diff --git a/Packs/MicrosoftExchangeOnline/.pack-ignore b/Packs/MicrosoftExchangeOnline/.pack-ignore
index 05d0989770af..2c4a6025b7dc 100644
--- a/Packs/MicrosoftExchangeOnline/.pack-ignore
+++ b/Packs/MicrosoftExchangeOnline/.pack-ignore
@@ -11,7 +11,7 @@ ignore=PB118
 ignore=IN128
 [file:SecurityAndComplianceV2.yml]
-ignore=IN124
+ignore=IN124,IN145
 [file:playbook-Get_Mails_By_Folder_Paths.yml]
 ignore=PB119
diff --git a/Packs/MicrosoftExchangeOnline/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2.ps1 b/Packs/MicrosoftExchangeOnline/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2.ps1
index 16282151ed61..77e1de249759 100644
--- a/Packs/MicrosoftExchangeOnline/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2.ps1
+++ b/Packs/MicrosoftExchangeOnline/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2.ps1
@@ -268,7 +268,7 @@ function ParseSearchActionToEntryContext([psobject]$search_action, [int]$limit =
 #### OAuth Client - Access Token Management ####
 class OAuth2DeviceCodeClient {
- [string]$application_id = "a0c73c16-a7e3-4564-9a95-2bdf47383716"
+ [string]$application_id
 [string]$application_scope = "offline_access%20https%3A//outlook.office365.com/.default"
 [string]$device_code
 [int]$device_code_expires_in
@@ -279,9 +279,11 @@ class OAuth2DeviceCodeClient {
 [int]$access_token_creation_time
 [bool]$insecure
 [bool]$proxy
+ [string]$app_secret
 OAuth2DeviceCodeClient([string]$device_code, [string]$device_code_expires_in, [string]$device_code_creation_time, [string]$access_token,
- [string]$refresh_token,[string]$access_token_expires_in, [string]$access_token_creation_time, [bool]$insecure, [bool]$proxy) {
+ [string]$refresh_token,[string]$access_token_expires_in, [string]$access_token_creation_time,
+ [bool]$insecure, [bool]$proxy, [string]$application_id, [string]$app_secret) {
 $this.device_code = $device_code
 $this.device_code_expires_in = $device_code_expires_in
 $this.device_code_creation_time = $device_code_creation_time
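Review bot: `$app_secret` is added as a class field and constructor argument in the `@@ -279,9 +279,11 @@` hunk, but no hunk on this page reads `$this.app_secret`; the device-code request further down still sends only `client_id` and `scope`. If the token or refresh request outside these hunks sends it, the class's comment-based help should say so and the value should be URL-encoded when the form body is built. If nothing sends it, the field is better dropped, since a secret held on the client object without a consumer is one more place it could surface in debug output or a serialized object. The constructor body continues outside this hunk.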
@@ -291,6 +293,8 @@ class OAuth2DeviceCodeClient {
 $this.access_token_creation_time = $access_token_creation_time
 $this.insecure = $insecure
 $this.proxy = $proxy
+ $this.application_id = $application_id
+ $this.app_secret = $app_secret
 <#
 .DESCRIPTION
 OAuth2DeviceCodeClient manage state of OAuth2.0 device-code flow described in https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code.
@@ -339,10 +343,10 @@ class OAuth2DeviceCodeClient {
 #>
 }
- static [OAuth2DeviceCodeClient]CreateClientFromIntegrationContext([bool]$insecure, [bool]$proxy){
+ static [OAuth2DeviceCodeClient]CreateClientFromIntegrationContext([bool]$insecure, [bool]$proxy, [string]$application_id, [string]$app_secret) {
 $ic = GetIntegrationContext
 $client = [OAuth2DeviceCodeClient]::new($ic.DeviceCode, $ic.DeviceCodeExpiresIn, $ic.DeviceCodeCreationTime, $ic.AccessToken, $ic.RefreshToken,
- $ic.AccessTokenExpiresIn, $ic.AccessTokenCreationTime, $insecure, $proxy)
+ $ic.AccessTokenExpiresIn, $ic.AccessTokenCreationTime, $insecure, $proxy, $application_id, $app_secret)
 return $client
 <#
@@ -366,7 +370,9 @@ class OAuth2DeviceCodeClient {
 $params = @{
 "URI" = "https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode"
 "Method" = "Post"
- "Headers" = (New-Object "System.Collections.Generic.Dictionary[[String],[String]]").Add("Content-Type", "application/x-www-form-urlencoded")
+ "Headers" = @{
+ "Content-Type" = "application/x-www-form-urlencoded"
+ }
 "Body" = "client_id=$($this.application_id)&scope=$($this.application_scope)"
 "NoProxy" = !$this.proxy
 "SkipCertificateCheck" = $this.insecure
@@ -378,7 +384,7 @@ class OAuth2DeviceCodeClient {
 $this.device_code_creation_time = [int][double]::Parse((Get-Date -UFormat %s))
 $this.device_code_expires_in = [int]::Parse($response_body.expires_in)
- return $response_body
+ return $response_body
 <#
 .DESCRIPTION
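Review bot: The `client_id` value in the `Body` string of the `@@ -366,7 +370,9 @@` hunk is now operator-supplied rather than a fixed GUID, yet it is interpolated into the form body without encoding, so a stray `&` or `=` in the configured value would change the parameters sent to the devicecode endpoint. Encoding it keeps the request well-formed: `"Body" = "client_id=$([uri]::EscapeDataString($this.application_id))&scope=$($this.application_scope)"`. `application_scope` is already stored percent-encoded in the class, so it should stay as it is. The enclosing method starts and ends outside the hunk.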
@@ -1857,7 +1863,7 @@ function Main {
 $Demisto.Debug("Command being called is $Command")
 # Creating Compliance and search client
- $oauth2_client = [OAuth2DeviceCodeClient]::CreateClientFromIntegrationContext($insecure, $false)
+ $oauth2_client = [OAuth2DeviceCodeClient]::CreateClientFromIntegrationContext($insecure, $false, $integration_params.app_id, $integration_params.app_secret)
 # Executing oauth2 commands
 switch ($command) {
diff --git a/Packs/MicrosoftExchangeOnline/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2.yml b/Packs/MicrosoftExchangeOnline/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2.yml
index 48512a13219d..1e91cc8979a0 100644
--- a/Packs/MicrosoftExchangeOnline/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2.yml
+++ b/Packs/MicrosoftExchangeOnline/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2.yml
@@ -41,7 +41,7 @@ configuration:
 type: 0
 section: Connect
 advanced: true
- hidden: true
+ hidden: false
 required: false
 - display: Trust any certificate (not secure)
 name: insecure
@@ -50,6 +50,12 @@ configuration:
 section: Connect
 advanced: true
 required: false
+- display: App Secret
+ name: app_secret
+ type: 4
+ section: Connect
+ advanced: true
+ required: false
 - display: Tenant ID
 name: tenant_id
 type: 0
diff --git a/Packs/MicrosoftExchangeOnline/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2_description.md b/Packs/MicrosoftExchangeOnline/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2_description.md
index aa59ce06fbc2..6a89c0286780 100644
--- a/Packs/MicrosoftExchangeOnline/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2_description.md
+++ b/Packs/MicrosoftExchangeOnline/Integrations/SecurityAndComplianceV2/SecurityAndComplianceV2_description.md
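Review bot: `$integration_params.app_id` is passed straight into the client in the `Main` hunk with no check that it is set; with the built-in application id removed by this commit, an unconfigured instance would post an empty `client_id` to the devicecode endpoint and the operator would see only the identity provider's error. Failing early before the client is created is easier to diagnose, e.g. `if ([string]::IsNullOrWhiteSpace($integration_params.app_id)) { throw "Application ID is required for device-code authentication" }`. The YAML hunk that un-hides a parameter keeps `required: false`; if that parameter is `app_id`, the guard matters even more. Main's body continues outside the hunk.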
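Review bot: The new `app_secret` parameter in the `@@ -50,6 +50,12 @@` hunk is declared as `type: 4`, and the same commit adds `IN145` to this file's ignore list in `.pack-ignore`. If IN145 is the validation that asks for secrets to use the credentials parameter type (`type: 9`), suppressing it deserves a one-line justification in the PR, or the parameter could be declared with that type instead. The entry also has no `additionalinfo` text telling the operator when the secret is needed and which app registration it belongs to.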
@@ -11,3 +11,76 @@ Supported authentication methods:
 1. Fill in the UPN parameter in the integration configuration.
 2. Run the ***o365-sc-auth-start*** command and follow the instructions.
 3. For testing completion of authorization process run the ***o365-sc-auth-test*** command.
+
+## Security and Compliance Integration Changes
+
+### Overview
+In response to Microsoft's deprecation of the App ID, the following changes to app registration in Azure are required:
+1. Add the `Exchange.Manage` delegated permissions.
+2. Enable "Allow public client flows" in the authentication section.
+3. Add an app secret to the app registration.
+4. Enable the app for Multi-Tenant access.
+
+### Step-by-Step Instructions
+
+#### 1. Add Exchange.Manage Delegated Permissions
+
+1. **Navigate to Azure Portal:**
+ Go to the [Azure Portal](https://portal.azure.com/) and sign in with your administrator account.
+
+2. **Access App Registrations:**
+ In the left-hand navigation pane, select **Azure Active Directory**. Then, under **Manage**, select **App registrations**.
+
+3. **Select Your App:**
+ Find and select the app registration you are working on.
+
+4. **Add Permissions:**
+ - Under **Manage**, select **API permissions**.
+ - Click on **Add a permission**.
+ - Select **APIs my organization uses**.
+ - Type "Office" in the search bar and select **Office 365 Exchange Online**.
+ - Choose **Delegated permissions**.
+ - Search for `Exchange.Manage` and check the corresponding box.
+ - Click on **Add permissions**.
+ - Ensure the permissions are granted for your organization by selecting **Grant admin consent for [Your Organization]** and confirming the action.
+
+#### 2. Enable "Allow Public Client Flows"
+
+1. **Navigate to Authentication Settings:**
+ From your app registration, under **Manage**, select **Authentication**.
+
+2. **Enable Public Client Flows:**
+ - Scroll down to the **Advanced settings** section.
+ - Locate the setting **Allow public client flows** and set it to **Yes**.
+ - Click **Save** at the top to apply the changes.
+
+#### 3. Add an App Secret
+
+1. **Navigate to Certificates & Secrets:**
+ From your app registration, under **Manage**, select **Certificates & secrets**.
+
+2. **Add a Client Secret:**
+ - Click on **New client secret**.
+ - Provide a description for the client secret.
+ - Choose an expiration period that meets your organization's security policy.
+ - Click **Add**.
+ - After the secret is created, copy the value immediately as it will not be displayed again. Store this secret securely, as it will be used in your application to authenticate.
+
+#### 4. Enable the App for Multi-Tenant Access
+
+1. **Navigate to Authentication Settings:**
+ From your app registration, under **Manage**, select **Authentication**.
+
+2. **Enable Multi-Tenant Access:**
+ - Scroll down to the **Supported account types** section.
+ - Ensure that **Accounts in any organizational directory (Any Azure AD directory - Multitenant)** is selected.
+ - Click **Save** at the top to apply the changes.
+ - If prompted, confirm the change by selecting **Yes**.
+
+### Additional Resources
+- [Azure Active Directory App Registrations](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)
+- [API Permissions in Microsoft Graph](https://docs.microsoft.com/en-us/graph/permissions-reference)
+- [Configure Authentication in Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow)
+- [Add a Client Secret](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret)
+
+These steps will ensure your app registration is updated correctly to maintain the necessary functionality after Microsoft's deprecation of the App ID.
If you have any questions or run into issues, please refer to the provided documentation links or contact your Azure support team.
\ No newline at end of file
diff --git a/Packs/MicrosoftExchangeOnline/ReleaseNotes/1_3_12.json b/Packs/MicrosoftExchangeOnline/ReleaseNotes/1_3_12.json
new file mode 100644
index 000000000000..f55671cdce1e
--- /dev/null
+++ b/Packs/MicrosoftExchangeOnline/ReleaseNotes/1_3_12.json
@@ -0,0 +1 @@
+{"breakingChanges":true,"breakingChangesNotes":"Instances of Security and Compliance which are already configured, will need to have the command ***o365-sc-auth-start*** ran in order to authenticate the account. This version will require a change to the App registration in Azure. Please refer to the description of the integration for detailed instructions."}
\ No newline at end of file
diff --git a/Packs/MicrosoftExchangeOnline/ReleaseNotes/1_3_12.md b/Packs/MicrosoftExchangeOnline/ReleaseNotes/1_3_12.md
new file mode 100644
index 000000000000..8c97348dd284
--- /dev/null
+++ b/Packs/MicrosoftExchangeOnline/ReleaseNotes/1_3_12.md
@@ -0,0 +1,10 @@
+
+#### Integrations
+
+##### O365 - Security And Compliance - Content Search v2
+
+- Fixed an issue where MFA accounts would authenticate using a deprecated application id.
+- ***Breaking Change*** - Instances of Security and Compliance which are already configured,
+will need to have the command ***o365-sc-auth-start*** ran in order to authenticate the account.
+This version will require a change to the App registration in Azure. Please refer to the description
+of the integration for detailed instructions.
\ No newline at end of file
diff --git a/Packs/MicrosoftExchangeOnline/pack_metadata.json b/Packs/MicrosoftExchangeOnline/pack_metadata.json
index 8cda09ba8124..4989a2934348 100644
--- a/Packs/MicrosoftExchangeOnline/pack_metadata.json
+++ b/Packs/MicrosoftExchangeOnline/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Microsoft Exchange Online",
 "description": "Exchange Online and Office 365 (mail)",
 "support": "xsoar",
- "currentVersion": "1.3.11",
+ "currentVersion": "1.3.12",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",