Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Microsoft Graph API

    Home FortiSOAR Connectors Microsoft Graph API
    2.0.0
    2.1.0
    2.0.0
    1.1.0
    1.0.0

    Microsoft Graph API v2.0.0

    About the connector

    The Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources.

    This document provides information about the Microsoft Graph API connector, which facilitates automated interactions using Microsoft Graph API. Add the Microsoft Graph API connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving a list of all risky users from Microsoft Graph API, searching for messages based on Subject delivered to the user within the organization using Microsoft Graph API, or deleting a specific message from the specific user's mailbox in Azure.

    Version information

    Connector Version: 2.0.0

    Authored By: Fortinet

    Certified: Yes

    FortiSOAR™ Version Tested on: 7.4.1-3167

    Microsoft Graph API Version Tested on: v1

    Release Notes for version 2.0.0

    Following enhancements have been made to the Microsoft Graph API Connector in version 2.0.0:

    • Added support for the Delegate access token type
    • Removed configuration parameter API Version
    • Added a configuration parameter Get Access Token
    • Added Unblock IP Ranges action
    • Added Create IP Named Location action
    • Updated output schema of the following actions:
      • Update Security Alert action
      • Search Message in Users Mailbox

    Installing the connector

    Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

    You can also use the yum command as a root user to install the connector:

    yum install cyops-connector-microsoft-graph

    Prerequisites to configuring the connector

    • You must have the Tenant and Client ID for your Azure Active Directory instance to which you will connect and perform automated operations and the Client secret to access that instance.
    • Ensure that host login.microsoftonline.com on port 443 is whitelisted.

    Minimum Permissions Required

    Configuring the connector

    For the procedure to configure a connector, click here

    Configuration parameters

    In FortiSOAR™, on the Connectors page, click the Microsoft Graph API connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

    Parameter Description
    Server URL Specify the service-based URI to connect and perform automated operations.
    Tenant ID Specify the ID of the tenant assigned to you by the Azure application registration portal.
    Client ID Specify the Unique Application ID of the Azure Active Directory application to create an authentication token required to access the API. For information on getting authentication tokens, see the Getting Authentication Tokens section.
    Client Secret Specify the Unique Client Secret of the Azure Active Directory application that is used to create an authentication token required to access the API. For information on how to get the secret key, see https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.
    Get Access Token Select the method using to get authentication tokens used to access the security graph APIs. You can choose from following options:
    • On behalf of User - Delegate Permission: Select this option if the access token is of the type Delegate Permission. Once selected, specify values in the following fields:
      • Authorization Code: Specify the authorization code that you acquired during the authorization step. For more information, see the Getting Access Tokens using the On behalf of the User – Delegate Permission section.
      • Redirect URL: The redirect_uri of your app, where authentication responses can be sent and received by your app. The redirect URL that you specify here must exactly match one of the redirect_uri's you have registered in your app registration portal.
    • Without a User - Application Permission
    Verify SSL Specifies whether the SSL certificate for the server is to be verified.
    By default, this option is set to True.

    Actions supported by the connector

    The following automated operations can be included in playbooks and you can also use the annotations to access operations:

    Function Description Annotation and Category
    Get Risky Users List Retrieves a list of all risky users from Microsoft Graph API. get_risky_users_list
    Investigation
    Get Risky User Details Retrieve details for a specific risky user from Microsoft Graph API based on the user ID you have specified. get_risky_user_details
    Investigation
    Get All Security Alerts Retrieves a list of alerts from Microsoft Graph API based on the input parameters you have specified. get_all_security_alerts
    Investigation
    Get Security Alert Retrieves details of a specific alert from Microsoft Graph API based on the alert ID you have specified. get_security_alert
    Investigation
    Update Security Alert Updates a specific alert using Microsoft Graph API based on the alert ID, vendor name, provider name, and other input parameters you have specified. update_security_alert
    Investigation
    Get Groups Retrieves a list of groups from Microsoft Graph API. get_groups
    Investigation
    Get Users Within A Group Retrieves a list of users within a specific group from Microsoft Graph API based on the group ID you have specified. get_group_users
    Investigation
    Search Message in Users Mailbox Searches for messages in a user's mailbox within an organization based on the Subject and user list you have specified. search_message
    Investigation
    Delete Message Deletes a specific message from the specific user's mailbox in Azure based on the user ID and message ID you have specified. del_message
    Investigation
    Delete Message Bulk Deletes messages from multiple users mailboxes in Azure based on the comma-separated list of users you have specified. del_message_bulk
    Investigation
    Revoke User Session Invalidates all the refresh tokens issued to applications for a user. revoke_user_sessions
    Remediation
    Get All Named Locations Retrieves a list of named location from Azure based on display name, sort order, and other input parameters that you have specified. get_all_named_locations
    Investigation
    Block New IP Ranges Blocks IPv4 and IPv6 address ranges in specified NamedLocation in Azure. block_new_ips
    Containment
    Unblock IP Ranges Unblocks IPv4 and IPv6 address ranges in specified NamedLocation in Azure. unblock_new_ips
    Remediation
    Create IP Named Location Creates a new IP named location in Azure based on specified input parameter. create_ip_range_location
    Investigation

    operation: Get Risky Users List

    Input parameters

    None.

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "value": [
        {
            "id": "",
            "isDeleted": "",
            "isProcessing": "",
            "riskLevel": "",
            "riskState": "",
            "riskDetail": "",
            "riskLastUpdatedDateTime": "",
            "userDisplayName": "",
            "userPrincipalName": ""
        }
    ]
}

    operation: Get Risky User Details

    Input parameters

    Parameter Description
    Risky User ID Specify the ID of the risky user whose details you want to retrieve from Microsoft Graph API.

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "id": "",
    "isDeleted": "",
    "isProcessing": "",
    "riskLevel": "",
    "riskState": "",
    "riskDetail": "",
    "riskLastUpdatedDateTime": "",
    "userDisplayName": "",
    "userPrincipalName": ""
}

    operation: Get All Security Alerts

    Input parameters

    Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of endpoints) is returned.

    Parameter Description
    Vendor Specify the name of the product vendor that provided the alert you want to retrieve using Microsoft Graph API. For example, Microsoft
    Provider Specify the security product that provided the alert you want to retrieve using Microsoft Graph API. For example, Cloud Application Security
    Severity Select the alert severity, set by the vendor or provider, to retrieve alerts using Microsoft Graph API. You can choose from the following options:
    • Unknown
    • Low
    • Medium
    • High
    • Informational
    Search From Select the date and time of alert triggering event(s) to retrieve using Microsoft Graph API.

