MS Defender XSOAR Integration daily re-auth.


L0 Member

Hello, used this integration guide (https://xsoar.pan.dev/docs/reference/integrations/microsoft-365-defender) and the integration pulls incidents just fine. Currently using a self-deployed application and device code flow. Problem I am running into is a daily re-auth for a user account using the device code flow. I suspect it might have to do with token reauth for the user account used in device code flow along with our conditional access policies. Anyone have any ideas to get the integration to just pull incidents without having to use an account to reauth every day?  Checked the self-deployed application box, and device code flow box off and on and reinstalled the integration as well as generated new keys etc. 


Accepted Solutions

L2 Linker

Good morning. Do you have the offline_access scope provisioned for the self-deployed app? I would double-check that and then confirm with your AAD admin that offline_access was provisioned, as well as confirm what policies exist that might impact token expiration. Let us know if that resolves the issue.

Here are the resources to read up on offline access and refresh tokens.
https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-device-code
https://learn.microsoft.com/en-us/answers/questions/1118562/how-to-extend-the-expiry-of-access-token... (a little dated but bhanu Kiran provided a clear description of refresh tokens and also points to this article https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes)
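
The check suggested in the answer above, as an added example (not part of the original thread and not the XSOAR integration's own code): the device code flow returns a `refresh_token` only when `offline_access` was among the requested scopes, so classifying the token-endpoint response shows whether silent renewal is possible or a user sign-in is required again. The function names, the scope URL and the sample responses are constructed for illustration.

```python
"""Classify token-endpoint responses for an unattended device-code sign-in."""

# Errors meaning the stored refresh token cannot be redeemed silently any more
# (expired, revoked, or blocked by policy): a user has to sign in again.
REAUTH_ERRORS = {"invalid_grant", "interaction_required"}
# RFC 8628 polling states: the user has not finished the device-code prompt.
PENDING_ERRORS = {"authorization_pending", "slow_down"}

def ensure_offline_access(scopes):
    """Build the scope string to request, adding offline_access if absent."""
    wanted = list(dict.fromkeys(scopes))  # de-duplicate, keep order
    if "offline_access" not in wanted:
        wanted.append("offline_access")
    return " ".join(wanted)

def classify(resp):
    """Map a token-endpoint JSON body to (state, detail)."""
    err = resp.get("error")
    if err in PENDING_ERRORS:
        return "pending", "device-code sign-in not completed yet"
    if err in REAUTH_ERRORS:
        return "reauth_required", resp.get("error_description", err)
    if err:
        return "error", resp.get("error_description", err)
    if not resp.get("access_token"):
        return "error", "response carries neither a token nor an error"
    if not resp.get("refresh_token"):
        # No refresh token: the integration works until expires_in runs out.
        return "no_refresh_token", f"re-auth needed after {resp.get('expires_in')}s"
    return "ok", "refresh token issued; silent renewal is possible"

# Constructed sample bodies, not captured from a real tenant.
SAMPLES = {
    "with_offline_access": {"token_type": "Bearer", "expires_in": 3599,
                            "access_token": "<access>", "refresh_token": "<refresh>"},
    "without_offline_access": {"token_type": "Bearer", "expires_in": 3599,
                               "access_token": "<access>"},
    "refresh_rejected": {"error": "invalid_grant",
                         "error_description": "constructed: refresh token rejected"},
    "still_polling": {"error": "authorization_pending"},
}

if __name__ == "__main__":
    # Placeholder resource scope; substitute the one the app registration uses.
    print(ensure_offline_access(["https://resource.example/.default"]))
    for name, body in SAMPLES.items():
        print(f"{name:24} -> {classify(body)}")
```

A `no_refresh_token` result points at the scope or consent configuration, while `reauth_required` on a refresh attempt points at token lifetime or conditional access policy, which is the split the answer asks the AAD admin to confirm.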




Awesome, thanks for the reply and additional documentation. The permissions are fine, now I am having other issues with XSOAR telling me the App integration is giving me this error - "No tenant-identifying information found in either the request or implied by any provided credentials." Just had this functioning earlier today and nothing was changed. I'm going to remove it entirely and start from scratch, also waiting on the upgrade to XSOAR 8 starting next Tuesday, so hopefully some of these odd occasional issues disappear.
