Integrating Infinity Identity with Microsoft Intune and Microsoft Defender

Infinity Identity can query Microsoft Entra ID to get identity information based on sign-in events from Microsoft Intune or Microsoft Defender on endpoint computers. When you export sign-in events to Event Hubs, Infinity Identity retrieves identities in a way that minimizes resource usage, reduces time delays, and ensures reliable access to the necessary data.

Prerequisites:

Configuring Entra ID Query to Send Identities from Microsoft Defender or Intune to Infinity Identity

Watch this video for a full demonstration.

  1. In Infinity Identity, from the left toolbar, click Integrations.

  2. In the Integrations section, click the + (plus sign) button.

  3. Select Identity Integrations.

  4. Select Microsoft Intune or Microsoft Defender. If you want to integrate both of them, it does not matter which one you select.

    The Microsoft Intune or Microsoft Defender integration window opens.

  5. For the Integration Title, enter a tile. After you create the integration, this title appears in the Infinity Identity Integrations section.

  6. Optional - If you want to integrate both Intune and Defender, select the relevant checkbox at the bottom of the window.

    • In a Microsoft Intune window, select Use this configuration to create Microsoft Defender integration as well.

    • In a Microsoft Defender window, select Use this configuration to create Microsoft Intune integration as well.

  7. Keep Infinity Identity open.

 

  1. In a new browser tab, open the Microsoft Entra ID application that you integrated with the Infinity Portal.

  2. In the left menu, expand Manage and click API permissions.

  3. In the Configured permissions section, click Add a permission.

    The Request API permissions window opens.

  4. Select Application permissions.

  5. Add a permission to the application:

    1. In the search bar below Select permissions, search for deviceManage.

    2. Expand DeviceManagementManagedDevices.

    3. Select DeviceManagementManagedDevices.Read.All.

  6. If you are integrating Microsoft Defender, add another permission to the application:

    1. In the search bar below Select permissions, search for threat.

    2. Expand ThreatHunting.

    3. Select ThreatHunting.Read.All.

  7. Click Add permissions.

  8. In the Configured permissions section, click Grant admin consent for Check Point Software Technologies.

  9. In the confirmation window, click Yes.

  1. On the Microsoft AzureClosed Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®. homepage, open Event Hubs.

  2. Open the Namespace that you want to use for the application.

  3. Copy the name of the Namespace from Microsoft Azure and paste it into the Namespace Name field in Infinity Identity

  4. In the Event Hub, from the horizontal toolbar, click Consumer group.

    The Create consumer group window opens.

  5. In the Create consumer group window:

    1. Enter a name for the consumer group.

    2. Click Create.

  6. From the left toolbar, click Access control (IAM).

  7. From the top toolbar click Add and then click Add role assignment

    The Add role assignment window opens..

  8. In the Add role assignment window:

    1. In the Roles tab:

      1. In the Job function roles section, search for receiver.

      2. Select Azure Event Hubs Data Receiver.

    2. In the Add role assignment window, in theMembers tab:

      1. For Assign access to, select User, group, or service principal.

      2. Click Select members.

        The Select members window opens.

      3. In the Select members window, search for the Entra ID application you created for Infinity Identity.

      4. In the search results, select the application.

      5. At the bottom of the Select members window, click Select.

    3. In the Add role assignment window, in the Conditions tab, do not change the default configurations.

    4. In the Add role assignment window, in the Review + assign tab, make sure the configuration is correct and then click the Review + assign button at the bottom of the window.

For more information, see Authorize access to Event Hubs with Azure Active Directory in Microsoft documentation.

  1. On the Microsoft Entra ID homepage, in the search bar, search for Storage Account.

  2. In the Services section of the search results, click Storage accounts.

  3. Open the storage account that you want to use for Infinity Identity.

  4. In the storage account window, from the left toolbar, open the Access Control (IAM) tab.

  5. In the storage account window, from the top toolbar, click Add and then click Add role assignment.

    The Add role assignment window opens.

