Skip to main content

Getting Started

How our integration works

We use Microsoft’s OAuth support for you to authorize Wirespeed to access your Microsoft tenant, collect a daily inventory of your licensed Microsoft products, and begin syncing your directory data (users and endpoints) and security telemetry. If you license a new Microsoft product today or 3 years from now, we’ll notice, pull the telemetry, and begin triaging detections on your behalf. For details about the required permissions to do this work, read the Permission Details section below.

Integrating

To get started, add a new integration and select Microsoft. You will be redirected to the OAuth Consent Page.
Connect the Microsoft integration using a Global Administrator account. Wirespeed validates access to your tenant’s subscribed SKUs during setup, and Microsoft commonly withholds that access unless the consent flow is completed by a Global Administrator.

Testing

Microsoft Defender for Endpoint

Running any of the below commands will trigger a detection for Microsoft Defender for Endpoint and will be ingested by Wirespeed. They will automatically be identified as test events by Wirespeed.

Microsoft Entra ID Protect

Depending on your licensing level, additional tests are available as well.

Errors

AADSTS650051

AADSTS650051: Consent action for Application ‘UUID’ failed due to the following error: … service principal name is already present for the tenant …
This is a common error from Microsoft due to an error in their OAuth consent process. If you are a Wirespeed user, log in to Wirespeed and try adding the integration from the start again. If a URL was shared with you to integrate Wirespeed, follow that URL and try consenting once more. If the issue persists, please contact support@wirespeed.co.

AADSTS650052

This error means your tenant is missing a service principal for a Microsoft service that Wirespeed requests during OAuth consent. Match the application ID in your error message to a service below, then expand that section for fix steps.
You may see this error more than once during integration setup, each time for a different Microsoft application (for example, Defender for Endpoint, then Purview). That is expected. Follow the fix steps for whichever application is named in the current error, then retry integration from Wirespeed until consent completes.
ServiceApplication ID
WindowsDefenderATPfc780465-2017-40d4-a0c5-307022471b92
Azure Purview73c2949e-da2d-457a-9607-fcc665198967
Microsoft Cloud App Security05a65629-4c1b-48c1-a78b-804c4abdd4af
If the service in your error is not listed above, copy the application ID (UUID) from the error details on the Wirespeed integration error page. It appears immediately after access a service — for example, in access a service '05a65629-4c1b-48c1-a78b-804c4abdd4af'(Microsoft Cloud App Security), the application ID is 05a65629-4c1b-48c1-a78b-804c4abdd4af. Use that UUID in the Other service section below.
AADSTS650052: The app is trying to access a service ‘fc780465-2017-40d4-a0c5-307022471b92’(WindowsDefenderATP) that your organization ‘[ORGANIZATION_ID]’ lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal.
This error means you have not purchased Microsoft Defender for Endpoint. If you would like to proceed without purchasing, add a placeholder service principal so Microsoft allows the integration to continue. The placeholder is associated with application id fc780465-2017-40d4-a0c5-307022471b92, a built-in Microsoft application for Defender for Endpoint.
Choose either Graph Explorer or Command line — you only need to complete one method, not both.
  1. As a global administrator, navigate to Microsoft Graph Explorer
  2. In the top right, make sure the Tenant shown is the one you want to integrate with. Otherwise select your profile icon next to that field and change accounts.
    1. If the Request Body dialogue box is empty, paste in {"appId": "fc780465-2017-40d4-a0c5-307022471b92"}
  3. Select Modify Permissions and consent to both required permissions
    1. If the permissions do not show up, manually select Application.ReadWrite.All and Directory.ReadWrite.All
  4. Click run query
Make sure you receive a 201 Created response. Then retry the integration setup from Wirespeed.
AADSTS650052: The app is trying to access a service ‘73c2949e-da2d-457a-9607-fcc665198967’(Azure Purview) that your organization ‘[ORGANIZATION_ID]’ lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal.
This error means you have not purchased or provisioned Microsoft Purview in your tenant. Wirespeed requests Purview access so you can optionally import Purview Unified Catalog policies. If you do not use that feature, add a placeholder service principal so Microsoft allows the integration to continue. The placeholder is associated with application id 73c2949e-da2d-457a-9607-fcc665198967, a built-in Microsoft application for Azure Purview.
Choose either Graph Explorer or Command line — you only need to complete one method, not both.
  1. As a global administrator, navigate to Microsoft Graph Explorer
  2. In the top right, make sure the Tenant shown is the one you want to integrate with. Otherwise select your profile icon next to that field and change accounts.
    1. If the Request Body dialogue box is empty, paste in {"appId": "73c2949e-da2d-457a-9607-fcc665198967"}
  3. Select Modify Permissions and consent to both required permissions
    1. If the permissions do not show up, manually select Application.ReadWrite.All and Directory.ReadWrite.All
  4. Click run query
Make sure you receive a 201 Created response. Then retry the integration setup from Wirespeed.
AADSTS650052: The app is trying to access a service ‘05a65629-4c1b-48c1-a78b-804c4abdd4af’(Microsoft Cloud App Security) that your organization ‘[ORGANIZATION_ID]’ lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal.
This error means you have not purchased or provisioned Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) in your tenant. Wirespeed requests Cloud Apps access to ingest security alerts from that service. If you do not use that feature, add a placeholder service principal so Microsoft allows the integration to continue. The placeholder is associated with application id 05a65629-4c1b-48c1-a78b-804c4abdd4af, a built-in Microsoft application for Microsoft Cloud App Security.
Choose either Graph Explorer or Command line — you only need to complete one method, not both.
  1. As a global administrator, navigate to Microsoft Graph Explorer
  2. In the top right, make sure the Tenant shown is the one you want to integrate with. Otherwise select your profile icon next to that field and change accounts.
    1. If the Request Body dialogue box is empty, paste in {"appId": "05a65629-4c1b-48c1-a78b-804c4abdd4af"}
  3. Select Modify Permissions and consent to both required permissions
    1. If the permissions do not show up, manually select Application.ReadWrite.All and Directory.ReadWrite.All
  4. Click run query
Make sure you receive a 201 Created response. Then retry the integration setup from Wirespeed.
Use this section when the application ID from your error is not in the table above. Expand Show Error Details on the Wirespeed integration error page and copy the UUID in single quotes after access a service.Example error detail:
access_denied: AADSTS650052: The app is trying to access a service '05a65629-4c1b-48c1-a78b-804c4abdd4af'(Microsoft Cloud App Security) that your organization '01e288fd-692b-40c7-ac92-58e47ec12340' lacks a service principal for. ...
In this example, use application ID 05a65629-4c1b-48c1-a78b-804c4abdd4af. Replace YOUR_APP_ID in the steps below with the UUID from your error.This error means your tenant is missing a service principal for a Microsoft service that Wirespeed requests during OAuth consent. If you have not purchased or provisioned that service, you can add a placeholder service principal so Microsoft allows the integration to continue.
Choose either Graph Explorer or Command line — you only need to complete one method, not both.
  1. As a global administrator, navigate to Microsoft Graph Explorer
  2. In the top right, make sure the Tenant shown is the one you want to integrate with. Otherwise select your profile icon next to that field and change accounts.
  3. Set the request body to (replace YOUR_APP_ID with the UUID from your error):
{"appId": "YOUR_APP_ID"}
  1. Select Modify Permissions and consent to both required permissions
    1. If the permissions do not show up, manually select Application.ReadWrite.All and Directory.ReadWrite.All
  2. Click run query
Make sure you receive a 201 Created response. Then retry the integration setup from Wirespeed.

