
Data Integration Guide - Microsoft O365/Graph

Overview

The Microsoft Graph API integration enables Living Security Unify to ingest key identity and security telemetry from Microsoft 365 environments.

Supported Streams

| Stream | Endpoint(s) | Description |
|---|---|---|
| Alerts (Legacy - Deprecated by Microsoft April 2026). ⚠️ This endpoint is being deprecated by Microsoft. New and existing integrations should use Alerts v2. | /security/alerts | Ingests security alerts from multiple providers (Azure Identity Protection, Azure Security Center, Cloud App Security, O365 Security, Windows Defender). |
| Alerts v2 | /security/alerts_v2 | Ingests confirmed security alerts from Microsoft Graph Security. Filters alerts to exclude any alerts classified as falsePositive. Captures key evidence objects for user, device, and mailbox context. |
| Attack Simulations | /security/attackSimulation/simulations, /security/attackSimulation/simulations/{simulationId}/report/simulationUsers | Retrieves phishing/smishing attack simulation training results including user behavior (opened, clicked, reported, deleted) |
| Devices | /devices | Retrieves Azure AD device registrations with compliance and management status |
| Directory Audits | /auditLogs/directoryAudits | Retrieves directory audit logs for user, group, policy, and role changes |
| Managed Devices | /deviceManagement/managedDevices | Retrieves Intune-managed devices with compliance, encryption, and supervision status |
| Sign-ins | /auditLogs/signIns | Retrieves Azure AD authentication events with risk signals, MFA status, and conditional access results |
| Users | /users, /users/delta | Retrieves user profiles with demographic, organizational, and authentication attributes. Supports both full sync and delta query patterns |
| User Registration Details | /reports/authenticationMethods/userRegistrationDetails | Retrieves user MFA registration status, SSPR capabilities, and passwordless authentication enablement |
| Risky Users | /identityProtection/riskyUsers, /identityProtection/riskDetections | Imports identity risk information for users marked with riskLevel of medium or high, and riskState of atRisk or confirmedCompromised. |

Configuration

Prerequisites

  • Azure AD app registration with Application-Level permissions:
    • SecurityEvents.Read.All - Deprecated. Can be removed if previously used.
    • SecurityAlert.Read.All
    • IdentityRiskEvent.Read.All
    • IdentityRiskyUser.Read.All
    • User.Read.All
    • DeviceManagementApps.Read.All
    • DeviceManagementConfiguration.Read.All
    • DeviceManagementManagedDevices.Read.All
    • DeviceManagementServiceConfig.Read.All
    • Device.Read.All
    • PrivilegedAccess.Read.AzureAD
    • PrivilegedAccess.Read.AzureADGroup
    • AttackSimulation.Read.All
    • AuditLog.Read.All
    • Reports.Read.All
    • Policy.Read.ConditionalAccess
  • A Microsoft 365 tenant with an E5 license is recommended; E3 or F3 with add-on licenses is supported.
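
Added example (not Living Security's or Microsoft's code): a Python least-privilege check that decodes an app-only access token issued to the app registration and compares its `roles` claim with the permission list above, reporting missing, deprecated and unexpected grants. It assumes the token is a JWT whose `roles` claim carries the granted application permissions; the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Application permissions listed under Prerequisites on this page.
REQUIRED = {
    "SecurityAlert.Read.All", "IdentityRiskEvent.Read.All",
    "IdentityRiskyUser.Read.All", "User.Read.All",
    "DeviceManagementApps.Read.All", "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementServiceConfig.Read.All", "Device.Read.All",
    "PrivilegedAccess.Read.AzureAD", "PrivilegedAccess.Read.AzureADGroup",
    "AttackSimulation.Read.All", "AuditLog.Read.All", "Reports.Read.All",
    "Policy.Read.ConditionalAccess",
}
# Listed on this page as deprecated and removable.
DEPRECATED = {"SecurityEvents.Read.All"}


def token_roles(access_token: str) -> set:
    """Return the 'roles' claim of an app-only JWT (no signature check; audit use only)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def audit_roles(granted: set) -> dict:
    """Compare granted application permissions with the page's prerequisite list."""
    extra = granted - REQUIRED - DEPRECATED
    return {
        "missing": sorted(REQUIRED - granted),
        "deprecated": sorted(granted & DEPRECATED),
        "unexpected": sorted(extra),
        "write_capable": sorted(r for r in extra if "Write" in r),  # name heuristic
    }


def constructed_token(roles):
    """Build an unsigned sample token for the demo (constructed, not a real token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), "sig"])


SAMPLE = constructed_token(sorted(REQUIRED - {"Reports.Read.All"})
                           + ["SecurityEvents.Read.All", "Mail.ReadWrite"])

if __name__ == "__main__":
    print(json.dumps(audit_roles(token_roles(SAMPLE)), indent=2))
```

An empty `unexpected` list and an empty `deprecated` list mean the registration holds nothing beyond what this integration asks for.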

Setup Steps

  1. Create a Microsoft Graph connector in Unify:
    1. Navigate to Integrations → Microsoft Graph → Add Connection.
  2. Provide connection details:
    1. Azure Tenant ID
    2. Azure Client ID
    3. Azure Client Secret
  3. Select desired streams:
    1. Enable one or more of the supported data streams.
  4. Save and activate the integration.