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "value": [
        {
            "id": "",
            "azureTenantId": "",
            "azureSubscriptionId": "",
            "riskScore": "",
            "tags": [],
            "activityGroupName": "",
            "assignedTo": "",
            "category": "",
            "closedDateTime": "",
            "comments": [],
            "confidence": "",
            "createdDateTime": "",
            "description": "",
            "detectionIds": [],
            "eventDateTime": "",
            "feedback": "",
            "incidentIds": [],
            "lastEventDateTime": "",
            "lastModifiedDateTime": "",
            "recommendedActions": [],
            "severity": "",
            "sourceMaterials": [],
            "status": "",
            "title": "",
            "vendorInformation": {
                "provider": "",
                "providerVersion": "",
                "subProvider": "",
                "vendor": ""
            },
            "alertDetections": [],
            "cloudAppStates": [],
            "fileStates": [],
            "hostStates": [],
            "historyStates": [],
            "investigationSecurityStates": [],
            "malwareStates": [],
            "messageSecurityStates": [],
            "networkConnections": [],
            "processes": [],
            "registryKeyStates": [],
            "securityResources": [],
            "triggers": [],
            "userStates": [],
            "uriClickSecurityStates": [],
            "vulnerabilityStates": []
        }
    ]
}

    operation: Get Security Alert

    Input parameters

    Parameter Description
    Alert ID Specify the unique Alert ID to retrieve that alert from Microsoft Graph API. The alert ID is generated by the provider when an alert is created in Azure.

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "id": "",
    "azureTenantId": "",
    "azureSubscriptionId": "",
    "riskScore": "",
    "tags": [],
    "activityGroupName": "",
    "assignedTo": "",
    "category": "",
    "closedDateTime": "",
    "comments": [],
    "confidence": "",
    "createdDateTime": "",
    "description": "",
    "detectionIds": [],
    "eventDateTime": "",
    "feedback": "",
    "incidentIds": [],
    "lastEventDateTime": "",
    "lastModifiedDateTime": "",
    "recommendedActions": [],
    "severity": "",
    "sourceMaterials": [],
    "status": "",
    "title": "",
    "vendorInformation": {
        "provider": "",
        "providerVersion": "",
        "subProvider": "",
        "vendor": ""
    },
    "alertDetections": [],
    "cloudAppStates": [],
    "fileStates": [],
    "hostStates": [
        {
            "fqdn": "",
            "isAzureAdJoined": "",
            "isAzureAdRegistered": "",
            "isHybridAzureDomainJoined": "",
            "netBiosName": "",
            "os": "",
            "privateIpAddress": "",
            "publicIpAddress": "",
            "riskScore": ""
        }
    ],
    "historyStates": [],
    "investigationSecurityStates": [],
    "malwareStates": [],
    "messageSecurityStates": [],
    "networkConnections": [],
    "processes": [],
    "registryKeyStates": [],
    "securityResources": [],
    "triggers": [],
    "userStates": [],
    "uriClickSecurityStates": [],
    "vulnerabilityStates": []
}

    operation: Update Security Alert

    Input parameters

    Parameter Description
    Alert ID Specify the unique alert ID to update that alert through Microsoft Graph API. The alert ID is generated by the provider when an alert is created in Azure.
    Provider Specify the provider of product or service in Azure to update in the specific alert in Azure. For example, WindowsDefenderATP.
    Vendor Specify the name of the vendor to update in the specific alert in Azure. For example, Microsoft.
    Assigned To (Optional) Specify the name of the analyst to whom you want to assign the specific alert that you want to update for triage, investigation, or remediation in Azure.
    Feedback (Optional) Select the analyst feedback on the alert that you want to update in the specific alert in Azure. You can choose from the following options: Unknown, True Positive, False Positive, or Benign Positive.
    Comments (Optional) Select the analyst comments that you want to update in the specific alert in Azure. You can choose between Closed in MCAS or Closed in IPS.
    Status (Optional) Select the status (life cycle status) that you want to update in the specific alert in Azure. You can choose from the following options: Unknown, New Alert, In Progress, or Resolved.
    Tags (Optional) Specify the JSON array of strings that store user-definable labels that can be applied to the alert that you want to update in Azure. These tags serve as filter conditions, and you can specify multiple tags using comma-based separators.
    Provider Version (Optional) Specify the version of the provider or sub-provider, if it exists, that generated the alert that you want to update in Azure.
    Subprovider (Optional) Specify the name of the sub-provider under the aggregating provider in Azure for the alert t that you want to update in Azure. For example, WindowsDefenderATP.SmartScreen

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "id": "",
    "azureTenantId": "",
    "azureSubscriptionId": "",
    "riskScore": "",
    "tags": [],
    "activityGroupName": "",
    "assignedTo": "",
    "category": "",
    "closedDateTime": "",
    "comments": [],
    "confidence": "",
    "createdDateTime": "",
    "description": "",
    "detectionIds": [],
    "eventDateTime": "",
    "feedback": "",
    "incidentIds": [],
    "lastEventDateTime": "",
    "lastModifiedDateTime": "",
    "recommendedActions": [],
    "severity": "",
    "sourceMaterials": [],
    "status": "",
    "title": "",
    "vendorInformation": {
        "provider": "",
        "providerVersion": "",
        "subProvider": "",
        "vendor": ""
    },
    "alertDetections": [],
    "cloudAppStates": [],
    "fileStates": [],
    "hostStates": [
        {
            "fqdn": "",
            "isAzureAdJoined": "",
            "isAzureAdRegistered": "",
            "isHybridAzureDomainJoined": "",
            "netBiosName": "",
            "os": "",
            "privateIpAddress": "",
            "publicIpAddress": "",
            "riskScore": ""
        }
    ],
    "historyStates": [],
    "investigationSecurityStates": [],
    "malwareStates": [],
    "messageSecurityStates": [],
    "networkConnections": [],
    "processes": [],
    "registryKeyStates": [],
    "securityResources": [],
    "triggers": [],
    "userStates": [],
    "uriClickSecurityStates": [],
    "vulnerabilityStates": []
}

    operation: Get Groups

    Input parameters

    None.