AADSTS50097

AADSTS50097: Device authentication is required.
This error occurs when your Microsoft Entra tenant has Conditional Access policies that require device authentication. Your tenant administrator has configured policies that only allow sign-in from devices that are Azure AD joined, hybrid joined, or marked as compliant. To resolve this issue:
  1. Use an authorized device — Perform the OAuth connection from a device that is joined to your Azure AD domain or marked as compliant in Intune/Endpoint Manager.
  2. Avoid incognito or private browsing — Private browsing sessions cannot present device credentials, which will cause this error even on an otherwise authorized device.
  3. Contact your IT administrator — If you are unsure which devices are authorized, ask your IT admin to verify that the device you are using meets your organization’s Conditional Access requirements.

Permission Details

We need a variety of permissions to integrate with your Microsoft tenant. The permissions manifest during the oAuth challenge can appear daunting or even unnecessary; we understand, which is why we only request permissions we need to deliver the best experience for you.

Read Access

  • The majority of the listed permissions in the oAuth dialog are read only. Microsoft requires us to request them individually, so the list seems long. At a high level, we need to read:
  • Security Alerts, obviously, because we need to triage these
  • IOCs (indicators of compromise), because these are a form of detection
  • Audit Log data, where important supplementary security telemetry lives
  • Sign in logs and data, so we can perform detections and analysis
  • Organization Information, which is metadata about your tenant itself, so we can ensure we are properly covering all of your organization’s security telemetry
  • Directory data, so we can learn your organization, your people, their roles, and how to best triage cases or interact with them.
  • Users’ profiles and authentication methods, so we can determine proper guidance for a security detection
  • File profiles, for enriching files referenced in detections
  • URL profiles, for enriching URLs referenced in detections
  • Risk detection and information, because posture related information informs and correlates with detections
  • Threat & Vulnerability management information, which informs and enriches detections
  • Security Baseline Assessment data, which informs and enriches detections
  • Remediation tasks, so we can know what tasks you completed and make better recommendations

