Microsoft 365 Integration
The Microsoft 365 connector uses the Microsoft Graph Security API with a service principal (client credentials) to collect Secure Score, unresolved security alerts, Identity Protection risky users, and Conditional Access policy status. The setup is identical to the Azure Defender connector — you can reuse the same app registration if both integrations share the same tenant.
- Authentication method: OAuth2 (client credentials)
- Key Graph API permission: SecurityEvents.Read.All
- Example ISO 27001 control mappings: A.8.8, A.5.15
Prerequisites
Register an app in Azure AD
Create a service principal in Azure AD with application permissions on the Microsoft Graph API. This is application-level access: no user account or delegated (per-user) consent is required, but a tenant administrator must grant admin consent for the application permissions once.
Create the app registration
In Azure Portal → Azure Active Directory → App registrations → New registration.
- Name: aisec-m365-readonly (or reuse the Azure Defender registration)
- Supported account types: Accounts in this organizational directory only
- No redirect URI needed
- Note the Application (client) ID and Directory (tenant) ID
Add API permissions
In the app registration → API permissions → Add a permission → Microsoft Graph → Application permissions.
- SecurityEvents.Read.All — for security alerts and secure score
- IdentityRiskyUser.Read.All — for risky user data (requires Azure AD P2)
- Policy.Read.All — for Conditional Access policies
- Click "Grant admin consent for [tenant]" after adding all permissions
Create a client secret
In the app registration → Certificates & secrets → Client secrets → New client secret.
- Description: aisec-m365
- Expiry: 12 or 24 months
- Copy the secret value immediately — shown once only
Azure AD P2 note
Risky user data requires Azure AD Premium P2 (or Microsoft 365 E5).
- If P2 is not licensed, the risky user collection is skipped gracefully — no error is raised
- The other three evidence types (Secure Score, alerts, Conditional Access) work with any M365 licence tier
Configuration
Connect Microsoft 365 in AISEC
Enter the app registration details in Settings → Integrations → Microsoft 365 → Configure.
Step-by-step
- Azure Tenant ID: the Directory (tenant) ID from your app registration overview
- App Client ID: the Application (client) ID from your app registration overview
- App Client Secret: the secret value you copied
- Sync frequency: daily for posture data; hourly if you want near-real-time alert tracking
- Click Connect, then Sync now
Evidence collected
What appears in your evidence register
Up to four evidence items per sync depending on your licence tier.
Secure Score
Current Secure Score percentage and raw value from the Microsoft Graph Security API.
- Maps to ISO 27001: A.8.8, A.5.36
- Maps to SOC 2: CC7.1
Security Alerts
Unresolved alert count with severity breakdown and sample alert titles.
- Maps to ISO 27001: A.8.16, A.5.25
- Maps to SOC 2: CC7.2
Risky Users
Count of users flagged as medium or high risk by Azure AD Identity Protection.
- Maps to ISO 27001: A.5.15, A.8.5
- Maps to SOC 2: CC6.1
Conditional Access Policies
Enabled vs disabled Conditional Access policy count with policy names.
- Maps to ISO 27001: A.5.15, A.8.2
- Maps to SOC 2: CC6.3
Troubleshooting
Common issues
- AADSTS700016 — the client ID or tenant ID is incorrect; copy them directly from the app registration overview page.
- AADSTS7000215 — the client secret is invalid or expired; create a new secret in the app registration.
- 403 on SecurityEvents — admin consent has not been granted for the SecurityEvents.Read.All permission; click "Grant admin consent" in the API permissions page.
- 403 on IdentityRiskyUser — either the permission is not consented or the tenant does not have Azure AD P2; risky user collection is skipped gracefully.
- 403 on Policy.Read.All — grant admin consent for this permission in the API permissions page.
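The collection logic behind the Evidence collected and Troubleshooting sections, as an added illustration that is not AISEC's connector code: the four Graph v1.0 endpoints sit behind an injectable fetch callable, so the graceful skip of risky users on a 403 and the admin-consent failure for the other three evidence types can be exercised offline. Endpoint paths and field names are the public Microsoft Graph v1.0 ones; function and class names (`collect`, `summarize`, `Forbidden`) are this example's own.

```python
import json
import urllib.request
from collections import Counter
from urllib.error import HTTPError
GRAPH = "https://graph.microsoft.com/v1.0"
# evidence type -> (Graph path, application permission it needs)
ENDPOINTS = {
    "secure_score": ("/security/secureScores?$top=1", "SecurityEvents.Read.All"),
    "alerts": ("/security/alerts?$filter=status%20ne%20'resolved'", "SecurityEvents.Read.All"),
    "risky_users": ("/identityProtection/riskyUsers", "IdentityRiskyUser.Read.All"),
    "ca_policies": ("/identity/conditionalAccess/policies", "Policy.Read.All"),
}

class Forbidden(Exception):
    """HTTP 403 from Graph: permission not consented, or feature not licensed."""
def graph_get(token, path):  # real call; collect() accepts any callable with this shape
    req = urllib.request.Request(GRAPH + path, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except HTTPError as e:
        if e.code == 403:
            raise Forbidden(path) from e
        raise

def summarize(kind, body):
    rows = body.get("value", [])
    if kind == "secure_score":  # first entry is the most recent score
        s = rows[0]
        return {"current": s["currentScore"], "max": s["maxScore"], "percent": round(100 * s["currentScore"] / s["maxScore"], 1)}
    if kind == "alerts":
        by_sev = dict(Counter(a["severity"] for a in rows))
        return {"unresolved": len(rows), "by_severity": by_sev, "sample_titles": [a["title"] for a in rows[:3]]}
    if kind == "risky_users":
        return {"flagged": sum(u["riskLevel"] in ("medium", "high") for u in rows)}
    enabled = [p["displayName"] for p in rows if p["state"] == "enabled"]
    return {"enabled": len(enabled), "disabled": len(rows) - len(enabled), "policies": enabled}

def collect(fetch):
    """One sync. Risky users are skipped on 403 (no P2 licence or no consent);
    a 403 anywhere else is surfaced as an admin-consent problem."""
    evidence = {}
    for kind, (path, perm) in ENDPOINTS.items():
        try:
            evidence[kind] = summarize(kind, fetch(path))
        except Forbidden:
            if kind != "risky_users":
                raise PermissionError(f"403 on {path}: grant admin consent for {perm}")
    return evidence
```

A real sync calls `collect(lambda path: graph_get(token, path))` with a client-credentials token for the `https://graph.microsoft.com/.default` scope; a tenant without P2 yields three evidence items, one with P2 yields four.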
Ready to connect?
Register an app in Azure AD, grant the Graph API permissions with admin consent, then enter the credentials in AISEC.