Skip to main content

NG SIEM - Microsoft 365 Integration

Overview

This integration with Microsoft Office 365 supports the ingestion of user, administrator, system, and policy-related events. It leverages the Office 365 Management Activity API to retrieve activity logs from both Office 365 and Azure Active Directory (Azure AD).

This guide outlines the required steps to integrate with Microsoft Office 365 and Azure AD using the Office 365 Management Activity API. It covers application registration, permission setup, audit log configuration, and retrieval of key credentials for secure API access.

Requirements

Summary of Actions Required:

  1. Register an Application in Microsoft Entra ID (formerly Azure AD) to establish identity and enable API access.

  2. Configure API Permissions for Microsoft Graph and Office 365 Management APIs to authorize required data access.

  3. Grant Admin Consent to ensure permissions are applied tenant-wide.

  4. Collect Key Credentials such as Application ID, Tenant ID, and Client Secret for use in your integration.

  5. Verify if Unified Audit Logging is Enabled in Microsoft 365 to ensure activity data is available via the API.

Action Items Before Proceeding:

  • Ensure you have Global Admin access to your Azure/Microsoft 365 tenant.

  • Prepare to create or use an existing App Registration in Microsoft Entra ID.

  • Confirm that Unified Audit Logging is enabled; otherwise, prepare to activate it via the Microsoft 365 portal or PowerShell.

  • Take note of your admin email address for PowerShell commands if using CLI to manage audit log settings.

Steps to Configure Office 365 Integration for the Client

Step 1: Microsoft Entra ID - App Registration

Register Your Application in Microsoft Entra ID:

  • Log in to your Azure Account, click here -  Azure Portal Link.

  • Navigate to Azure Active Directory > App registrations.

  • Click New Registration.

  • Provide a Name for the application, we can suggest "CyTechAQUILA-Monitoring". 

  • Click Register. 

Step 2: API Permissions

Microsoft Graph API Permissions:

If User.Read permission under Microsoft Graph tile is not added by default, add this permission.

  • Navigate to App registrations in the Azure Portal.

  • Select the App you just created, then go to API Permissions. 

  • Search for Microsoft Graph.
  • Click Add a permission.
  • Select Microsoft Graph > Delegated permissions.
  • Search for and add User.Read. 

Office 365 Management API Permissions: 

  • Search for Office 365 Management APIs and add the required permissions. 

  • In Application Permissions, look for permissions.

  • Under ActivityFeed select: ActivityFeed.Read 

  • Optionally, select ActivityFeed.ReadDLP to read DLP policy events.

Grant Admin Consent: 

  • In API Permissions, click Grant admin consent for <tenant name>.

  • Confirm the action. 

Step 3: Integration Requirements for Office 366

Application (Client) ID: 

  • Go to App registrations > Select your application.

  • Copy the Application (client) ID from the overview page. 

Directory (Tenant) ID: 

  • In the Azure Portal, navigate to Azure Active Directory > Overview.

  • Copy the Directory (tenant) ID. 

Create New Client Secret (Value): 

  • In App registrations > Select your application, go to Certificates & secrets.

  • Click New client secret.

  • Add a description and expiration period, then click Add.

  • Copy the Value (displayed only once). 

Step 4: Verify Unified Audit Logging is Enabled

Unified Audit Logging must be enabled before accessing data via the Office 365 Management Activity API. 

Method 1: Using Microsoft 365 Security & Compliance Center 

  1. Sign in to Microsoft 365:

  1. Access the Security & Compliance Center:

  1. Navigate to Audit Log Search:

    • In the Security & Compliance Center, go to Search in the left-hand menu and click on Audit log search. 

  1. Check Audit Log Status:

    • If you see an option to search the audit log, then audit logging is already enabled.

    • If you see a banner that says "Start recording user and admin activity" or a prompt to enable auditing, it means that audit logging is not yet enabled. 

  1. Enable Audit Logging:

    • If audit logging is not enabled, you can click on the prompt to enable it. This will enable auditing for all activities within your Microsoft 365 environment. The process may take a few hours to be fully operational. 

Please provide the following information to CyTech: 

  • Directory (tenant) ID: 
  • Application (client) ID:
  • Client Secret Value: 

No comments to display

Back to top