
Microsoft 365
BitLyft AIR® connects directly to Microsoft 365 and Entra ID via the Microsoft Graph API, enabling automated detection and response across identity, email, SharePoint, Teams, and OneDrive — your entire Microsoft environment in a single automated loop.
15+ Detection Policies
8 Response Actions
< 1s Avg. Response Time
What BitLyft AIR® Does with Microsoft 365
The Microsoft 365 integration is the core of the AIR® platform. Using the Microsoft Graph API, AIR® ingests audit logs from Entra ID, Exchange Online, SharePoint, OneDrive, and Teams — correlating events across all workloads to detect identity compromise, data loss, and administrative abuse in real time.
When a threat is detected, AIR® executes response actions directly against Microsoft 365 — revoking sessions, disabling accounts, removing forwarding rules, and enforcing MFA — without requiring analyst intervention. Detection triggers response. Response executes. Analysts are notified of the outcome.
Identity Protection
Entra ID sign-in risk, MFA fatigue, credential stuffing, impossible travel, admin role abuse.
Email Security
Phishing containment, forwarding rule removal, mailbox audit log monitoring.
Data Loss Prevention
SharePoint and OneDrive exfiltration detection, file sharing anomalies, Teams data leakage.
Conditional Access
Automated policy assignment and enforcement as part of containment workflows.
Automated Response Actions
Revoke User Sign-In Sessions
Immediately terminate all active sessions for a compromised user account.
Disable User Account
Set accountEnabled to false in Entra ID to prevent further access.
Reset User Password
Force a password reset, prompting the user on next login.
Enable MFA for User
Apply a Conditional Access MFA policy to a targeted user.
Assign User to Conditional Access Policy
Add a user to an existing policy scope automatically.
Remove Mailbox Forwarding Rule
Delete attacker-planted forwarding configurations that exfiltrate email.
List Entra ID Risky Users
Retrieve users flagged as risky by Microsoft Identity Protection.
Get User Sign-In Activity
Pull recent sign-in logs for a specific user for investigation.
Out-of-the-Box Detection Policies
Impossible Travel
Sign-ins from geographically impossible locations within a short timeframe.
MFA Fatigue Attack
Repeated MFA push requests targeting a user to approve fraudulent access.
Credential Stuffing
High-volume failed login attempts across multiple accounts.
Admin Role Change
Unexpected modifications to privileged roles or permissions.
Mailbox Forwarding Rule Created
Forwarding rules added to a mailbox — a common BEC indicator.
Suspicious OAuth App Consent
OAuth application granted excessive permissions by a user.
SharePoint Data Exfiltration
Abnormal volume of SharePoint or OneDrive file downloads.
Service Account Anomaly
Service account exhibiting unusual access patterns.
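As an added illustration of the Mailbox Forwarding Rule Created policy and the Remove Mailbox Forwarding Rule action listed above (example code written for this page, not BitLyft AIR® code), the following Python checks inbox rules shaped like Microsoft Graph messageRule objects for forwarding to external addresses and builds the Graph DELETE request that would remove each one. The sample rules, the contoso.example tenant domain, and the function names are constructed assumptions; the code makes no network calls.

```python
from urllib.parse import quote

# Constructed sample: inbox rules shaped like Microsoft Graph messageRule objects
# (as returned by GET /users/{id}/mailFolders/inbox/messageRules). Not real tenant data.
SAMPLE_RULES = [
    {"id": "rule-1", "displayName": "Invoices", "isEnabled": True,
     "actions": {"moveToFolder": "folder-42"}},
    {"id": "rule-2", "displayName": ".", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@mail.example.net"}}],
                 "markAsRead": True}},
    {"id": "rule-3", "displayName": "To assistant", "isEnabled": True,
     "actions": {"redirectTo": [{"emailAddress": {"address": "Pat@Contoso.example"}}]}},
    {"id": "rule-4", "displayName": "old", "isEnabled": False,
     "actions": {"forwardAsAttachmentTo": [{"emailAddress": {"address": "x@other.example"}}]}},
]

# messageRuleActions properties that send mail to another recipient.
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")

def external_targets(rule, internal_domains):
    """Return addresses a rule forwards or redirects to outside the given domains."""
    internal = {d.lower() for d in internal_domains}
    hits = []
    for action in FORWARD_ACTIONS:
        for rcpt in rule.get("actions", {}).get(action) or []:
            addr = (rcpt.get("emailAddress") or {}).get("address", "")
            domain = addr.rpartition("@")[2].lower()  # exact domain match only
            if addr and domain not in internal:
                hits.append(addr)
    return hits

def plan_containment(user_id, rules, internal_domains):
    """List each externally forwarding rule with the Graph request that deletes it."""
    plan = []
    for rule in rules:
        targets = external_targets(rule, internal_domains)
        if targets:
            plan.append({
                "rule_id": rule["id"],
                # Disabled rules are reported too: they can be switched back on.
                "enabled": rule.get("isEnabled", False),
                "targets": targets,
                "request": "DELETE /users/%s/mailFolders/inbox/messageRules/%s"
                           % (quote(user_id, safe="@"), quote(rule["id"], safe="")),
            })
    return plan

if __name__ == "__main__":
    for step in plan_containment("pat@contoso.example", SAMPLE_RULES, ["contoso.example"]):
        print(step)
```

This covers inbox rules only; forwarding configured at the mailbox level is a separate setting that a messageRule listing does not show.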
See the release notes
Microsoft 365 coverage was significantly expanded in v1.15 with 15 new detection policies, faster Graph API execution, and improved identity protection.
Read the v1.15 release post
Ready to automate your Microsoft 365 security?
See how AIR® detects and responds to threats across your entire Microsoft environment — automatically.