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "value": [
        {
            "id": "",
            "deletedDateTime": "",
            "classification": "",
            "createdDateTime": "",
            "creationOptions": [],
            "description": "",
            "displayName": "",
            "expirationDateTime": "",
            "groupTypes": [],
            "isAssignableToRole": "",
            "mail": "",
            "mailEnabled": "",
            "mailNickname": "",
            "membershipRule": "",
            "membershipRuleProcessingState": "",
            "onPremisesDomainName": "",
            "onPremisesLastSyncDateTime": "",
            "onPremisesNetBiosName": "",
            "onPremisesSamAccountName": "",
            "onPremisesSecurityIdentifier": "",
            "onPremisesSyncEnabled": "",
            "preferredDataLocation": "",
            "preferredLanguage": "",
            "proxyAddresses": [],
            "renewedDateTime": "",
            "resourceBehaviorOptions": [],
            "resourceProvisioningOptions": [],
            "securityEnabled": "",
            "securityIdentifier": "",
            "theme": "",
            "visibility": "",
            "onPremisesProvisioningErrors": []
        }
    ]
}

    operation: Get Users Within A Group

    Input parameters

    Parameter Description
    Group ID Specify an ID of the group whose users you want to retrieve from Microsoft Graph.
    Note: To get the Group ID use the Get Groups operation.

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "value": [
        {
            "@odata.type": "",
            "id": "",
            "businessPhones": [],
            "displayName": "",
            "givenName": "",
            "jobTitle": "",
            "mail": "",
            "mobilePhone": "",
            "officeLocation": "",
            "preferredLanguage": "",
            "surname": "",
            "userPrincipalName": ""
        }
    ]
}

    operation: Search Message in Users Mailbox

    Input parameters

    Parameter Description
    Subject Specify a subject based on which you want to search messages in Azure.
    User List Specify a comma-separated list of user IDs based on which you want to search messages in Azure.
    Page Size (Optional) Number of messages you want to retrieve per user in this request. Default page size is 10. Page size should be between 1 to 1000
    Offset (Optional) Number of messages you want to skip for each in this request.

    Output

    The output contains the following populated JSON schema:

    {
    "Message_Found_List": [
        {
            "@odata.context": "",
            "value": [
                {
                    "@odata.etag": "",
                    "id": "",
                    "createdDateTime": "",
                    "lastModifiedDateTime": "",
                    "changeKey": "",
                    "categories": [],
                    "receivedDateTime": "",
                    "sentDateTime": "",
                    "hasAttachments": "",
                    "internetMessageId": "",
                    "subject": "",
                    "bodyPreview": "",
                    "importance": "",
                    "parentFolderId": "",
                    "conversationId": "",
                    "conversationIndex": "",
                    "isDeliveryReceiptRequested": "",
                    "isReadReceiptRequested": "",
                    "isRead": "",
                    "isDraft": "",
                    "webLink": "",
                    "inferenceClassification": "",
                    "body": {
                        "contentType": "",
                        "content": ""
                    },
                    "sender": {
                        "emailAddress": {
                            "name": "",
                            "address": ""
                        }
                    },
                    "from": {
                        "emailAddress": {
                            "name": "",
                            "address": ""
                        }
                    },
                    "toRecipients": [
                        {
                            "emailAddress": {
                                "name": "",
                                "address": ""
                            }
                        }
                    ],
                    "ccRecipients": [],
                    "bccRecipients": [],
                    "replyTo": [],
                    "flag": {
                        "flagStatus": ""
                    }
                }
            ],
            "user_id": ""
        }
    ],
    "Message_Not_Found_List": [
        {
            "@odata.context": "",
            "value": [],
            "user_id": ""
        }
    ],
    "Run_Time": "",
    "Total_Users_Processed": ""
}

    operation: Delete Message

    Input parameters

    Parameter Description
    User ID Specify the ID of the user based on which you want to delete the specific message from Azure.
    Message ID Specify the ID of the message that you want to delete from Azure.

    Output

    The output contains the following populated JSON schema:

    {
    "status_code": ""
}

    operation: Delete Message Bulk

    Input parameters

    Parameter Description
    User List Specify a comma-separated list of users' mailboxes, which is a list of JSON objects, based on which you want to delete bulk messages in Azure. The format of the list is as follows: 
        [
        {
            'user_id':"",
            'message_id':""
        },
        {
            'user_id':"",
            'message_id':""
        }
    ]

    Output

    The output contains the following populated JSON schema:

    {
    "Error_List": [
        {
            "error_msg": "",
            "user_id": {
                "user_id": "",
                "message_id": ""
            }
        }
    ],
    "Message_Deleted_List": [
        {
            "msg_deleted": "",
            "user_id": {
                "user_id": "",
                "message_id": ""
            }
        }
    ],
    "Run_Time": "",
    "Total_Users_Processed": ""
}

    operation: Revoke User Session

    Input parameters

    Parameter Description
    User ID or PrincipalName Specify the User ID or PrincipalName of the user whose refresh tokens you want to invalidate (revoke) from Microsoft Graph API.

    Output

    The output contains the following populated JSON schema:
    {
    "@odata.context": "",
    "value": ""
    }

    operation: Get All Named Locations

    Input parameters

    Parameter Description
    Display Name Specify the display name of the named location to retrieve from Azure.
    Required Fields (Optional) Specify filters properties (columns) to retrieve only specified fields in response from Azure. You can choose one or more from ID, Display Name, Created Date Time and Modified Date Time
    Order By (Optional) Select the sort order criterion to sort the results. Select the sorting order in Sort Order field. You can choose from following options:
    • ID
    • Display Name
    • Created Date Time
    • Modified Date Time
    Sort Order (Conditional - This field appears after selecting an order criterion in Order By field)
    Specify the sort order from the following options:
    • Ascending
    • Descending
    By default it retrieves named locations in ascending order.
    Count Select to retrieve the total count of named locations matched in Azure. By default it is set to false.
    Size (Optional) Specify the number of named locations to retrieve in this request.
    Offset (Optional) Specify the number of named locations you want to skip in this request.

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "value": [
        {
            "@odata.type": "",
            "id": "",
            "displayName": "",
            "modifiedDateTime": "",
            "createdDateTime": "",
            "isTrusted": false,
            "ipRanges": [
                {
                    "@odata.type": "",
                    "cidrAddress": ""
                }
            ]
        }
    ]
}

    operation: Block New IP Ranges

    Input parameters

    Parameter Description
    IP Named Location's UUID Specify the unique Named Location ID for which you want block the IP addresses.
    IPv4 Ranges Specify IP address ranges in IPv4 CIDR format (1.2.3.4/32) to be blocked in the specified named location. You can specify multiple IPv4 ranges as comma-separated values. e.g. 10.10.10.10/14, 10.10.10.10/13, 10.10.10.10/09
    IPv6 Ranges Specify IP address ranges in allowable IPv6 format, defined in IETF RFC5962, to be blocked in the specified named location. You can specify multiple IPv6 ranges as comma-separated values. e.g. 2001:db8::/43, 2001:db8::/47

