Setting up ATR for Microsoft 365 Cloud

The documentation below outlines the requirements for Barracuda XDR Cloud Automated Threat Response (ATR).

For additional background, download the following: .

To configure the Microsoft 365 Integration to support remediation actions for Automated Threat Response, you must add additional API permissions to the registered application, by following the instructions below.

Revoking active user sessions

Optionally, you can configure ATR to revoke all active sessions when a user is blocked. To do this, add the User.RevokeSessions.All permission in the Microsoft portal and configure it in the XDR Dashboard.

Add the new permissions in the Microsoft portal

1. Log in to the Microsoft portal.

2. Click Add a permission.

3. Click Microsoft Graph.

4. Select Application permissions (not delegated).

5. Select the following:

   • User.ReadWrite.All

   • User.EnableDisableAccount.All

   • (Optional) User.RevokeSessions.All

6. Click Add permissions to save the changes.
   
   

   Open

   
   Open

   

7. After adding the new permissions, click Grant admin consent.
   This also applies to updates made to previously configured applications.

   Open

   

8. Ensure that the Graph API roles show the following new permissions:

   • Graph API Roles: User.ReadWrite.All, User.EnableDisableAccount.All

   • (Optional) User.RevokeSessions.All

9. Click Save.

To enable ATR in XDR Dashboard

1. Log in to XDR Dashboard.

2. Navigate to ATR Settings > Cloud.

3. In the Cloud table, click the Microsoft 365 row.

4. Click Edit Config.

5. Ensure that the Graph API roles show the following new permissions:

   • Graph API Roles: User.ReadWrite.All, User.EnableDisableAccount.All

   • (Optional) User.RevokeSessions.All

6. If the Graph API roles are correct, select the Auto Remediation Enabled checkbox.

   Open

   

7. Click Save.