Microsoft Entra ID integration
With a Microsoft Entra ID (formerly Azure AD) integration, you can receive identity enrichment for Investigator detections.
The Microsoft Entra ID integration provides valuable context by mapping users and groups from Entra ID to Investigator network detections. This enrichment helps analysts identify the users involved in detected activities, providing deeper insight for threat analysis and incident response.
To configure the integration, you need to have a registered application in your Microsoft Entra ID tenant with appropriate API permissions.
To integrate Microsoft Entra ID with Investigator
- From System Settings in the left navigation, choose Integrations.
- In the Integrations tab, click the Entra ID card.
- Click Configure.
  An integration dialog box appears.
- Toggle the integration value to Enabled.
- Enter your Tenant ID.
- Enter your Client ID (App ID) and Client Secret.
  These values are obtained when you register an application in the Microsoft Entra admin center.
- Click Verify Connection to ensure Investigator can access your Entra ID data.
  You cannot save your connection until you verify it.
- Click Save.
With Microsoft Entra ID configured and enabled, detection details will include synchronized user attributes and identity information.
If you want to pause the integration, toggle the integration setting to Disabled. This preserves your connection details.
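
The app registration can be checked from a workstation before its values are entered in the dialog. The following is an added example, not part of the Investigator documentation or product code: it builds the OAuth 2.0 client-credentials token request for the tenant and reads the application permissions from the `roles` claim of the returned token. The permission names in `REQUIRED_ROLES` are an assumption based on the integration mapping users and groups, and `sample_token` produces a constructed, unsigned token so the check can be exercised offline.

```python
import base64, json, re, urllib.parse, urllib.request

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Assumption: users and groups are read through Microsoft Graph with these
# application permissions; the page only says "appropriate API permissions".
REQUIRED_ROLES = {"User.Read.All", "Group.Read.All"}

def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials token request for Microsoft Graph."""
    for name, value in (("tenant_id", tenant_id), ("client_id", client_id)):
        if not GUID.match(value):
            raise ValueError(f"{name} is not a GUID")
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return urllib.request.Request(url, data=body, method="POST")

def granted_roles(access_token):
    """Read the 'roles' claim. Inspection only: the signature is not verified."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))

def missing_roles(access_token, required=REQUIRED_ROLES):
    """Permissions that are required but were not granted to the application."""
    return set(required) - granted_roles(access_token)

def preflight(tenant_id, client_id, client_secret):
    """Live check: request a token, then report any missing permissions."""
    req = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return missing_roles(json.load(resp)["access_token"])

def sample_token(roles):
    """Constructed, unsigned token used only for the offline demonstration."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), ""])

if __name__ == "__main__":
    # Offline run: a registration that was granted only one of the two permissions.
    print(sorted(missing_roles(sample_token(["User.Read.All"]))))
```

An HTTP 401 from `preflight` points to a wrong Client ID or Client Secret, while a non-empty result means admin consent for the listed permissions has not been granted to the application.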