Connect WatchGuard MDR with Microsoft 365

Applies To: WatchGuard Core MDR, WatchGuard Core MDR for Microsoft, WatchGuard Total MDR

To enable WatchGuard MDR to monitor your Microsoft 365 and Azure AD environment, you must configure a connection from your Microsoft 365 cloud environment to WatchGuard.

To connect WatchGuard MDR and your Microsoft 365 environment, complete these steps:

To complete these steps, you must have a Microsoft Azure global administrator account.

Select the Alert Response Option

Before you complete the steps to connect WatchGuard MDR and Microsoft 365, determine how you want WatchGuard MDR to respond to alerts. The steps you must follow in this topic depend on the option you select. The alert response options available to you depend on your Microsoft 365 environment.

The alert response options are:

Allow Permissions for the WatchGuard MDR for Office365 Application

The WatchGuard MDR for Office365 application sends data from your Microsoft 365 environment to WatchGuard so WatchGuard MDR can detect potential threats. You must authorize the application for your Microsoft 365 environment and accept the requested permissions.

To allow the WatchGuard MDR for Office365 application to connect to your Microsoft 365 environment:

  1. Go to Approve WatchGuard MDR for Office365 and log in to your Microsoft 365 environment with a Microsoft Azure global administrator account.
    A Permissions Requested dialog box opens.

Screen shot of Microsoft Permissions Requested dialog box

  2. Click Accept.

Enable Audit Log Search

Before WatchGuard can get access to Microsoft 365 data, you must enable unified audit logging for your Microsoft 365 organization. This setting might already be enabled.

The integration process can take between 60 and 90 minutes before data is available to WatchGuard MDR.

To enable unified audit logging, from the Microsoft Purview portal:

  1. Go to the Microsoft Purview portal at purview.microsoft.com and log in with a global administrator account.
  2. From the left navigation menu, select Solutions. Click Explore All.

Screen shot of Microsoft Purview Audit Solutions card

  3. From the Core section, select the Audit solution card.
  4. If auditing is not already enabled for your organization, from the blue banner, select Start Recording User and Admin Activity.

For more information, go to Turn Auditing On or Off in the Microsoft documentation.
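
To confirm the setting from a shell instead of the portal banner, the following added example (not part of the WatchGuard procedure) reads the audit configuration with the ExchangeOnlineManagement module and then checks that records are being written. The account name is a placeholder.

```powershell
# Added example: read-only check of unified audit logging.
# Requires the ExchangeOnlineManagement module.
# Run this in Exchange Online PowerShell. In Security & Compliance PowerShell
# the UnifiedAuditLogIngestionEnabled property always reports False.
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'   # placeholder account

$enabled = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

if (-not $enabled) {
    Write-Warning 'Unified audit logging is off. Turn it on in the Purview portal, or run:'
    Write-Warning '  Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
}
else {
    Write-Output 'Unified audit logging is enabled.'

    # Enabled does not mean populated: sample the last 24 hours to confirm
    # that records are actually being written.
    $end     = Get-Date
    $start   = $end.AddHours(-24)
    $records = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 100)

    if ($records.Count -eq 0) {
        Write-Warning 'No audit records in the last 24 hours. If auditing was just enabled, check again later.'
    }
    else {
        # Summarize which record types are present in the sample.
        $records |
            Group-Object -Property RecordType |
            Sort-Object -Property Count -Descending |
            Select-Object -Property Count, Name |
            Format-Table -AutoSize

        $newest = ($records | Sort-Object -Property CreationDate -Descending |
                   Select-Object -First 1).CreationDate
        Write-Output "Most recent sampled record: $newest"
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```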

Add a Role Assignment for Automated Response

To allow the WatchGuard MDR for Office365 authorized application to make user and authentication changes on your behalf in your Microsoft 365 environment, you must enable an additional Microsoft Entra ID role. You must complete these steps to use the Auto option for incident response.

To add a role assignment for the WatchGuard MDR for Office365 application:

  1. Go to the Microsoft Azure Portal at portal.azure.com and log in with a global administrator account.
  2. In the portal menu, select Microsoft Entra ID.
  3. In the left navigation menu, select Manage > Roles and Administrators.
    The Roles and Administrators page opens.

Screen shot of Microsoft Azure Portal menu

  4. From the Administrative Roles section, find and select the row for Privileged Authentication Administrator.
  5. On the Privileged Authentication Administrator role page, click Add Assignment.
    The Add Assignments page opens.

Screen shot of Microsoft Azure Portal menu

  6. Click No Member Selected.
  7. In the Search box, search for WatchGuard MDR for Office365.
  8. Select the WatchGuard MDR for Office365 check box. Click Select.
    If the role assignment is successful, the Privileged Authentication Administrator assignments page shows WatchGuard MDR for Office365.
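
Because this role lets the application change user authentication settings, it is worth confirming exactly what the application holds after the assignment. The following added example (not part of the WatchGuard procedure) uses the Microsoft Graph PowerShell SDK to list the directory roles and consented application permissions; it assumes the service principal's display name matches the name shown in the member picker.

```powershell
# Added example: read-only review, makes no changes to the tenant.
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory'

$appName      = 'WatchGuard MDR for Office365'   # name shown in the member picker
$expectedRole = 'Privileged Authentication Administrator'

# Assumption: the service principal's display name matches the picker entry.
$found = @(Get-MgServicePrincipal -Filter "displayName eq '$appName'")
if ($found.Count -ne 1) {
    throw "Expected exactly one service principal named '$appName', found $($found.Count)."
}
$sp = $found[0]

# Directory roles currently assigned to the application.
$assignments = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'")
$roles = foreach ($a in $assignments) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
    [pscustomobject]@{ Role = $def.DisplayName; Scope = $a.DirectoryScopeId }
}
$roles | Format-Table -AutoSize

if ($roles.Role -contains $expectedRole) {
    Write-Output "OK: '$expectedRole' is assigned to '$appName'."
}
else {
    Write-Warning "'$expectedRole' is not assigned; the alert response option defaults to On-Demand."
}

# Flag anything beyond the single role this procedure adds.
$extra = @($roles | Where-Object { $_.Role -ne $expectedRole })
if ($extra.Count -gt 0) {
    Write-Warning "Additional directory roles held: $($extra.Role -join ', ')"
}

# Application permissions granted when the consent dialog was accepted.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    Select-Object -Property ResourceDisplayName, AppRoleId, CreatedDateTime |
    Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

A scope of `/` in the output means the role applies to the whole directory.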

Add the Integration in the Managed Services Portal

To add the integration:

  1. In WatchGuard Cloud, select Monitor > Managed Services.

    The Managed Services portal opens in a new browser tab.
  2. If you are a Service Provider, select your Subscriber account from the drop-down list.
  3. In the upper-right corner of the Managed Services portal, click the gear icon.
  4. From the drop-down list, select Onboarding.
  5. From the navigation menu, select Integrations.
    The Integrations page opens.

Screen shot of MDR portal Cloud Integrations page

  6. Click Add Service > O365.
    The O365 tab opens.

Screen shot of MDR portal Office 365 integration settings

  7. If you already completed the steps in Allow Permissions for the WatchGuard MDR for Office365 Application, go to the next step. If you did not complete the steps, click the Microsoft 365 icon and follow the steps in that section.
  8. From the Content Type drop-down list, select the option for each content type you want to monitor.
  9. In the Tenant ID text box, type the tenant ID from your Microsoft account.
    The tenant ID format is: XXXXXXX-XXXX-MXXX-NXXX-XXXX. For instructions from Microsoft to find your tenant ID, go to How to Find Your Microsoft Entra Tenant ID in the Microsoft documentation.

  10. (Optional) In the Label text box, type a unique name for the integration.
  11. Click Add.
    The Incident Response Options for Your O365 Infrastructure dialog box opens.

Screen shot of Office 365 integration incident response option dialog box

  12. Select an alert response option:
    • On-Demand — WatchGuard MDR monitors your environment and recommends actions you can take to remediate the alert or investigation. If you do not set the required permissions, WatchGuard MDR cannot take an action when you click the Disable User button in the Managed Services portal Investigations page.
    • Auto — WatchGuard MDR monitors your environment and automatically takes action on your behalf for some detections. If you do not set the required permissions correctly for an Auto response, the setup completes automatically and the alert response option defaults to On-Demand. For more information about the required permissions, go to Add a Role Assignment for Automated Response.

    For more information about the alert and investigation response options, go to Select the Alert Response Option.

  13. Click Submit.

After you add the integration in the Managed Services portal, WatchGuard validates that the Microsoft Tenant ID is correct and that unified audit logging is enabled for your Microsoft 365 organization. After you configure the connection, the integration requires no additional testing.

Related Topics

About Managed Services with WatchGuard MDR