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "@odata.type": "",
    "id": "",
    "displayName": "",
    "modifiedDateTime": "",
    "createdDateTime": "",
    "isTrusted": "",
    "ipRanges": [
        {
            "@odata.type": "",
            "cidrAddress": ""
        }
    ]
}

    operation: Unblock IP Ranges

    Input parameters

    Parameter Description
    IP Named Location's UUID Specify the unique named location ID for which you want unblock the IP addresses.
    IPv4 Ranges Specify IP address ranges in IPv4 CIDR format (1.2.3.4/32) to be unblocked in the specified named location. You can specify multiple IPv4 ranges as comma-separated values. For example: 10.10.10.10/14, 10.10.10.10/13, 10.10.10.10/09
    IPv6 Ranges Specify IP address ranges in IPv6 format, as defined in IETF RFC5962, to be unblocked in the specified named location. You can specify multiple IPv6 ranges as comma-separated values. For example: 2001:db8::/43, 2001:db8::/47

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "@odata.type": "",
    "id": "",
    "displayName": "",
    "modifiedDateTime": "",
    "createdDateTime": "",
    "isTrusted": "",
    "ipRanges": [
        {
            "@odata.type": "",
            "cidrAddress": ""
        }
    ]
}

    operation: Create IP Named Location

    Input parameters

    Parameter Description
    Display Name Specify the display name of the named location to create in Azure.
    Is Trusted Select if the IP Range is trusted.
    IPv4 Ranges Specify IP address ranges in IPv4 CIDR format (1.2.3.4/32) to be added in the specified named location. You can specify multiple IPv4 ranges as comma-separated values. For example: 10.10.10.10/14, 10.10.10.10/13, 10.10.10.10/09
    IPv6 Ranges Specify IP address ranges in IPv6 format, as defined in IETF RFC5962, to be added in the specified named location. You can specify multiple IPv6 ranges as comma-separated values. For example: 2001:db8::/43, 2001:db8::/47

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "@odata.type": "",
    "id": "",
    "displayName": "",
    "modifiedDateTime": "",
    "createdDateTime": "",
    "isTrusted": "",
    "ipRanges": []
}

    Included playbooks

    The Sample - Microsoft Graph API - 2.0.0 playbook collection comes bundled with the Microsoft Graph API connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Microsoft Graph API connector.

    • Block New IP Ranges
    • Create IP Named Location
    • Delete Message
    • Delete Message Bulk
    • Get All Named Locations
    • Get All Security Alerts
    • Get Groups
    • Get Risky User Details
    • Get Risky Users List
    • Get Security Alert
    • Get Users Within A Group
    • Revoke User Session
    • Search Message in Users Mailbox
    • Unblock IP Ranges
    • Update Security Alert

    Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

    Getting Access Tokens

    You can get authentication tokens to access the graph APIs using two methods:

    Getting Access Tokens using the On behalf of the User – Delegate Permission method

    1. Ensure that the required permissions are granted for the registration of the application. Select API Permissions > Add permission > Microsoft Graph > Delegated Permissions.
    2. NOTE: The API Permission that should be granted to the registered application is mentioned in the Minimum permissions required for the 'Delegate-type' permission table.
    3. The Redirect URL can be directed to any web application in which to receive responses from Azure AD. If you are unsure about what to set as a redirect URL, you can use https://localhost/myapp.
    4. Copy the following URL and replace the TENANT_ID, CLIENT_ID, and REDIRECT_URI with your tenant ID, client ID, and the following redirect URL:
      https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize?response_type=code&scope=offline_access https://graph.microsoft.com/.default&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI
    5. Enter the above link with the replaced values and you will be prompted to grant permissions for your Azure Service Management. You will be automatically redirected to a link with the following structure: REDIRECT_URI?code=AUTH_CODE&session_state=SESSION_STATE
    6. Copy the AUTH_CODE (without the code= prefix) and paste it in your instance configuration in the Authorization Code parameter.
    7. Enter your client ID in the Client ID parameter field.
    8. Enter your client secret in the Client Secret parameter field.
    9. Enter your tenant ID in the Tenant ID parameter field.
    10. Enter your redirect URL in the Redirect URL parameter field. By default, it is set to https://localhost/myapp.

    Getting Access Tokens using the Without a User – Application Permission method

    1. Ensure that the required permissions are granted for the registration of the application.
      For example, for a Microsoft Graph User: API/Permission name that should be granted is:
      • Directory.Read.All
      • Directory.ReadWrite.All
      • GroupMember.Read.All
      • Group.Read.All
      • Group.ReadWrite.All
      • IdentityRiskyUser.Read.All
      • Mail.ReadBasic.All
      • Mail.Read
      • Mail.ReadWrite
      • SecurityEvents.Read.All
      • SecurityEvents.ReadWrite.All
      • Policy.Read.All
      • Policy.ReadWrite.ConditionalAccess of type Application
    2. Enter your client ID in the Client ID parameter field.
    3. Enter your client secret in the Client Secret parameter field.
    4. Enter your tenant ID in the Tenant ID parameter field.

    Minimum Permissions Table

    To call the Microsoft Graph API, to perform any action, you must be assigned specific permissions as defined in this section. To learn more, including how to choose permissions, see Microsoft Graph's permissions reference.

    Action Name Permission Type Permissions (from least to most privileged)
    Get Risky Users List Delegated IdentityRiskyUser.Read.All
    Application IdentityRiskyUser.Read.All
    Get Risky User Details Delegated IdentityRiskyUser.Read.All
    Application IdentityRiskyUser.Read.All
    Get All Security Alerts Delegated SecurityEvents.Read.All, SecurityEvents.ReadWrite.All
    Application SecurityEvents.Read.All, SecurityEvents.ReadWrite.All
    Get Security Alert Delegated SecurityEvents.Read.All, SecurityEvents.ReadWrite.All
    Application SecurityEvents.Read.All, SecurityEvents.ReadWrite.All
    Update Security Alert Delegated SecurityEvents.ReadWrite.All
    Application SecurityEvents.ReadWrite.All
    Get Groups Delegated GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All
    Application GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All
    Get Users Within A Group Delegated GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All
    Application GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All
    Search Messages in Users mailbox Delegated Mail.ReadWrite
    Application Mail.ReadWrite
    Delete Message Delegated Mail.ReadWrite
    Application Mail.ReadWrite
    Delete Messages Bulk Delegated Mail.ReadWrite
    Application Mail.ReadWrite
    Revoke user session Delegated User.ReadWrite.All, Directory.ReadWrite.All
    Application User.ReadWrite.All, Directory.ReadWrite.All
    Get All Named Locations Delegated Policy.Read.All
    Application Policy.Read.All
    Block IP Ranges Delegated Policy.Read.All and Policy.ReadWrite.ConditionalAccess
    Application Policy.Read.All and Policy.ReadWrite.ConditionalAccess
    Unblock IP ranges Delegated Policy.Read.All and Policy.ReadWrite.ConditionalAccess
    Application Policy.Read.All and Policy.ReadWrite.ConditionalAccess
    Create IP Named Location Delegated Policy.Read.All and Policy.ReadWrite.ConditionalAccess
    Application Policy.Read.All and Policy.ReadWrite.ConditionalAccess
    Previous
    Next

    Microsoft Graph API v2.0.0

    About the connector

    The Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources.

