Configuring the Microsoft Entra ID (Azure AD) Connector

This article explains how to configure the Microsoft Entra ID (formerly Azure AD) connector to integrate data about Entra ID sign-ins with Cato events and the Cloud Activities Dashboard.

Note

Note: Microsoft recently changed the name of Azure AD to Entra ID. All mentions of Azure AD in Cato documentation refer to Entra ID.

Overview of the Microsoft Connectors

To configure Cato's Microsoft Azure AD connector to fetch sign-in data, first you need to configure the Microsoft 365 connector as the parent app to give read permissions for the Azure AD connector. The parent app only has permissions to manage the Microsoft connectors. After configuring the Microsoft 365 connector, you can configure an Azure AD connector to retrieve the sign-in data.

If you want to import sign-in data from different sub-organizations within your organization, create a separate Microsoft 365 connector for each relevant Azure tenant, and then configure an Azure ID connector for each tenant.

Prerequisites

  • A Microsoft 365 E3 license or better, or a standalone Entra ID P1 or P2 plan is required.

  • The Microsoft 365 connector requires an admin with the global admin role to give permissions to Cato's Azure AD connector.

Required Permissions for the Microsoft Azure AD Connector

To let the Azure AD connector retrieve the sign-in data for your account, the connector gives Cato the following permissions and actions with Microsoft 365:

  • Connect to the Microsoft APIs and read all Microsoft Azure AD (Entra ID) data for an organization

  • Sign in and read user profile

Configuring the Microsoft Connectors

Configure a parent Microsoft 365 connector and then define an Azure AD connector for the Microsoft 365 account.

If your organization already configured a Microsoft 365 parent connector for another feature, such as a Saas Security API policy for Microsoft apps, or for importing MIP labels to your DLP policy, you only need to configure an Azure AD connector.

Configuring the Microsoft 365 Connector

Use the Cato Management Application to create the Microsoft 365 SaaS application connector for the relevant Azure tenant. You must have the correct credentials to authenticate to Microsoft 365 to add the connector to your Cato account.

Integrations_InstalledApps_MS365.png

To create the Microsoft 365 parent connector:

  1. From the navigation menu, click Assets > Integrations.
  2. Select the Installed SaaS Applications tab.

  3. Click New. The New Connector panel opens.

  4. In the New Connector panel, select the Microsoft 365 app.

    SaaS_Security_API_NewConnector_MS365.png
  5. Click Authorize and Save.

    A new browser tab opens to the Microsoft 365 app.

  6. In the new browser tab, authenticate to the Microsoft 365 app:

    1. Select the Microsoft account for the Microsoft 365 app.

    2. Enter the password for the app and approve it.

    3. Accept the permissions to let Cato access the Microsoft 365 app.

    4. The screen shows that you have successfully applied the permissions for the app.

      Success_Connector_Permissions.png

      You can close the browser tab and return to the Cato Management Application.

  7. The Microsoft 365 SaaS application is added to the Installed SaaS Applications page..

    Integrations_InstalledApps_MS365.png

Configuring the Microsoft Azure AD Connector

Use the Cato Management Application to create the Microsoft Azure AD application connector for the Azure tenant with the sign-in data you want to use. You must have the correct credentials to authenticate to Microsoft 365 to add the connector to your Cato account.

To configure the Microsoft Azure AD connector:

  1. From the navigation menu, click Assets > Integrations.
  2. Select the Installed SaaS Applications tab.
  3.  
  4. Click New. The New Connector window opens.

  5. From the Saas Application drop-down menu, select the Microsoft Azure AD app.

    Azure_AD_Connector.png
  6. From the Connector Tenant drop-down menu, select the parent Microsoft 365 connector for the tenant with the sign-in data you want to use.

  7. Enter a unique Connector Name for the Azure AD connector.

  8. Set Permissions to Read.

  9. Click Save.

  10. After the connector is successfully created, click Authorize.

    MIP_Labels_SuccessCreate_Authorize.png

    A new browser tab opens to the Microsoft 365 app.

  11. In the new browser tab, authenticate to the Microsoft 365 app:

    1. Select the Microsoft account for the Microsoft 365 app.

    2. Enter the password for the app and approve it.

    3. Accept the permissions to let Cato access the Microsoft 365 app.

      AzureAD_Connector_permissions.png
    4. The screen shows that you have successfully applied the permissions for the app.

      Success_Connector_Permissions.png

      You can close the browser tab and return to the Cato Management Application.

  12. The Microsoft Azure AD SaaS application is added to the  Installed SaaS Applications page.

    It can take Microsoft Azure several seconds to process the request, so if the Status shows Pending user consent, refresh the browser.

Understanding the Connector Status

The Status column on the Connectors Settings page shows the status of the connection between the Microsoft app and your Cato account. These are the explanations of the statuses:

  • Connected - Your account is connected to the app and it is working correctly

  • Pending user consent - Permissions have not been granted to let Cato access the Microsoft 365 app. To resolve this issue, refresh the browser. If Status changes to Connected, the issue is resolved, if Status doesn't change, delete and recreate the connector.

  • Error - There is a connectivity, permissions, or other issue with the Microsoft connector. Delete and recreate the connector.

Cato Event and API Fields for Azure AD Sign-Ins

These are the relevant fields for Azure AD sign-in events of sub-type Application Sign-in.

The eventsFeed query of the Cato API shows data for Azure AD sign-ins in these fields for eventFieldName type, you can see descriptions of the fields: here.

API enum Value

Event Field

is_compliant

Is Compliant

is_managed

Is Managed

vendor_event_id

Vendor Event Id

tenant_id

Tenant Id

tenant_name

Tenant Name

sign_in_event_types

Sign In Types

risk_level

Risk Level

client_class

Client Class

Was this article helpful?

0 out of 0 found this helpful

0 comments

Add your comment