
✅ Pre-requisites

Before AirMDR can integrate with your Microsoft 365 tenant to retrieve quarantined emails, the following technical and organizational prerequisites must be met:

Microsoft 365 Tenant Requirements

| Requirement | Description |
| --- | --- |
| Microsoft 365 Tenant | An active M365 tenant with admin access |
| Microsoft Defender for Office 365 | Plan 1 or Plan 2 licensed (for access to quarantine APIs) |
| Global or Security Admin Role | A user with sufficient privileges to register applications and consent APIs |

Azure AD App Setup Requirements

| Requirement | Description |
| --- | --- |
| Access to Azure Portal | To register an application and manage certificates |
| App Registration Permission | Must be able to create an app in Azure Active Directory |
| Upload Public Certificate | You will receive a .cer file from AirMDR to upload to your Azure AD application |
| Grant Admin Consent | Required to authorize API permissions (e.g., Mail.Read, Security.Read.All) for the app |

Onboarding Guide - step by step process to get_ms365_quarantined_emails

This guide outlines how to provide credentials securely by creating an Azure AD application and uploading a certificate, so that AirMDR can access Microsoft 365 quarantine APIs on your behalf. This enables the AirMDR security team to audit, review, or act on potentially malicious emails.
Step 1: Create an App Registration in Azure Portal

  1. Log in to your Azure Portal using a user with Global Admin or Application Administrator permissions.
  2. Navigate to Microsoft Entra ID → App registrations → New registration.
  3. Fill out the mandatory details:
    • Name: AirMDR Quarantine Access
    • Supported account types: Select the “Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)” option.
  4. Click Register.
Redirect URI (Optional): If your app uses authentication, enter a URL (e.g., https://myapp.com/auth).
Step 2: Upload a Certificate

  1. After registering the app, navigate to the Manage → Certificates & secrets section.
  2. Under Certificates, click Upload certificate.
  3. Select a file and upload the public certificate provided by AirMDR (usually a .cer file).
    If you do not already have the certificate, ask AirMDR to generate and provide a new certificate for you.
  4. Once uploaded, copy the thumbprint of the certificate and click Add at the bottom of the page.
    Share the thumbprint (SHA-1 hash) of the certificate data with AirMDR.
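A check you can run before sharing the thumbprint, as an added example (not AirMDR's or Microsoft's code): it computes the SHA-1 thumbprint of the received .cer file locally, whether the file is binary DER or Base64 (PEM) encoded, and compares it with the value copied from the portal. The function names are hypothetical and the sample bytes are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cer_to_der(data: bytes) -> bytes:
    """Return the DER bytes of a .cer file, which may be binary DER or Base64 (PEM)."""
    m = PEM_RE.search(data)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else data
    # An X.509 certificate is a single ASN.1 SEQUENCE: tag 0x30, then a length.
    if len(der) < 2 or der[0] != 0x30 or der[1] == 0x80:
        raise ValueError("not a DER-encoded certificate")
    if der[1] < 0x80:                       # short-form length
        hdr, body_len = 2, der[1]
    else:                                   # long form: next n bytes hold the length
        n = der[1] & 0x7F
        hdr, body_len = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if hdr + body_len != len(der):
        raise ValueError("length mismatch: truncated file or trailing data")
    return der

def thumbprint(data: bytes) -> str:
    """SHA-1 over the DER encoding, as 40 uppercase hex characters."""
    return hashlib.sha1(cer_to_der(data)).hexdigest().upper()

def normalize(tp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or 'ABCD..' and return 40 uppercase hex chars."""
    # U+200E is an invisible mark that copy/paste from some dialogs can carry along.
    cleaned = re.sub(r"[\s:\u200e-]", "", tp).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("thumbprint must be 40 hex characters")
    return cleaned

def matches(cer_bytes: bytes, portal_thumbprint: str) -> bool:
    """True when the local file is the certificate whose thumbprint the portal shows."""
    return thumbprint(cer_bytes) == normalize(portal_thumbprint)

# Constructed sample: a DER-shaped blob, NOT a real certificate.
_body = b"constructed sample, not a real certificate"
SAMPLE_DER = b"\x30" + bytes([len(_body)]) + _body
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(thumbprint(SAMPLE_PEM), matches(SAMPLE_DER, thumbprint(SAMPLE_PEM)))
```

To use it on a real file, pass `open("airmdr.cer", "rb").read()` (file name assumed) and the thumbprint string copied from Certificates & secrets.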
Step 3: Configure API Permissions

  1. In the left navigation pane of the application Overview page, select the Manage dropdown.
  2. Navigate to API Permissions and click + Add a permission.
  3. On the Request API permissions page, choose the APIs my organization uses tab.
  4. Search and select Office 365 Exchange Online exactly as shown.
  5. Choose Application permissions.
  6. Search and select the required permissions as shown:
    • To Manage Exchange as Application - Exchange.ManageAsApp
  7. Choose Grant admin consent.
  8. Navigate to the Manage → Roles and administrators page to assign the Exchange Administrator role to the application.
  9. Search and select the Exchange Administrator role.
  10. Choose Add assignments, and add the app registration we created.
  11. In the search bar, enter the application name given earlier (for example, “AirMDR Quarantine Access”).
  12. Click Add at the bottom of the page.
  13. Navigate to Entra ID → Manage → App registrations → All Applications.
  14. Search and select the application name.
  15. On the Overview page, copy all the required essentials (Application (client) ID, Directory (tenant) ID).
Step 4: Create a Client Secret (For Authentication)

  1. In the left navigation pane, select the Manage dropdown.
  2. Click Certificates & secrets.
  3. Click + New client secret.
  4. Enter a description (e.g., MySecretKey) and set expiration.
  5. Click Add.
Copy and secure the Secret ID and Value (Client Secret) immediately (it won’t be shown again!).

📤 Information to Provide to AirMDR

  1. Go to Azure Portal → Entra ID.
  2. Click App registrations and select your registered app.
  3. Under the Overview section, locate the Application (client) ID and Tenant ID (Directory ID).
  4. Click the Copy icon 📋 next to the Client ID and the Tenant ID respectively.
Securely share the Client (Application) ID, Tenant ID, Client Secret Value, Secret ID, Certificate Thumbprint, and the Tenant Domain (Organization) with AirMDR.

| Field | Description |
| --- | --- |
| Client (Application) ID and Tenant ID | Found under the Overview section of the registered Azure AD app |
| Certificate Thumbprint | Found in the Certificates & Secrets tab after uploading the certificate |
| Tenant Domain (Organization) | Usually in the form <yourcompany>.onmicrosoft.com (e.g., foundationcap.onmicrosoft.com) |
| Client Secret Value and Secret ID | Client Secret Value and Secret ID securely saved earlier for authentication |

Example:
For a customer like FCAP, the domain was foundationcap.onmicrosoft.com. The .onmicrosoft.com suffix is common across tenants.
If you need assistance during this process, contact AirMDR support.

💼 AirMDR Internal Requirements

Once credentials are received:
  • AirMDR will create a connection in the Connection Manager using:
    • Provider type: Microsoft
    • The credentials listed above
  • Access is used only for retrieving quarantined emails via Microsoft Graph or Defender APIs

Future Automation

Once AirMDR agents are deployed to the customer’s remote infrastructure:
  • The current Powersheller instance used to perform these operations can be deprecated.
  • The onboarding steps (like certificate auth and quarantine sync) will be handled directly by remote agents.
This ensures full automation, scalability, and centralized control without requiring manual setup steps on an ongoing basis.

🛡 Security & Access Best Practices

  • ✅ Certificate-based auth ensures non-password-based secure access
  • ✅ Permissions are application-only and limited to read quarantine info