Setting up ATR for Azure
Overview
These instructions outline the requirements for Barracuda XDR Azure Cloud Automated Threat Response (ATR).
These instructions are for customers using the Microsoft Azure Integration.
To configure the Microsoft Azure Integration to support remediation actions for Automated Threat Response, you must add additional API permissions to the registered application, by following the instructions below.
About User Blocking
There is typically a slight delay in user blocking because Microsoft does not allow immediate termination of active sessions. Existing tokens remain valid until the user is required to re-authenticate against the cloud, at which point the block takes effect and they will be unable to sign in.
Tenants with Azure AD Premium P1 can use the Conditional Access group blocking feature, which is our primary blocking mechanism. Conditional Access blocking is suggested for hybrid and cloud-only tenants because it isn’t affected by on-prem AD sync, and users consistently remain blocked.
Tenants without Azure AD Premium P1 must rely on user account suspension as the next-best containment method. Group membership changes are still applied, but they have no blocking effect without a P1 license. User disable and enable operations take place as expected.
Tenants without Azure AD Premium P1 that also have on-prem AD sync enabled cannot use this ATR effectively. Because on-prem Active Directory is the source of authority, the cloud-side suspension is overwritten by the next AD Connect sync, which typically happens before the block takes effect.
Setting up ATR for Azure
Part 1: Create the App Registration and Client Secret
To Create the App Registration
Sign in to the Microsoft Azure portal (https://portal.azure.com) as a Global Administrator or Application Administrator.
Select Microsoft Entra ID > Add > App registration.
Enter the following:
Name: Barracuda-XDR-Azure-ATR
Supported account types: Single tenant only (Accounts in this organizational directory)
Redirect URI: Leave blank
Select Register.
From the app's Overview page, copy and save the following IDs in a safe place to use in Part 5: Enable ATR in the XDR Dashboard.
Application (client) ID
Directory (tenant) ID
To Create the Client Secret
On the same page, go to Client credentials > Add a certificate or secret.
Select Client secrets > New client secret.
Enter the following:
Description: The Barracuda XDR Azure ATR secret
Expires: Set an expiration that fits your organization's policy (12 or 24 months is typical)
Click Add.
Immediately copy the Value column (not the Secret ID) and save it; the value is never shown again after you leave this page.
The secret must be rotated before it expires.
Part 2: Grant the Microsoft Graph API Permissions
On the Certificates & secrets page, select Manage > API permissions > Add a permission > Microsoft Graph > Application permissions.
Select these four permissions, then select Add permissions.
| Permission | Purpose |
|---|---|
| User.Read.All | Look up the user's Object ID and determine whether onPremisesSync is enabled |
| GroupMember.ReadWrite.All | Add/remove the user from the Conditional Access blocking group |
| User.EnableDisableAccount.All | Disable/enable the user account |
| User.RevokeSessions.All | Revoke the user's sign-in sessions |
After adding all four, select Grant admin consent for <tenant> at the top of the permissions list. The Status column turns into a green "Granted for <tenant>" check for all four.
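The following is an added example, not Barracuda's or Microsoft's code, that turns two points above into offline checks: whether the four Part 2 application permissions have actually been admin-consented (read from the shape Graph returns for appRoles and appRoleAssignments) and which blocking path from "About User Blocking" applies to a given user. The Graph JSON is constructed sample data with placeholder role ids, and the action names and their order are assumptions for illustration.

```python
"""Offline checks for the Azure ATR setup: Graph permission coverage and blocking path.

Hypothetical helper code. The JSON below is constructed sample data in the shape of
GET /servicePrincipals/{id}/appRoles (Microsoft Graph SP) and
GET /servicePrincipals/{id}/appRoleAssignments (the Barracuda-XDR-Azure-ATR SP).
"""

# The four Graph application permissions from Part 2.
REQUIRED_PERMISSIONS = {
    "User.Read.All",
    "GroupMember.ReadWrite.All",
    "User.EnableDisableAccount.All",
    "User.RevokeSessions.All",
}

# Constructed: appRoles of the Microsoft Graph service principal (ids are placeholders).
GRAPH_APP_ROLES = [
    {"id": "role-0001", "value": "User.Read.All", "allowedMemberTypes": ["Application"]},
    {"id": "role-0002", "value": "GroupMember.ReadWrite.All", "allowedMemberTypes": ["Application"]},
    {"id": "role-0003", "value": "User.EnableDisableAccount.All", "allowedMemberTypes": ["Application"]},
    {"id": "role-0004", "value": "User.RevokeSessions.All", "allowedMemberTypes": ["Application"]},
    {"id": "role-0005", "value": "Directory.ReadWrite.All", "allowedMemberTypes": ["Application"]},
]

# Constructed: admin-consented assignments on the ATR app's service principal.
# User.RevokeSessions.All is deliberately absent so the check below reports it.
ATR_APP_ROLE_ASSIGNMENTS = [
    {"appRoleId": "role-0001", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "role-0002", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "role-0003", "resourceDisplayName": "Microsoft Graph"},
]


def missing_permissions(app_roles, assignments):
    """Return the required Graph permissions that are not yet granted to the app."""
    role_values = {r["id"]: r["value"] for r in app_roles}
    granted = {role_values.get(a["appRoleId"]) for a in assignments
               if a.get("resourceDisplayName") == "Microsoft Graph"}
    return sorted(REQUIRED_PERMISSIONS - granted)


def plan_containment(tenant_has_p1, user):
    """Pick the blocking path described in "About User Blocking" for one user object.

    Returns (actions, effective): the assumed actions in order, and effective=False
    when the next AD Connect sync is expected to overwrite the cloud-side suspension.
    """
    synced = bool(user.get("onPremisesSyncEnabled"))  # field on GET /users/{id}
    if tenant_has_p1:
        # Conditional Access group blocking is not affected by on-prem AD sync.
        return (["add_to_blocking_group", "revoke_sign_in_sessions"], True)
    # Without P1 the group membership is applied but has no blocking effect;
    # account suspension is the real control and is undone by sync for synced users.
    return (["add_to_blocking_group", "disable_account", "revoke_sign_in_sessions"], not synced)
```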
Part 3: Create the Blocking Security Group
Head back to Microsoft Entra ID: Add → Group
Enter the following:
Group type: Security
Group name: Barracuda-XDR-ATR-Azure-Blocked-Users
Group description: Members are blocked from sign-in by Conditional Access policy
Membership type: Assigned
Select Create.
Search for and open the new group > Overview > copy and save the Object ID.
Part 4: Create the Conditional Access Policy
This policy denies sign-in to anyone in the blocking group. It requires an Azure AD Premium P1 license; skip this part if your tenant does not have one.
Go to Microsoft Entra Conditional Access → Create new policy.
Fill in:
Name: Barracuda XDR Azure ATR — Block Users
Assignments > Users:
Include: Select users and groups > Users and groups > Barracuda-XDR-ATR-Azure-Blocked-Users
Exclude: Optional, but recommended: add at least one administrator account so that a secure administrator account cannot be locked out
Target resources > Cloud apps:
Include: All resources (formerly 'All cloud apps')
Conditions: leave defaults (applies to all client apps, locations, platforms).
Access controls > Grant:
Select Block access > Select
Enable policy: Set to On.
Select Create.
Part 5: Enable ATR in the XDR Dashboard
In this procedure, you need the following credentials you saved:
Tenant_id and Client_id in Part 1: Create the App Registration and Client Secret, To Create the App Registration
Client_secret in Part 1: Create the App Registration and Client Secret, To Create the Client Secret
Group_id in Part 3: Create the Blocking Security Group
Log in to XDR Dashboard.
Select Cloud Security > Cloud ATR.
In the Cloud table, select the Microsoft Azure row.
Select Edit Config.
Ensure that the Graph API roles show the following new permissions:
Graph API Roles: User.Read.All, GroupMember.ReadWrite.All, User.EnableDisableAccount.All, User.RevokeSessions.All
If the Graph API roles are correct, select the Auto Remediation Enabled checkbox.
Enter the following:
Tenant_id
Client_id
Client_secret
Group_id
Click Save.