AiStrike Documentation

Microsoft Entra

Microsoft Entra ID integrates with AiStrike through an Azure App Registration. This guide covers creating the App Registration, assigning the required API permissions, granting admin consent, assigning roles, and generating a client secret. AiStrike pulls identity, directory, sign-in, and audit telemetry.◼︎

Prerequisites

Ensure the following requirements are met before proceeding.

Required Azure Access

The person creating the app registration should have the following roles at the subscription level / management group:

  • Global Administrator

  • User Access Administrator (or higher) at the Management Group level

Step 1: Log in to Azure

  1. Navigate to the Azure Portal.

  2. Sign in with an account that has the required permissions.

Step 2: Create an App Registration

  1. Go to Microsoft Entra ID.

  2. Click on App registrations under Manage [left menu].

  3. Click on New registration.

  4. Enter a name for the application (e.g., AiStrikeAppRegistration).

  5. Choose:

    1. Single Tenant (Accounts in this organizational directory only — Default Directory)

    2. Multi-Tenant (Accounts in any organizational directory — Any Microsoft Entra ID tenant)

  6. Click Register.

Step 3: Assign API Permissions

  1. Open the newly created App Registration.

  2. Go to API Permissions → Add a permission.

  3. Select Microsoft Graph → Application permissions.

  4. Add the following permissions [use search box or select manually]:

    • Application.Read.All

    • Directory.Read.All

    • EntitlementManagement.Read.All

    • RoleManagement.Read.All

    • User.Read.All

    • SecurityEvents.Read.All

    • SecurityAlert.Read.All

    • Reports.Read.All

    • AuditLog.Read.All

    • MailboxSettings.Read

    • SecurityIncident.Read.All

    • Sites.Read.All

    • Files.Read.All

    • IdentityRiskEvent.Read.All

Below permission comes by default as Delegated permissions:

  • User.Read

To allow the AiStrike system to collect vulnerability information:

Navigate to API Permissions → APIs my organization uses → Application Permissions, search for WindowsDefenderATP, and select the following permissions:

  • Vulnerability.Read.All

  • Machine.Read.All

  • Software.Read.All

  • Alert.Read.All

  1. Click Grant admin consent and confirm.

  2. Expected status after granting consent: the status for the API permissions should display "Granted for [Tenant Name]" (e.g., "Granted for Default Directory").

1. Navigate to App Registrations

  1. Go to the Azure Portal.

  2. Search for Microsoft Entra ID and click on it.

  3. In the left menu, click App registrations.

  4. Locate and click on the newly created App Registration (e.g., AiStrikeAppRegistration).

2. Open API Permissions

  1. In the App Registration menu, click API permissions.

  2. You will see a list of requested permissions with a status of "Not Granted for <Tenant Name>" under Admin consent required.

3. Grant Admin Consent

  1. Click on Grant admin consent for <Tenant Name>.

  2. A confirmation prompt will appear — click Yes.

  3. Wait for the process to complete (this may take a few seconds).

  4. Ensure that the Status column now shows Granted for <Tenant Name>.

4. Verify Admin Consent

  1. Refresh the page and check the API permissions section.

  2. Ensure all permissions show Granted for <Tenant Name> in the Status column.

  3. If any permissions are missing, repeat the steps.

Step 4: Assigning Roles at the Management Group Level

  1. Go to Management Groups.

  2. Click on the top-level management group (where "Type" is "Management group").

  3. Click Access management (IAM) on the left menu.

  4. Click Add role assignment.

  5. Under Members, select the app registration.

  6. Search for the app registration name and select it.

  7. Click Review and assign.

  8. Validate the assignment under the Role assignments tab.

Assign the following roles:

  • Reader (Read-only permission for resources on Subscription under management group)

  • Security Reader (Required to read Azure Defender for Cloud alerts)

Step 5: Generate a Client Secret

  1. Go to Certificates & secrets.

  2. Click New client secret.

  3. Enter a description (e.g., AiStrikeAppSecret) and choose an expiration period.

  4. Click Add.

  5. Copy the Value immediately; it won't be visible later.

Step 6: Validate and Use the App Registration

Retrieve Application Details via CLI, or go to App Registration → locate and click the newly created App Registration (e.g., AiStrikeAppRegistration) → Overview page.

Using Azure CLI:

az ad app list --display-name "AiStrikeAppRegistration"

echo "=== App ID (Client ID) ==="
az ad app list --display-name "AiStrikeAppRegistration" --query "[0].appId" -o tsv

echo "=== Tenant ID ==="
az account show --query tenantId -o tsv

You can perform these steps via the Azure Portal or Terraform.

Terraform Setup

To automate the creation of the App Registration and assign the necessary permissions, apply the Terraform script provided below:

provider "azurerm" {
  features {}

  # ID of subscription where App registration will be created
  subscription_id = "12345678-1234-1234-1234-123456789abc"
}

module "aistrike_app" {
  source = "https://aistrike-terraform-modules.s3.us-east-1.amazonaws.com/azure-onboarding.zip"

  # Pass either management_group_ids or subscription_ids
  # management_group_ids = ["mg-example-group"]
  subscription_ids = ["12345678-1234-1234-1234-123456789abc"]
}

output "client_id" {
  value = module.aistrike_app.client_id
}

output "client_secret" {
  value = module.aistrike_app.client_secret
}

output "tenant_id" {
  value = module.aistrike_app.tenant_id
}

Ensure admin_consent is granted after applying the script (see the Grant Admin Consent steps above).

Terraform-Based Steps

Use Terraform to automate the above steps. The Terraform script should include:

  • App Registration creation

  • Assigning API permissions

  • Assigning RBAC roles at the Management Group level

  • Generating a client secret

  • The Client ID (Application (client) ID) & Client Secret will be displayed in the Terraform output.

Step 7: Add to AiStrike

Once completed, add the Client Secret, Client ID, and Tenant ID to the AiStrike Integrations Connector.

Upon successful configuration

  • You would start seeing data in Inventory for your Azure environment, populating in the next few hours.

After the integration is configured, all future alerts from Microsoft Defender and other security services will be available in the AiStrike application as per the configured permission list (see: Assign API Permissions).