    This document provides information about the Microsoft Graph API connector, which facilitates automated interactions using Microsoft Graph API. Add the Microsoft Graph API connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving a list of all risky users from Microsoft Graph API, searching for messages based on Subject delivered to the user within the organization using Microsoft Graph API, or deleting a specific message from the specific user's mailbox in Azure.

    Version information

    Connector Version: 2.0.0

    Authored By: Fortinet

    Certified: Yes

    FortiSOAR™ Version Tested on: 7.4.1-3167

    Microsoft Graph API Version Tested on: v1

    Release Notes for version 2.0.0

    Following enhancements have been made to the Microsoft Graph API Connector in version 2.0.0:

    Installing the connector

    Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

    You can also use the yum command as a root user to install the connector:

    yum install cyops-connector-microsoft-graph

    Prerequisites to configuring the connector

    Minimum Permissions Required

    Configuring the connector

    For the procedure to configure a connector, click here

    Configuration parameters

    In FortiSOAR™, on the Connectors page, click the Microsoft Graph API connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

    Parameter Description
    Server URL Specify the service-based URI to connect and perform automated operations.
    Tenant ID Specify the ID of the tenant assigned to you by the Azure application registration portal.
    Client ID Specify the Unique Application ID of the Azure Active Directory application to create an authentication token required to access the API. For information on getting authentication tokens, see the Getting Authentication Tokens section.
    Client Secret Specify the Unique Client Secret of the Azure Active Directory application that is used to create an authentication token required to access the API. For information on how to get the secret key, see https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.
    Get Access Token Select the method using to get authentication tokens used to access the security graph APIs. You can choose from following options:
    • On behalf of User - Delegate Permission: Select this option if the access token is of the type Delegate Permission. Once selected, specify values in the following fields:
      • Authorization Code: Specify the authorization code that you acquired during the authorization step. For more information, see the Getting Access Tokens using the On behalf of the User – Delegate Permission section.
      • Redirect URL: The redirect_uri of your app, where authentication responses can be sent and received by your app. The redirect URL that you specify here must exactly match one of the redirect_uri's you have registered in your app registration portal.
    • Without a User - Application Permission
    Verify SSL Specifies whether the SSL certificate for the server is to be verified.
    By default, this option is set to True.

    Actions supported by the connector

    The following automated operations can be included in playbooks and you can also use the annotations to access operations:

    Function Description Annotation and Category
    Get Risky Users List Retrieves a list of all risky users from Microsoft Graph API. get_risky_users_list
    Investigation
    Get Risky User Details Retrieve details for a specific risky user from Microsoft Graph API based on the user ID you have specified. get_risky_user_details
    Investigation
    Get All Security Alerts Retrieves a list of alerts from Microsoft Graph API based on the input parameters you have specified. get_all_security_alerts
    Investigation
    Get Security Alert Retrieves details of a specific alert from Microsoft Graph API based on the alert ID you have specified. get_security_alert
    Investigation
    Update Security Alert Updates a specific alert using Microsoft Graph API based on the alert ID, vendor name, provider name, and other input parameters you have specified. update_security_alert
    Investigation
    Get Groups Retrieves a list of groups from Microsoft Graph API. get_groups
    Investigation
    Get Users Within A Group Retrieves a list of users within a specific group from Microsoft Graph API based on the group ID you have specified. get_group_users
    Investigation
    Search Message in Users Mailbox Searches for messages in a user's mailbox within an organization based on the Subject and user list you have specified. search_message
    Investigation
    Delete Message Deletes a specific message from the specific user's mailbox in Azure based on the user ID and message ID you have specified. del_message
    Investigation
    Delete Message Bulk Deletes messages from multiple users mailboxes in Azure based on the comma-separated list of users you have specified. del_message_bulk
    Investigation
    Revoke User Session Invalidates all the refresh tokens issued to applications for a user. revoke_user_sessions
    Remediation
    Get All Named Locations Retrieves a list of named location from Azure based on display name, sort order, and other input parameters that you have specified. get_all_named_locations
    Investigation
    Block New IP Ranges Blocks IPv4 and IPv6 address ranges in specified NamedLocation in Azure. block_new_ips
    Containment
    Unblock IP Ranges Unblocks IPv4 and IPv6 address ranges in specified NamedLocation in Azure. unblock_new_ips
    Remediation
    Create IP Named Location Creates a new IP named location in Azure based on specified input parameter. create_ip_range_location
    Investigation

    operation: Get Risky Users List

    Input parameters

    None.

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "value": [
        {
            "id": "",
            "isDeleted": "",
            "isProcessing": "",
            "riskLevel": "",
            "riskState": "",
            "riskDetail": "",
            "riskLastUpdatedDateTime": "",
            "userDisplayName": "",
            "userPrincipalName": ""
        }
    ]
}

    operation: Get Risky User Details

    Input parameters

    Parameter Description
    Risky User ID Specify the ID of the risky user whose details you want to retrieve from Microsoft Graph API.

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "id": "",
    "isDeleted": "",
    "isProcessing": "",
    "riskLevel": "",
    "riskState": "",
    "riskDetail": "",
    "riskLastUpdatedDateTime": "",
    "userDisplayName": "",
    "userPrincipalName": ""
}

    operation: Get All Security Alerts

    Input parameters

    Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of endpoints) is returned.

    Parameter Description
    Vendor Specify the name of the product vendor that provided the alert you want to retrieve using Microsoft Graph API. For example, Microsoft
    Provider Specify the security product that provided the alert you want to retrieve using Microsoft Graph API. For example, Cloud Application Security
    Severity Select the alert severity, set by the vendor or provider, to retrieve alerts using Microsoft Graph API. You can choose from the following options:
    • Unknown
    • Low
    • Medium
    • High
    • Informational
    Search From Select the date and time of alert triggering event(s) to retrieve using Microsoft Graph API.

