Microsoft 365 app registration setup
A step-by-step walkthrough for producing the credentials AgentSOC needs to act on your Microsoft 365 tenant — blocking sender domains via the Defender Tenant Allow/Block List and disabling compromised users via Microsoft Graph.
Screenshots: image placeholders below point at docs/images/m365-*.png. Capture each screenshot and drop it in at that path — the captions describe exactly what to show.
How the connection works
AgentSOC authenticates to Microsoft 365 as a Microsoft Entra app registration using a client secret, and calls Microsoft Graph with application permissions granted by an admin. Three values go into the credential form:
| Value | What it is |
|---|---|
| Tenant ID | Your Microsoft Entra (Microsoft 365) directory ID |
| Client ID | The app registration's Application (client) ID |
| Client Secret | A secret generated for that app registration |
By the end of this guide you will have all three and a validated credential in AgentSOC.
Step 1 — Create an app registration
- Open the Microsoft Entra admin center → Identity → Applications → App registrations.
- Click New registration, name it e.g. agentsoc-m365, and register it.

Step 2 — Copy the Client ID and Tenant ID
On the app registration's Overview page, copy:
- Application (client) ID → the Client ID field in AgentSOC.
- Directory (tenant) ID → the Tenant ID field in AgentSOC.

Step 3 — Create a client secret
- Go to Certificates & secrets → Client secrets → New client secret.
- Set a description and expiry, then Add.
- Copy the secret Value immediately — not the Secret ID.
The value is shown only once. Track the expiry and rotate the secret before it lapses.

Step 4 — Add Microsoft Graph application permissions
Go to API permissions → Add a permission → Microsoft Graph → Application permissions and add:
| Permission | Used for |
|---|---|
| User.ReadWrite.All | Disable (block sign-in for) a compromised user |
| Directory.Read.All | Read the tenant's organization and verified domains |
The Tenant Allow/Block List action additionally requires the Graph permission for security Tenant Allow/Block List entries — add the permission Microsoft documents for the tenantAllowBlockListEntries resource.

Step 5 — Grant admin consent
Application permissions are inert until an admin consents to them. On the API permissions page, click Grant admin consent for <tenant> and confirm. Each permission's status must show a green Granted check.
Without admin consent, validation fails even though the secret is correct.

Step 6 — Add the credential in AgentSOC and validate
- In AgentSOC, open AgentSOAR → Settings → Credentials (/agentsoar/settings/credentials).
- Add a Microsoft 365 credential and enter the Tenant ID, Client ID, and Client Secret from the steps above.
- Save. AgentSOC validates by acquiring a Graph token and reading the organization.
- Once it shows Healthy, the Microsoft 365 action capabilities are ready to use.
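If you want to check the three values before pasting them into AgentSOC, the script below is an added example (not AgentSOC's own validation code) that performs the same two steps the guide describes: a client-credentials token request for the Graph `.default` scope, then a read of `/organization`. It maps the token-endpoint AADSTS codes and the Graph 403 from the troubleshooting table to their fixes; the transport is injectable so the logic can be exercised with constructed responses, and the endpoint URLs are the standard Microsoft identity platform and Graph v1.0 ones.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ORG_URL = "https://graph.microsoft.com/v1.0/organization"
# Token-endpoint AADSTS codes from the troubleshooting table, with their fixes.
TOKEN_HINTS = {
    "AADSTS7000215": "client secret wrong/expired, or Secret ID pasted instead of Value (Step 3)",
    "AADSTS700016": "Client ID or Tenant ID wrong; re-copy both from the Overview page (Step 2)",
}

def _http(method, url, data=None, headers=None):
    """Default transport: returns (status, JSON body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=data, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")

def classify_token_error(body):
    """Map a token-endpoint error body to the matching troubleshooting hint."""
    desc = body.get("error_description", "")
    for code, hint in TOKEN_HINTS.items():
        if code in desc:
            return f"{code}: {hint}"
    return f"{body.get('error', 'unknown_error')}: {desc[:120]}"

def classify_graph_error(status, body):
    """Map a Graph error response to a hint; 403 means consent/permissions (Steps 4-5)."""
    err = body.get("error", {})
    if status == 403 and err.get("code") == "Authorization_RequestDenied":
        return "403 Authorization_RequestDenied: admin consent missing or permission not added (Steps 4-5)"
    return f"{status} {err.get('code', 'unknown')}: {err.get('message', '')[:120]}"

def validate_credential(tenant_id, client_id, client_secret, http=_http):
    """Return (ok, detail): detail is the organization display name, or a hint on failure."""
    form = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
                                   "grant_type": "client_credentials",
                                   "scope": "https://graph.microsoft.com/.default"}).encode()
    status, body = http("POST", TOKEN_URL.format(tenant=tenant_id), form,
                        {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200 or "access_token" not in body:
        return False, classify_token_error(body)  # e.g. AADSTS7000215 / AADSTS700016
    status, body = http("GET", ORG_URL, None, {"Authorization": "Bearer " + body["access_token"]})
    if status != 200:
        return False, classify_graph_error(status, body)  # 403 until admin consent is granted
    return True, (body.get("value") or [{}])[0].get("displayName", "(no organization returned)")
```

Run it as `validate_credential(tenant_id, client_id, client_secret)` from a shell where the secret is read from an environment variable rather than typed on the command line; a `True` result with your organization name means AgentSOC's own validation should also report Healthy.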

Troubleshooting
| Error | Likely cause and fix |
|---|---|
| AADSTS7000215 — invalid client secret | The Client Secret is wrong, expired, or you copied the Secret ID instead of the Value. Create a new secret (Step 3). |
| AADSTS700016 — application not found | The Client ID or Tenant ID is wrong. Re-copy both from the app registration Overview. |
| 403 — Authorization_RequestDenied | Admin consent wasn't granted, or a permission is missing. Re-check Steps 4 and 5. |
| Domain discovery skipped | Best-effort only — the credential is still valid. Ensure Directory.Read.All is granted to enable it. |
Reference: Microsoft — Register an app and create a client secret