Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

MS Defender XSOAR Integration daily re-auth.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

MS Defender XSOAR Integration daily re-auth.

L1 Bithead

Hello, used this integration guide (https://xsoar.pan.dev/docs/reference/integrations/microsoft-365-defender) and the integration pulls incidents just fine. Currently using a self-deployed application and device code flow. Problem I am running into is a daily re-auth for a user account using the device code flow. I suspect it might have to do with token reauth for the user account used in device code flow along with our conditional access policies. Anyone have any ideas to get the integration to just pull incidents without having to use an account to reauth every day?  Checked the self-deployed application box, and device code flow box off and on and reinstalled the integration as well as generated new keys etc. 

1 accepted solution

Accepted Solutions

L2 Linker

Good morning.   Do you have offline_access scope provisioned for the self deployed app?     I would doublecheck that and then confirm with your AAD admin  that offline_access was provisioned as well as confirm what policies exist that might impact token expiration.    Let us know if that resolves the issue. 

Here's the resources to read up on offline access and refresh tokens. 
https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-device-code
https://learn.microsoft.com/en-us/answers/questions/1118562/how-to-extend-the-expiry-of-access-token... (a little dated but bhanu Kiran provided a clear description of refresh tokens and also points to this article https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes)   




View solution in original post

2 REPLIES 2

L2 Linker

Good morning.   Do you have offline_access scope provisioned for the self deployed app?     I would doublecheck that and then confirm with your AAD admin  that offline_access was provisioned as well as confirm what policies exist that might impact token expiration.    Let us know if that resolves the issue. 

Here's the resources to read up on offline access and refresh tokens. 
https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-device-code
https://learn.microsoft.com/en-us/answers/questions/1118562/how-to-extend-the-expiry-of-access-token... (a little dated but bhanu Kiran provided a clear description of refresh tokens and also points to this article https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes)   




Awesome thanks for the reply and additional documentation. The permissions are fine, now I am having other issues with XSOAR telling me the App integration giving me this error - "No tenant-identifying information found in either the request or implied by any provided credentials." Just had this functioning earlier today and nothing was changed. Im going to remove it entirely and start from scratch, also waiting on upgraded to XSOAR 8 starting next Tuesday so hopefully some of these odd occasional issues disappear. 

  • 1 accepted solution
  • 1190 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!