# Microsoft Office 365 Log Ingestion

[https://support.todyl.com/hc/en-us/articles/4413461476883-Microsoft-Office-365-Log-Ingestion](https://support.todyl.com/hc/en-us/articles/4413461476883-Microsoft-Office-365-Log-Ingestion)

# Prerequisites

1. Verify that you are a global admin and that your tenant license includes Standard Auditing.
2. Ensure Global Audit logging is enabled (see steps below).

## For GCC High or other GCC environments:

- GCC Government, GCC High Government (GCCH), and DoD Government environments are now supported on Cloud to Cloud based deployments. Select the appropriate type under Subscription Plan on the Configure Microsoft Office 365 window.

## Requirements:

- Global Admin Account
- Tenant License including Standard Auditing: 
    - [https://learn.microsoft.com/en-us/purview/audit-solutions-overview](https://learn.microsoft.com/en-us/purview/audit-solutions-overview)
- The following link shows users and their assigned licenses: 
    - [https://portal.office.com/Adminportal/Home/#/users](https://portal.office.com/Adminportal/Home/#/users)
- The following link shows paid licenses and counts: 
    - [https://portal.office.com/Adminportal/Home/#/licenses](https://portal.office.com/Adminportal/Home/#/licenses)
- Global Audit Logging enabled 
    - [https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide](https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide)

# Configure Office 365 API Access

### Step 1

![Entra ID.png](https://support.todyl.com/hc/article_attachments/21147651258515)

1. Log in to [https://portal.azure.com](https://portal.azure.com/) with your Office 365 global admin account and search for **Microsoft Entra ID**
2. Click **Microsoft Entra ID**

### Step 2

![mceclip1.png](https://support.todyl.com/hc/article_attachments/4413567828371)

1. Click **App registrations** on the left navigation menu
2. Click **New Registration**

### Step 3

![mceclip2.png](https://support.todyl.com/hc/article_attachments/4413563317011)

1. Enter an easily recognizable name for the integration, such as **SGN Log Ingestion**
2. Select **Accounts in this organizational directory only (YourTenant only - Single Tenant)**
3. Click **Register**

### Step 4

![mceclip11.png](https://support.todyl.com/hc/article_attachments/4413568092307)

1. Copy the **Application (client) ID** displayed to a safe location. You will need this value in the [Todyl Portal](https://portal.todyl.com/portal/integration/o365). (Todyl Portal Configuration Section Application ID Field)
2. Copy the **Directory (tenant) ID** displayed to a safe location. You will also need this value in the [Todyl Portal](https://portal.todyl.com/portal/integration/o365). (Todyl Portal Configuration Section Tenant ID Field)

### Step 5

![mceclip5.png](https://support.todyl.com/hc/article_attachments/4413573840403)

1. Click **API permissions** in the left navigation menu
2. Click + **Add a permission**
3. Select **Office 365 Management APIs** from the blade that opens.

### Step 6

![mceclip0.png](https://support.todyl.com/hc/article_attachments/4413764005651)

1. Select the **Application permissions** tab
2. Select all the {name}.**Read** permissions from the list below.

**\*** Depending on your Active Directory setup, you may have more options than shown in the screenshot above. While the above example only shows ActivityFeed and ServiceHealth, you may have others, including Activity Reports, Threat Intelligence, and more. Please select **all .read** options, then click **Add Permissions.**

### Step 7

![](https://support.todyl.com/hc/article_attachments/28065698685203)

1. Stay on the API Permissions page.
2. Click **+Add a permission** a second time.
3. Select **Microsoft Graph**.

### Step 8

![](https://support.todyl.com/hc/article_attachments/28065668144659)

1. Select the **Application permissions** tab.
2. Select the **Directory.Read.All** permission from the list.

### Step 9

![](https://support.todyl.com/hc/article_attachments/28065698722835)

![](https://support.todyl.com/hc/article_attachments/28066014540947)

1. Take note of the **Status** here; if permission has not been granted, you will need to grant it.
2. Click **Grant admin consent for {YourTenant}**

### Step 10

![mceclip9.png](https://support.todyl.com/hc/article_attachments/4413563634323)

1. Click **Certificates & secrets** from the left navigation menu
2. Click **+ New client secret**
3. From the blade that opens, enter a recognizable name such as **SGN Log Ingestion**
4. Select an **Expiration time**
5. Click **Add** to close the blade and continue.


### Step 11

![mceclip10.png](https://support.todyl.com/hc/article_attachments/4413568079763)

1. Copy the **Value** of the newly created secret. It will not be displayed again, so save it to a secure location as you will need to enter this in your [Todyl Portal](https://portal.todyl.com/portal/integration/o365). (Todyl Portal Configuration Section Client Secret Value)

### Step 12

Enable Global Audit Logging:

[https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide](https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide)

# Todyl Portal Configuration Steps

In your Todyl Portal, under the Office365 Log Ingestion Configuration, enter the following:

- **Tenant ID:**  Copied from [Step 4](https://support.todyl.com/hc/en-us/articles/4413461476883-Microsoft-Office-365-Log-Ingestion#h_01HB77EAA3B9MT5CKQ09Q29YKQ)
- **Application ID:** Copied from [Step 4](https://support.todyl.com/hc/en-us/articles/4413461476883-Microsoft-Office-365-Log-Ingestion#h_01HB77EAA3B9MT5CKQ09Q29YKQ)
- **Client Secret Value:** Copied from [Step 11](https://support.todyl.com/hc/en-us/articles/4413461476883-Microsoft-Office-365-Log-Ingestion#h_01HB77EAA30ZM85A4PCCVRPGN1)
- **Subscription Plan:** Select based on your O365 Environment. Enterprise is the default if you are not using a Government Cloud Version.

![A screenshot of a computer](https://support.todyl.com/hc/article_attachments/24935317965459)

# Troubleshooting and Error handling (C2C)

**Awaiting Data from Microsoft**  
This is an initial status you may see when you first set up a C2C O365 integration if the tenant was created less than 24 hours ago or if you just enabled Global Audit Logging.

To verify that this is the case, you can double check that Global Audit Logging is enabled by following the steps below and ensuring that you are seeing audit logs within your Microsoft Audit Environment. If that is the case, there is nothing else that you need to do at this time, and this error should self-resolve within 24 hours.

For more information or to ensure that Global Audit Logging is enabled, please go to: [https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide](https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide).

**Integration Failed**  
Something has failed with your O365 integration. Ensure that Global Audit Logging is enabled, then delete and re-add your integration, double-checking your configuration against the steps and screenshots in the [Setting up O365 with Cloud-to-Cloud](https://support.todyl.com/hc/en-us/articles/4413461476883-Microsoft-Office-365-Log-Ingestion#h_01HB77EAA3E9NTW62TBBSB82MK) section above.  
For more information or to ensure that Global Audit Logging is enabled, please go to: [https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide](https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide).

#### **Invalid Credential**  
The client secret associated with this integration is invalid or expired. To address this:

1. Log in to your MS admin portal.
2. Search for App Registrations.
3. Click the appropriate App.
4. Click Certificates & secrets from the left navigation menu.
5. Click + New client secret.
6. Generate a new secret.
7. Insert the new key into your Todyl O365 configuration.

For more information and screenshots, please see [Steps 10 and 11](https://support.todyl.com/hc/en-us/articles/4413461476883-Microsoft-Office-365-Log-Ingestion#h_01HB77EAA30FP2MYX917NM948D) in the Setting up O365 with Cloud-to-Cloud section above.

#### **Expired Credential**  
The secret key associated with this configuration has expired. Please follow the steps under the [Invalid Credential](https://support.todyl.com/hc/en-us/articles/4413461476883-Microsoft-Office-365-Log-Ingestion#h_01HWB6V9PK492WC50QHVAZGMF8) section of this article above to generate a new key and insert it into your Todyl O365 configuration.

**Insufficient Permissions**  
Your Integration does not have sufficient permissions. Please go to the API permissions page in your O365 environment and ensure you have provided the appropriate application permissions and admin consent for your instance. See [Steps 5-7](https://support.todyl.com/hc/en-us/articles/4413461476883-Microsoft-Office-365-Log-Ingestion#h_01HB77EAA39RES057QYBB7SJGR) in the Setting up O365 with Cloud-to-Cloud section above for more information and screenshots.
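To check an app registration independently of the portal, the following added example (not Todyl's code) requests an app-only token for the Office 365 Management API using the values from Steps 4 and 11 and reports which of the statuses above applies. The environment variable names, the `sample_token` helper, and the mapping from Entra ID error codes to these status names are assumptions of the example.

```python
import base64, json, os, urllib.error, urllib.parse, urllib.request

# Office 365 Management API permissions named on this page (Step 6); extend
# the set if your tenant lists further {name}.Read permissions.
REQUIRED_ROLES = {"ActivityFeed.Read", "ServiceHealth.Read"}

def request_token(tenant_id, client_id, client_secret,
                  scope="https://manage.office.com/.default"):
    """Client-credentials request (Enterprise-plan hosts); returns the JSON body."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": scope}).encode()
    try:
        with urllib.request.urlopen(url, data=form, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)  # Entra ID returns a JSON error body

def token_roles(access_token):
    """Read the 'roles' claim from the JWT payload (inspection only, no signature check)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def diagnose(response, required=REQUIRED_ROLES):
    """Map a token response to this page's status names (mapping is an assumption)."""
    desc = response.get("error_description", "")
    if "AADSTS7000222" in desc:      # provided client secret keys are expired
        return "Expired Credential"
    if "AADSTS7000215" in desc:      # invalid client secret provided
        return "Invalid Credential"
    if "access_token" not in response:
        return "Integration Failed: " + response.get("error", "unknown")
    missing = set(required) - token_roles(response["access_token"])
    if missing:
        return "Insufficient Permissions: missing " + ", ".join(sorted(missing))
    return "OK"

def sample_token(roles):
    """Constructed, unsigned token for offline testing; not a real credential."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), "constructed"])

if __name__ == "__main__":  # assumed env var names keep the secret off the command line
    e = os.environ
    print(diagnose(request_token(e["O365_TENANT_ID"], e["O365_CLIENT_ID"], e["O365_CLIENT_SECRET"])))
```

Permissions that have been added but not yet granted admin consent (Step 9) do not appear in the token's `roles` claim, so the check reports them as missing.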