Skip to main content

Microsoft Office 365 Log Ingestion

https://support.todyl.com/hc/en-us/articles/4413461476883-Microsoft-Office-365-Log-Ingestion

Prerequisites

  1. Verify that you are a global admin and that your tenant license includes Standard Auditing. 
  2. Ensure Global Audit logging is enabled (see steps below).

For GCC High or other GCC environments:

  • GCC Government, GCC High Government (GCCH), and DoD Government environments are now supported on Cloud to Cloud based deployments. Select the appropriate type under Subscription Plan on the Configure Microsoft Office 365 window. 

Requirements:

Configure Office 365 API Access

Step 1Entra ID.png

  1. Login to https://portal.azure.com with your Office 365 global admin account and search for Microsoft Entra ID
  2. Click Microsoft Entra ID

Step 2

mceclip1.png

  1. Click App registrations on the left navigation menu
  2. Click New Registration

 

Step 3

mceclip2.png

  1. Enter an easily recognizable name for the integration, such as SGN Log Ingestion
  2. Select Accounts in this organizational directory only (YourTenant only - Single Tenant)
  3. Click Register

Step 4

mceclip11.png

  1. Copy the Application (client) ID displayed to a safe location. You will need this value in the Todyl Portal.  (Todyl Portal Configuration Section Application ID Field)
  2. Copy the Directory (tenant) ID displayed to a safe location. You will also need this value in the Todyl Portal.  (Todyl Portal Configuration Section Tenant ID Field)

Step 5

mceclip5.png

  1. Click API permissions in the left navigation menu
  2. Click + Add a permission
  3. Select Office 365 Management APIs from the blade that opens.

Step 6

mceclip0.png

  1. Select the Application permissions tab
  2. Select all the {name}.Read permissions from the list below.

Depending on your Active Directory setup, you may have more options than shown in the screenshot above. While the above example only shows ActivityFeed and ServiceHealth, you may have others, including Activity Reports, Threat Intelligence, and more. Please select all .read options, then click Add Permissions.

Step 7

  1. Stay on the API Permissions page.
  2. Click +Add a permission a second time.
  3. Select Microsoft Graph.

Step 8

  1. Select the Application permissions tab.
  2. Select the Directory.Read.All permission from the list.

Step 9

  1. Take note of the Status here, as if permission is not granted, you'll need to do so.
  2. Click Grant admin consent for {YourTenant}

 

Step 10

mceclip9.png

  1. Click Certificates & secrets from the left navigation menu
  2. Click + New client secret
  3. From the blade that opens, enter a recognizable name such as SGN Log Ingestion
  4. Select an Expiration time

Click Add to close the blade and continue.

Step 11

mceclip10.png

  1. Copy the Value of the newly created secret. It will not be displayed again, so save it to a secure location as you will need to enter this in your Todyl Portal.  (Todyl Portal Configuration Section Client Secret Value)

Step 12

Enable Global Audit Logging:

https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide

Todyl Portal Configuration Steps

In your Todyl Portal, under the Office365 Log Ingestion Configuration, enter the following:

  • Tenant ID:  Copied from Step 4
  • Application ID: Copied from Step 4
  • Client Secret Value: Copied from Step 11
  • Subscription Plan: Select based on your O365 Environment. Enterprise is the default if you are not using a Government Cloud Version.

A screenshot of a computer Description automatically generated

 

Troubleshooting and Error handling (C2C)

Awaiting Data from Microsoft
This is an initial status you may see when you first set up a C2C O365 integration if the tenant was created less than 24 hours ago or if you just enabled Global Audit Logging.

To verify that this is the case, you can double check that Global Audit Logging is enabled by following the steps below and ensuring that you are seeing audit logs within your Microsoft Audit Environment. If that is the case, there is nothing else that you need to do at this time, and this error should self-resolve within 24 hours.

For more information or to ensure that Global Audit Logging is enabled please go to: https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide.

Integration Failed
Something has failed with your O365 Integration, please ensure that Global Audit Logging is enabled and delete and re-add your integration making sure to double check your configurations by following the steps outlined in the Setting up O365 with Cloud-to-Cloud section above for more information and screenshots.
For more information or to ensure that Global Audit Logging is enabled please go to: https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide.

Invalid Credential
The client secret associated with this integration is invalid or expired. To address this
1. Log into your MS admin portal.
2. Search for App Registrations.
3. Click the appropriate App.
4. Click Certificates & secrets from the left navigation menu.
5. Click + New client secret.
6. Generate a new secret.
7. Insert the new key into your Todyl O365 configuration.

For more information and screenshots please see Steps 10 and 11 in the Setting up O365 with Cloud-to-Cloud section above for more information and screenshots.

Expired Credential
The secret key associated with this configuration has expired. Please follow the steps under the Invalid Credential section of this article above to regenerate a new key and insert it into your Todyl O365 configuration.

Insufficient Permissions
Your Integration does not have sufficient permissions. Please go to the API permissions page in your O365 environment and ensure you have provided the appropriate application permissions and admin consent for your instance. See Steps 5-7 in the Setting up O365 with Cloud-to-Cloud section above for more information and screenshots.

No Comments
Back to top