Microsoft Entra ID v1.0.0 Plugin for Risk Exchange
Microsoft Entra ID v1.0.0 Plugin for Risk Exchange
This plugin is used to fetch risky users from Identity > Protection > Identity Protection > Risky users, and applications from Identity > Applications > App registrations page of the Microsoft Entra ID platform. This plugin supports performing actions such as Add to group, Remove from group, and Confirm compromised actions on the users, and doesn’t support any action on the applications.
Netskope normalization score calculation = RiskLevel low: 875; RiskLevel medium: 625; RiskLevel high: 375. For RiskLevels ‘none’, ‘unknownFutureValue’ and ‘hidden,’ the normalization score value will be blank.
Prerequisites
To complete this integration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances).
- A Netskope Cloud Exchange tenant with the Tenant plugin and Risk Exchange module already configured.
- A Microsoft Entra ID account.
- Access to configuration details like Client (Application) ID, Client Secret ID, and Tenant ID.
- Connectivity to the following host: https://entra.microsoft.com
CE Version Compatibility
Netskope CE v5.1.0
Entra ID Plugin Support
The Risk Exchange Microsoft Entra ID plugin fetches Risky Users, Applications, and their respective details from the Microsoft Entra Platform. This plugin also supports Add to group, Remove from group, and Confirm compromised actions on Users, and supports No action on Applications.
Type of data pulled | Users, Applications |
Actions Supported | Users:
|
Mappings
Mappings are used to view the pulled Users, and Applications details. The Mapped fields used during plugin configuration will be visible on the Records page after the data is pulled. Here are the suggested mappings that should be used while configuring the plugin.
Pull Mappings for Users
Plugin Field Label | Expected Data Type | Suggested Field Label | Aggregate Strategy |
---|---|---|---|
User Email | String | User Email | Unique |
Risk State | String | Risk State | Overwrite |
Risk Level | String | Risk Level | Overwrite |
User Name | String | User Name | Overwrite |
User ID | String | User ID | Overwrite |
Risk Detail | String | Risk Detail | Overwrite |
Netskope Normalized Score | Number | Normalized Score | Overwrite |
Pull Mappings for Applications
Plugin Field Label | Expected Data Type | Suggested Field Label | Aggregate Strategy |
---|---|---|---|
Application ID | String | Application ID | Unique |
Application Name | String | Application Name | Overwrite |
Tags | List | Tags | Overwrite |
Publisher Domain | List | Publisher Domain | Overwrite |
Created Date | Datetime | Date | Overwrite |
Permissions
Refer to Adding Permissions to the configuration parameter for obtaining and providing necessary permissions for Users and Applications. Below are the permissions needed for the CRE Microsoft Entra ID plugin.
- Group.Create
- Group.ReadWrite.All
- GroupMember.Read.All
- IdentityRiskyUser.ReadWrite.All
- User.Read.All
- Application.Read.All
API Details
List of APIs used
API Endpoint | Method | Use Case |
---|---|---|
<tenant_id>/oauth2/v2.0/token | GET | Get OAuth2 token |
/identityProtection/riskyUsers | GET | Fetch Users and Update Records |
/groups | GET | Get all groups |
/groups | POST | Create a new group |
/groups/{group-id}/members/$ref | POST | Add member to group |
/groups/{group-id}/members/{member-id}/$ref | DELETE | Remove member from group |
/identityProtection/riskyUsers/confirmCompromised | POST | Confirm a user as compromised |
/users/{user-mail} | GET | Get user by email |
/applications | GET | Fetch Applications |
Get an Auth Token
API Endpoint: <Base URL>/<tenant_id>/oauth2/v2.0/token
Method: GET
Body:
{ grant_type": "client_credentials", client_id": client_id, client_secret": client_secret, resource": "https://graph.microsoft.com/.default" }
Sample API Response:
{ "token_type": "Bearer", "expires_in": "3599", "ext_expires_in": "3599", "access_token": "eyJ0eXAiOiJKV1Q...." }
Fetch Users and Update Records
API Endpoint: <Base URL>/identityProtection/riskyUsers
Method: GET
Headers:
Key | Value |
---|---|
Content-Type | application/json |
Accept | */* |
Authorization | Bearer <auth_token> |
Sample API Response:
{ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityProtection/riskyUsers", "@odata.nextLink": "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers?$top=1&$skiptoken=*****cbe5460********************4f1442c63a7b211674hdb2850a4421048fc_1", "@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET identityProtection/riskyUsers?$select=isDeleted,isProcessing", "value": [ { "id": "f8c8dcb2-21b7-4e20-985c-52**603300d", "isDeleted": false, "isProcessing": false, "riskLevel": "high", "riskState": "confirmedCompromised", "riskDetail": "adminConfirmedUserCompromised", "risk Last Updated DateTime": "2024-03-14T09:59:29.085289Z", "userDisplayName": "User", "userPrincipalName": "user@onmicrosoft.com" } ] }
Get All Groups
API Endpoint: <Base URL>/groups
Method: GET
Headers
Key | Value |
---|---|
Content-Type | application/json |
Accept | */* |
Authorization | Bearer <auth_token> |
Parameters:
Key | Value |
---|---|
$filter | not groupTypes/any(s:s eq ‘DynamicMembership’) |
$top | 999 |
$orderby | displayName |
$select | id,displayName,groupTypes |
$count | true |
Sample API Response:
{ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups(id,displayName,groupTypes)", "@odata.nextLink": "https://graph.microsoft.com/v1.0/groups?$filter=groupTypes%2fany(s%3as+eq+%27DynamicMembership%27)&$top=1&$select=id%2cdisplayName%2cgroupTypes&$count=true&$skiptoken=RFNwdAoAAQAAAA", "value": [ { "id": "826e5e6c-f533-4a93-8420-fc9592ae3ca0", "displayName": "TestDynamic", "groupTypes": [ "DynamicMembership" ] } ] }
Create a New Group
API Endpoint: <Base URL>/groups
Method: POST
Headers:
Key | Value |
---|---|
Content-Type | application/json |
Accept | */* |
Authorization | Bearer <auth_token> |
Body:
{ "description": "Created group from Netskope Cloud Exchange via Microsoft Azure AD User Risk Exchange plugin.", "displayName": "Group Name", "mailEnabled": true, "mailNickname": "groupname", "securityEnabled": false, "groupTypes": [ "Unified" ] }
Sample API Response:
{ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups/$entity", "id": "6999bb7****************05b4e04155", "deletedDateTime": null, "classification": null, "createdDateTime": "2024-03-16T11:01:45Z", "creationOptions": [], "description": "Created group from Netskope Cloud Exchange via Microsoft Azure AD User Risk Exchange plugin.", "displayName": "Group Name", "expirationDateTime": null, "groupTypes": [ "Unified" ], "isAssignableToRole": null, "mail": "groupname@netskopebd.onmicrosoft.com", "mailEnabled": true, "mailNickname": "groupname", "membershipRule": null, "membershipRuleProcessingState": null, "onPremisesDomainName": null, "onPremisesLastSyncDateTime": null, "onPremisesNetBiosName": null, "onPremisesSamAccountName": null, "onPremisesSecurityIdentifier": null, "onPremisesSyncEnabled": null, "preferredDataLocation": null, "preferredLanguage": null, "proxyAddresses": [ "SMTP:groupname@netskopebd.onmicrosoft.com" ], "renewedDateTime": "2024-03-16T11:01:45Z", "resourceBehaviorOptions": [], "resourceProvisioningOptions": [], "securityEnabled": false, "securityIdentifier": "S-1-12-1-1771682685-1286044974-90333062-1430380724", "theme": null, "uniqueName": null, "visibility": "Public", "onPremisesProvisioningErrors": [], "serviceProvisioningErrors": [] }
Add a Member to a Group
API Endpoint: <Base URL>/groups/{group-id}/members/$ref
Method: POST
Headers:
Key | Value |
---|---|
Content-Type | application/json |
Accept | */* |
Authorization | Bearer <auth_token> |
Body:
{ "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{id}" }
Sample API Response: (Status Code 204)
{}
Remove a Member from a Group
API Endpoint: <Base URL>/groups/{group-id}/members/{member-id}/$ref
Method: DELETE
Headers:
Key | Value |
---|---|
Content-Type | application/json |
Accept | */* |
Authorization | Bearer <auth_token> |
Sample API Response: (Status Code 204)
{}
Confirm a User as Compromised
API Endpoint: <Base URL>/identityProtection/riskyUsers/confirmCompromised
Method: POST
Headers:
Key | Value |
---|---|
Content-Type | application/json |
Accept | */* |
Authorization | Bearer <auth_token> |
Body:
{ "userIds": [ "targeted-userId-1" ] }
Sample API Response: (Status Code 204)
{}
Get a User by Email
API Endpoint: <Base URL>/users/{user-mail}
Method: GET
Headers:
Key | Value |
---|---|