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "value": [
        {
            "id": "",
            "azureTenantId": "",
            "azureSubscriptionId": "",
            "riskScore": "",
            "tags": [],
            "activityGroupName": "",
            "assignedTo": "",
            "category": "",
            "closedDateTime": "",
            "comments": [],
            "confidence": "",
            "createdDateTime": "",
            "description": "",
            "detectionIds": [],
            "eventDateTime": "",
            "feedback": "",
            "incidentIds": [],
            "lastEventDateTime": "",
            "lastModifiedDateTime": "",
            "recommendedActions": [],
            "severity": "",
            "sourceMaterials": [],
            "status": "",
            "title": "",
            "vendorInformation": {
                "provider": "",
                "providerVersion": "",
                "subProvider": "",
                "vendor": ""
            },
            "alertDetections": [],
            "cloudAppStates": [],
            "fileStates": [],
            "hostStates": [],
            "historyStates": [],
            "investigationSecurityStates": [],
            "malwareStates": [],
            "messageSecurityStates": [],
            "networkConnections": [],
            "processes": [],
            "registryKeyStates": [],
            "securityResources": [],
            "triggers": [],
            "userStates": [],
            "uriClickSecurityStates": [],
            "vulnerabilityStates": []
        }
    ]
}

    operation: Get Security Alert

    Input parameters

    Parameter Description
    Alert ID Specify the unique Alert ID to retrieve that alert from Microsoft Graph API. The alert ID is generated by the provider when an alert is created in Azure.

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "id": "",
    "azureTenantId": "",
    "azureSubscriptionId": "",
    "riskScore": "",
    "tags": [],
    "activityGroupName": "",
    "assignedTo": "",
    "category": "",
    "closedDateTime": "",
    "comments": [],
    "confidence": "",
    "createdDateTime": "",
    "description": "",
    "detectionIds": [],
    "eventDateTime": "",
    "feedback": "",
    "incidentIds": [],
    "lastEventDateTime": "",
    "lastModifiedDateTime": "",
    "recommendedActions": [],
    "severity": "",
    "sourceMaterials": [],
    "status": "",
    "title": "",
    "vendorInformation": {
        "provider": "",
        "providerVersion": "",
        "subProvider": "",
        "vendor": ""
    },
    "alertDetections": [],
    "cloudAppStates": [],
    "fileStates": [],
    "hostStates": [
        {
            "fqdn": "",
            "isAzureAdJoined": "",
            "isAzureAdRegistered": "",
            "isHybridAzureDomainJoined": "",
            "netBiosName": "",
            "os": "",
            "privateIpAddress": "",
            "publicIpAddress": "",
            "riskScore": ""
        }
    ],
    "historyStates": [],
    "investigationSecurityStates": [],
    "malwareStates": [],
    "messageSecurityStates": [],
    "networkConnections": [],
    "processes": [],
    "registryKeyStates": [],
    "securityResources": [],
    "triggers": [],
    "userStates": [],
    "uriClickSecurityStates": [],
    "vulnerabilityStates": []
}

    operation: Update Security Alert

    Input parameters

    Parameter Description
    Alert ID Specify the unique alert ID to update that alert through Microsoft Graph API. The alert ID is generated by the provider when an alert is created in Azure.
    Provider Specify the provider of product or service in Azure to update in the specific alert in Azure. For example, WindowsDefenderATP.
    Vendor Specify the name of the vendor to update in the specific alert in Azure. For example, Microsoft.
    Assigned To (Optional) Specify the name of the analyst to whom you want to assign the specific alert that you want to update for triage, investigation, or remediation in Azure.
    Feedback (Optional) Select the analyst feedback on the alert that you want to update in the specific alert in Azure. You can choose from the following options: Unknown, True Positive, False Positive, or Benign Positive.
    Comments (Optional) Select the analyst comments that you want to update in the specific alert in Azure. You can choose between Closed in MCAS or Closed in IPS.
    Status (Optional) Select the status (life cycle status) that you want to update in the specific alert in Azure. You can choose from the following options: Unknown, New Alert, In Progress, or Resolved.
    Tags (Optional) Specify the JSON array of strings that store user-definable labels that can be applied to the alert that you want to update in Azure. These tags serve as filter conditions, and you can specify multiple tags using comma-based separators.
    Provider Version (Optional) Specify the version of the provider or sub-provider, if it exists, that generated the alert that you want to update in Azure.
    Subprovider (Optional) Specify the name of the sub-provider under the aggregating provider in Azure for the alert t that you want to update in Azure. For example, WindowsDefenderATP.SmartScreen

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "id": "",
    "azureTenantId": "",
    "azureSubscriptionId": "",
    "riskScore": "",
    "tags": [],
    "activityGroupName": "",
    "assignedTo": "",
    "category": "",
    "closedDateTime": "",
    "comments": [],
    "confidence": "",
    "createdDateTime": "",
    "description": "",
    "detectionIds": [],
    "eventDateTime": "",
    "feedback": "",
    "incidentIds": [],
    "lastEventDateTime": "",
    "lastModifiedDateTime": "",
    "recommendedActions": [],
    "severity": "",
    "sourceMaterials": [],
    "status": "",
    "title": "",
    "vendorInformation": {
        "provider": "",
        "providerVersion": "",
        "subProvider": "",
        "vendor": ""
    },
    "alertDetections": [],
    "cloudAppStates": [],
    "fileStates": [],
    "hostStates": [
        {
            "fqdn": "",
            "isAzureAdJoined": "",
            "isAzureAdRegistered": "",
            "isHybridAzureDomainJoined": "",
            "netBiosName": "",
            "os": "",
            "privateIpAddress": "",
            "publicIpAddress": "",
            "riskScore": ""
        }
    ],
    "historyStates": [],
    "investigationSecurityStates": [],
    "malwareStates": [],
    "messageSecurityStates": [],
    "networkConnections": [],
    "processes": [],
    "registryKeyStates": [],
    "securityResources": [],
    "triggers": [],
    "userStates": [],
    "uriClickSecurityStates": [],
    "vulnerabilityStates": []
}

    operation: Get Groups

    Input parameters

    None.

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "value": [
        {
            "id": "",
            "deletedDateTime": "",
            "classification": "",
            "createdDateTime": "",
            "creationOptions": [],
            "description": "",
            "displayName": "",
            "expirationDateTime": "",
            "groupTypes": [],
            "isAssignableToRole": "",
            "mail": "",
            "mailEnabled": "",
            "mailNickname": "",
            "membershipRule": "",
            "membershipRuleProcessingState": "",
            "onPremisesDomainName": "",
            "onPremisesLastSyncDateTime": "",
            "onPremisesNetBiosName": "",
            "onPremisesSamAccountName": "",
            "onPremisesSecurityIdentifier": "",
            "onPremisesSyncEnabled": "",
            "preferredDataLocation": "",
            "preferredLanguage": "",
            "proxyAddresses": [],
            "renewedDateTime": "",
            "resourceBehaviorOptions": [],
            "resourceProvisioningOptions": [],
            "securityEnabled": "",
            "securityIdentifier": "",
            "theme": "",
            "visibility": "",
            "onPremisesProvisioningErrors": []
        }
    ]
}

    operation: Get Users Within A Group

    Input parameters

    Parameter Description
    Group ID Specify an ID of the group whose users you want to retrieve from Microsoft Graph.
    Note: To get the Group ID use the Get Groups operation.

