Configuring the Microsoft Entra ID Protection Connector for Sign-In Anomaly Data

Microsoft Entra ID Protection helps organizations detect identity-based risks for their Entra ID tenant. This article explains how to configure a connector for Microsoft Entra ID Protection to integrate data about sign-in anomalies with Cato events and the Cloud Activity Dashboard.

For more about viewing sign-in anomalies on the Cloud Activity Dashboard, see Using the Cloud Activity Dashboard.

Note: Microsoft recently changed the name of Azure AD to Entra ID. All mentions of Azure AD in Cato documentation refer to Entra ID.

Overview of the Microsoft Connectors

To configure Cato's Microsoft Entra ID Protection connector to fetch sign-in anomaly data, first you need to configure the Microsoft 365 connector as the parent app to give read permissions for the Entra ID Protection connector. The parent app only has permissions to manage the Microsoft connectors. After configuring the Microsoft 365 connector, you can configure an Entra ID Protection connector to retrieve the sign-in data.

If you want to import sign-in data from different sub-organizations within your organization, create a separate Microsoft 365 connector for each relevant Entra ID tenant, and then configure an Entra ID Protection connector for each tenant.

Prerequisites

  • A Microsoft 365 E3 license or better, or a standalone Entra ID P1 or P2 plan is required.

  • The Microsoft 365 connector requires an admin with the global admin role to give permissions to Cato's Entra ID Protection connector.

Required Permissions for the Microsoft Entra ID Protection Connector

To let the Entra ID Protection connector retrieve the sign-in data for your account, the connector gives Cato the following permissions and actions with Microsoft 365:

  • Connect to the Microsoft APIs and read all Microsoft Entra ID Protection data for an organization

  • Sign in and read user profile

Configuring the Microsoft Connectors

Configure a parent Microsoft 365 connector and then define an Entra ID Protection connector for the Microsoft 365 account.

If your organization already configured a Microsoft 365 parent connector for another feature, such as a SaaS Security API policy for Microsoft apps, or for importing MIP labels to your DLP policy, you only need to configure an Entra ID Protection connector.

Configuring the Microsoft 365 Connector

Use the Cato Management Application to create the Microsoft 365 SaaS application connector for the relevant Azure tenant. You must have the correct credentials to authenticate to Microsoft 365 to add the connector to your Cato account.

To create the Microsoft 365 parent connector:

  1. From the navigation pane, select Assets > Integrations and select the Installed SaaS Applications tab.

  2. Click New. The New Connector window opens.

  3. In the New Connector panel, select the Microsoft 365 app.

  4. Click Authorize and Save.

    A new browser tab opens to the Microsoft 365 app.

  5. In the new browser tab, authenticate to the Microsoft 365 app:

    1. Select the Microsoft account for the Microsoft 365 app.

    2. Enter the password for the app and approve it.

    3. Accept the permissions to let Cato access the Microsoft 365 app.

    4. The screen shows that you have successfully applied the permissions for the app.

      You can close the browser tab and return to the Cato Management Application.

  6. The Microsoft 365 SaaS application is added to the Installed SaaS Applications page.

Configuring the Microsoft Entra ID Protection Connector

Use the Cato Management Application to create the Microsoft Entra ID Protection application connector for the Entra ID tenant with the sign-in data you want to use. You must have the correct credentials to authenticate to Microsoft 365 to add the connector to your Cato account.

To configure the Entra ID Protection connector:

  1. From the navigation pane, select Assets > Integrations and select the Installed SaaS Applications tab.

  2. Click New. The New Connector window opens.

  3. From the Saas Application drop-down menu, select the Microsoft Entra ID Protection app.

  4. From the Connector Tenant drop-down menu, select the parent Microsoft 365 connector for the tenant with the sign-in data you want to use.

  5. Enter a unique Connector Name for the Entra ID Protection connector.

  6. Set Permissions to Read.

  7. Click Save.

  8. After the connector is successfully created, click Authorize.

    A new browser tab opens to the Microsoft 365 app.

  9. In the new browser tab, authenticate to the Microsoft 365 app:

    1. Select the Microsoft account for the Microsoft 365 app.

    2. Enter the password for the app and approve it.

    3. Accept the permissions to let Cato access the Microsoft 365 app.

    4. The screen shows that you have successfully applied the permissions for the app.

      You can close the browser tab and return to the Cato Management Application.

  10. The Microsoft Entra ID Protection SaaS application is added to the Installed SaaS Applications page.

    It can take Entra ID Protection several seconds to process the request, so if the Status shows Pending user consent, refresh the browser.

Understanding the Connector Status

The Status column on the Connectors Settings page shows the status of the connection between the Microsoft app and your Cato account. These are the explanations of the statuses:

  • Connected - Your account is connected to the app and it is working correctly.

  • Pending user consent - Permissions have not been granted to let Cato access the Microsoft 365 app. To resolve this issue, refresh the browser. If Status changes to Connected, the issue is resolved. If Status doesn't change, delete and recreate the connector.

  • Error - There is a connectivity, permissions, or other issue with the Microsoft connector. Delete and recreate the connector.

Cato Event Fields for Entra ID Protection Sign-In Anomalies

These are the relevant fields for Entra ID Protection sign-in anomaly events of sub-type Identity Alert:

  • Alert ID: Identification number for the alert in Entra ID Protection

  • Classification: Classification of the alert according to Entra ID Protection

  • Status: The alert status in Entra ID Protection

  • Event Message: A detailed description of the anomaly

  • Title: Name of the anomaly
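
A triage sketch for the fields listed above, added here as an example and not Cato's own code. It assumes events exported as one JSON object per line, with keys named after the field labels plus a Sub-Type key; the sample events, alert IDs and status values are constructed.

```python
import json
from collections import defaultdict

# Constructed sample export. Key names reuse the field labels listed above;
# the keys and values of a real export may differ (assumption).
SAMPLE_EVENTS = """\
{"Sub-Type": "Identity Alert", "Alert ID": "a-1001", "Title": "Unfamiliar sign-in properties", "Classification": "unknown", "Status": "new", "Event Message": "Sign-in properties not seen before"}
{"Sub-Type": "Some Other Sub-Type", "Event Message": "unrelated event"}
{"Sub-Type": "Identity Alert", "Alert ID": "a-1002", "Title": "Atypical travel", "Classification": "unknown", "Status": "new", "Event Message": "Sign-ins from distant locations"}
{"Sub-Type": "Identity Alert", "Alert ID": "a-1001", "Title": "Unfamiliar sign-in properties", "Classification": "falsePositive", "Status": "resolved", "Event Message": "Sign-in properties not seen before"}
{"Sub-Type": "Identity Alert", "Alert ID":
{"Sub-Type": "Identity Alert", "Alert ID": "a-1003", "Title": "Atypical travel", "Classification": "unknown", "Status": "new", "Event Message": "Sign-ins from distant locations"}
{"Sub-Type": "Identity Alert", "Alert ID": "a-1004", "Classification": "unknown", "Status": "new", "Event Message": "Title field missing"}
"""

REQUIRED = ("Alert ID", "Title", "Classification", "Status", "Event Message")

def load_identity_alerts(lines):
    """Return (latest record per Alert ID, count of rejected lines)."""
    latest, rejected = {}, 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            rejected += 1  # truncated or corrupted record
            continue
        if not isinstance(event, dict) or event.get("Sub-Type") != "Identity Alert":
            continue  # other event sub-types are out of scope here
        if any(not event.get(key) for key in REQUIRED):
            rejected += 1  # incomplete alert: count it instead of guessing values
            continue
        latest[event["Alert ID"]] = event  # a later line supersedes an earlier one
    return latest, rejected

def open_alerts_by_title(latest, closed_statuses=("resolved",)):
    """Group Alert IDs that are not in a closed status by anomaly Title."""
    groups = defaultdict(list)
    for alert_id, event in latest.items():
        if event["Status"].lower() not in closed_statuses:
            groups[event["Title"]].append(alert_id)
    return {title: sorted(ids) for title, ids in groups.items()}
```

Counting rejected lines separately keeps a truncated export from passing as a quiet period.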
