
Microsoft Graph Security


You can integrate Microsoft Graph Security to add alerts to the Sophos Data Lake. This lets you query Microsoft Graph data with Sophos Live Discover.

You must be a Microsoft 365 administrator.

Add an integration

To integrate Microsoft Graph with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center and click Integrations.
  2. Click Microsoft - Graph Security API.

    If you've already set up integrations of this type, you see them here.

  3. Click Add.


    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

  4. In Integration steps, do as follows:

    1. Enter the Integration name and Integration description.
  5. Click Save and continue.

  6. Read the text in Connect to Microsoft 365 then click Continue.

    You're connected to Microsoft 365 to create an application which integrates with Sophos Central.

  7. Enter or select your Microsoft account and sign in.

  8. You're prompted to give permissions to an app. These permissions let us create a Microsoft app to integrate with Sophos Central. Click Accept.

  9. If prompted, select the Microsoft account to use.

  10. You're prompted to give permissions to the newly-created Sophos XDR - Security alerts app so that it can run and pass MS Graph Data to Sophos. Click Accept.

  11. You see confirmation that the app is set up. Click Close.

In Sophos Central, in Integrations > Microsoft - Graph Security API you see the new integration.

After about five minutes, the Microsoft app synchronizes Sophos Data Lake with Microsoft Graph for the first time.

Sophos Data Lake is now receiving Microsoft Graph Security alerts.
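
After accepting the permission prompts, you can review in your own tenant exactly what was granted to the Sophos XDR - Security alerts app. The script below is an added example, not Sophos code: it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can read applications and permission grants, and it takes the app's display name from the consent prompt described above.

```powershell
# Added example (not from Sophos documentation).
# Assumption: the Microsoft.Graph PowerShell SDK is installed and you sign in
# with an account allowed to read applications and permission grants.
$appName = 'Sophos XDR - Security alerts'   # display name shown in the consent prompt

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

# Display names are not unique in a tenant, so collect every match.
$sps = @(Get-MgServicePrincipal -Filter "displayName eq '$appName'" -All)
if ($sps.Count -eq 0) { throw "No service principal named '$appName' exists in this tenant." }
if ($sps.Count -gt 1) { Write-Warning "Several service principals share this name; review each one." }

$resourceCache = @{}   # resource service principals, keyed by object id
foreach ($sp in $sps) {
    Write-Host "`n$($sp.DisplayName)  appId=$($sp.AppId)  objectId=$($sp.Id)"

    # Application permissions (app roles) granted through admin consent.
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All | ForEach-Object {
        if (-not $resourceCache.ContainsKey($_.ResourceId)) {
            $resourceCache[$_.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
        }
        # Resolve the role GUID to its readable permission name.
        $role = $resourceCache[$_.ResourceId].AppRoles | Where-Object Id -eq $_.AppRoleId
        [pscustomobject]@{
            Type       = 'Application'
            Resource   = $_.ResourceDisplayName
            Permission = $role.Value
            Granted    = $_.CreatedDateTime
        }
    } | Format-Table -AutoSize

    # Delegated permissions granted to the app, if any.
    Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All | ForEach-Object {
        [pscustomobject]@{
            Type        = 'Delegated'
            ConsentType = $_.ConsentType   # AllPrincipals = tenant-wide consent
            Scopes      = $_.Scope
        }
    } | Format-Table -AutoSize
}
```

Keep the output with your change record so that a later review can spot any permissions added to the app after the integration was set up.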