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "value": [
        {
            "@odata.type": "",
            "id": "",
            "businessPhones": [],
            "displayName": "",
            "givenName": "",
            "jobTitle": "",
            "mail": "",
            "mobilePhone": "",
            "officeLocation": "",
            "preferredLanguage": "",
            "surname": "",
            "userPrincipalName": ""
        }
    ]
}

    operation: Search Message in Users Mailbox

    Input parameters

    Parameter Description
    Subject Specify a subject based on which you want to search messages in Azure.
    User List Specify a comma-separated list of user IDs based on which you want to search messages in Azure.
    Page Size (Optional) Number of messages you want to retrieve per user in this request. Default page size is 10. Page size should be between 1 to 1000
    Offset (Optional) Number of messages you want to skip for each in this request.

    Output

    The output contains the following populated JSON schema:

    {
    "Message_Found_List": [
        {
            "@odata.context": "",
            "value": [
                {
                    "@odata.etag": "",
                    "id": "",
                    "createdDateTime": "",
                    "lastModifiedDateTime": "",
                    "changeKey": "",
                    "categories": [],
                    "receivedDateTime": "",
                    "sentDateTime": "",
                    "hasAttachments": "",
                    "internetMessageId": "",
                    "subject": "",
                    "bodyPreview": "",
                    "importance": "",
                    "parentFolderId": "",
                    "conversationId": "",
                    "conversationIndex": "",
                    "isDeliveryReceiptRequested": "",
                    "isReadReceiptRequested": "",
                    "isRead": "",
                    "isDraft": "",
                    "webLink": "",
                    "inferenceClassification": "",
                    "body": {
                        "contentType": "",
                        "content": ""
                    },
                    "sender": {
                        "emailAddress": {
                            "name": "",
                            "address": ""
                        }
                    },
                    "from": {
                        "emailAddress": {
                            "name": "",
                            "address": ""
                        }
                    },
                    "toRecipients": [
                        {
                            "emailAddress": {
                                "name": "",
                                "address": ""
                            }
                        }
                    ],
                    "ccRecipients": [],
                    "bccRecipients": [],
                    "replyTo": [],
                    "flag": {
                        "flagStatus": ""
                    }
                }
            ],
            "user_id": ""
        }
    ],
    "Message_Not_Found_List": [
        {
            "@odata.context": "",
            "value": [],
            "user_id": ""
        }
    ],
    "Run_Time": "",
    "Total_Users_Processed": ""
}

    operation: Delete Message

    Input parameters

    Parameter Description
    User ID Specify the ID of the user based on which you want to delete the specific message from Azure.
    Message ID Specify the ID of the message that you want to delete from Azure.

    Output

    The output contains the following populated JSON schema:

    {
    "status_code": ""
}

    operation: Delete Message Bulk

    Input parameters

    Parameter Description
    User List Specify a comma-separated list of users' mailboxes, which is a list of JSON objects, based on which you want to delete bulk messages in Azure. The format of the list is as follows: 
        [
        {
            'user_id':"",
            'message_id':""
        },
        {
            'user_id':"",
            'message_id':""
        }
    ]

    Output

    The output contains the following populated JSON schema:

    {
    "Error_List": [
        {
            "error_msg": "",
            "user_id": {
                "user_id": "",
                "message_id": ""
            }
        }
    ],
    "Message_Deleted_List": [
        {
            "msg_deleted": "",
            "user_id": {
                "user_id": "",
                "message_id": ""
            }
        }
    ],
    "Run_Time": "",
    "Total_Users_Processed": ""
}

    operation: Revoke User Session

    Input parameters

    Parameter Description
    User ID or PrincipalName Specify the User ID or PrincipalName of the user whose refresh tokens you want to invalidate (revoke) from Microsoft Graph API.

    Output

    The output contains the following populated JSON schema:
    {
    "@odata.context": "",
    "value": ""
    }

    operation: Get All Named Locations

    Input parameters

    Parameter Description
    Display Name Specify the display name of the named location to retrieve from Azure.
    Required Fields (Optional) Specify filters properties (columns) to retrieve only specified fields in response from Azure. You can choose one or more from ID, Display Name, Created Date Time and Modified Date Time
    Order By (Optional) Select the sort order criterion to sort the results. Select the sorting order in Sort Order field. You can choose from following options:
    • ID
    • Display Name
    • Created Date Time
    • Modified Date Time
    Sort Order (Conditional - This field appears after selecting an order criterion in Order By field)
    Specify the sort order from the following options:
    • Ascending
    • Descending
    By default it retrieves named locations in ascending order.
    Count Select to retrieve the total count of named locations matched in Azure. By default it is set to false.
    Size (Optional) Specify the number of named locations to retrieve in this request.
    Offset (Optional) Specify the number of named locations you want to skip in this request.

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "value": [
        {
            "@odata.type": "",
            "id": "",
            "displayName": "",
            "modifiedDateTime": "",
            "createdDateTime": "",
            "isTrusted": false,
            "ipRanges": [
                {
                    "@odata.type": "",
                    "cidrAddress": ""
                }
            ]
        }
    ]
}

    operation: Block New IP Ranges

    Input parameters

    Parameter Description
    IP Named Location's UUID Specify the unique Named Location ID for which you want block the IP addresses.
    IPv4 Ranges Specify IP address ranges in IPv4 CIDR format (1.2.3.4/32) to be blocked in the specified named location. You can specify multiple IPv4 ranges as comma-separated values. e.g. 10.10.10.10/14, 10.10.10.10/13, 10.10.10.10/09
    IPv6 Ranges Specify IP address ranges in allowable IPv6 format, defined in IETF RFC5962, to be blocked in the specified named location. You can specify multiple IPv6 ranges as comma-separated values. e.g. 2001:db8::/43, 2001:db8::/47

