Contributor

@ianhelle ianhelle commented Oct 16, 2025

This pull request updates the documentation for the Microsoft Defender data provider to reflect recent changes in supported APIs, clarify authentication options, and improve guidance for configuring and connecting to Microsoft Defender data sources. The most important changes are grouped below by theme.

API and Provider Naming Updates:

  • Updated all references from "Microsoft 365 Defender" and "M365D" to "Microsoft Defender" and clarified the distinction between supported APIs (M365DGraph, MDE/MDATP) and deprecated ones (M365D). The documentation now recommends using "M365DGraph" and explains fallback behavior for legacy provider names. [1] [2]
  • Removed outdated references to the deprecated M365D API and updated table and notes to reflect that M365DGraph is the recommended data environment, with MDE/MDATP maintained for backward compatibility.

Authentication and Configuration Guidance:

  • Added comprehensive instructions for delegated (user) authentication, including configuration examples, support for multiple tenants, and token caching options. Also clarified the difference between delegated and application authentication, and updated configuration section names. [1] [2]
  • Improved documentation on connecting to Microsoft Defender, including examples for both delegated and application authentication, and clarified parameter usage (e.g., username triggers delegated auth). [1] [2]

Connection and Endpoint Selection:

  • Updated instructions for selecting the appropriate cloud endpoint, including new tables for MDE endpoints and clarifying that M365DGraph endpoints are automatically selected for government clouds. Provided updated code examples for connecting to both M365DGraph and MDE.

General Documentation Improvements:

  • Improved clarity and consistency throughout the documentation, including correcting terminology, updating section headers, and enhancing example code blocks for connecting and authenticating. [1] [2]
  • Updated references to related documentation and notebooks to match new naming conventions and API support.

Collaborator

@ryan-detect-dot-dev ryan-detect-dot-dev left a comment

LGTM

- also fixing datetime formatting change for AzureMonitor
- removing spurious warning when using Default MicrosoftDefender configuration in msticpyconfig.yaml
Fixing aiagents

# Conflicts:
#	conda/conda-reqs-pip.txt
#	requirements-all.txt
#	setup.py
Collaborator

@FlorianBracq FlorianBracq left a comment

Ok for me too!

@ianhelle ianhelle changed the title from "Adding federated auth docs to Defender doc" to "Adding delegated auth documentation to Defender doc" Oct 31, 2025
@ianhelle ianhelle merged commit 2e550de into main Oct 31, 2025
11 checks passed
@ianhelle ianhelle deleted the ianhelle/M365-fed-auth-docs-2025-10-16 branch October 31, 2025 21:36
4 participants