
Microsoft Defender for Office 365 Integration Setup

This guide walks you through integrating Microsoft Defender for Office 365 with RAD Security to ingest email threats and email activity events for unified threat detection and investigation. Defender for Office 365 protects your Microsoft 365 email against phishing, malware, and impersonation. RAD Security authenticates to Microsoft Graph using an Azure AD app registration (OAuth 2.0 client credentials) and pulls email threat detections and email activity events on a scheduled basis to correlate them with your runtime, cloud, and Kubernetes security data.
Read-only integration: RAD Security only reads data from Defender for Office 365. It never writes to, modifies, or deletes anything in your Microsoft 365 tenant.

Prerequisites

Before you begin, ensure you have:
  • A Microsoft 365 tenant with Defender for Office 365 enabled
  • Permission to register an application in Azure Active Directory (Microsoft Entra ID)
  • Permission to grant admin consent for the application’s API permissions
  • Your Directory (Tenant) ID
  • Access to a RAD Security workspace with integration permissions

Understanding Integration Components

RAD Security authenticates to Microsoft Graph using the OAuth 2.0 client-credentials grant. You register an application in Azure AD and provide its Client ID and Client Secret. RAD exchanges them for short-lived access tokens automatically.
The Directory (Tenant) ID identifies your Microsoft 365 tenant and is used in the OAuth token request. You can find it on the application’s overview page or in your Azure AD tenant properties. This field is required.
The optional Region selects the Microsoft cloud environment. Leave it at the default (global) for standard commercial tenants. Set it only if your tenant runs in a sovereign or national cloud.
RAD Security ingests Defender for Office 365 data via scheduled polling. Webhooks are not used — data arrives on RAD’s polling cadence rather than being pushed by Microsoft.

Step 1: Register an Application in Azure AD

1. Sign in to the Azure Portal

Log in to the Azure portal with an account that can register applications and grant admin consent in Microsoft Entra ID (Azure Active Directory).
2. Create an App Registration

Navigate to Microsoft Entra ID → App registrations → New registration. Give the app a name (for example, RAD Security Email), choose single-tenant, and register it.
3. Create a Client Secret

On the app, open Certificates & secrets → Client secrets → New client secret. Set an expiry and create it. This is your Client Secret.
Copy the Client Secret value immediately. Azure shows the secret value only once at creation time. Store it securely in a password manager or secrets vault.
4. Grant Microsoft Graph Permissions

Open API permissions → Add a permission → Microsoft Graph → Application permissions and add the read permissions required to read Defender for Office 365 threats and email activity (for example, the security alerts and email activity report permissions). Then select Grant admin consent for your tenant.
5. Collect Your Client ID and Tenant ID

On the app’s Overview page, copy the Application (client) ID and the Directory (tenant) ID.
Exact portal navigation, permission names, and labels vary across Azure AD / Microsoft Entra versions. See the Microsoft Graph permissions reference and the Defender for Office 365 documentation for current steps and the exact permissions to grant.

Configure in RAD Security

Navigate to your RAD Security workspace and configure the Microsoft Defender for Office 365 integration with the following parameters:

Required Parameters

| Parameter | Description |
| --- | --- |
| Client ID | Azure AD application (client) ID |
| Client Secret | Azure AD application client secret |
| Directory (Tenant) ID | Microsoft 365 directory/tenant identifier (required) |
| Region | Microsoft cloud environment — optional, defaults to global |

Verify Integration

Check Connection Status

  1. Navigate to Data Sources > Integrations > Email Security in RAD Security
  2. Locate your Microsoft Defender for Office 365 integration
  3. Verify the connection status shows as Connected
Your Defender for Office 365 integration is now configured! RAD Security will ingest email threats and email activity events on a scheduled basis.

What Data is Synced

Email threat detections — phishing, malware, impersonation — mapped to OCSF Detection Finding, stored as security findings, and correlated with runtime, cloud, and identity signals.
Email message events across your tenant, mapped to OCSF Email Activity and stored alongside RAD’s other activity feeds.

Use Cases

Threat Investigation

Investigate Defender email threats with context from RAD runtime, cloud, and identity detections.

Email Activity Monitoring

Track email activity events to understand message flow across your tenant.

Correlated Detection

Correlate email threats and activity with RAD runtime and identity signals to cut through the noise.

RADBot Prioritization

Leverage RADBot to prioritize Defender email threats by real-world impact.

Troubleshooting

Possible causes:
  • Incorrect Client ID, Client Secret, or Directory (Tenant) ID
  • The client secret expired or was deleted in Azure AD
Solution:
  • Verify the Client ID, Client Secret, and Tenant ID are copied correctly (no extra spaces)
  • Confirm the client secret is still valid under Certificates & secrets
  • Generate a new client secret in Azure AD and update it in RAD Security if needed

Possible causes:
  • Required Microsoft Graph application permissions were not added
  • Admin consent was not granted for the tenant
Solution:
  • Confirm the required read permissions are present under API permissions
  • Select Grant admin consent and re-check the permission status shows consent granted

Possible causes:
  • The selected Region does not match your tenant’s Microsoft cloud
Solution:
  • Leave Region at global for standard commercial tenants
  • Set the matching sovereign/national cloud only if your tenant runs in one, then reconnect

Possible causes:
  • No email threats or activity events in scope for the configured tenant
Solution:
  • Confirm Defender for Office 365 is generating detections in the Microsoft 365 Defender portal
  • Verify the Tenant ID matches the tenant where Defender for Office 365 is active

Security Best Practices

Use a Dedicated App Registration

Register a dedicated application for the RAD integration rather than reusing an existing one.

Least Privilege

Grant only the read permissions required for email threats and activity events.

Rotate Credentials

Set a client-secret expiry and rotate it periodically according to your security policy.

Secure Secret Storage

Store the Client Secret in a secrets vault. Never commit it to version control.
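
One way to check the Least Privilege and read-only expectations above before connecting the integration, as an added example that is not RAD Security's or Microsoft's code: it decodes the claims of an access token issued to the app registration through the client-credentials grant and reports anything other than the expected read permissions. The permission allowlist, the tenant ID and the sample token are constructed assumptions; substitute the permissions named in the current documentation.

```python
import base64
import json
import time

# ASSUMPTION: the page does not name the exact Graph application permissions;
# replace this allowlist with the ones the current documentation specifies.
EXPECTED_ROLES = {"SecurityAlert.Read.All", "Reports.Read.All"}


def decode_claims(access_token):
    """Decode the JWT payload without verifying the signature (inspection only)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(access_token, tenant_id, now=None):
    """Return a list of findings; an empty list means the token looks as intended."""
    claims = decode_claims(access_token)
    findings = []
    if claims.get("tid", "").lower() != tenant_id.lower():
        findings.append("tid does not match the configured Directory (Tenant) ID")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        findings.append("token is expired")
    roles = set(claims.get("roles", []))  # app-only tokens list permissions here
    if not roles:
        findings.append("no roles claim: permissions missing or admin consent not granted")
    for role in sorted(roles - EXPECTED_ROLES):
        kind = "write-capable" if "Write" in role else "unexpected"
        findings.append(f"{kind} permission granted: {role}")
    for role in sorted(EXPECTED_ROLES - roles):
        findings.append(f"expected permission missing: {role}")
    return findings


def make_sample_token(claims):
    """Build an unsigned, constructed token for offline demonstration."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample: an over-privileged registration in a placeholder tenant.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE = make_sample_token({"tid": SAMPLE_TENANT, "exp": 2_000_000_000,
                            "roles": ["SecurityAlert.Read.All", "Mail.ReadWrite"]})

if __name__ == "__main__":
    print("\n".join(audit_token(SAMPLE, SAMPLE_TENANT, now=1_700_000_000)))
```

Run the audit again after every permission change or secret rotation; any finding means the registration has drifted from the read-only scope this integration expects.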
