Configure Entra ID in a cloud environment for Arctic Wolf Active Response

With the Active Response service, Arctic Wolf® can perform identity-based response actions in your cloud network using Microsoft Entra ID.

Microsoft Entra ID, when configured in a cloud environment, supports these response actions:
  • Disable/Enable a user
  • Close user connections
  • Add/Remove a user from a security group
  • Force a password reset
  • Add/Remove user from MFA requirement
    Note: The Conditional Access policy created by Arctic Wolf in Entra ID is required for this response action. The policy is called Require multifactor authentication for risky sign-ins, and it requires the Microsoft Entra ID P2 license, which includes Microsoft Entra ID Protection signals. Do not modify the policy.

For more information, see Response action descriptions.

Note: Arctic Wolf does not support active response actions in Office 365 Government Community Cloud (GCC) environments.

These resources are required:

  • A user account with Global Administrator permissions
  • An Owner or User Access Administrator role on the subscription with Microsoft.Authorization/*/Write permissions
  • If you want Arctic Wolf to contain privileged accounts, the user account that you configure must have Privileged Authentication Administrator permissions. For more information, see Privileged Authentication Administrator.
  • If you want to Add/Remove user from MFA requirement, a Microsoft Entra ID P2 license is required.
  • Contact your CST to validate the Active Response integration. Have an account or environment ready that Arctic Wolf can use to validate the desired response actions without causing interruptions.

Register the application for response actions

  1. Sign in to the Microsoft Entra admin center.
  2. Click Entra ID > App registrations.
  3. Click + New registration.
  4. Configure these settings:
    • Name — Enter a name for the application.
    • Supported account types — From the list, select Single tenant only - <your_organization_name>.
    • For all other fields, keep the default values.
  5. Click Register.
    The page for the newly registered application opens.
  6. Copy the Application (client) ID and Directory (tenant) ID values, and then save them in a safe, encrypted location.
    You will provide them to Arctic Wolf later.

Configure Entra ID permissions for response actions

To enable response actions for Microsoft Entra ID users, grant the registered application only the permissions that the response actions require (least privilege). For more information, see Update an app's requested permissions in Microsoft Entra ID.
  1. Sign in to the Microsoft Entra admin center.
  2. Click Entra ID > App registrations.
  3. Click the All registrations tab, and then select the application.
  4. In the navigation menu, click Manage > API permissions.
  5. On the API permissions page, click + Add a permission.
  6. In the Request API permissions pane, click Microsoft APIs.
  7. On the Microsoft APIs tab, click Microsoft Graph.
  8. Click Application Permissions.
  9. Select these checkboxes:
    • Application.Read.All
    • Directory.ReadWrite.All
    • GroupMember.ReadWrite.All
    • Group.ReadWrite.All
    • User.EnableDisableAccount.All
    • User.ManageIdentities.All
    • User-PasswordProfile.ReadWrite.All
    • Policy.Read.All — Only required if Require multifactor authentication for risky sign-ins is enabled.
    • Policy.ReadWrite.ConditionalAccess — Only required if Require multifactor authentication for risky sign-ins is enabled.
  10. Click Add permissions.
    You are redirected to the API permissions page where the new permissions appear in a list.
  11. In the Configured permissions section, click Grant admin consent for <organization_name>, and then click Yes.
  12. In the navigation menu, return to the App registrations page.
  13. Click the All registrations tab, and then select the application.
  14. In the navigation menu, in the Manage section, click Certificates & secrets.
  15. In the Client secrets section, click + New client secret, and then configure these settings:
    • Description — Enter a description for the client secret.
    • Expires — Select an expiration date for the client secret.
  16. Click Add.
  17. On the Client secrets tab, verify that your new client secret appears.

    Screenshot of the Certificates and Secrets page on the Microsoft Azure Portal. The Value field and text is highlighted by an orange box.

  18. Copy the Value value to a safe, encrypted location.
    You will provide it to Arctic Wolf later.
    Note:
    • The Value value is only available immediately after creation. Do not exit the Certificates & Secrets page until the value is saved in a safe, encrypted location.
    • The Value value is the Client Secret Value that you must provide to Arctic Wolf later. It is not necessary to copy the Secret ID field.
    • You must provide the updated client secret credentials to Arctic Wolf before the credentials expire.
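
A least-privilege and secret-expiry check for the application configured in this procedure, added here as an example (not Arctic Wolf or Microsoft code). It assumes you have exported the Microsoft Graph service principal's `appRoles`, the application's `appRoleAssignments`, and its `passwordCredentials` as JSON; the function names, role ids and sample data are constructed for illustration.

```python
"""Added example: audit an app registration against the permission list in this guide."""
from datetime import datetime, timedelta, timezone

# Application permissions listed in step 9 of this guide.
REQUIRED = {
    "Application.Read.All", "Directory.ReadWrite.All", "GroupMember.ReadWrite.All",
    "Group.ReadWrite.All", "User.EnableDisableAccount.All", "User.ManageIdentities.All",
    "User-PasswordProfile.ReadWrite.All",
}
# Only needed when "Require multifactor authentication for risky sign-ins" is enabled.
MFA_ONLY = {"Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"}


def audit_permissions(app_roles, assignments, mfa_enabled):
    """Compare the granted Graph app roles with the guide's list.

    app_roles: `appRoles` of the Microsoft Graph service principal (id/value pairs).
    assignments: the application's `appRoleAssignments` (each has an `appRoleId`).
    """
    names = {r["id"]: r["value"] for r in app_roles}
    # An id that cannot be resolved is reported as-is so it still shows up as extra.
    granted = {names.get(a["appRoleId"], a["appRoleId"]) for a in assignments}
    expected = REQUIRED | (MFA_ONLY if mfa_enabled else set())
    return {"missing": sorted(expected - granted), "extra": sorted(granted - expected)}


def secrets_expiring(password_credentials, now, within_days=30):
    """Return names of client secrets that expire within `within_days` or already have."""
    cutoff = now + timedelta(days=within_days)
    expiring = []
    for cred in password_credentials:
        # Graph timestamps are UTC; drop fractional seconds and the trailing "Z".
        end = datetime.strptime(cred["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        if end.replace(tzinfo=timezone.utc) <= cutoff:
            expiring.append(cred["displayName"])
    return expiring


# Constructed sample data shaped like Graph responses; ids are placeholders, not real role ids.
SAMPLE_ROLES = [{"id": f"role-{i}", "value": v}
                for i, v in enumerate(sorted(REQUIRED | MFA_ONLY) + ["Mail.ReadWrite"])]
SAMPLE_ASSIGNMENTS = [{"appRoleId": r["id"]} for r in SAMPLE_ROLES
                      if r["value"] not in MFA_ONLY | {"Group.ReadWrite.All"}]
SAMPLE_SECRETS = [{"displayName": "aw-active-response", "endDateTime": "2025-02-01T00:00:00Z"},
                  {"displayName": "aw-rotated", "endDateTime": "2026-01-01T00:00:00.1234567Z"}]

if __name__ == "__main__":
    print(audit_permissions(SAMPLE_ROLES, SAMPLE_ASSIGNMENTS, mfa_enabled=False))
    print(secrets_expiring(SAMPLE_SECRETS, datetime(2025, 1, 15, tzinfo=timezone.utc)))
```

Any entry under `extra` is a permission beyond what this guide lists and is worth reviewing before you grant admin consent.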

Provide Entra ID Active Response credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Organization Profile > Integrations.
  3. On the Active Response tab, click New Active Response Integration +.
  4. Click Microsoft Entra ID.
  5. On the New Active Response Integration page, configure these settings:
    • Integration Name — Enter a unique and descriptive name for the integration, including the tenant name. For example, <tenant_name> Entra ID Active Response Integration.
    • Base URL — Enter https://graph.microsoft.com/v1.0 in the field.
    • Client ID — Enter the client ID from Register the application for response actions.
    • Client Secret — Enter the client secret value that you created in Configure Entra ID permissions for response actions.
    • Tenant ID — Enter the tenant ID from Register the application for response actions.
    • Restricted Access Group Name — Keep this field blank.
    • Require multifactor authentication for risky sign-ins — (Optional) Select the checkbox to enable this response action.
      Note: To enable this response action, you must also have the required permissions and Entra ID P2 license.
  6. Click Save Integration.