Content-Type | application/json |
Accept | */* |
Authorization | Bearer <auth_token> |
Sample API Response:
{ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity", "@microsoft.graph.tips": "This request only returns a subset of the resource's properties. Your app will need to use $select to return non-default properties. To find out what other properties are available for this resource see https://learn.microsoft.com/graph/api/resources/user", "businessPhones": [], "displayName": "Crest", "givenName": null, "jobTitle": null, "mail": "user@netskopebd.onmicrosoft.com", "mobilePhone": null, "officeLocation": null, "preferredLanguage": "en-US", "surname": null, "userPrincipalName": "user@netskopebd.onmicrosoft.com", "id": "e0ae0b3b-**********7-cb84372efc52" }
Fetch Applications
API Endpoint: <Base URL>/applications
Method: GET
Headers
Key | Value |
---|---|
Content-Type | application/json |
Accept | */* |
Authorization | Bearer <auth_token> |
Sample API Response:
{ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications", "@odata.count": 15, "@odata.nextLink": "https://graph.microsoft.com/v1.0/applications?$count=true&$top=1&$skiptoken=m~ZDVhNjM3NjJiMTQ0MGQ1OzswOzA7Ow", "value": [ { "id": "37aa9bd8-279e-9293-bd5a-63762b1440d5", "deletedDateTime": null, "appId": "1dee8834-bb87-4238-jf99-6254767e28ed", "applicationTemplateId": "8adf8e6e-67b2-4cf2-a259-e3dc5476c621", "disabledByMicrosoftStatus": null, "createdDateTime": "2024-07-16T06:55:21Z", "displayName": "Netskope-5.0.1abc", "description": null, "groupMembershipClaims": null, "identifierUris": [ "https://10.50.3.32/api/metadata" ], "isDeviceOnlyAuthSupported": null, "isFallbackPublicClient": false, "signInAudience": "AzureADMyOrg", "tags": [], defaultRedirectUri": "https://10.50.3.32/api/ssoauth?acs=true", api": { "acceptMappedClaims": null, "knownClientApplications": [], "requestedAccessTokenVersion": null, "oauth2PermissionScopes": [ { "adminConsentDescription": "kaskm.", "adminConsentDisplayName": "Access jsdkl", "id": "403f11e5-c023-4a8c-af8e-9e35ac9342c8", "isEnabled": true, "type": "User", "userConsentDescription": "Allow the application to access.", "userConsentDisplayName": "Access Netskope-5.0.1abc", "value": "user_impersonation" } ], "preAuthorizedApplications": [] }, "appRoles": [ { "allowedMemberTypes": [ "User" ], "description": "msiam_access", "displayName": "msiam_access", "id": "b9632174-c057-4f7e-951b-be3adc52bfe6", "isEnabled": true, "origin": "Application", "value": null } ], "info": { "logoUrl": null, "marketingUrl": null, "privacyStatementUrl": null, "supportUrl": null, "termsOfServiceUrl": null }, "keyCredentials": [], "parentalControlSettings": { "countriesBlockedForMinors": [], "legalAgeGroupRule": "Allow" }, } ] }
Performance Matrix
These performance readings are conducted on a Large CE Stack with these VM specifications by pulling 500K Users and Applications records each from Microsoft Entra ID plugin.
Stack details | Size: Large RAM: 32 GB CPU: 16 Cores |
Time take to store the pulled and updated User records | ~45 mins |
Time take to store the pulled Applications records | ~7 mins |
User Agent
netskope-ce-5.1.0-cre-microsoft-entra-id-v1.0.0
Workflow
- Get your Client Secret, Tenant ID, and Client (Application ID)
- Add Permissions to the configuration.
- Configure the Microsoft Entra ID plugin.
- Add a Business Rule
- Add an Action.
- Validate the plugin.
Click play to watch a video.
Get your Client Secret, Tenant ID, and Client (Application ID)
- Go to https://entra.microsoft.com/ and log in with your credentials.
- Expand Applications on the left panel and click App registrations.
- Click New Registration.
- Provide the name for the application and click Register.
- Copy the Application (Client ID), which is the Client (Application) ID in Netskope; Directory (tenant) ID, which is the tenant ID in Netskope. Click Certificates & Secrets.
- Click New client secret.
- Provide the Description, select the Expires as per your needs, and click Add.
- Copy the value; this is the Client Secret needed for the plugin configuration.
Add Permissions to the Configuration
- On the left panel, click API permissions.
- Click Add a permission.
- Click Microsoft Graph.
- Click Application permissions.
