Connect WatchGuard MDR with Microsoft Office 365
Applies To: WatchGuard Core MDR, WatchGuard Core MDR for Microsoft
To enable the WatchGuard SOC (security operations center) team to monitor your Microsoft Office 365 and Azure AD environment, you must configure a connection from your Microsoft cloud environment to WatchGuard.
When your Microsoft Azure and Office 365 environments are hosted in the cloud, the WatchGuard MDR for Office365 application can disable a Microsoft user account, log out all active sessions, reset a password, and reset MFA for a user.
If you operate in a hybrid (cloud-hosted and on-premises) or fully on-premises environment, the WatchGuard MDR for Office365 application can only monitor your environment. It cannot make changes.
To connect WatchGuard MDR and your Microsoft environment, complete these steps:
- Allow Permissions for the WatchGuard MDR for Office365 Application
- Enable Audit Log Search
- Add a Role Assignment for Automated Response
- Complete the Onboarding Form
To complete these steps, you must have a Microsoft Azure global administrator account.
Allow Permissions for the WatchGuard MDR for Office365 Application
The WatchGuard MDR for Office365 application sends data from your Microsoft environment to WatchGuard so the SOC can detect potential threats. You must authorize the application for your Microsoft environment and accept the requested permissions.
To allow the WatchGuard MDR for Office365 application to connect to your Microsoft Office 365 environment:
- Go to Approve WatchGuard MDR for Office365 and log in to your Microsoft environment with a Microsoft Azure global administrator account.
A Permissions Requested dialog box opens.
- Click Accept.
Enable Audit Log Search
Before WatchGuard can get access to Office 365 data, you must enable unified audit logging for your Office 365 organization. This setting might already be enabled.
The integration process can take between 60 and 90 minutes before data is available to WatchGuard MDR.
To enable unified audit logging, from the Microsoft Purview portal:
- Go to the Microsoft Purview portal at purview.microsoft.com and log in with a global administrator account.
- From the left navigation menu, select Solutions. Click Explore All.
- From the Core section, select the Audit solution card.
- If auditing is not already enabled for your organization, from the blue banner, select Start Recording User and Admin Activity.
For more information, go to Turn Auditing On or Off in the Microsoft documentation.
Add a Role Assignment for Automated Response
To allow the authorized WatchGuard MDR for Office365 application to make user and authentication changes on your behalf in your Microsoft environment, you must assign it an additional Microsoft Entra ID role.
To add a role assignment for the WatchGuard MDR for Office365 application:
- Go to the Microsoft Azure Portal at portal.azure.com and log in with a global administrator account.
- In the portal menu, select Microsoft Entra ID.
- In the left navigation menu, select Manage > Roles and Administrators.
The Roles and Administrators page opens.
- From the Administrative Roles section, find and select the row for Privileged Authentication Administrator.
- On the Privileged Authentication Administrator role page, click Add Assignment.
The Add Assignments page opens.
- Click No Member Selected.
- In the Search box, search for WatchGuard MDR for Office365.
- Select the WatchGuard MDR for Office365 check box. Click Select.
If the role assignment is successful, the Privileged Authentication Administrator assignments page shows WatchGuard MDR for Office365.
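To confirm from PowerShell what the portal steps above configured, the following read-only check is an added example, not WatchGuard or Microsoft code. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed and that the service principal's display name matches the application name shown on this page.

```powershell
# Added example: read-only post-onboarding check. Not WatchGuard or Microsoft code.
# Assumptions: ExchangeOnlineManagement and Microsoft.Graph modules are installed;
# the service principal display name matches the name used on this page.
$appName      = 'WatchGuard MDR for Office365'
$expectedRole = 'Privileged Authentication Administrator'

# 1. Unified audit logging. Query Exchange Online PowerShell specifically:
#    Security & Compliance PowerShell always reports False for this property.
Connect-ExchangeOnline -ShowBanner:$false
$auditOn = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
Disconnect-ExchangeOnline -Confirm:$false
"Unified audit log ingestion enabled: $auditOn"

# 2. Locate the consented application. More than one match can indicate a
#    look-alike app registration, so every match is reported.
Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory'
$sps = @(Get-MgServicePrincipal -Filter "displayName eq '$appName'" -All)
if ($sps.Count -eq 0) { throw "No service principal named '$appName'. Was consent granted?" }
if ($sps.Count -gt 1) { Write-Warning "$($sps.Count) service principals share this name; review each AppId." }

# 3. List every directory role held by the application and its scope.
$report = foreach ($sp in $sps) {
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" -All
    foreach ($a in $assignments) {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
        [pscustomobject]@{
            AppId    = $sp.AppId
            Role     = $def.DisplayName
            Scope    = $a.DirectoryScopeId   # '/' means tenant-wide
            Expected = ($def.DisplayName -eq $expectedRole)
        }
    }
}
$report | Format-Table -AutoSize

# 4. Flag a missing expected role and any role beyond the one this page assigns.
if (-not ($report | Where-Object Expected)) {
    Write-Warning "'$expectedRole' is not assigned; automated response actions will not work."
}
$report | Where-Object { -not $_.Expected } | ForEach-Object {
    Write-Warning "Unexpected directory role on $($_.AppId): $($_.Role) (scope $($_.Scope))"
}
Disconnect-MgGraph | Out-Null
```

Privileged Authentication Administrator can reset authentication methods for any user, administrators included, so the output of this check is worth keeping as a baseline and comparing against later runs.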
Complete the Onboarding Form
After you configure your Microsoft environment, complete the WatchGuard MDR Office 365 Onboarding Form. To complete the form, you must have this information from your Microsoft account:
- Microsoft Tenant ID — The tenant ID format is: XXXXXXX-XXXX-MXXX-NXXX-XXXX. For instructions from Microsoft to find your tenant ID, go to How to Find Your Microsoft Entra Tenant ID in the Microsoft documentation.
You also need this information:
- Customer Company Name — The company name of the customer account for this connector.
- Partner Company Name — The company name of the Partner.
- WatchGuard Partner ID — The Partner ID format is: ACC-XXXXXXX.
- Partner Contact Email Address — The Partner contact email address the deployment team can use if they have questions.
- Customer/Subscriber WatchGuard Account ID — The Account ID format is: ACC-XXXXXXX or WGC-X-XXXXXXXXXXXXXXXXXXXX.