O365 Security and Compliance Auth Fix (#34896)

* Fixed an issue where the authentication would use a deprecated app id
demisto · Jun 20, 2024 · 063a1c0 · 063a1c0
1 parent 77597ab
commit 063a1c0
Show file tree

Hide file tree

Showing 7 changed files with 106 additions and 10 deletions.
diff --git a/Packs/MicrosoftExchangeOnline/.pack-ignore b/Packs/MicrosoftExchangeOnline/.pack-ignore
@@ -11,7 +11,7 @@ ignore=PB118
 ignore=IN128
 
 [file:SecurityAndComplianceV2.yml]
-ignore=IN124
+ignore=IN124,IN145
 
 [file:playbook-Get_Mails_By_Folder_Paths.yml]
 ignore=PB119

diff --git a/.../MicrosoftExchangeOnline/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2.ps1 b/.../MicrosoftExchangeOnline/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2.ps1
@@ -268,7 +268,7 @@ function ParseSearchActionToEntryContext([psobject]$search_action, [int]$limit =
 
 #### OAuth Client - Access Token Management ####
 class OAuth2DeviceCodeClient {
-    [string]$application_id = "a0c73c16-a7e3-4564-9a95-2bdf47383716"
+    [string]$application_id
     [string]$application_scope = "offline_access%20https%3A//outlook.office365.com/.default"
     [string]$device_code
     [int]$device_code_expires_in
@@ -279,9 +279,11 @@ class OAuth2DeviceCodeClient {
     [int]$access_token_creation_time
     [bool]$insecure
     [bool]$proxy
+    [string]$app_secret
 
     OAuth2DeviceCodeClient([string]$device_code, [string]$device_code_expires_in, [string]$device_code_creation_time, [string]$access_token,
-                            [string]$refresh_token,[string]$access_token_expires_in, [string]$access_token_creation_time, [bool]$insecure, [bool]$proxy) {
+                            [string]$refresh_token,[string]$access_token_expires_in, [string]$access_token_creation_time,
+                           [bool]$insecure, [bool]$proxy, [string]$application_id, [string]$app_secret) {
         $this.device_code = $device_code
         $this.device_code_expires_in = $device_code_expires_in
         $this.device_code_creation_time = $device_code_creation_time
@@ -291,6 +293,8 @@ class OAuth2DeviceCodeClient {
         $this.access_token_creation_time = $access_token_creation_time
         $this.insecure = $insecure
         $this.proxy = $proxy
+        $this.application_id = $application_id
+        $this.app_secret = $app_secret
         <#
             .DESCRIPTION
             OAuth2DeviceCodeClient manage state of OAuth2.0 device-code flow described in https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code.
@@ -339,10 +343,10 @@ class OAuth2DeviceCodeClient {
         #>
     }
 
-    static [OAuth2DeviceCodeClient]CreateClientFromIntegrationContext([bool]$insecure, [bool]$proxy){
+    static [OAuth2DeviceCodeClient]CreateClientFromIntegrationContext([bool]$insecure, [bool]$proxy, [string]$application_id, [string]$app_secret) {
         $ic = GetIntegrationContext
         $client = [OAuth2DeviceCodeClient]::new($ic.DeviceCode, $ic.DeviceCodeExpiresIn, $ic.DeviceCodeCreationTime, $ic.AccessToken, $ic.RefreshToken,
-                                                $ic.AccessTokenExpiresIn, $ic.AccessTokenCreationTime, $insecure, $proxy)
+                                                $ic.AccessTokenExpiresIn, $ic.AccessTokenCreationTime, $insecure, $proxy, $application_id, $app_secret)
 
         return $client
         <#
@@ -366,7 +370,9 @@ class OAuth2DeviceCodeClient {
         $params = @{
             "URI" = "https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode"
             "Method" = "Post"
-            "Headers" = (New-Object "System.Collections.Generic.Dictionary[[String],[String]]").Add("Content-Type", "application/x-www-form-urlencoded")
+            "Headers" = @{
+                "Content-Type" = "application/x-www-form-urlencoded"
+            }
             "Body" = "client_id=$($this.application_id)&scope=$($this.application_scope)"
             "NoProxy" = !$this.proxy
             "SkipCertificateCheck" = $this.insecure
@@ -378,7 +384,7 @@ class OAuth2DeviceCodeClient {
         $this.device_code_creation_time = [int][double]::Parse((Get-Date -UFormat %s))
         $this.device_code_expires_in = [int]::Parse($response_body.expires_in)
 
-        return $response_body
+    return $response_body
 
         <#
             .DESCRIPTION
@@ -1857,7 +1863,7 @@ function Main {
         $Demisto.Debug("Command being called is $Command")
 
         # Creating Compliance and search client
-        $oauth2_client = [OAuth2DeviceCodeClient]::CreateClientFromIntegrationContext($insecure, $false)
+        $oauth2_client = [OAuth2DeviceCodeClient]::CreateClientFromIntegrationContext($insecure, $false, $integration_params.app_id, $integration_params.app_secret)
 