- Search for the group and select these permissions:
Group.Create
Group.ReadWrite.All - Search for groupmember and select this permission:
GroupMember.Read.All - Search for IdentityRiskyUser and select this permission:
IdentityRiskyUser.ReadWrite.All - Search for User, select this permission, and then click Add Permissions.
User.Read.All - Search for Application, select this permission, and then click Add Permissions.
Application.Read.All - Click Grant admin consent for Contoso, and select Yes in the Confirmation box.
- After providing the permissions, this page should look like this image.
Configure the Microsoft Entra ID Plugin
- In Cloud Exchange, go to Settings > Plugins. Search for and select the Microsoft Entra ID plugin box.
- Enter a plugin configuration name, change the sync interval (if needed), and then click Next.
- Enter the Configuration Parameters:
- Client (Application) ID: The Application ID for Entra ID.
- Client Secret: The Secret value of Client (Application) ID for Entra ID.
- Tenant ID: The Tenant ID of your Microsoft Account.
- Click Next. Select the Entity from the Entity dropdown. The Entity fields can be created from the Schema Editor page, or using the + Add Field option from the field dropdown. Provide the field mapping. For the suggested mapping, refer to the Mappings section above.
Note that the User Email field will be required to perform action on the Users. - Click the Applications tab in Entity Sources. Select Entity from the Entity dropdown, and then provide the field mappings per your needs for Applications.
- Click Save.
Add a Risk Exchange Business Rule for Entra ID
- Go to Risk Exchange > Business Rules.
- Click on Create New Rule in the top right corner (or edit an existing business rule).
- Enter the Rule Name. Select the Entity for which Fields have been configured for the Microsoft Entra ID plugin, and configure the query based on your requirements. This example fetches all the Users fetched from the Microsoft Entra ID plugin.
This example fetches all the Applications fetched from the Microsoft Entra ID plugin. - Click Save.
Add Risk Exchange Actions for Entra ID
The Microsoft Entra ID plugin supports following actions for Users:
- The Add to Group action that will add Users to a selected group.
- The Remove from Group action will remove Users from a selected group.
- The Confirm Compromised action will confirm that Users that are added to the risky user status are actually risky users, and change the Risk State of those users to Confirm Compromised.
- The No Action action will not perform any action on Users.
To configure these actions, proceed to the following sections.
Notes
- Users will be able to perform actions on the fields mapped with the email field of Entra ID plugin.
- If you want to perform any of the Netskope plugins actions on the Applications and User pulled from Entra ID, refer to the Netskope plugin guide.
Add to Group
- In Risk Exchange, go to Actions and click Add Action Configuration.
- Select a Business rule, and for Configuration, select the name of your configured plugin.
- Select Add to Group from the Actions dropdown.
- For Action Parameters, select the Email option (if users need to filter out users using business rules, or provide static a email.
- On the Groups dropdown, select the existing group for which you want to add Users, or select Create new group to create a new group, and then add Users.
- On the New Group Name dropdown, provide the name of the new group (if you have selected Create new group in the Groups dropdown).
- Select the Group type.
- Enable the Require Approval radio button if Approval is needed before performing action on the users.
- Click Save.
- Click Sync. Enter the days, click Fetch to see the number of Users that will be affected by this action. Click Sync to perform actions manually.
Remove from Group
- In Risk Exchange, go to Actions and click Add Action Configuration.
- Select a Business rule, and for Configuration, select the name of your configured plugin.
- Select Remove from Group from the Actions dropdown.
- For Action Parameters, select the Email option (if users need to filter out users using business rules, or provide static a email.
- Select the Group on the Groups dropdown for which Users need to be removed.
- Enable the Require Approval radio button if Approval is needed before performing action on the Users.
- Click Save.
- Click Sync. Enter the days, click Fetch to see the number of Users that will be affected by this action. Click Sync to perform actions manually.
Confirm Compromised
- In Risk Exchange, go to Actions and click Add Action Configuration.
- Select a Business rule, and for Configuration, select the name of your configured plugin.
- Select Confirm compromised on the Actions dropdown.
- For Action Parameters, select the Email option (if users need to filter out users using business rules, or provide static a email.
- Enable the Require Approval radio button if Approval is needed before performing action on the Users.
- Click Save.
- Click Sync. Enter the days, click Fetch to see the number of Users that will be affected by this action. Click Sync to perform actions manually.
No Action for Users
- In Risk Exchange, go to Actions and click Add Action Configuration.
- Select a Business rule, and for Configuration, select the name of your configured plugin.
- Select No actions on the Actions dropdown. Enable the Generate Alert toggle to generate alerts in the CTO module.
- Enable the Require Approval radio button if Approval is needed before performing action on the Users.
