This article explains how to configure the Microsoft Entra ID (formerly Azure AD) connector to integrate data about Entra ID sign-ins with Cato events and the Cloud Activities Dashboard.
Note
Note: Microsoft recently changed the name of Azure AD to Entra ID. All mentions of Azure AD in Cato documentation refer to Entra ID.
To configure Cato's Microsoft Azure AD connector to fetch sign-in data, first you need to configure the Microsoft 365 connector as the parent app to give read permissions for the Azure AD connector. The parent app only has permissions to manage the Microsoft connectors. After configuring the Microsoft 365 connector, you can configure an Azure AD connector to retrieve the sign-in data.
If you want to import sign-in data from different sub-organizations within your organization, create a separate Microsoft 365 connector for each relevant Azure tenant, and then configure an Azure ID connector for each tenant.
-
A Microsoft 365 E3 license or better, or a standalone Entra ID P1 or P2 plan is required.
-
The Microsoft 365 connector requires an admin with the global admin role to give permissions to Cato's Azure AD connector.
To let the Azure AD connector retrieve the sign-in data for your account, the connector gives Cato the following permissions and actions with Microsoft 365:
-
Connect to the Microsoft APIs and read all Microsoft Azure AD (Entra ID) data for an organization.
-
Sign in and read user profile.
Configure a parent Microsoft 365 connector and then define an Azure AD connector for the Microsoft 365 account.
If your organization already configured a Microsoft 365 parent connector for another feature, such as a Saas Security API policy for Microsoft apps, or for importing MIP labels to your DLP policy, you only need to configure an Azure AD connector.
Use the Cato Management Application to create the Microsoft 365 SaaS application connector for the relevant Azure tenant. You must have the correct credentials to authenticate to Microsoft 365 to add the connector to your Cato account.
To create the Microsoft 365 parent connector:
-
From the navigation menu, select Assets > Integrations and and click Installed SaaS Applications.
-
Click New. The Edit Connector panel opens.
-
In the Edit Connector panel, select the Microsoft 365 (New Tenant) app.
-
Enter the Connector Name.
-
Click Authorize and Save.
A new browser tab opens to the Microsoft 365 app.
-
In the new browser tab, authenticate to the Microsoft 365 app:
-
Select the Microsoft account for the Microsoft 365 app.
-
Enter the password for the app and approve it.
-
Accept the permissions to let Cato access the Microsoft 365 app.
-
The screen shows that you have successfully applied the permissions for the app.
You can close the browser tab and return to the Cato Management Application.
-
-
The Microsoft 365 SaaS application is added to the Installed SaaS Applications page.
Use the Cato Management Application to create the Microsoft Azure AD application connector for the Azure tenant with the sign-in data you want to use. You must have the correct credentials to authenticate to Microsoft 365 to add the connector to your Cato account.
To configure the Microsoft Azure AD connector:
-
From the navigation menu, select Assets > Integrations and and click Installed SaaS Applications.
-
Click New. The Edit Connector panel opens.
-
From the Saas Application drop-down menu, select the Microsoft Azure AD app.
-
From the Connector Tenant drop-down menu, select the parent Microsoft 365 connector for the tenant with the sign-in data you want to use.
-
Enter a unique Connector Name for the Azure AD connector.
-
Set Permissions to Read.
-
Click Save.
-
After the connector is successfully created, click Authorize.
A new browser tab opens to the Microsoft 365 app.
-
In the new browser tab, authenticate to the Microsoft 365 app:
-
Select the Microsoft account for the Microsoft 365 app.
-
Enter the password for the app and approve it.
-
Accept the permissions to let Cato access the Microsoft 365 app.
-
The screen shows that you have successfully applied the permissions for the app.
You can close the browser tab and return to the Cato Management Application.
-
-
The Microsoft Azure AD SaaS application is added to the Installed SaaS Applications page.
It can take Microsoft Azure several seconds to process the request, so if the Status shows Pending user consent, refresh the browser.
The Status column on the Connectors Settings page shows the status of the connection between the Microsoft app and your Cato account. These are the explanations of the statuses:
-
Connected - Your account is connected to the app and it is working correctly.
-
Pending user consent - Permissions have not been granted to let Cato access the Microsoft 365 app. To resolve this issue, refresh the browser. If Status changes to Connected, the issue is resolved, if Status doesn't change, delete and recreate the connector.
-
Error - There is a connectivity, permissions, or other issue with the Microsoft connector. Delete and recreate the connector.
These are the relevant fields for Azure AD sign-in events of sub-type Application Sign-in.
The eventsFeed query of the Cato API shows data for Azure AD sign-ins in these fields for eventFieldName type, you can see descriptions of the fields: here.
API enum Value |
Event Field |
---|---|
is_compliant |
Is Compliant |
is_managed |
Is Managed |
vendor_event_id |
Vendor Event Id |
tenant_id |
Tenant Id |
tenant_name |
Tenant Name |
sign_in_event_types |
Sign In Types |
risk_level |
Risk Level |
client_class |
Client Class |
0 comments
Please sign in to leave a comment.