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "@odata.type": "",
    "id": "",
    "displayName": "",
    "modifiedDateTime": "",
    "createdDateTime": "",
    "isTrusted": "",
    "ipRanges": [
        {
            "@odata.type": "",
            "cidrAddress": ""
        }
    ]
}

    operation: Unblock IP Ranges

    Input parameters

    Parameter Description
    IP Named Location's UUID Specify the unique named location ID for which you want unblock the IP addresses.
    IPv4 Ranges Specify IP address ranges in IPv4 CIDR format (1.2.3.4/32) to be unblocked in the specified named location. You can specify multiple IPv4 ranges as comma-separated values. For example: 10.10.10.10/14, 10.10.10.10/13, 10.10.10.10/09
    IPv6 Ranges Specify IP address ranges in IPv6 format, as defined in IETF RFC5962, to be unblocked in the specified named location. You can specify multiple IPv6 ranges as comma-separated values. For example: 2001:db8::/43, 2001:db8::/47

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "@odata.type": "",
    "id": "",
    "displayName": "",
    "modifiedDateTime": "",
    "createdDateTime": "",
    "isTrusted": "",
    "ipRanges": [
        {
            "@odata.type": "",
            "cidrAddress": ""
        }
    ]
}

    operation: Create IP Named Location

    Input parameters

    Parameter Description
    Display Name Specify the display name of the named location to create in Azure.
    Is Trusted Select if the IP Range is trusted.
    IPv4 Ranges Specify IP address ranges in IPv4 CIDR format (1.2.3.4/32) to be added in the specified named location. You can specify multiple IPv4 ranges as comma-separated values. For example: 10.10.10.10/14, 10.10.10.10/13, 10.10.10.10/09
    IPv6 Ranges Specify IP address ranges in IPv6 format, as defined in IETF RFC5962, to be added in the specified named location. You can specify multiple IPv6 ranges as comma-separated values. For example: 2001:db8::/43, 2001:db8::/47

    Output

    The output contains the following populated JSON schema:

    {
    "@odata.context": "",
    "@odata.type": "",
    "id": "",
    "displayName": "",
    "modifiedDateTime": "",
    "createdDateTime": "",
    "isTrusted": "",
    "ipRanges": []
}

    Included playbooks

    The Sample - Microsoft Graph API - 2.0.0 playbook collection comes bundled with the Microsoft Graph API connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Microsoft Graph API connector.

    Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

    Getting Access Tokens

    You can get authentication tokens to access the graph APIs using two methods:

    Getting Access Tokens using the On behalf of the User – Delegate Permission method

    1. Ensure that the required permissions are granted for the registration of the application. Select API Permissions > Add permission > Microsoft Graph > Delegated Permissions.
    2. NOTE: The API Permission that should be granted to the registered application is mentioned in the Minimum permissions required for the 'Delegate-type' permission table.
    3. The Redirect URL can be directed to any web application in which to receive responses from Azure AD. If you are unsure about what to set as a redirect URL, you can use https://localhost/myapp.
    4. Copy the following URL and replace the TENANT_ID, CLIENT_ID, and REDIRECT_URI with your tenant ID, client ID, and the following redirect URL:
      https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize?response_type=code&scope=offline_access https://graph.microsoft.com/.default&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI
    5. Enter the above link with the replaced values and you will be prompted to grant permissions for your Azure Service Management. You will be automatically redirected to a link with the following structure: REDIRECT_URI?code=AUTH_CODE&session_state=SESSION_STATE
    6. Copy the AUTH_CODE (without the code= prefix) and paste it in your instance configuration in the Authorization Code parameter.
    7. Enter your client ID in the Client ID parameter field.
    8. Enter your client secret in the Client Secret parameter field.
    9. Enter your tenant ID in the Tenant ID parameter field.
    10. Enter your redirect URL in the Redirect URL parameter field. By default, it is set to https://localhost/myapp.

    Getting Access Tokens using the Without a User – Application Permission method

    1. Ensure that the required permissions are granted for the registration of the application.
      For example, for a Microsoft Graph User: API/Permission name that should be granted is:
      • Directory.Read.All
      • Directory.ReadWrite.All
      • GroupMember.Read.All
      • Group.Read.All
      • Group.ReadWrite.All
      • IdentityRiskyUser.Read.All
      • Mail.ReadBasic.All
      • Mail.Read
      • Mail.ReadWrite
      • SecurityEvents.Read.All
      • SecurityEvents.ReadWrite.All
      • Policy.Read.All
      • Policy.ReadWrite.ConditionalAccess of type Application
    2. Enter your client ID in the Client ID parameter field.
    3. Enter your client secret in the Client Secret parameter field.
    4. Enter your tenant ID in the Tenant ID parameter field.

    Minimum Permissions Table

    To call the Microsoft Graph API, to perform any action, you must be assigned specific permissions as defined in this section. To learn more, including how to choose permissions, see Microsoft Graph's permissions reference.

    Action Name Permission Type Permissions (from least to most privileged)
    Get Risky Users List Delegated IdentityRiskyUser.Read.All
    Application IdentityRiskyUser.Read.All
    Get Risky User Details Delegated IdentityRiskyUser.Read.All
    Application IdentityRiskyUser.Read.All
    Get All Security Alerts Delegated SecurityEvents.Read.All, SecurityEvents.ReadWrite.All
    Application SecurityEvents.Read.All, SecurityEvents.ReadWrite.All
    Get Security Alert Delegated SecurityEvents.Read.All, SecurityEvents.ReadWrite.All
    Application SecurityEvents.Read.All, SecurityEvents.ReadWrite.All
    Update Security Alert Delegated SecurityEvents.ReadWrite.All
    Application SecurityEvents.ReadWrite.All
    Get Groups Delegated GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All
    Application GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All
    Get Users Within A Group Delegated GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All
    Application GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All
    Search Messages in Users mailbox Delegated Mail.ReadWrite
    Application Mail.ReadWrite
    Delete Message Delegated Mail.ReadWrite
    Application Mail.ReadWrite
    Delete Messages Bulk Delegated Mail.ReadWrite
    Application Mail.ReadWrite
    Revoke user session Delegated User.ReadWrite.All, Directory.ReadWrite.All
    Application User.ReadWrite.All, Directory.ReadWrite.All
    Get All Named Locations Delegated Policy.Read.All
    Application Policy.Read.All
    Block IP Ranges Delegated Policy.Read.All and Policy.ReadWrite.ConditionalAccess
    Application Policy.Read.All and Policy.ReadWrite.ConditionalAccess
    Unblock IP ranges Delegated Policy.Read.All and Policy.ReadWrite.ConditionalAccess
    Application Policy.Read.All and Policy.ReadWrite.ConditionalAccess
    Create IP Named Location Delegated Policy.Read.All and Policy.ReadWrite.ConditionalAccess
    Application Policy.Read.All and Policy.ReadWrite.ConditionalAccess
    Previous
    Next