Status: Active — fully supported
Auth: OAuth 2.0 (client credentials)
Syncs: Users, MFA, Conditional Access, Groups, Roles, Intune devices, Defender alerts, SharePoint, O365 Audit logs

What You’ll Need

  • Azure Portal admin access (Global Admin or Application Administrator role)
  • Microsoft 365 tenant ID
  • 15 minutes

Step 1 — Create an App Registration in Azure Portal

  1. Go to portal.azure.com
  2. Search for “App registrations” → click New registration
  3. Fill in:
    • Name: SecurAtlas Integration
    • Supported account types: Accounts in this organizational directory only (Single tenant)
    • Redirect URI: https://www.securatlas.com/api/integrations/callback
  4. Click Register
  5. Copy the Application (client) ID — you’ll need this
  6. Copy the Directory (tenant) ID — you’ll need this

Step 2 — Create a Client Secret

  1. In your app registration → Certificates & secrets
  2. Click New client secret
  3. Description: SecurAtlas
  4. Expiry: 24 months (recommended)
  5. Click Add
  6. Copy the secret VALUE immediately — it’s only shown once
Copy the client secret value right now. Once you navigate away, it’s permanently hidden and you’ll have to create a new one.

Step 3 — Add API Permissions

  1. In your app → API permissions → Add a permission
  2. Select Microsoft Graph → Application permissions
  3. Add ALL of these permissions:
  Permission                               Purpose
  User.Read.All                            Read all user profiles
  Directory.Read.All                       Read directory data
  Policy.Read.All                          Read conditional access policies
  AuditLog.Read.All                        Read sign-in and audit logs
  IdentityRiskyUser.Read.All               Read risky user detections
  RoleManagement.Read.Directory            Read privileged role assignments
  DeviceManagementManagedDevices.Read.All  Read Intune managed devices
  DeviceManagementConfiguration.Read.All   Read Intune device compliance
  Organization.Read.All                    Read org/tenant info
  ServiceHealth.Read.All                   Read Microsoft service health
  Reports.Read.All                         Read usage and activity reports
  SecurityEvents.Read.All                  Read Defender security events
  TeamworkDevice.Read.All                  Read Teams device settings
  4. Click Grant admin consent for [your org] → Confirm
Admin consent is required. Without it, the permissions are requested but not active. You must click “Grant admin consent” as a Global Admin.

Step 4 — For Defender (Optional)

If you want Defender for Endpoint data (machines, alerts, CVEs):
  1. Add a permission → APIs my organization uses
  2. Search for “WindowsDefenderATP”
  3. Add Application permissions:
    • Alert.Read.All
    • Machine.Read.All
    • SecurityRecommendation.Read.All
    • Vulnerability.Read.All
    • AdvancedQuery.Read.All
  4. Grant admin consent again

Step 5 — Connect in SecurAtlas

  1. Go to your tenant → Integrations tab
  2. Click Connect on Microsoft Azure AD
  3. Enter:
    • Client ID (Application ID from Step 1)
    • Client Secret (from Step 2)
    • Tenant ID (Directory ID from Step 1)
  4. Click Connect → SecurAtlas triggers a full sync immediately

What Gets Synced

  Entity Type            Data Collected
  Users                  Name, UPN, enabled status, last sign-in
  MFA Status             Per-user MFA registration and enforcement
  Conditional Access     All CA policies, enabled/disabled state
  Groups                 All security and M365 groups
  Privileged Roles       Global Admins, privileged role assignments
  Guest Users            External guest accounts
  Intune Devices         Compliance status, OS version, last sync
  Defender Alerts        Active high/critical alerts
  Defender CVEs          Unpatched critical vulnerabilities
  Defender Secure Score  Overall Defender security score

Sync Schedule

  • Nightly automatic sync: 03:00 UTC via pg_cron
  • Manual sync: Click the refresh icon on the integration card

Token Refresh

OAuth tokens are refreshed automatically every 6 hours via the securatlas_token_refresh cron job. If a token expires, reconnect the integration from the Integrations page.

Troubleshooting

Check that admin consent was granted. Go to Azure Portal → App registrations → your app → API permissions. All permissions should show a green checkmark under “Status”. If any show “Not granted”, click “Grant admin consent”.
Defender permissions are separate from Graph permissions. Make sure you added WindowsDefenderATP permissions AND granted admin consent for those separately. Also verify the tenant has Defender for Endpoint P1 or P2 licensed.
If you rotate the client secret in Azure, go to SecurAtlas → Integrations → click the Azure AD connection → Disconnect → reconnect with the new secret. The existing data is preserved — only the credentials update.
The app registration needs the WindowsDefenderATP API permissions specifically. Graph SecurityEvents.Read.All is NOT the same as MDE permissions. Add the WindowsDefenderATP application permissions from “APIs my organization uses”.