topic Re: MS Defender XSOAR Integration daily re-auth. in Cortex XSOAR Discussions

MS Defender XSOAR Integration daily re-auth.

STeegarden — Tue, 05 Mar 2024 13:42:44 GMT

Hello, used this integration guide (https://xsoar.pan.dev/docs/reference/integrations/microsoft-365-defender) and the integration pulls incidents just fine. Currently using a self-deployed application and device code flow. Problem I am running into is a daily re-auth for a user account using the device code flow. I suspect it might have to do with token reauth for the user account used in device code flow along with our conditional access policies. Anyone have any ideas to get the integration to just pull incidents without having to use an account to reauth every day? Checked the self-deployed application box, and device code flow box off and on and reinstalled the integration as well as generated new keys etc.

Re: MS Defender XSOAR Integration daily re-auth.

cpayne26 — Wed, 06 Mar 2024 16:41:35 GMT

Good morning. Do you have offline_access scope provisioned for the self deployed app? I would doublecheck that and then confirm with your AAD admin that offline_access was provisioned as well as confirm what policies exist that might impact token expiration. Let us know if that resolves the issue.

Here's the resources to read up on offline access and refresh tokens.
https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-device-code
https://learn.microsoft.com/en-us/answers/questions/1118562/how-to-extend-the-expiry-of-access-token-so-i-dont (a little dated but bhanu Kiran provided a clear description of refresh tokens and also points to this article https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes)

Re: MS Defender XSOAR Integration daily re-auth.

STeegarden — Thu, 07 Mar 2024 13:13:19 GMT

Awesome thanks for the reply and additional documentation. The permissions are fine, now I am having other issues with XSOAR telling me the App integration giving me this error - "No tenant-identifying information found in either the request or implied by any provided credentials." Just had this functioning earlier today and nothing was changed. Im going to remove it entirely and start from scratch, also waiting on upgraded to XSOAR 8 starting next Tuesday so hopefully some of these odd occasional issues disappear.

Re: MS Defender XSOAR Integration daily re-auth.

mkjones — Fri, 15 Nov 2024 17:25:08 GMT

Good afternoon. Did you ever find a resolution to the"No tenant-identifying information found in either the request or implied by any provided credentials." . I'm having the same issue.

Thanks!