Microsoft 365 Response Actions

You can integrate Microsoft 365 Response Actions with Sophos Central. This lets you use these actions to address detected issues.

This is an API-based integration.

When you complete integration, you'll be able to take the following actions:

  • Block or allow user sign-in. This helps stop unauthorized access to your systems.
  • Disconnect or revoke all current sessions. This helps isolate compromised accounts and stops lateral movement of threats.
  • Turn off inbox rules for the user. This helps stop malicious forwarding of sensitive emails, security evasion tactics, deletion of evidence, and more.

MDR customers

Whatever permissions you set here, Sophos Central will enforce the Threat Response option you selected in the MDR settings page. For example, if you selected Collaborate, MDR analysts can't take action without your authorization.

Requirements

You must be a Microsoft 365 administrator to configure this integration.

There are no Microsoft license requirements for this integration.

Recommendation

If you configure Microsoft 365 response actions, we recommend that you also configure the Microsoft 365 Management Activity and Microsoft Graph Security v2 data ingest integrations. These generate detections and enrich investigations, helping you respond to events in your Microsoft estate.

Configure an integration

You can only configure a response actions integration for one Microsoft 365 environment. We recommend you pick your primary or largest environment.

To configure a Microsoft 365 Response Actions integration with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  2. Click Microsoft 365 - Response Actions.

    The Response Actions page opens. If an integration is already configured, it's shown here and you won't be able to add another.

  3. Click Add Configuration.

  4. On the Add Response Action page, enter the Integration name and Integration description.
  5. Click Save and Continue.
  6. Read the text in Connect to Microsoft 365, then click Continue.

    You're connected to Microsoft 365 to create an application which integrates with Sophos Central.

  7. Enter or select your Microsoft account and sign in.

    Pick an account.

  8. You're prompted to give permissions to an app. These permissions let us create a Microsoft app to integrate with Sophos Central. Click Accept.

    Permissions requested for creation of an app for integration.

  9. You're prompted to give permissions to the newly-created Sophos Central Integration app so that it can take response actions as required. Click Accept.

    Permissions requested for the Sophos Central integration app.

You're returned to Sophos Central where you see your integration configured.

Run response actions

You can now run Microsoft 365 response actions from the Respond tab in a case's details page in Sophos Central. See Respond to cases.

Troubleshoot response actions

This section lists issues that might occur when you run response actions.

The "Disable individual inbox rule" action fails.

Make sure that the inbox rule name is correct. For the purposes of this action, the inbox rule name is case-sensitive.

The "Block user sign-in" action fails to permanently disconnect an Entra ID account

If your environment is in a hybrid Entra ID configuration using Microsoft Entra Connect Sync, the on-premises environment takes precedence during synchronization. If you use Microsoft 365 Response Actions to disconnect an Entra ID account, Entra Connect Sync might connect it again at a later time, which is out of our control.
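
To find the accounts affected by the hybrid caveat above, you can classify Microsoft Graph user objects by whether they are synced from on-premises. This is an added example, not Sophos code: the sample records and function names are constructed, and it assumes the user objects were retrieved with the accountEnabled and onPremisesSyncEnabled properties selected.

```python
import json

# Constructed sample: user objects in the shape Microsoft Graph returns for
# GET /users?$select=userPrincipalName,accountEnabled,onPremisesSyncEnabled
SAMPLE_USERS = json.loads("""[
  {"userPrincipalName": "alice@example.com", "accountEnabled": false, "onPremisesSyncEnabled": null},
  {"userPrincipalName": "bob@example.com",   "accountEnabled": false, "onPremisesSyncEnabled": true},
  {"userPrincipalName": "carol@example.com", "accountEnabled": true,  "onPremisesSyncEnabled": true}
]""")


def block_status(user):
    """Classify how durable a sign-in block is for one Graph user object."""
    # onPremisesSyncEnabled is null for accounts never synced from on-premises AD.
    synced = user.get("onPremisesSyncEnabled") is True
    blocked = user.get("accountEnabled") is False
    if blocked and not synced:
        return "blocked"          # cloud-only account: the block is not overwritten by sync
    if blocked and synced:
        return "blocked-at-risk"  # Entra Connect Sync may re-enable it from on-premises
    if synced:
        return "enabled-synced"   # sign-in allowed; the on-premises state is authoritative
    return "enabled"


def triage(users, blocked_upns):
    """Return UPN -> status for the accounts a block action was run against."""
    wanted = {upn.lower() for upn in blocked_upns}
    return {u["userPrincipalName"]: block_status(u)
            for u in users if u["userPrincipalName"].lower() in wanted}


def needs_on_prem_action(statuses):
    """Accounts whose block also has to be applied in on-premises Active Directory."""
    return sorted(upn for upn, status in statuses.items()
                  if status in ("blocked-at-risk", "enabled-synced"))


if __name__ == "__main__":
    result = triage(SAMPLE_USERS, [u["userPrincipalName"] for u in SAMPLE_USERS])
    for upn, status in result.items():
        print(f"{upn}: {status}")
    print("also disable on-premises:", needs_on_prem_action(result))
```

An account reported as enabled-synced after a block action is the case described above, where synchronization has connected the account again.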