Set up Exchange Online Integration with Security Incident Response
Summary of Set up Exchange Online Integration with Security Incident Response
This guide outlines the steps to set up Exchange Online Integration with Security Incident Response, requiring initial onboarding for authentication through application objects in Azure Active Directory (Azure AD). Understanding the distinction between application and service principal objects is crucial, as they serve different purposes in the integration process.
Key Features
- Application Registration: Register an application in Azure AD to facilitate integration.
- API Permissions Assignment: Customize API permissions to replace default configurations for enhanced security.
Key Outcomes
By following this guide, ServiceNow customers can successfully integrate Exchange Online with Security Incident Response, ensuring proper authentication and access control. The integration allows for efficient management of security incidents related to email communications.
Initial onboarding is required so that the integration can authenticate using application objects. The terms application and service principal are used interchangeably, but an application is like a class, while a service principal is like an instance of that class.
For more information on Application and service principal objects in Azure Active Directory, see Application and service principal objects in Azure Active Directory. For a detailed visual flow about creating applications in Azure AD, see Create an Azure Active Directory application and service principal that can access resources.
Perform the following steps to set up:
Step 1: Register the application in Azure AD
- Open the Azure AD portal.
- In the Search box at the top of the page, type App registrations.
- Select App registrations from the results in the Services section.
Alternatively, you can navigate to the App registrations page by using https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade.
- On the App registrations page, select New registration.
- In the Register an application page, configure the following settings:

| Field | Description |
| --- | --- |
| Name | Enter something descriptive. For example, ExO PowerShell CBA. |
| Supported account types | Verify that Accounts in this organizational directory only (<YourOrganizationName> only - Single tenant) is selected. To make the application multi-tenant for Exchange Online delegated scenarios, select the value Accounts in any organizational directory (Any Azure AD directory - Multitenant). |

- After completing the App registration, select Register and close the app page.
Step 2: Assign API permissions to the application
The procedures in this section replace any default permissions that were automatically configured for the new app. The app doesn't need the default permissions that were replaced.
- On the app page, select Manifest under Management.
- In the Manifest page, find the requiredResourceAccess entry (on or about line 52).
- Modify the resourceAppId, resourceAccess id, and resourceAccess type values as shown in the following code snippet:

```json
"requiredResourceAccess": [
    {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
            {
                "id": "e2a3a72e-5f79-4c64-b1b1-878b674786c9",
                "type": "Role"
            },
            {
                "id": "dd98c7f5-2d42-42d3-a0e4-633161547251",
                "type": "Role"
            }
        ]
    }
],
```

- Select Save.
- On the Manifest page, select API permissions under Management.
- On the API permissions page, fill in the fields.

| Field | Description |
| --- | --- |
| API / Permissions name | Verify that the values ThreatHunting.Read.All and Mail.ReadWrite are shown. |
| Status | The current incorrect value is Not granted for <Organization>, and this value needs to be changed. Select Grant admin consent for <Organization>, read the confirmation dialog that opens, and then select Yes. The Status value should now be Granted for <Organization>. |

- Close the current API permissions page (not the browser tab) to return to the App registrations page.
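
Step 2 is meant to leave the app with exactly the two Microsoft Graph application roles from the manifest snippet and none of the default permissions. The following is an added example, not part of the original guide or ServiceNow's own tooling: a small Python check that reads manifest JSON copied from the Manifest page and reports any permission outside that set. The function name, the sample manifests, and the all-ones GUID are assumptions made for illustration.

```python
import json

# Values copied from the manifest snippet in Step 2 of this guide.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
EXPECTED_ROLES = {
    "e2a3a72e-5f79-4c64-b1b1-878b674786c9",
    "dd98c7f5-2d42-42d3-a0e4-633161547251",
}

def audit_manifest(manifest_text):
    """Return findings; an empty list means only the two expected roles are requested."""
    manifest = json.loads(manifest_text)
    findings, seen = [], set()
    for resource in manifest.get("requiredResourceAccess", []):
        app_id = str(resource.get("resourceAppId", "")).lower()
        for access in resource.get("resourceAccess", []):
            perm_id = str(access.get("id", "")).lower()
            perm_type = access.get("type")
            if app_id == GRAPH_APP_ID and perm_id in EXPECTED_ROLES and perm_type == "Role":
                seen.add(perm_id)
            else:
                # Leftover defaults or extra grants widen what the app can do.
                findings.append(f"unexpected: resource={app_id} id={perm_id} type={perm_type}")
    for missing in sorted(EXPECTED_ROLES - seen):
        findings.append(f"missing: {missing}")
    return findings

# Constructed sample manifests, trimmed to the one key this check reads.
GOOD = json.dumps({"requiredResourceAccess": [{
    "resourceAppId": GRAPH_APP_ID,
    "resourceAccess": [{"id": i, "type": "Role"} for i in sorted(EXPECTED_ROLES)],
}]})
# The all-ones GUID is a made-up placeholder standing in for a leftover default permission.
LEFTOVER = json.dumps({"requiredResourceAccess": [{
    "resourceAppId": GRAPH_APP_ID,
    "resourceAccess": [
        {"id": "11111111-1111-1111-1111-111111111111", "type": "Scope"},
        {"id": "e2a3a72e-5f79-4c64-b1b1-878b674786c9", "type": "Role"},
    ],
}]})

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("LEFTOVER", LEFTOVER)):
        print(name, audit_manifest(text) or "OK")
```

An expected role id entered with type Scope instead of Role is reported both as unexpected and as missing, which catches a manifest that looks right at a glance but does not request the application permission.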