Creating API apps in Entra ID for Microsoft cloud connectors
The Neurons Platform includes a variety of cloud connectors that enable Neurons to connect to your Microsoft database sources to retrieve data. Before setting up these connectors in Neurons, you need to create an API app in Entra ID (formerly Azure AD) for each one and add the necessary credentials.
This extra step is mandatory for the following connectors:
- Entra ID
- Intune
- Microsoft 365
- Defender for Endpoint (MDE) – Requires its own procedure.
Important notes:
- To better facilitate troubleshooting, create a new app for each connector you plan on using.
- When adding permissions for each app, ensure Grant admin consent is selected for each permission.
- If you add or change permissions for the app after initial registration, the Microsoft Application Key will not be updated and will need to be generated again. Make sure to update the connector with the new secret after changing permissions.
- If there is user data already in Neurons from another source and you import user data from Entra ID, Neurons will reconcile the records using the user’s email so that you do not have duplicate user records.

Repeat this procedure for each connector (Entra ID, Intune, or Microsoft 365) that you want to set up in Neurons.
1. Sign in to the Azure portal and select Microsoft Entra ID.
2. In the left navigation pane, click App registrations.
3. At the top of the page, click New registration.
4. On the Register an application page, enter a name for this app, select the appropriate account type, and click Register to create the application. No redirect URI is needed.
5. On the Overview page for your new app, click View API permissions.
6. Click Add a permission.
7. Click Microsoft Graph.
8. In the right pane under Request API permissions, click Application permissions.
9. Add the following API permissions for the connector and ensure Grant admin consent is selected (so that each permission displays with a green checkmark).
Entra ID:
• Application.Read.All
• Auditlog.Read.All
• Device.Read.All
• DeviceManagementServiceConfiguration.Read
• DeviceManagementServiceConfiguration.ReadWrite.All
• Directory.Read.All
• Directory.ReadWrite.All
• Reports.Read.All
• User.Export.All
• User.Read
• User.Read.All
• User.ReadWrite.All
• To receive purchase order identifier data: DeviceManagementServiceConfiguration.Read.All
• To use group filters (device and user) in Neurons: Group.Read.All
Intune:
• Device.ReadWrite.All
• Device.ManagementApps.Read.All
• DeviceManagementManagedDevices.Read.All
• Directory.Read.All
• User.Read.All
• To use scope tag filters in Neurons: DeviceManagementConfiguration.Read and DeviceManagementRBAC.Read.All
• To perform actions and queries in Neurons: DeviceManagementManagedDevices.ReadWrite.All, Directory.ReadWrite.All, and User.ReadWrite.All. You will also need to fill in the Action credentials fields for this connector in the Neurons console.
Microsoft 365:
• Directory.Read.All
• Organization.Read.All
• Reports.Read.All
• User.Read
10. Click Add permissions.
11. In the left navigation pane, click Certificates & secrets.
12. Click New client secret.
13. Enter a description and timeline, then click Add. Copy and paste the secret into Notepad. You will need this secret when setting up the connector in Neurons.
14. In the left navigation pane, click Overview. Copy and paste the Application (client) ID and Directory (tenant) ID into Notepad. You will need these IDs when setting up the connector in Neurons.
You are now ready to set up the same connector(s) in Neurons. For details, see Microsoft Entra ID connector, Microsoft Intune connector, or Microsoft 365 connector.

For more information not provided here, see Use Microsoft Defender for Endpoint APIs in the MDE documentation.
1. Sign in to the Azure portal and select Microsoft Entra ID.
2. In the left navigation pane, click App registrations.
3. At the top of the page, click New registration.
4. On the Register an application page, enter a name and select the appropriate account type.
5. Under the Redirect URI (optional) section, select Web and enter your application URI.
6. Click Register to create the application.
7. On the Overview page for your new app, copy and paste the Application (client) ID and Directory (tenant) ID into Notepad. You will need these IDs later when setting up the connector in Neurons.
8. In the left navigation pane, click Certificates & secrets, then click New client secret.
9. Enter a timeline and description, then click Add. Copy and paste the secret into Notepad. You will need this secret when setting up the connector in Neurons.
10. In the left navigation pane, click App registrations. You should see the application that you created. Click it to open.
11. In the left navigation pane, click API permissions, then click Add a permission > APIs my organization uses.
12. In the search box, type windows, and look for WindowsDefenderATP in the list. Click it to open.
13. Click Application permissions. You should see all the entities to which you can have access via this application.
14. Add the following API permissions for the connector and ensure Grant admin consent is selected (so that both permissions display with a green checkmark):
• Machine.Read.All
• Vulnerability.Read.All
15. Click Add permissions.
You are now ready to set up the MDE connector in Neurons. For details, see Microsoft Defender for Endpoint connector.
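
After either procedure, one way to confirm that admin consent took effect is to inspect an app-only access token obtained with the new client ID and secret: consented application permissions appear in its `roles` claim, and `tid` and `appid` (or `azp`) should match the IDs you copied. The Python below is an added example, not Ivanti or Microsoft code; `audit_token`, `make_sample_token` and the sample IDs are constructed for illustration, and the token is decoded without signature verification, for inspection only. It uses the MDE permission list from step 14; pass the list from step 9 for the other connectors.

```python
import base64
import json

# Application permissions from step 14 of the MDE procedure on this page.
MDE_REQUIRED = {"Machine.Read.All", "Vulnerability.Read.All"}


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token: str, required, tenant_id: str, client_id: str) -> dict:
    """Compare an app-only token with what the connector was registered for."""
    claims = decode_claims(token)
    granted = set(claims.get("roles", []))  # consented application permissions
    app = claims.get("appid") or claims.get("azp")  # v1.0 / v2.0 token claim
    return {
        "tenant_ok": claims.get("tid", "").lower() == tenant_id.lower(),
        "client_ok": (app or "").lower() == client_id.lower(),
        "missing": sorted(set(required) - granted),  # added but not consented
        "extra": sorted(granted - set(required)),    # beyond the listed set
    }


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed values, not real IDs.
TENANT = "11111111-1111-1111-1111-111111111111"
CLIENT = "22222222-2222-2222-2222-222222222222"
SAMPLE = make_sample_token({
    "tid": TENANT, "appid": CLIENT,
    "roles": ["Machine.Read.All", "Machine.ReadWrite.All"],
})

if __name__ == "__main__":
    print(audit_token(SAMPLE, MDE_REQUIRED, TENANT, CLIENT))
```

A non-empty `missing` list means a permission was added without admin consent; a non-empty `extra` list shows access beyond what the connector needs.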