Skip to content
Find out how we support MDR.

Microsoft integrations

You can integrate Microsoft software and services with Sophos Central.

Configure integrations

To configure an integration, click Threat Analysis Center > Integrations > Marketplace, and click the integration name.

For details of how to configure each integration, see the following pages:

How the integrations work

The Sophos XDR platform integrates with Microsoft using the Microsoft Management Activity API and the Microsoft Graph Security API. Sophos uses both APIs independently to detect threats in the Microsoft 365 environment.

M365 Management Activity

Using the Management Activity API, the Sophos XDR platform ingests raw events occurring in the Microsoft 365 environment. Sophos uses these events both for threat detection and for collecting additional supporting information for analysts during an investigation. These raw events are available to all Microsoft 365 customers, regardless of the licensing used in their environment.

The Sophos detection engineering team regularly creates detection rules based on these raw events from Microsoft. These rules allow analysts to investigate scenarios that could indicate Account Compromise or Business Email Compromise (BEC). Example indicators include inbox rule manipulation, session token theft, Man-in-the-Middle attacks, malicious application consent, and more.

You can see Sophos-based detections on the Detections page in Sophos Central. The detections are labeled as SAAS-M365-xxxxx and have the detection type "compound_detections", as seen in this example:

A SAAS-M365 type detection.

With the Microsoft Management Activity API events stored in the Sophos Data Lake, analysts can use these logs when investigating in an environment. For example, a user's sign-ins can be reviewed to confirm or identify suspicious sign-in events, or to review account activity in the Microsoft 365 environment while the account was compromised.

For more information on which data Microsoft provides via the Management Activity API, see Office 365 Management APIs overview.

MS Graph Security

Using the Graph Security API, Sophos ingests detection events generated by Microsoft, based on telemetry observed in the Microsoft ecosystem. Depending on the severity of these Microsoft detection events, cases are created for analysts to investigate and respond to.

The components, or "providers", that generate detection events to the Graph Security API are as follows:

  • Entra ID Protection
  • Defender for Office 365
  • Defender for Endpoint
  • Defender for Identity
  • Defender for Cloud Apps
  • Defender for Cloud
  • Microsoft Sentinel

You can see detection events received by the Microsoft Graph Security API on the Detections page in Sophos Central. The detections are labeled MS-SEC-GRAPH-xxxxx, as seen in this example:

MS-SEC-GRAPH type detections.

The specific Microsoft detection events generated by these products and available for ingestion via the Graph Security API depend on the Microsoft 365 licensing used in the environment. This can include the individual per-user plan, and any additional add-ons or bundles added to users or the Microsoft 365 tenancy.

We recommend that you consult your Microsoft 365 licensing specialist to understand which providers, detection events, and alerts are included in each plan, add-on or bundle. However, we can provide the following guidance:

  • The Microsoft 365 E5 plan or E5 Security Add-on includes all Microsoft detection events that are used to create cases to be investigated.
  • For Entra ID Protection-based identity alerts, you need Entra ID P2 plans (bundled with the E5 plans mentioned above).
  • For other components, consult your Microsoft licensing expert to understand which Microsoft bundles or individual SKUs you need to access those components and their Graph Security detection events.

For more information about the Graph Security API and alerts generated by specific providers, see Alerts and incidents.