Global Admins of Microsoft 365 can configure their productivity suite to send security event logs and alerts to Blumira for threat detection. Blumira then intelligently analyzes those logs to automatically detect suspected threats, notify you of those threats, and provide you with an actionable response.
Note: Data is collected from the time of a successful integration configuration onward. Past logs are not collected by Blumira.
Before you begin
Verify that your tenant license includes Auditing before continuing with the steps below. Note: Advanced Audit provides the most event data to Blumira and is recommended.
See the list of licenses that meet this requirement in Auditing solutions in Microsoft 365: Licensing Requirements.
Also, before you can add the Microsoft 365 Cloud Connector in Blumira, you must gather three credentials from your Azure Active Directory admin center:
- Application (client) ID
- Directory (tenant) ID
- Client secret value
Complete the following steps in Azure Active Directory to gather the required credentials:
- Confirm that you are a Global Admin in Microsoft 365.
Important: If you are not a Global Admin, you will not be able to send logs to Blumira.
- Enable auditing for your organization in your Microsoft 365 compliance settings, by completing these steps:
Log in to https://compliance.microsoft.com.
In the left navigation pane of the compliance portal, click Audit.
Click Start recording user and admin activity.
Note: It might take up to 60 minutes for the change to take effect.
Reference: See Microsoft's Use the compliance center to turn on auditing for more information.
- Log in to https://aad.portal.azure.com.
- Click Azure Active Directory.
- Navigate to Manage > App registrations.
- Click Register an application or + New registration.
- Type the name (e.g., Microsoft 365 Audit Logs to Blumira).
- Under Supported Account Types, select Accounts in this organizational directory only, and then click Register.
- Copy and save the Application (client) ID and the Directory (tenant) ID to be used in later steps.
- In the second-to-left panel, click API permissions.
- Click Add a Permission.
- Click Office 365 Management API.
- Click Application Permissions.
- Expand ActivityFeed, and select the check boxes next to ActivityFeed.Read and ActivityFeed.ReadDlp.
- At the bottom, click Add permissions.
Important: Click Grant admin consent.
- In the Status column, confirm that Admin consent was granted (a green check mark appears):
- Click Certificates & secrets.
- Click New client secret.
- In the Description box, type a descriptive name (e.g., Blumira sensor).
- Select any timeframe that you’re comfortable with (up to 24 months), and then click Add.
Tip: Ensure that you set yourself a reminder to update this when it expires.
- Document the client secret value to be used in later steps.
Important: Do not copy the “Secret ID,” which is only an object reference to the value and will not allow Blumira to collect logs.
- Wait at least one minute after generating the client secret before proceeding with the steps below in Blumira.
Note: There can be approximately one minute of latency between when Microsoft generates a Client secret and when it successfully works in an API request.
Integrating with Microsoft 365 using a Cloud Connector
Cloud Connectors automate the configuration of your integrations without requiring you to use a sensor. After you obtain your integration's configuration parameters, you can then enable Blumira to collect your logs.
To configure your integration with Blumira Cloud Connector:
- In the Blumira app, go to the Cloud Connectors page (Settings > Cloud Connectors).
- Click + Add Cloud Connector.
- In the Available Cloud Connectors window, click the connector that you want to add.
- If you want to change the name of the Cloud Connector, type the new name in the Cloud Connector Name box.
- Enter the API credentials that you collected in the "Before you begin" section above.
- Click Connect.
- On the Cloud Connectors screen, under Current Status, you can view the configuration’s progress. When the configuration completes, the status changes to Online (green dot).
Important: If you previously deployed a Module for this integration, then you must remove it via the Sensors page (Settings > Sensors) to avoid log duplication.
Note: Sometimes, it can take over 3 hours before Microsoft audit logging (Step 2 of the "Before you begin" section above) is truly enabled. In these instances, you will see an error in the Cloud Connector in Blumira: "Error: Please make sure that Unified Audit Logging is enabled." If you are certain that auditing has been enabled, it is likely that a system delay in Microsoft is causing the error.