Configure Entra ID in a hybrid environment for Arctic Wolf Active Response

With the Active Response service, Arctic Wolf® can perform identity-based response actions in your hybrid network using Microsoft Entra ID.

Note:
  • This configuration does not close on-premises login connections, for example an existing interactive user login session.
  • Arctic Wolf does not support active response actions in Office 365 Government Community Cloud (GCC) environments.
Microsoft Entra ID, when configured in a hybrid environment, supports these response actions:
  • Close user connections (cloud-based sessions only)
  • Add a user to, or remove a user from, a security group, as long as the group is cloud-sourced, such as the restricted access group configured below

For more information, see Response action descriptions.

These resources are required:

  • A user account with Global Administrator permissions
  • An Owner or User Access Administrator role on the subscription with Microsoft.Authorization/*/Write permissions
  • A Microsoft Entra ID P1 license to configure conditional access groups
  • If you want Arctic Wolf to contain privileged accounts, the user account that you configure must have Privileged Authentication Administrator permissions. For more information, see Privileged Authentication Administrator.

These actions are required:

  • If you are using the security defaults from Microsoft, you need to disable these defaults to be able to create a conditional access policy. We recommend following Microsoft documentation to set up the additional conditional access policies to keep your organization secure. For more information, see Disabling security defaults.
  • Contact your CST to validate the Active Response integration. Have an account or environment ready that Arctic Wolf can use to validate the desired response actions without causing interruptions.

Register the application for response actions

  1. Sign in to the Microsoft Entra admin center.
  2. Click Entra ID > App registrations.
  3. Click + New registration.
  4. Configure these settings:
    • Name — Enter a name for the application.
    • Supported account types — From the list, select Single tenant only - <your_organization_name>.
    • For all other fields, keep the default values.
  5. Click Register.
    The page for the newly registered application opens.
  6. Copy the Application (client) ID and Directory (tenant) ID values, and then save them in a safe, encrypted location.
    You will provide them to Arctic Wolf later.

Configure Entra ID permissions for response actions

To configure response actions for Microsoft Entra ID users, you must configure an account with the least privileged permissions. For more information, see Update an app's requested permissions in Microsoft Entra ID.
  1. Sign in to the Microsoft Entra admin center.
  2. Click Entra ID > App registrations.
  3. Click the All registrations tab, and then select the application.
  4. In the navigation menu, click Manage > API permissions.
  5. On the API permissions page, click + Add a permission.
  6. In the Request API permissions pane, click Microsoft APIs.
  7. On the Microsoft APIs tab, click Microsoft Graph.
  8. Click Application Permissions.
  9. Select these checkboxes:
    • Application.Read.All
    • Directory.ReadWrite.All
    • GroupMember.ReadWrite.All
    • Group.ReadWrite.All
    • User.EnableDisableAccount.All
    • User.ManageIdentities.All
    • User-PasswordProfile.ReadWrite.All
  10. Click Add permissions.
    You are redirected to the API permissions page where the new permissions appear in a list.
  11. In the Configured permissions section, click Grant admin consent for <organization_name>, and then click Yes.
  12. In the navigation menu, return to the App registrations page.
  13. Click the All registrations tab, and then select the application.
  14. In the navigation menu, in the Manage section, click Certificates & secrets.
  15. In the Client secrets section, click + New client secret, and then configure these settings:
    • Description — Enter a description for the client secret.
    • Expires — Select an expiration date for the client secret.
  16. Click Add.
  17. On the Client secrets tab, verify that your new client secret appears.

    Screenshot: the Certificates & secrets page in the Microsoft Azure portal, with the Value field highlighted.

  18. Copy the contents of the Value field to a safe, encrypted location.
    You will provide it to Arctic Wolf later.
    Note:
    • The Value field is only displayed immediately after creation. Do not leave the Certificates & secrets page until the value is saved in a safe, encrypted location.
    • The Value field is the Client Secret Value that you must provide to Arctic Wolf later. It is not necessary to copy the Secret ID field.
    • You must provide the updated client secret credentials to Arctic Wolf before the current credentials expire.
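An offline check for the two things this section leaves you responsible for: that the application's granted Microsoft Graph permissions still match the list in step 9 (nothing missing, nothing extra) and that the client secret is rotated before it expires. This is an added example, not Arctic Wolf's code; the records below are constructed to mimic Microsoft Graph responses, and every GUID is a placeholder rather than a real Graph app-role id.

```python
# Added example, not Arctic Wolf's code: an offline audit of the app registration
# against the baseline above. The records below are constructed to mimic Microsoft
# Graph responses; every GUID is a placeholder, not a real Graph app-role id.
from datetime import datetime, timedelta, timezone

# Microsoft Graph application permissions granted in step 9.
EXPECTED_ROLES = {
    "Application.Read.All", "Directory.ReadWrite.All", "GroupMember.ReadWrite.All",
    "Group.ReadWrite.All", "User.EnableDisableAccount.All",
    "User.ManageIdentities.All", "User-PasswordProfile.ReadWrite.All",
}
# One grant that is not in the baseline, so the audit has something to flag.
UNEXPECTED_ROLE = "RoleManagement.ReadWrite.Directory"

# Stand-in for the Microsoft Graph service principal's appRoles catalogue
# (GET /servicePrincipals/{graph-sp-id}?$select=appRoles): appRoleId -> name.
GRAPH_APP_ROLES = {f"00000000-0000-0000-0000-{i:012d}": name
                   for i, name in enumerate(sorted(EXPECTED_ROLES | {UNEXPECTED_ROLE}), 1)}
ROLE_ID = {name: rid for rid, name in GRAPH_APP_ROLES.items()}

# Stand-in for GET /servicePrincipals/{app-sp-id}/appRoleAssignments.
APP_ROLE_ASSIGNMENTS = [{"appRoleId": ROLE_ID[n], "resourceDisplayName": "Microsoft Graph"}
                        for n in sorted(EXPECTED_ROLES | {UNEXPECTED_ROLE})]

# Stand-in for the passwordCredentials array of GET /applications/{id}.
PASSWORD_CREDENTIALS = [
    {"displayName": "arctic-wolf-2024", "endDateTime": "2025-02-15T00:00:00Z"},
    {"displayName": "arctic-wolf-2025", "endDateTime": "2026-02-01T00:00:00Z"},
]
AUDIT_NOW = datetime(2025, 1, 20, tzinfo=timezone.utc)  # constructed "today"

def resolve_roles(assignments, catalog):
    """Map appRoleId GUIDs to permission names; unknown ids are kept verbatim."""
    return {catalog.get(a["appRoleId"], a["appRoleId"]) for a in assignments}

def audit_permissions(assignments, catalog=GRAPH_APP_ROLES, expected=EXPECTED_ROLES):
    """Return (missing, extra): baseline roles not granted, and grants beyond it."""
    granted = resolve_roles(assignments, catalog)
    return expected - granted, granted - expected

def expiring_secrets(credentials, now=AUDIT_NOW, within_days=30):
    """Client secret names already expired or expiring within the window."""
    cutoff = now + timedelta(days=within_days)
    names = []
    for cred in credentials:
        # Graph returns ISO 8601 UTC; keep seconds precision for portability.
        end = datetime.strptime(cred["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        if end.replace(tzinfo=timezone.utc) <= cutoff:
            names.append(cred["displayName"])
    return names
```

Against live data, feed the real appRoles catalogue and appRoleAssignments from Graph into the same functions; any name in the "extra" set is a grant that was never part of this guide and should be reviewed.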

Create a restricted access group

You can create a restricted access group and apply a Microsoft Conditional Access policy to it. Arctic Wolf recommends creating a new cloud-only group for Active Response.

This group is left intentionally empty upon creation. When Arctic Wolf takes certain response actions against potentially compromised users, the users are added to this group to restrict access to your organizational assets. For more information, see Conditional Access.
  1. Sign in to the Microsoft Entra admin center.
  2. In the navigation menu, click Groups.
  3. Click New group.
  4. Configure these fields:
    • Group type — Select Security.
    • Group name — Enter a descriptive name. For example, ArcticWolfRestrictedAccessGroup, and save this value to a safe, encrypted location. You will provide it to Arctic Wolf later.
    • Group description — (Optional) Enter a description for the restricted access group.
    • Membership type — Make sure that Assigned is selected.
  5. Click Create.
  6. In the navigation menu, click Conditional Access.
  7. Click Create new policy.
  8. Configure the policy:
    1. In the Name field, enter a name for the Conditional Access policy. For example, Arctic Wolf Restrict Access Policy.
    2. In the Users section, click 0 users and groups selected.
    3. On the Include tab, select Select users and groups, and then select Users and groups.
    4. On the Select users and groups page, search for the group that you created.
    5. Select the checkbox for the group, and then click Select.
    6. Optional: On the Exclude tab, select an emergency access or break-glass account.
      For more information, see Exclude users.
    7. In the Target resources section, click No target resources selected.
    8. On the Include tab, select the resources that you want to restrict access to.
      Arctic Wolf recommends selecting All resources, but exercise caution to make sure that you do not lock yourself out. For more information, see Conditional Access: Target resources.
    9. In the Grant section, click 0 controls selected.
    10. Click Block access, and then click Select.
    11. In the Enable policy section, click the toggle to the On position.
      You can use the Report-only setting to test the impact of a Conditional Access policy, but for the response action to work, the toggle must be set to the On position. For more information, see Analyze Conditional Access Policy Impact.
  9. Click Create.
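A validator for the group and policy created above, covering the settings that silently break the response action: a group that is not a cloud-sourced Assigned security group, and a policy left in Report-only rather than On. This is an added example, not Arctic Wolf's code; both records are constructed to mimic Microsoft Graph group and conditionalAccessPolicy objects, with placeholder ids, and the sample policy is deliberately left in report-only state.

```python
# Added example, not Arctic Wolf's code: offline checks that the restricted access
# group and its Conditional Access policy match the steps above. Both records are
# constructed to mimic Microsoft Graph objects; all ids are placeholders.
RESTRICTED_GROUP = {
    "id": "11111111-1111-1111-1111-111111111111",
    "displayName": "ArcticWolfRestrictedAccessGroup",
    "securityEnabled": True, "mailEnabled": False,
    "groupTypes": [],               # empty list means Assigned membership
    "onPremisesSyncEnabled": None,  # null/False means cloud-only, not AD-synced
}
CA_POLICY = {
    "displayName": "Arctic Wolf Restrict Access Policy",
    "state": "enabledForReportingButNotEnforced",  # Report-only: will NOT block
    "conditions": {
        "users": {"includeGroups": [RESTRICTED_GROUP["id"]],
                  "excludeUsers": ["break-glass-placeholder-id"]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

def group_findings(group):
    """Reasons the group cannot serve as the restricted access group."""
    findings = []
    if not group.get("securityEnabled") or group.get("mailEnabled"):
        findings.append("group must be a Security group")
    if group.get("groupTypes"):
        findings.append("membership type must be Assigned, not dynamic")
    if group.get("onPremisesSyncEnabled"):
        findings.append("group is synced from on-premises AD; a cloud-sourced group is required")
    return findings

def policy_findings(policy, group_id):
    """Reasons the Conditional Access policy will not enforce the restriction."""
    findings = []
    state = policy.get("state")
    if state != "enabled":
        findings.append(f"policy state is {state!r}; must be 'enabled' (Report-only does not block)")
    users = policy.get("conditions", {}).get("users", {})
    if group_id not in users.get("includeGroups", []):
        findings.append("restricted access group is not in the policy's included groups")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        findings.append("grant control is not Block access")
    if not users.get("excludeUsers"):
        findings.append("advisory: no emergency access account is excluded (lockout risk)")
    return findings
```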

Provide Entra ID Active Response credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Organization Profile > Integrations.
  3. On the Active Response tab, click New Active Response Integration +.
  4. Click Microsoft Entra ID.
  5. On the New Active Response Integration page, configure these settings:
  6. Click Save Integration.