Microsoft Entra ID
Infinity XDR (Extended Detection & Response)/XPR (Extended Prevention & Response) analyzes the Check Point Identity Next logs from Microsoft Entra ID for malicious or abnormal activity, generates an incident and recommends preventive actions.
Integrating Microsoft Entra ID
- Access the Infinity XDR/XPR Administrator Portal and go to Settings > Integrations.
- In the Available integrations section, in the Microsoft Entra ID widget, click Integrate.
  The Microsoft Entra ID Integration window appears.
- Click the link to integrate Microsoft Entra ID with Check Point Infinity Portal.
  The Identity & Access page in the Infinity Portal appears.
- Set up the Microsoft Entra ID integration with Infinity Portal. For instructions, see SSO authentication with Microsoft Entra ID.
  Important - When integrating Infinity XDR/XPR with Microsoft Entra ID, you must set the Directory Integration (Manual or SCIM). Make sure you perform this step in the SSO authentication procedure above.
- After successfully setting up the integration with Microsoft Entra ID, in the Microsoft Entra Admin Center, grant API permissions to the Microsoft Entra ID integration you created in the above step:
  - Log in to Microsoft Entra Admin Center.
  - Go to Applications > App registrations and select the Microsoft Entra ID integration you created.
  - Click API permissions.
    The API permissions screen appears.
  - In the Configured permissions section, click + Add a permission.
    The Request API permissions window appears.
  - In Microsoft APIs, click Microsoft Graph and select Application permissions.
  - In the Select permissions section:
  - Click Add permissions.
  - In the Configured permissions section, click Grant admin consent for <application name> and confirm in the confirmation window.
    The permission Status changes to green.
- In the Microsoft Entra Admin Center, to allow Infinity XDR/XPR to reset passwords for both users (non-admins) and administrators as a preventive action, grant these permissions:
  - Go to Roles and administrators > All roles.
  - In the Administrative roles section, select Global Administrator.
  - Click + Add assignments.
  - Select the Microsoft Entra ID integration you created.
  - Click Add.
  - In the Administrative roles section, select Password Administrator.
  - Select the Microsoft Entra ID integration you created.
  - Click Add.
  For more information on roles that are allowed to reset passwords in Microsoft Entra ID, see Privileged roles and permissions.
  After the integration is completed, it is enabled by default. The system displays the Microsoft Entra ID integration card in the Identity & Access page.
- To check if the integration is successful, in the Infinity XDR/XPR Administrator Portal:
  - Go to Settings > Integrations.
    In the Integrated products section, verify that Microsoft Entra ID is listed as Active and shows the roles defined in the Microsoft Entra Admin Center.
    Notes -
    - The widget will display Inactive status until Infinity XDR/XPR begins receiving logs from Microsoft Entra ID.
    - If you have integrated Microsoft Entra ID with Infinity Portal but have not set up write permissions in the Microsoft Entra Admin Center, the system shows this card:
      To set up the write permissions, click Edit and follow the instructions in the pop-up window.
  - Go to the Overview page and in the Connectivity widget, verify that Microsoft Entra ID is listed as connected.
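An added example, not part of the original page or of Check Point's tooling: after the role assignment steps above, this script checks a Microsoft Graph response from `GET /roleManagement/directory/roleAssignments?$expand=roleDefinition` and reports whether the integration's service principal holds exactly the two roles this page assigns. The response body and GUIDs are constructed placeholders, the function name is hypothetical, and it assumes the roles are assigned tenant-wide (directory scope `/`).

```python
import json

# Constructed sample in the shape Microsoft Graph returns for
# GET /roleManagement/directory/roleAssignments?$expand=roleDefinition
# All GUIDs are placeholders, not real tenant values.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"principalId": "11111111-1111-1111-1111-111111111111",
     "directoryScopeId": "/",
     "roleDefinition": {"displayName": "Global Administrator"}},
    {"principalId": "11111111-1111-1111-1111-111111111111",
     "directoryScopeId": "/administrativeUnits/aaaaaaaa-0000-0000-0000-000000000000",
     "roleDefinition": {"displayName": "Password Administrator"}},
    {"principalId": "11111111-1111-1111-1111-111111111111",
     "directoryScopeId": "/",
     "roleDefinition": {"displayName": "Application Administrator"}},
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "directoryScopeId": "/",
     "roleDefinition": {"displayName": "Global Administrator"}},
]})

# The two roles this page assigns to the integration.
EXPECTED_ROLES = {"Global Administrator", "Password Administrator"}


def audit_integration_roles(response_text, principal_id, expected=EXPECTED_ROLES):
    """Compare one principal's directory roles with the documented set."""
    tenant_wide, scoped = set(), {}
    for a in json.loads(response_text).get("value", []):
        if a.get("principalId", "").lower() != principal_id.lower():
            continue  # assignment belongs to another principal
        role = (a.get("roleDefinition") or {}).get("displayName", "<unknown>")
        scope = a.get("directoryScopeId", "/")
        if scope == "/":
            tenant_wide.add(role)
        else:
            # Assumption: a role limited to an administrative unit does not
            # satisfy the tenant-wide assignment made in the steps above.
            scoped.setdefault(role, []).append(scope)
    return {
        "missing": sorted(expected - tenant_wide),
        "unexpected": sorted((tenant_wide | set(scoped)) - expected),
        "scoped_only": {r: s for r, s in scoped.items() if r not in tenant_wide},
        "ok": tenant_wide == expected and not scoped,
    }


if __name__ == "__main__":
    print(audit_integration_roles(SAMPLE_RESPONSE, "11111111-1111-1111-1111-111111111111"))
```

Pass the object ID of the integration's service principal (the enterprise application), not the application (client) ID of the app registration.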
Deleting the Integration
- Go to Settings > Integrations.
- In the Microsoft Entra ID widget, click the icon and then click Delete integration.
- The Delete Microsoft Entra ID window appears.
- Click the Identity & Access link.
  The Identity & Access page appears.
- On the Microsoft Entra ID integration card, click the icon and then click Remove.
Supported Preventive Actions
When Infinity XDR/XPR detects any malicious activity that involves Microsoft Entra ID, it generates an incident and recommends preventive actions to mitigate it.
The supported preventive actions include resetting the user and administrator passwords and revoking the session through Microsoft Entra ID.
Important - You cannot revert the reset password action.
To view the recommended preventive actions for the incident:
- Go to the Incidents page and click the incident title, or hover over the incident and click >.
- In the incident Overview page, go to the Prevention widget.
  The system shows the recommended preventive actions in the Recommendations section.
- To reset the user password, click Reset.
  Note - To ensure security, Infinity XDR/XPR resets the password for all the connected identity providers integrated through Identity Next.
- To view the preventive action taken, see the Prevention History section.
For more information, see Incidents Overview > Prevention.