Overview
Global Administrators of Microsoft 365 can configure their productivity suite to send Office 365 unified audit logs to Blumira for threat detection. Blumira then intelligently analyzes those logs to automatically detect suspected threats, notify you of those threats, and provide you with an actionable response.
You can configure Microsoft 365 logging via App Registration inside of Azure Active Directory (AD) to send compliance and activity logs to Blumira. This integration is not dependent on other Microsoft and Blumira integrations. It is a native API integration from which you will be able to log, report, and detect security threats within Blumira.
Important: This integration requires Basic or Advanced Purview licensing for each user; users without a Purview license are excluded from logging. Some Blumira detections rely on data that requires Office 365 E3 or Office 365 Business Premium licensing together with our Event Hubs integration with Azure Active Directory. Advanced Purview licensing provides greater visibility than Basic. Additionally, Microsoft versions tenants differently, which can result in some logs being categorized differently (e.g., security logs being categorized as compliance logs).
Note: Data is collected from the time of a successful integration configuration onward and includes data from up to 7 days prior to the integration.
Before you begin
Verify that your tenant license includes Auditing before continuing with the steps below.
Reference: See the list of licenses that meet this requirement in Auditing solutions in Microsoft 365: Licensing Requirements. Advanced Audit provides the most event data to Blumira.
Before you can add the Microsoft 365 Cloud Connector in Blumira, you must gather three credentials from your Azure Active Directory admin center:
- Application (client) ID
- Directory (tenant) ID
- Client secret value
Complete the following steps in Azure Active Directory to gather the required credentials:
- Confirm that you are a Global Admin in Microsoft 365.
Important: If you are not a Global Admin, you will not be able to send logs to Blumira.
- Enable auditing for your organization in your Microsoft 365 compliance settings, by completing these steps:
  - Log in to https://compliance.microsoft.com.
  - In the left navigation pane of the compliance portal, click Audit.
  - Click Start recording user and admin activity.
Note: It might take up to 60 minutes for the change to take effect.
Reference: See Microsoft's Use the compliance center to turn on auditing for more information.
- Log in to https://aad.portal.azure.com.
- Click Azure Active Directory.
- Navigate to Manage > App registrations.
- Click Register an application or + New registration.
- Type the name (e.g., Microsoft 365 Audit Logs to Blumira).
- Under Supported Account Types, select Accounts in this organizational directory only, and then click Register.
- Copy and save the Application (client) ID and the Directory (tenant) ID to be used in later steps.
- In the second-to-left panel, click API permissions.
- Click Add a Permission.
- Click Office 365 Management API.
- Click Application Permissions.
- Expand ActivityFeed, and select the check boxes next to ActivityFeed.Read and ActivityFeed.ReadDlp.
- At the bottom, click Add permissions.
Important: Click Grant admin consent.
- In the Status column, confirm that Admin consent was granted (a green check mark appears).
- Click Certificates & secrets.
- Click New client secret.
- In the Description box, type a descriptive name (e.g., Blumira sensor).
- Select any timeframe that you’re comfortable with (up to 24 months), and then click Add.
Tip: Set yourself a reminder to rotate the secret before it expires; once it has expired, Blumira can no longer authenticate to Microsoft and log collection stops.
- Document the client secret value to be used in later steps. The value is displayed only once, immediately after you click Add; if you navigate away without copying it, create a new secret.
Important: Do not copy the “Secret ID,” which is only an object reference to the value and will not allow Blumira to collect logs.
- Wait at least one minute after generating the client secret before proceeding with the steps below in Blumira.
Note: There can be approximately one minute of latency between when Microsoft generates a Client secret and when it successfully works in an API request.
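The portal steps above can also be scripted, which is useful when you manage several tenants or want the registration to be reproducible. The following is an added example written for this page with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph); it is not a script provided by Blumira or Microsoft. It performs the same actions as the steps above: a single-tenant app registration, the ActivityFeed.Read and ActivityFeed.ReadDlp application permissions on the Office 365 Management APIs, admin consent, and a client secret. The display names, the 12-month secret lifetime, and the assumption that the Office 365 Management APIs service principal is present in your tenant under its well-known application ID are choices made for the example; run it as a Global Admin.

```powershell
# Added example, not Blumira's or Microsoft's own script.
# Requires the Microsoft.Graph module and a Global Admin sign-in.

# Scopes needed to create app registrations and to grant application permissions (admin consent).
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

$appName    = "Microsoft 365 Audit Logs to Blumira"   # assumed display name
$secretName = "Blumira sensor"                        # assumed secret description

# Resolve the Office 365 Management APIs resource by its well-known application ID, then look up
# the two ActivityFeed application roles by value so no role GUIDs are hardcoded.
$o365MgmtAppId = "c5393580-f805-4401-95e8-94b7a6ef2fc2"
$resource = Get-MgServicePrincipal -Filter "appId eq '$o365MgmtAppId'"
if (-not $resource) { throw "Office 365 Management APIs service principal not found in this tenant." }
$roles = @($resource.AppRoles | Where-Object { $_.Value -in @("ActivityFeed.Read", "ActivityFeed.ReadDlp") })
if ($roles.Count -ne 2) { throw "Expected both ActivityFeed application roles on the resource." }

# Register the application: accounts in this organizational directory only, requesting exactly
# the two application permissions (Type = "Role" means application, not delegated, permission).
$requiredAccess = @{
    ResourceAppId  = $o365MgmtAppId
    ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = "Role" } })
}
$app = New-MgApplication -DisplayName $appName -SignInAudience "AzureADMyOrg" `
       -RequiredResourceAccess @($requiredAccess)

# The enterprise application (service principal) must exist before consent can be recorded on it.
$sp = New-MgServicePrincipal -AppId $app.AppId

# "Grant admin consent" for application permissions is an app role assignment per role.
foreach ($role in $roles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
        -PrincipalId $sp.Id -ResourceId $resource.Id -AppRoleId $role.Id | Out-Null
}

# Create the client secret. SecretText is the "Client secret value" Blumira needs and is only
# returned here; KeyId is the "Secret ID" the page warns against and is useless as a credential.
$cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = $secretName
    EndDateTime = (Get-Date).AddMonths(12)
}

# The three values to enter in the Cloud Connector, plus the expiry to put in your reminder.
[pscustomobject]@{
    "Application (client) ID" = $app.AppId
    "Directory (tenant) ID"   = (Get-MgContext).TenantId
    "Client secret value"     = $cred.SecretText
    "Secret expires"          = $cred.EndDateTime
}
```

Store the secret value in your password manager straight from the output; as with the portal, it cannot be read back later. The one-minute propagation delay noted above applies to secrets created this way as well, so do not paste the values into Blumira immediately.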
Configuring the Microsoft 365 Cloud Connector
Cloud Connectors automate the configuration of your integrations without requiring you to use a sensor. After you obtain your integration's configuration parameters, you can then enable Blumira to collect your logs.
To configure your integration with Blumira Cloud Connector:
- In the Blumira app, go to the Cloud Connectors page (Settings > Cloud Connectors).
- Click + Add Cloud Connector.
- In the Available Cloud Connectors window, click the connector that you want to add.
- If you want to change the name of the Cloud Connector, type the new name in the Cloud Connector Name box.
- Enter the API credentials that you collected in the "Before you begin" section above.
- Click Connect.
- On the Cloud Connectors screen, under Current Status, you can view the configuration’s progress. When the configuration completes, the status changes to Online (green dot).
Important: If you previously deployed a Module for this integration, then you must remove it via the Sensors page (Settings > Sensors) to avoid log duplication.
Note: Sometimes, it can take over 3 hours before Microsoft audit logging (Step 2 of the "Before you begin" section above) is truly enabled. In these instances, you will see an error in the Cloud Connector in Blumira: "Error: Please make sure that Unified Audit Logging is enabled." If you are certain that auditing has been enabled, it is likely that a system delay in Microsoft is causing the error.
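When the Cloud Connector reports an error, it helps to separate an authentication problem (wrong secret, expired secret, consent not granted) from the Microsoft-side audit-logging delay described in the note above. The following added example, which is not Blumira tooling, exercises the three credentials directly against the Office 365 Management Activity API: it obtains an application token, decodes the token's roles claim to confirm that both ActivityFeed permissions were consented, and then calls the read-only subscriptions/list endpoint, which is the same API Blumira collects from. The placeholder values are assumptions to be replaced with the credentials you saved; the listing call does not start or change any subscription, so it is safe to run beside an active connector.

```powershell
# Added example, not Blumira's own tooling. Replace the three placeholders with your saved values.
$tenantId     = "<Directory (tenant) ID>"
$clientId     = "<Application (client) ID>"
$clientSecret = "<Client secret value>"

# 1. Client-credentials token for the Office 365 Management APIs resource.
#    A failure here (typically invalid_client / AADSTS7000215) means the Secret ID was pasted
#    instead of the value, the secret has expired, or it was created less than a minute ago.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -ContentType "application/x-www-form-urlencoded" `
    -Body @{
        grant_type    = "client_credentials"
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = "https://manage.office.com/.default"
    }
$accessToken = $tokenResponse.access_token

# 2. Decode the JWT payload (base64url, unpadded) and check the consented application roles.
#    If ActivityFeed.Read or ActivityFeed.ReadDlp is missing, admin consent was not granted.
$payload = $accessToken.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload = $payload.PadRight($payload.Length + (4 - $payload.Length % 4) % 4, '=')
$claims  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
$missing = @("ActivityFeed.Read", "ActivityFeed.ReadDlp") | Where-Object { $_ -notin @($claims.roles) }
if ($missing) { Write-Warning "Consent missing for: $($missing -join ', ')" }
else          { "Consented roles: $($claims.roles -join ', ')" }

# 3. Read-only call to the Management Activity API. An empty list is fine (Blumira creates the
#    subscriptions it needs); an error body here with valid credentials and consent points to
#    unified audit logging not yet being in effect on the Microsoft side.
try {
    $subs = Invoke-RestMethod -Method Get `
        -Uri "https://manage.office.com/api/v1.0/$tenantId/activity/feed/subscriptions/list" `
        -Headers @{ Authorization = "Bearer $accessToken" }
    if ($subs) { "Subscriptions: " + (($subs | ForEach-Object { "$($_.contentType)=$($_.status)" }) -join ', ') }
    else       { "Token and consent are valid; no subscriptions exist yet." }
} catch {
    "Management API error: $($_.ErrorDetails.Message)"
}
```

If step 1 and step 2 succeed and only step 3 fails, the credentials you entered in Blumira are correct and the remaining wait is on Microsoft; if step 1 fails, fix the secret before touching anything else.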
Running a log test with Microsoft 365
Check to see that Blumira is successfully receiving your Microsoft 365 logs by running a simple test: create a new rule in Outlook 365. Whenever a new Outlook rule is created, Blumira will generate a new finding in your account and trigger an alert.
Follow these steps to run a test:
- Log in to Microsoft 365.
- Navigate to Outlook 365.
- Click Settings in the left sidebar.
- Click Add New Rule.
- Create a new rule and call it something like "Test Blumira."
- Refresh your Blumira Summary Dashboard.
- Locate and work the finding.