, Incidents and Alerts. The connector keeps every licensed and permissioned check flowing and reports the rest as unavailable with the reason — add the matching license and confirm the permission is consented to enable a gated check.

Troubleshooting

Authentication Failed (401)

  • Verify the Tenant ID, Client ID, and Client Secret are correct
  • Ensure the client secret has not expired
  • Check that the app registration exists in the correct Azure AD tenant

Forbidden (403) on one or more checks

  • A 403 affects only the specific check whose permission or license is missing — the other checks keep collecting.
  • Confirm the matching application permission from the table above is added and that admin consent has been (re-)granted — a permission added without re-consent still returns 403.
  • If the permission is consented, confirm the tenant holds the required license for that check (Entra ID P1/P2, or a Defender product).

Rate Limited (429)

  • Microsoft Graph API has per-app and per-tenant throttling limits
  • Increase the Polling Interval to 10 minutes if rate limiting occurs
  • Conductor automatically implements exponential backoff on 429 responses

No Data Appearing

  • Confirm the integration shows Enabled in the Conductor UI
  • Check Signal Client logs for errors: docker logs signal-client-svc --tail=100
  • Verify network connectivity: curl -I https://graph.microsoft.com
  • Confirm security alerts exist in the Azure Security Center for the polling time window
  • Ensure Microsoft Defender for Cloud or another security service is generating alerts

See also: Integration Catalog · Integration Management · Signal Client · Common Troubleshooting