         # Executing oauth2 commands
         switch ($command) {

diff --git a/.../MicrosoftExchangeOnline/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2.yml b/.../MicrosoftExchangeOnline/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2.yml
@@ -41,7 +41,7 @@ configuration:
   type: 0
   section: Connect
   advanced: true
-  hidden: true
+  hidden: false
   required: false
 - display: Trust any certificate (not secure)
   name: insecure
@@ -50,6 +50,12 @@ configuration:
   section: Connect
   advanced: true
   required: false
+- display: App Secret
+  name: app_secret
+  type: 4
+  section: Connect
+  advanced: true
+  required: false
 - display: Tenant ID
   name: tenant_id
   type: 0

diff --git a/...ine/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2_description.md b/...ine/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2_description.md
@@ -11,3 +11,76 @@ Supported authentication methods:
     1. Fill in the UPN parameter in the integration configuration.
     2. Run the ***o365-sc-auth-start*** command and follow the instructions.
     3. For testing completion of authorization process run the ***o365-sc-auth-test*** command.
+
+## Security and Compliance Integration Changes
+
+### Overview
+In response to Microsoft's deprecation of the App ID, the following changes to app registration in Azure are required:
+1. Add the `Exchange.Manage` delegated permissions.
+2. Enable "Allow public client flows" in the authentication section.
+3. Add an app secret to the app registration.
+4. Enable the app for Multi-Tenant access.
+
+### Step-by-Step Instructions
+
+#### 1. Add Exchange.Manage Delegated Permissions
+
+1. **Navigate to Azure Portal:**
+   Go to the [Azure Portal](https://portal.azure.com/) and sign in with your administrator account.
+
+2. **Access App Registrations:**
+   In the left-hand navigation pane, select **Azure Active Directory**. Then, under **Manage**, select **App registrations**.
+
+3. **Select Your App:**
+   Find and select the app registration you are working on.
+
+4. **Add Permissions:**
+   - Under **Manage**, select **API permissions**.
+   - Click on **Add a permission**.
+   - Select **APIs my organization uses**.
+   - Type "Office" in the search bar and select **Office 365 Exchange Online**.
+   - Choose **Delegated permissions**.
+   - Search for `Exchange.Manage` and check the corresponding box.
+   - Click on **Add permissions**.
+   - Ensure the permissions are granted for your organization by selecting **Grant admin consent for [Your Organization]** and confirming the action.
+
+#### 2. Enable "Allow Public Client Flows"
+
+1. **Navigate to Authentication Settings:**
+   From your app registration, under **Manage**, select **Authentication**.
+
+2. **Enable Public Client Flows:**
+   - Scroll down to the **Advanced settings** section.
+   - Locate the setting **Allow public client flows** and set it to **Yes**.
+   - Click **Save** at the top to apply the changes.
+
+#### 3. Add an App Secret
+
+1. **Navigate to Certificates & Secrets:**
+   From your app registration, under **Manage**, select **Certificates & secrets**.
+
+2. **Add a Client Secret:**
+   - Click on **New client secret**.
+   - Provide a description for the client secret.
+   - Choose an expiration period that meets your organization's security policy.
+   - Click **Add**.
+   - After the secret is created, copy the value immediately as it will not be displayed again. Store this secret securely, as it will be used in your application to authenticate.
+
+#### 4. Enable the App for Multi-Tenant Access
+
+1. **Navigate to Authentication Settings:**
+   From your app registration, under **Manage**, select **Authentication**.
+
+2. **Enable Multi-Tenant Access:**
+   - Scroll down to the **Supported account types** section.
+   - Ensure that **Accounts in any organizational directory (Any Azure AD directory - Multitenant)** is selected.
+   - Click **Save** at the top to apply the changes.
+   - If prompted, confirm the change by selecting **Yes**.
+
+### Additional Resources
+- [Azure Active Directory App Registrations](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)
+- [API Permissions in Microsoft Graph](https://docs.microsoft.com/en-us/graph/permissions-reference)
+- [Configure Authentication in Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow)
+- [Add a Client Secret](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret)
+
+These steps will ensure your app registration is updated correctly to maintain the necessary functionality after Microsoft's deprecation of the App ID. If you have any questions or run into issues, please refer to the provided documentation links or contact your Azure support team.
diff --git a/Packs/MicrosoftExchangeOnline/ReleaseNotes/1_3_12.json b/Packs/MicrosoftExchangeOnline/ReleaseNotes/1_3_12.json
@@ -0,0 +1 @@
+{"breakingChanges":true,"breakingChangesNotes":"Instances of Security and Compliance which are already configured, will need to have the command ***o365-sc-auth-start*** ran in order to authenticate the account. This version will require a change to the App registration in Azure. Please refer to the description of the integration for detailed instructions."}
diff --git a/Packs/MicrosoftExchangeOnline/ReleaseNotes/1_3_12.md b/Packs/MicrosoftExchangeOnline/ReleaseNotes/1_3_12.md
@@ -0,0 +1,10 @@
+
+#### Integrations
+
+##### O365 - Security And Compliance - Content Search v2
+
+- Fixed an issue where MFA accounts would authenticate using a deprecated application id.
+- ***Breaking Change*** - Instances of Security and Compliance which are already configured,
+will need to have the command ***o365-sc-auth-start*** ran in order to authenticate the account. 
+This version will require a change to the App registration in Azure. Please refer to the description
+of the integration for detailed instructions.
diff --git a/Packs/MicrosoftExchangeOnline/pack_metadata.json b/Packs/MicrosoftExchangeOnline/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Microsoft Exchange Online",
     "description": "Exchange Online and Office 365 (mail)",
     "support": "xsoar",
-    "currentVersion": "1.3.11",
+    "currentVersion": "1.3.12",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",