Write Access

There are a handful of write permissions that we request, so that we can enable the best outcomes and experience for you. All of these are requested at the time of integration, but that does NOT mean they will be used until you opt into configuration settings that leverage these permissions. However, it’s a better user experience to request these permissions once, even if you don’t enable them within our platform. By default, these are blocked when your tenant is first created in test mode.
  • Risk detections, so we can update statuses (e.g. close resolved instances or false positives)
  • Security Alerts, so we can update statuses of the “ticket” portion of alerts and keep them in sync with our triage and response results
  • Users’ authentication methods, so we can update MFA policies for compromised accounts as a remediation step [Roadmap Feature, which will require opt-in within our platform]
  • Timeline events, so we can sync our case triage timelines with the timelines in the tickets of your detections within your Microsoft console
  • All machine information, so we can add comments and metadata to machines for your administrators to see as part of response

Containment Access

Lastly, there are a small set of permissions that we request, so that we can properly contain threats on your behalf, whether automated (if you opt-in and enable it), or manually (i.e. you click the contain button within our application to initiate a containment process). Just like the Write Access permissions above, none of these are enabled in our platform by default, and test mode is a total block that prevents these permissions from being used.
  • Enable/Disable user accounts, so that we can contain a compromised identity during a case, whether automated through user containment options or manually by clicking the contain button within our platform. The result is the Microsoft user account is disabled or enabled; this action is completely safe and reversible, either in-platform through the contain button, or directly in your preferred Microsoft user management tools.
  • Revoke all sign in sessions; in the case of an identity compromise, an unauthorized threat actor can persist with the access of your compromised user, even after the user’s credentials have been reset, by leveraging long-lasting sign in session tokens & cookies. This allows us to revoke all sign-ins, which kills threat actors’ access to user accounts. This is a safe and largely reversible action, i.e. the affected user can simply authenticate again to establish new sessions. At most, this is a minor inconvenience to users, in exchange for swift and complete containment of a hostile threat actor bent on reaching a malicious objective, like BEC or ransomware.
  • Run live response on a specific machine; this allows us the ability to perform additional telemetry collection, threat hunts, and thorough response actions by checking for a threat actor’s possible persistence on an endpoint in your fleet.
  • Restrict code execution; this grants us the ability to instruct Microsoft Defender for Endpoint (DFE) to take actions to block malicious code that DFE detected, but did not block, within your environment by establishing a rule to prevent its execution, following our endpoint containment configuration options after we’ve confirmed the code is hostile.
  • Stop and quarantine file; this allows us to instruct Microsoft Defender for Endpoint (DFE) to stop a malicious process and quarantine the malicious files associated with it, when DFE only detects, but does not outright block the threat, following our endpoint containment configuration options after we have confirmed the suspected threat is in fact malicious. Restoring quarantined files must be done manually in the Defender portal; MDE does not expose a REST API for automatic unquarantine.

Limiting Permissions

If, after reading and understanding the above about how and why the permissions are required, you would still like to reduce the permissions farther, you can:
  • Complete the oAuth dialog for the Microsoft integration to Wirespeed, accepting the permission list as presented.
  • Go to Azure > Enterprise Applications > Wirespeed and remove individual permissions (e.g. write or containment access) as a hard stop beyond the layers of controls present in Wirespeed.
  • Document the removed permissions, so that you can re-enable them manually, should you want to enable write/containment access later. Wirespeed will report errors when attempting certain functions, but it may not be readily apparent to us that the cause for the error is manually edited permissions.
  • Alternatively, you can choose to update the Microsoft integration later, accepting all of the permissions. You can do this in Wirespeed by going to Integrations > Add Integration > Microsoft and following the same process you did originally, without removing the permissions afterwards. This will update your permissions and retain your existing Microsoft data.

Allow-listing Wirespeed emails

You can add certain domains and email addresses to an allow-list across your Microsoft Tenant. To ensure Wirespeed emails get to your team:
  1. Go to the Microsoft Defender Portal.
  2. Under the Email & Collaboration panel on the left, navigate to Policies & rules.
  3. Select Threat policies.
  4. Under Rules select Tenant Allow/Block Lists.
  5. With Domains & addresses selected, click Add and select Allow.
  6. Add wirespeed.co to the dialogue box, leaving the Remove allow entry after set to the maximum 45 day time to live.
  7. Complete the form by clicking Add.
On first sync, Wirespeed fetches detections from up to the last 120 days across Microsoft detection sources. Microsoft Defender alert ingestion on first sync is additionally capped at the newest 5,000 alerts.