The Microsoft Single Tenant multi-connection allows a single Microsoft OAuth authorization to be recognized as multiple security controls within Cork, specifically:

• RMM: Microsoft Intune
• EDR: Defender for Endpoint
• Email: Microsoft M365
• MFA: Microsoft Authenticator
• Email Security: Defender for M365 

The connection must be authorized by an account who has privileges to install applications within the tenant.

Note: If the tenant does not use Defender for Endpoint, there is a checkbox that will set the OAuth connection up with different permissions. This is only necessary if the tenant specifically does not have the WindowsDefenderATP service principal.

The following permissions for each service principal are requested:

• Microsoft Graph (RMM, Email, MFA, Email Security)
  • Application.Read.All
    
  • AuditLog.Read.All
  • Device.Read.All
  • DeviceManagementManagedDevices.Read.All
    
    
  • Directory.Read.All
  • Domain.Read.All
  • Mail.ReadBasic.All
    
    • Note: This permission allows us to read properties for a mailbox, it does not allow Cork to read emails.
  • MailboxSettings.Read
    
  • Policy.Read.All
  • SecurityEvents.Read.All
  • User.Read
  • UserAuthenticationMethod.Read.All
    
• WindowsDefenderATP (EDR)
  • Alert.Read.All
  • Machine.Read.All
  • RemediationTasks.Read.All
    
  • Score.Read.All
  • SecurityConfiguration.Read.All
    • Allows the app to read all security configurations

• • SecurityRecommendation.Read.All
  • Software.Read.All
    
  • Vulnerability.Read.All