Red Canary Managed Security Service Provider (MSSP) Access Instructions for Azure P1 will provide Red Canary organization Cyber Incident Response Team (CIRT) members with direct access to your Microsoft 365 Defender console.  

These instructions are intended for customers who use Microsoft Azure P1 type licenses, which does not allow access to the Identity Governance features of Azure AD. If you have an E5/A5 license, see Connecting Red Canary to Microsoft Defender for Endpoint in the Red Canary Help Center.

Granting Red Canary Access consists of four steps: 

• Create a Microsoft Azure AD security group
• Enable Role-based Access Controls (RBAC) in Microsoft Defender for Endpoint
• Add a Red Canary shared user account
• Add the security reader role to your Red Canary account

Prerequisites

• Before beginning the MSSP Access process for Azure P1, you will need to have access to an account with a minimum of Security Administrator privileges within your Azure organization
• Review the following articles before connecting Red Canary to your Microsoft Defender for Endpoint instance:
  • Minimum requirements for Microsoft Defender for Endpoint
  • Compare Microsoft Defender for Endpoint plans

Step 1: Azure Active Directory (AD)–Create a Microsoft Azure AD security group

Create the Azure AD security group that will contain the Red Canary shared user account.

1. 1. Navigate to https://portal.azure.com and log in with your Global or Security Administrator Microsoft account. 
   2. Expand the navigation pane and click Azure Active Directory. 
   3. Click Groups. 
   4. Click New Group. 
   5. Fill in the group parameters with the following: 
   6. Group Type: Security
      1. Group Name: Red Canary
      2. Group Description: Red Canary Access Group
      3. Azure AD roles can be assigned to the group: Yes
      4. Membership Type: Assigned
      5. Owners: No owners selected
      6. Members: No members selected
   7. Click Create. 

Step 2:  Microsoft 365 Defender–Enable Role-based Access Controls (RBAC) in Microsoft Defender for Endpoint

Create a RBAC role within Defender for your endpoint, and then assign the Red Canary Azure AD security group to the role.

1. Navigate to https://security.microsoft.com and log in with your Global Administrator or Security Administrator Microsoft account.
2. Click Settings.
3. Click Roles.
4. Click Add Item. 
5. Configure permissions for the new role:
   1. Role Name: Red Canary
   2. Description: Red Canary Access Role
   3. Select the following Permissions boxes only. 
      1. View Data
         1. Security Operations
         2. Threat and Vulnerability Management
      2. Active Remediation Actions
         1. Security Operations
      3. Alerts Investigation
      4. Live Response Capabilities
         1. Basic
   4. Click Assigned User Groups.
   5. Select the group named Red Canary.
   6. Click Add Selected Groups.
   7. Click Save.
6. Click Assigned User Groups.
7. Select the group named Red Canary.
8. Click Add Selected Groups.
9. Click Save.

Step 3: Azure AD–Add a Red Canary shared user account

Invite the Red Canary shared user account to Azure AD, and then add the account to the Azure AD security group that was created in Step 1.

1. Navigate to https://portal.azure.com and log in with your Global or Security Administrator Microsoft account. 
2. Expand the navigation pane and click Azure Active Directory. 
3. Click Users. 
4. Click Invite User. 
5. Click Create a User.
6. Fill in the group parameters with the following: 
   1. Identity
      1. User Name: redcanary
      2. Email Address: <Red Canary will provide you this email address>
      3. Name: Red Canary
      4. First Name: Leave blank

      5. Last Name: Leave blank

   2. Groups and Roles

      1. Groups: Select the Red Canary group you just created

      2. Roles: Don't select a role.

   3. Settings

      1. Block Login: Off

      2. Usage Location: United States

   4. Job Info: Leave blank

7. Click Create.

Step 4: Azure AD–Add the security reader role to the Red Canary security group

Add the Security Reader permissions role to the Azure AD security group that contains the Red Canary shared user account.

1. Navigate to https://portal.azure.com, and then log in with your Global or Security Administrator Microsoft account. 
2. Expand the navigation pane, and then click Azure Active Directory.
3. Click Roles and Administrators.
   
4. Search for and select Security Reader.
5. From the assignments section, click Add assignments.
6. Search for the Red Canary Security Group.
7. Click Add.