Overview
Microsoft 365 Threat Response lets you respond to suspicious activity in your Microsoft 365, Azure, and Entra environments directly from Blumira as soon as you receive a finding notification. You can disable users and revoke their sessions from supported findings in the app without signing into Microsoft 365. Follow the instructions below to set up your connector and then start testing threat response actions from a finding.
Important: You cannot undo response actions from Blumira. Make sure you have the permissions in Microsoft, or that an administrator is available, to remediate after you perform lockouts from Blumira, so that disabled users can regain access once an incident is resolved or the activity is confirmed as safe.
Before you begin
To set up the Microsoft 365 Threat Response connector that grants Blumira permission to perform actions in your Microsoft tenant, ensure the following requirements are met:
- Your Microsoft tenant is not in the Government Community Cloud. Threat Response currently cannot be used with GCC High.
- You are a global administrator in your Microsoft 365 account and an administrator in Blumira.
- Your Blumira account has a Microsoft 365 Cloud Connector configured for logging and supported detection rules are enabled.
Tip: You can review the supported rules by using the "Supports Response Actions" search preset at the top of the Rules table.
The Microsoft 365 Threat Response connector, located in the Microsoft 365 Cloud Connector in your Blumira account, requires the following Microsoft credentials, which you will gather in the next section:
- The Tenant ID that matches the one used for the Microsoft 365 logging connector.
Tip: If you have multiple tenants in your account, run the “Microsoft 365 - Cloud Connectors and Tenant IDs” global report in Report Builder to verify which tenant belongs to each of your Cloud Connectors.
- The Client Secret Value for the app with Read/Write permissions and admin consent granted.
Gathering your credentials
To gather the credentials needed to configure the Blumira connector, do the following:
- In a browser window, log in to Blumira, then navigate to Settings > Cloud Connectors, and open the Microsoft 365 Cloud Connector for which you want to add Microsoft 365 Threat Response.
Note: Your logging connector must not be GCC High.
- In the Edit Cloud Connector window, click Threat Response.
- Keep the Threat Response tab open for pasting these Microsoft credentials as you gather them: Client ID, Tenant ID, and Client Secret Value.
- In another browser tab or window, log in to the Microsoft Entra admin center as a Global Admin.
- On the left side menu, under Identity, expand Applications.
- Click App Registrations.
- In the “All applications” section, find and select the Blumira app that already exists for logging to your Blumira Microsoft 365 Cloud Connector.
- Under “Essentials,” copy and paste the Application (client) ID and the Directory (tenant) ID into the Blumira Cloud Connector window.
- In the app registration's navigation pane (second panel from the left in Entra), click API permissions.
- Click Add a Permission.
- Click Microsoft Graph.
- At the top of the window, click Application Permissions, and then do the following:
- Expand the Directory section and select the check box next to Directory.ReadWrite.All.
- Expand the Group section and select the check box next to Group.ReadWrite.All.
- Expand the User section and select the check boxes next to these permissions:
- User.EnableDisableAccount.All
- User.Read.All
- User.ReadWrite.All
- Under "Configured permissions," click Grant admin consent.
- In the confirmation window that appears, click Yes.
- Verify the “Status” column shows a green check mark, which confirms consent was granted.
- Click Certificates & secrets.
- Click New client secret.
- In the Description box, type a descriptive name (e.g., Blumira sensor).
- Next to Expires, select an expiration timeframe up to 24 months for this client secret.
Important: The Microsoft 365 Threat Response integration will fail when the client secret expires, so ensure that you set a reminder to update it in Microsoft and in Blumira before the chosen expiration date.
- Click Add.
- In the Client secrets tab, copy the string displayed under Value and paste it into the Client Secret "Value" box in the Threat Response tab of your Blumira Cloud Connector.
Important: Do not copy the “Secret ID,” which appears next to Value on the Certificates & Secrets page.
- To save the response connector in Blumira, click Connect.
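Before clicking Connect, it is worth confirming that the secret you pasted actually authenticates and that admin consent covered every permission listed above, because Blumira only reports a failure when a response action is attempted. The script below is an added example (not Blumira's or Microsoft's code): it performs the standard client-credentials grant against the Microsoft identity platform v2.0 token endpoint with the Graph `.default` scope, then reads the `roles` claim of the returned app-only token, which lists the application permissions the tenant has consented to. The tenant ID, client ID and secret are passed as command-line arguments; `build_sample_token` only constructs a fake, unsigned token so the role check can be exercised offline.

```python
"""Check a client-credentials app registration for the threat-response connector.

Added example; not part of the Blumira or Microsoft documentation. It needs
only the Python standard library.
"""
import base64
import json
import sys
import urllib.parse
import urllib.request

# The application permissions the setup steps above tell you to add and consent to.
REQUIRED_ROLES = {
    "Directory.ReadWrite.All",
    "Group.ReadWrite.All",
    "User.EnableDisableAccount.All",
    "User.Read.All",
    "User.ReadWrite.All",
}


def request_token(tenant_id, client_id, client_secret):
    """Client-credentials grant against the v2.0 token endpoint for Microsoft Graph.

    A 400/401 here means the tenant ID, client ID or secret value is wrong
    (for example the Secret ID was pasted instead of the Value).
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(url, data=body, timeout=30) as resp:
        return json.load(resp)["access_token"]


def decode_claims(jwt):
    """Return the payload claims of a JWT without verifying its signature.

    We are only reading back what the issuer says about our own app; signature
    verification is the resource server's job, not this self-check's.
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(claims, required=frozenset(REQUIRED_ROLES)):
    """Return the required application permissions absent from the roles claim.

    An empty result means admin consent was granted for all of them. A token
    with no roles claim at all is the usual sign that consent was never granted.
    """
    granted = set(claims.get("roles", []))
    return set(required) - granted


def build_sample_token(claims):
    """Build a constructed, unsigned JWT-shaped string for offline testing only.

    Real tokens are signed; this one carries an empty signature segment and must
    never be sent anywhere.
    """
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


def main(argv):
    if len(argv) != 4:
        print("usage: check_app.py TENANT_ID CLIENT_ID CLIENT_SECRET_VALUE")
        return 2
    claims = decode_claims(request_token(*argv[1:]))
    missing = missing_roles(claims)
    if missing:
        print("Secret works, but consent is missing for:", ", ".join(sorted(missing)))
        return 1
    print("Secret works and all required application permissions are consented.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once after granting consent and again when you rotate the secret before its expiry date; a non-zero exit is the signal to go back to the API permissions or Certificates & secrets page rather than to Blumira.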
Testing response actions
To start testing the available actions, go to Using response actions in Microsoft and Azure findings.