- Click Save.
The Microsoft Entra ID plugin supports following actions for Applications:
No Action will not perform any action on Applications.
No Action for Applications
- In Risk Exchange, go to Actions and click Add Action Configuration.
- Select a Business rule, and for Configuration, select the name of your configured plugin.
- Select No actions on the Actions dropdown. Enable the Generate Alert toggle to generate alerts in the CTO module.
- Enable the Require Approval radio button if Approval is needed before performing action on the Users.
- Click Save.
- Click Sync. Enter the days, click Fetch to see the number of Users that will be affected by this action. Click Sync to perform actions manually.
Validate the Entra ID Plugin
The Users are pulled from Home > Identity Protection > Risky users in the Microsoft Entra admin center.
The Applications are pulled from Home > Identity > app registrations in the Microsoft Entra admin center.
In CE, to validate the pulling, follow the below steps.
- In Risk Exchange, go to Records. Select the Entity that was selected while configuring the field mapping for Users to view the pulled Users.
- Select the Entity that is selected while configuring the field mapping for Applications to view the pulled Applications.
Validate the Action
Add to Group
- Go to the Actions and select the Add to group Action.
- Click Sync.
- Go to Logging to check logs, and you can see that the group has been created successfully, and the User has been added to the group successfully.
- To validate in the Entra platform, log in to the Entra platform https://entra.microsoft.com/ and click Groups > All groups.
- In the Entra platform, go to Groups > All Groups. Search for the group name that is provided while configuring the action, and click on the group name. Click Members. The user on which the action was performed would be added successfully to the group.
Remove from Group
- In the Entra platform, go to Groups > All Groups. Search for the group name that was entered while configuring the action, and click on the group name. Click Members. The user on which the action was performed would be removed successfully to the group.
Confirm Compromised
- Go to Logging to check logs, and you can see that the action has been performed on the User successfully.
- To validate in Entra platform, log in to the Entra platform https://entra.microsoft.com/ and click Protection > Identity Protection > Risky users, and you can see that for the user kdawg@M365x37738005.OnMicrosoft.com, previously the Risk State was Confirmed safe as shown in the below image, and now it has been changed to Confirmed compromised.
Troubleshooting the Entra ID Plugin
Unable to configure the CRE Microsoft Entra ID plugin.
If you are unable to configure the CRE Microsoft Entra ID plugin, it could be due to one of these reasons.
-
- Provided Incorrect Client (Application ID), Client Secret, Tenant ID.
- Provided Credentials don’t have sufficient permissions.
To resolve these issues, follow these steps:
-
- To get the Client (Application ID), Client Secret, Tenant ID, follow the steps in the Get your Client Secret, Tenant ID, and Client (Application ID) section above.
- To provide proper permissions to the configuration parameter, follow the steps in the Get your Client Secret, Tenant ID, and Client (Application ID) section above.
Unable to pull Users
If you are unable to pull users from the CRE Microsoft Entra ID plugin, it could be due to no Users being present on the Entra platform.
To resolve this, check in the Entra platform to see if the User exists or not.
Unable to pull Applications
If you are unable to pull applications from the CRE Microsoft Entra ID plugin, it could be due to no Applications present on the Entra platform.
To resolve this, check in the Entra platform to see if an Application exists or not.
Unable to View User details on the Record
If you are unable to view User details on the record table, it could be due to one of these reasons:
- Mappings for all the Entra fields is not provided in the CRE Microsoft Entra ID plugin.
- Users are pulled, but in Records, the Users are displayed in a row with comma-separated values.
To resolve these issues, follow these steps:.
- Make sure to provide the needed mappings while configuring the plugin.
- Make sure that the fields created in an entity are marked as unique.
Unable to View Applications details on the Record
If you are unable to view Application details on the record table, it could be due to one of these reasons:
- Mapping for all the Entra fields for application is not provided in the CRE Microsoft Entra ID plugin.
- Applications are pulled, but in Records, the Applications are displayed in a row with comma-separated values.
To resolve these issues, follow these steps:
- Make sure to provide the needed Application mapping while configuring the plugin.
- Make sure that the fields created in an entity for Application are marked as unique.
Unable to perform an action on Users
If you are unable to perform action on the Users, it could be due to one of these reasons:
- The User already exists in the group, or the User doesn’t exist in the group.
- The correct field was not selected when adding an action configuration.
To resolve these issues, follow these steps:
- Check the logs on CE, and make sure that User is not already present on the group while performing the Add to group action, and make sure that the User is present on the group while performing the Remove from group action.
- Make sure to select the field that is required for performing an action.