  6. In the Add role assignment window:

    1. In the Roles tab:

      1. Select Job function roles.

      2. In the search bar, search for owner.

      3. Click Storage Blob Data Owner.

    2. In the Members tab:

      1. Click + Select members.

        The Select members window opens.

      2. In the Select members window, in the search bar, enter the name of the Microsoft Entra ID application you created for Infinity Identity.

      3. In the search results, select the application.

      4. Click Select.

        The Select members window closes. The application appears in the Members tab in theAdd role assignment window.

    3. In the Conditions tab, do not change default settings.

    4. In the Review + assign tab, make sure the configuration is correct and then click the Review + assign button at the bottom of the window.

You can integrate Intune and/or Microsoft Defender.

  1. In the Azure portal, in the search bar, search for "sign-in".

  2. Click Sign-in logs.

    The Sign-in events window opens.

  3. From the top toolbar, click Export Data Settings.

  4. Click Add diagnostic setting.

  5. Enter a name in the Diagnostic setting name field.

  6. In the Logs section, select SigninLogs.

  7. In the Destination details section, select Stream to an event hub.

  8. For Event hub namespace, select the Namespace that you use for the Infinity Identity application.

  9. In the Diagnostic setting window, from the top toolbar, click Save.

For more information, see How to stream activity logs to an Event Hub in Microsoft documentation.

  1. In a web browser, go to security.microsoft.com and log in to your account.

  2. From the left toolbar, click Settings.

  3. In the table, click Microsoft Defender XDR.

  4. In the General section, click Streaming API.

  5. In the Streaming API section, click + Add.

    The Add new Streaming API settings window opens.

  6. In theName field, enter a name.

  7. Select Forward events to Event Hub.

  8. In a separate browser tab, open the Azure portal and do these steps:

    1. In the search bar, search for "event hubs".

    2. Open the Event Hub that you use for the Microsoft Entra ID application that you created for Infinity Identity.

    3. In the Event Hub window, in the left toolbar, expand Settings and click Properties.

    4. In the Essentials section, copy the IE string.

    5. Keep the Azure portal open.

  9. At security.microsoft.com, in the Add new Streaming API settings window, paste the IE string you copied from the Azure portal into the Event Hub Resource ID field.

  10. In the Azure portal Event Hub window:

    1. From the left toolbar, click Overview.

    2. At the bottom of the screen, in the Event Hubs table, copy the name of the Event Hub that you use for the Microsoft Entra ID application that you created for Infinity Identity.

  11. At security.microsoft.com, in the Add new Streaming API settings window:

    1. Paste the name that you copied from the Azure portal into the Event-Hub name field.

    2. In the Event Types section, expand Devices.

    3. Select DeviceNetworkInfo.

    4. Select DeviceLogonEvents.

    5. Click Submit.

Important - Allow one hour for settings to propagate and take effect.

  1. In Infinity Identity, click Test connectivity to verify the connection between your Infinity Identity account and your Microsoft Entra ID account.

    • If the test passes, then Connectivity test successful shows.

    • If the test fails, a warning message appears that highlights the problematic field in red.

  2. After a successful test, click Save.

    Infinity Identity is integrated with Intune and/or Defender. A card for Microsoft Intune and/or Microsoft Defender appears in the Integrations section.

Finding the Event Hub Namespace, Event Hub Name, Consumer Group Name, and Storage Account Name in Microsoft Azure

  1. Log in to your Microsoft Azure portal.

  2. Navigate to Event Hubs.

  3. In the Event Hubs section, locate and select the specific event hub that you want to configure.

  4. In Event Hub details, you can see the Eventhub Name and the associated Namespace, as shown in this example:

    Note - A Name space in Azure can contain multiple Event Hubs, each serving different event streaming purposes. Ensure that you select the correct Event Hubs for your integration. To create an event hub, see Quickstart: Create an event hub using Azure portal.

  1. Log in to your Microsoft Azure portal.

  2. Navigate to Storage accounts and select the appropriate Storage account from the list.

  3. In the selected Storage Account, go to Containers to view and select the desired Storage Name.