This guide walks you through connecting RAIDEN to your Microsoft 365 tenant and getting your first detections. The entire process takes around 15 minutes.
Early access — You are using an early access build of RAIDEN. Features are fully functional but some UI polish is still being completed. If you hit anything unexpected, contact your RAIDEN onboarding contact directly.

Before you start

You will need:
  • Your RAIDEN invite link (sent by your RAIDEN onboarding contact) — check your junk or spam folder if it does not arrive within a few minutes
  • A Microsoft 365 tenant
  • A Global Administrator account in that tenant (needed once, for admin consent)

Setup steps

1. Create your account

Click your RAIDEN invite link to open the account creation page.
  • New organisation — If you are setting up a new RAIDEN tenant, you will land on the signup page. Fill in your full name, work email, a secure password, your organisation name, and your invite code (pre-filled). Click Create Account. You will land on the onboarding wizard automatically.
  • Team member invite — If you were invited to join an existing organisation, the page only asks for your name and password. Your email address and role are already set from the invite.
2. Connect Microsoft 365

Connecting M365 is a two-step consent process. Both steps run automatically one after the other — you sign in and accept twice.
You may see an “Unverified publisher” warning from Microsoft. This is expected and safe — RAIDEN is in early access and Microsoft publisher verification is in progress. Click Accept to continue.
Step 2a — Microsoft Graph permissions
  1. Click Connect M365 in the onboarding wizard
  2. You are redirected to Microsoft’s admin consent page
  3. Sign in with a Global Administrator account for the M365 tenant you want to monitor
  4. Review the permissions and click Accept
Step 2b — Audit log feed permissions
  1. After accepting the first consent, Microsoft prompts you to sign in again — this is expected and is not an error
  2. A second consent page appears for the Office Management API
  3. Click Accept
  4. You are redirected back to RAIDEN with a connection confirmation
Why am I asked to sign in twice? RAIDEN needs permissions from two separate Microsoft APIs — Microsoft Graph and the Office Management Activity API. Microsoft does not allow both to be consented on a single screen, so the flow chains them automatically. Both use the same Global Administrator account and take under 30 seconds total.
3. Verify the connection

RAIDEN runs an automatic connectivity test after consent. It checks both the Microsoft Graph API and the audit log feed. The test completes in under 30 seconds.
If the connection fails, check the most common causes:
  • Audit logging not enabled — go to Microsoft Purview → Audit → Start recording user and admin activity
  • Insufficient privileges — the consenting account must be a Global Administrator
  • Second consent not completed — go to Settings → Connection and click Reconnect M365
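
An added PowerShell example (not RAIDEN's own tooling) that checks two of the causes above from the tenant side, audit logging and the second consent, and lists the permissions actually granted to the app. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed; `$AppName` is a placeholder, and "Microsoft Graph" and "Office 365 Management APIs" are the display names those two APIs carry in Entra ID.

```powershell
# Added example, not RAIDEN tooling. Requires the ExchangeOnlineManagement
# and Microsoft.Graph PowerShell modules.
# Placeholder (assumption): set to the application name shown on the consent page.
$AppName = '<RAIDEN enterprise application display name>'

# Cause: audit logging not enabled.
Connect-ExchangeOnline -ShowBanner:$false
$audit = Get-AdminAuditLogConfig
"Unified audit log ingestion enabled: $($audit.UnifiedAuditLogIngestionEnabled)"

# Cause: second consent not completed. Find the app's service principal.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppName'")
if ($sp.Count -ne 1) { throw "Expected one service principal named '$AppName', found $($sp.Count)." }
$sp = $sp[0]

# Application permissions (app role assignments), with role ids resolved to names.
$apis = @{}
$granted = @(foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    if (-not $apis.ContainsKey($a.ResourceId)) {
        $apis[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    }
    $role = $apis[$a.ResourceId].AppRoles | Where-Object Id -eq $a.AppRoleId
    [pscustomobject]@{ Api = $a.ResourceDisplayName; Type = 'Application'; Permission = $role.Value }
})

# Delegated permissions (OAuth2 permission grants), one row per scope.
$granted += @(foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
    $api = (Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId).DisplayName
    foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
        [pscustomobject]@{ Api = $api; Type = 'Delegated'; Permission = $scope }
    }
})

$granted | Sort-Object Api, Type, Permission | Format-Table -AutoSize

# Both APIs must appear; a missing one means that consent step did not complete.
foreach ($api in 'Microsoft Graph', 'Office 365 Management APIs') {
    if ($granted.Api -notcontains $api) {
        Write-Warning "No permissions granted on '$api'. Use Settings > Connection > Reconnect M365."
    }
}
```

The table it prints is also a record of what the two Accept clicks granted, which can be compared against the permissions shown on the consent pages.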
4. See your first detections

RAIDEN starts polling immediately after the connection is verified. The first poll processes the last 24 hours of audit logs. Findings typically appear within 5–10 minutes depending on your tenant activity level.
Go to Cases to see grouped investigations, or Alerts to see individual findings.

| Term | What it is |
| --- | --- |
| Alert | A single detection event — for example, one suspicious sign-in from an unusual location |
| Case | A group of related alerts for the same user, treated as one investigation |

Start with Cases. Each case has an AI-generated investigation report that summarises all evidence. Read that before looking at individual alerts.
5. Invite your team

  1. Go to Settings → Team
  2. Click Invite User
  3. Enter their email address and select a role
  4. Click Send Invite — an invite link is generated, valid for 7 days
  5. Copy the link from the Pending Invites list and send it to them directly

| Role | What they can do |
| --- | --- |
| Owner | Full access — team management, M365 connection, all settings |
| Admin | Full access except owner-only settings — can invite users and change roles |
| Analyst | View and action cases and alerts, mark false positives, export reports |
| Viewer | Read-only access to cases and alerts |

6. Set up notifications

RAIDEN sends email alerts when a new High or Critical case is created. Owners, Admins, and Analysts receive these automatically.
To adjust notification settings, go to Settings → Notifications.

Getting help

Email support@raidenhq.com. Standard queries receive a response within 1 business day. For active compromise situations, include URGENT in the subject line. When raising a support request, include:
  • Your organisation name or tenant slug (shown in Settings → Account)
  • The Case or Alert ID if asking about a specific detection
  • A brief description of what you expected to see and what you saw instead