Red Canary Managed Security Service Provider (MSSP) Access Instructions for Azure P1 will provide Red Canary organization Cyber Incident Response Team (CIRT) members with direct access to your Microsoft 365 Defender console.  

These instructions are intended for customers who use Microsoft Azure P1 type licenses, which does not allow access to the Identity Governance features of Azure AD. If you have an E5/A5 license, see Connecting Red Canary to Microsoft Defender for Endpoint in the Red Canary Help Center.

Granting Red Canary Access consists of the following steps: 

• Create a Microsoft Azure AD security group
• Enable Role-based Access Controls in Microsoft Defender for Endpoint
• Add a Red Canary shared user account

Prerequisites

• Before beginning the MSSP Access process for Azure P1, you will need to have access to an account with a minimum of Security Administrator privileges within your Azure organization
• Review the following articles before connecting Red Canary to your Microsoft Defender for Endpoint instance:
  • Minimum requirements for Microsoft Defender for Endpoint
  • Compare Microsoft Defender for Endpoint plans

Step 1: Azure Active Directory (AD)–Create a Microsoft Azure AD security group

Create the Azure AD security group that will contain the Red Canary shared user account.

1. Navigate to https://portal.azure.com and log in with your Global or Security Administrator Microsoft account. 
2. Expand the navigation pane and click Azure Active Directory. 
3. Click Groups. 
4. Click New Group. 
5. Fill in the group parameters with the following: 
   • Group Type: Security
   • Group Name: Red Canary
   • Group Description: Red Canary Access Group
   • Azure AD roles can be assigned to the group: Yes
   • Roles: Security Reader.
   • Membership Type: Assigned
   • Owners: No owners selected
   • Members: No members selected
6. Click Create. 

Step 2: Enable Role-based Access Controls (RBAC) in Microsoft Defender for Endpoint

Create a RBAC role within Defender for your endpoint, and then assign the Red Canary Azure AD security group to the role.

1. Navigate tohttps://security.microsoft.com, and log in with your global administrator account. 
2. Select Settings | Endpoints | Roles | Add item.
3. Fill out the form with the following values:
   • Role Name: Red Canary
   • Description: Red Canary Access Role
   • Check the following boxes:
     • • View Data
         • • Security Operations
           • Threat and Vulnerability Management
4. Click Assigned user groups, Red Canary, and then Add Selected Groups.
5. Click Save.

Step 3: Azure AD–Add a Red Canary shared user account

Invite the Red Canary shared user account to Azure AD, and then add the account to the Azure AD security group that was created in Step 1.

1. Navigate to https://portal.azure.com and log in with your Global or Security Administrator Microsoft account. 
2. Expand the navigation pane and click Azure Active Directory. 
3. Click Users. 
4. Click Invite User. 
5. Fill in the group parameters with the following: 
   1. Identity
      • User Name: redcanary
      • Email Address: <Red Canary will provide you this email address>
      • Name: Red Canary
      • First Name: Leave blank

      • Last Name: Leave blank

   2. Groups and Roles

      • Groups: Select the Red Canary group you just created

      • Roles: Don't select a role

   3. Settings

      • Block Login: Off

      • Usage Location: United States

   4. Job Info: Leave blank

6. Click Create.