Microsoft 365

Connect your Microsoft 365 tenant so AgentSOAR can block malicious sender domains and disable compromised users automatically. AgentSOAR authenticates as a Microsoft Entra app registration using a client secret and calls Microsoft Graph with application permissions granted by an admin.

What this enables

This credential powers two AgentSOAR response capabilities against your Microsoft 365 tenant:

| Capability | What it does | How |
| --- | --- | --- |
| block_email_domain | Blocks inbound mail from a malicious sender domain | Defender Tenant Allow/Block List |
| disable_user | Blocks sign-in for a compromised user account | Microsoft Graph |

Prerequisites

  • A Microsoft 365 tenant with Microsoft Entra (Azure AD) and Microsoft Defender for Office 365.
  • An account that can create app registrations and grant admin consent for the tenant (Global Administrator, or Application Administrator plus a consenting admin).
  • Access to AgentSOAR → Settings → Credentials (/agentsoar/settings/credentials).

How the connection works

AgentSOAR authenticates to Microsoft 365 as a Microsoft Entra app registration using a client secret, and calls Microsoft Graph with application permissions granted by an admin. Three values go into the credential form:

| Value | What it is |
| --- | --- |
| Tenant ID | Your Microsoft Entra (Microsoft 365) directory ID |
| Client ID | The app registration's Application (client) ID |
| Client Secret | A secret generated for that app registration |

By the end of this guide you will have all three and a validated credential in AgentSOAR.

Step 1 — Create an app registration

  1. Open the Microsoft Entra admin center and go to Identity → Applications → App registrations.
  2. Click New registration, give it a name (for example, agentsoc-m365), and register it.

Step 2 — Copy the Client ID and Tenant ID

On the app registration's Overview page, copy:

  • Application (client) ID → the Client ID field in AgentSOAR.
  • Directory (tenant) ID → the Tenant ID field in AgentSOAR.

Step 3 — Create a client secret

  1. Go to Certificates & secrets → Client secrets → New client secret.
  2. Set a description and expiry, then Add.
  3. Copy the secret Value immediately — not the Secret ID.

The value is shown only once. Track the expiry and rotate the secret before it lapses.

Step 4 — Add Microsoft Graph application permissions

Go to API permissions → Add a permission → Microsoft Graph → Application permissions and add:

| Permission | Used for |
| --- | --- |
| User.ReadWrite.All | Disable (block sign-in for) a compromised user |
| Directory.Read.All | Read the tenant's organization and verified domains |

The Tenant Allow/Block List action additionally requires the Graph permission for security Tenant Allow/Block List entries — add the permission Microsoft documents for the tenantAllowBlockListEntries resource.

Step 5 — Grant admin consent

Application permissions are inert until an admin consents to them. On the API permissions page, click Grant admin consent for <tenant> and confirm. Each permission's status must show a green Granted check.

Without admin consent, validation fails even though the secret is correct.

Step 6 — Add the credential in AgentSOAR and validate

  1. In AgentSOAR, open Settings → Credentials (/agentsoar/settings/credentials).
  2. Add a Microsoft 365 credential and enter the Tenant ID, Client ID, and Client Secret from the steps above.
  3. Save. AgentSOAR validates by acquiring a Graph token and reading the organization.
  4. Once it shows Healthy, the Microsoft 365 action capabilities are ready to use.
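
To check consent outside AgentSOAR, the Python below (an added example, not AgentSOAR's own code) builds the client-credentials token request that Step 6 relies on and compares the returned token's tid, appid and roles claims with the credential form and the Step 4 permissions. The function names and the unsigned sample token are constructed for illustration; the Tenant Allow/Block List permission is left out because this guide does not name it.

```python
import base64
import json

# Application permissions from the Step 4 table. The Tenant Allow/Block List
# permission is omitted on purpose: the guide does not name it.
REQUIRED_ROLES = {"User.ReadWrite.All", "Directory.Read.All"}


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form) for the OAuth 2.0 client-credentials request to Entra."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # .default asks for every application permission already consented.
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, form


def decode_claims(access_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(access_token, tenant_id, client_id):
    """Return a list of problems; an empty list means the token looks right."""
    claims = decode_claims(access_token)
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match Tenant ID")
    # v1.0 tokens carry the client ID in appid, v2.0 tokens in azp.
    if claims.get("appid", claims.get("azp")) != client_id:
        problems.append("appid does not match Client ID")
    # Application permissions appear in roles only after admin consent.
    for role in sorted(REQUIRED_ROLES - set(claims.get("roles", []))):
        problems.append(f"not consented: {role}")
    return problems


def sample_token(claims):
    """Build an unsigned, constructed token so the check can be tried offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"
```

POST the form returned by token_request to the URL with any HTTP client, then pass the access_token field of the JSON response to check_token.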

Troubleshooting

| Error | Likely cause and fix |
| --- | --- |
| AADSTS7000215 — invalid client secret | The Client Secret is wrong, expired, or you copied the Secret ID instead of the Value. Create a new secret (Step 3). |
| AADSTS700016 — application not found | The Client ID or Tenant ID is wrong. Re-copy both from the app registration Overview. |
| 403 Authorization_RequestDenied | Admin consent wasn't granted, or a permission is missing. Re-check Steps 4 and 5. |
| Domain discovery skipped | Best-effort only — the credential is still valid. Ensure Directory.Read.All is granted to enable it. |

Reference: Microsoft — Register an app and create a client secret