
Microsoft Office365

Client Information

Before logs can be pulled from your Microsoft Azure account, some information will need to be gathered. Some of these items may require additional setup within your Microsoft account and are documented in the subsequent sections.

In order to enable log retrieval, the following information will need to be collected:

  • Directory ID - Also called the tenant ID (the current portal labels it "Tenant ID"). A UUID string 36 characters in length
  • Application ID - The app registration's "Application (client) ID". A UUID string 36 characters in length
  • Secret Key - The client secret value generated for the app registration; a random string, approximately 44 characters long (the exact length varies). Treat it as a credential
  • Subscription ID - Applicable only for Azure infrastructure. A UUID string 36 characters in length. There may be more than one; record each together with its subscription name so they can be told apart

The app registration also needs permissions on the log resources. These permissions are detailed below.

Get the Directory ID

To get the Directory ID, perform the following steps:

  1. Login to the Microsoft Azure Portal with an administrator account.
  2. Select "Azure Active Directory" (now named "Microsoft Entra ID") from "Favorites" on the left or "All services"
  3. Choose "Properties" under "Manage"
  4. Copy the "Directory ID" (labelled "Tenant ID" in the current portal) using the copy button to the right of the value
  5. Record this value and denote it as the "Directory ID"

Create an Application Registration

A new app registration must be created in the Azure Portal from which the Application ID and Secret Key will be copied.

  1. In the Microsoft Azure Portal select “Azure Active Directory”
  2. Then select “App Registrations” under "Manage”
  3. Click the “New registration” button at the top
  4. Enter in the Name “ActiveEye Security Monitor”
  5. Under "Supported account types", select "Accounts in this organizational directory only (<Your Organization Here>)"
  6. Leave "Redirect URI (optional)" unmodified
  7. At the bottom, click "Register"

Get the Application ID

You will be redirected to the registered application page for your new application registration. From here:

  1. Hover over "Application (client) ID" and the copy button will appear to the right. Click this button.
  2. Record this value as the "Application ID".
note

The value needed on this page is the Application (client) ID, not the Object ID. Both are UUIDs of the same length, so check the label before copying.

Get the Secret Key

  1. From the registered application page where you obtained the Application ID, click "Certificates and secrets" from the left-side menu.
  2. Under "Client secrets", click "New client secret".
  3. For "Description", enter "ActiveEye Security Monitor".
  4. Under "Expires", pick the longest available period (the portal no longer offers "Never"; the maximum is currently 24 months). Record the expiry date: when the secret expires, log collection stops until a new secret is created and provided. Then click "Add".
  5. When the screen refreshes, there will be a new entry under "Client secrets". Under "Value", there will be a copy button. Click this button.
  6. Record this value as the "Secret Key".
note

The secret value is shown only once. If you did not capture it, delete that secret and create a new one. Store the value in a password manager or secrets store rather than in a ticket or email.

Configure Windows Azure Active Directory Permissions

While in "App registrations" (you will already be there if you are following step by step), continue below. If not, select "App registrations", then click on your newly created app. Then:

  1. From the left-side menu, click "API permissions".
  2. From the "API permissions" page, click "Add a permission", then find "Azure Active Directory Graph" and click it.
  3. From the "Azure Active Directory Graph" page, select "Application permissions". After redirecting to the new page, click the "Directory" drop down menu, then check "Directory.Read.All".
  4. Click "Add permissions".
note

Azure AD Graph has been retired by Microsoft and may no longer be offered under "Add a permission". If it is not listed, skip this section; the Microsoft Graph "Directory.Read.All" permission added in the next section reads the same directory data.

Configure Microsoft Graph API Permissions

Now add permissions for Microsoft Graph.

  1. From the left-side menu, click "API permissions".
  2. From the "API permissions" page, click "Add a permission", then find "Microsoft Graph" and click it.
  3. From the "Microsoft Graph" page, select "Application permissions". After redirecting to the new page, do the following:
  • Click "AuditLog" then check "AuditLog.Read.All"
  • Click "SecurityEvents" then check "SecurityEvents.Read.All"
  • Click "Directory" then check "Directory.Read.All"
  • Click "IdentityRiskEvent" then check "IdentityRiskEvent.Read.All"
  4. Click "Add permissions"

Configure O365 Permissions

note

If your organization does not utilize Office 365, you can skip this section.

Now add permissions for Office 365 Management APIs.

  1. From the left-side menu, click "API permissions".
  2. From the "API permissions" page, click "Add a permission", then find "Office 365 Management APIs" and click it.
  3. From the "Office 365 Management APIs" page, select "Application permissions". After redirecting to the new page, do the following:
  • Click "ActivityFeed" then check both "ActivityFeed.Read" and "ActivityFeed.ReadDlp"
  4. Click "Add permissions"

Grant Permissions

warning

You must be a "Global Administrator" to perform this action. If you are not, ask an administrator to do so.

Any time you change the app's permissions, an administrator must take the additional step of granting them (tenant-wide admin consent). This step is critical: until it is done the permissions are only requested, not granted, and event log collection will not function.

  1. On the "API permissions" page, click the "Grant admin consent for <Your Organization Here>" button (labelled "Grant Permissions" in older versions of the portal)
  2. Click "Yes" on the confirmation screen
  3. This authorizes the permission changes that were made. Each permission's "Status" column should now read "Granted for <Your Organization Here>"; any entry still showing "Not granted" was not consented
warning

STOP! MAKE SURE TO COMPLETE THIS STEP
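As an added post-setup check (example code written for this page, not the guide's own or the ActiveEye product's), the following Python script validates the collected client information, builds the OAuth2 client-credentials token request for each API the permissions above cover, and inspects an access token's `roles` claim to confirm that admin consent was actually granted. The tenant, application, secret and token values in it are constructed placeholders; fetching a real token requires an HTTPS POST of the returned form body to the returned URL, which is left to the reader.

```python
"""Post-setup check for the log-collection app registration.

Added example, not part of the original guide or the ActiveEye product.
No network calls are made; the sample values and tokens are constructed.
"""
import base64
import json
import uuid
from urllib.parse import urlencode

# Application permissions the guide asks for, keyed by the resource whose
# /.default scope is requested.  Azure AD Graph is omitted because it is
# retired; Microsoft Graph Directory.Read.All covers the directory data.
# The subscription Reader role is an RBAC assignment, not an app permission,
# so it never appears in a token and is not checked here.
REQUIRED_ROLES = {
    "https://graph.microsoft.com": {
        "AuditLog.Read.All",
        "SecurityEvents.Read.All",
        "Directory.Read.All",
        "IdentityRiskEvent.Read.All",
    },
    "https://manage.office.com": {"ActivityFeed.Read", "ActivityFeed.ReadDlp"},
}


def is_canonical_uuid(value):
    """True for a hyphenated, 36-character UUID (braces or bare hex rejected)."""
    try:
        return len(value) == 36 and str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def validate_client_info(info):
    """Return a list of problems with the collected values ([] if none)."""
    problems = []
    for key in ("directory_id", "application_id"):
        if not is_canonical_uuid(info.get(key, "")):
            problems.append(f"{key} is not a 36-character UUID")
    if len(info.get("secret_key", "")) < 30:
        problems.append("secret_key looks too short; was the secret ID copied instead of its value?")
    for sub in info.get("subscriptions", []):
        if not is_canonical_uuid(sub.get("id", "")):
            problems.append(f"subscription {sub.get('name')!r} has a malformed id")
    return problems


def token_request(info, resource):
    """Build the client-credentials token request (URL, form body) for `resource`."""
    url = f"https://login.microsoftonline.com/{info['directory_id']}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": info["application_id"],
        "client_secret": info["secret_key"],   # urlencode escapes special characters
        "scope": f"{resource}/.default",
    })
    return url, body


def decode_token_claims(access_token):
    """Decode a JWT payload WITHOUT verifying the signature.

    Acceptable only for inspecting a token this client just obtained for
    itself; never use an unverified decode to make an authorization decision.
    """
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)        # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(access_token, resource):
    """Required application permissions for `resource` absent from the token.

    Granted application permissions appear in the `roles` claim of a
    client-credentials token.  An absent or empty claim means the
    "Grant Permissions" (admin consent) step has not been completed.
    """
    granted = set(decode_token_claims(access_token).get("roles", []))
    return sorted(REQUIRED_ROLES[resource] - granted)


def build_sample_token(claims):
    """Assemble an unsigned, JWT-shaped string from `claims` (constructed sample)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed values; not a real tenant, application or secret.
SAMPLE_INFO = {
    "directory_id": "11111111-2222-3333-4444-555555555555",
    "application_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "secret_key": "not-a-real-secret-just-a-long-enough-placeholder!",
    "subscriptions": [{"name": "Production", "id": "99999999-8888-7777-6666-555555555555"}],
}
GRAPH = "https://graph.microsoft.com"
# What a Graph token looks like before admin consent: no `roles` claim at all.
TOKEN_BEFORE_CONSENT = build_sample_token({"aud": GRAPH, "appid": SAMPLE_INFO["application_id"]})
# After consent, but with one permission left unchecked in the portal.
TOKEN_PARTIAL_CONSENT = build_sample_token({
    "aud": GRAPH,
    "roles": ["AuditLog.Read.All", "SecurityEvents.Read.All", "Directory.Read.All"],
})

if __name__ == "__main__":
    print("problems:", validate_client_info(SAMPLE_INFO))
    print("token endpoint:", token_request(SAMPLE_INFO, GRAPH)[0])
    print("missing before consent:", missing_roles(TOKEN_BEFORE_CONSENT, GRAPH))
    print("missing after partial consent:", missing_roles(TOKEN_PARTIAL_CONSENT, GRAPH))
```

When run against a real token obtained with the collected values, every name `missing_roles` returns points at either a permission that was not checked in the portal or a consent that was never granted; an empty list for both Microsoft Graph and the Office 365 Management API means the app registration is ready for log collection.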

Get Subscription ID

  1. Login to the Microsoft Azure Portal with an administrator account.
  2. Select "Subscriptions" from "All services"
  3. There may be multiple subscriptions listed. Select the subscription to monitor.
  4. In the right hand panel, hover over the "Subscription ID" and the copy button will appear to the right. Click this button
  5. Alternatively highlight the Subscription ID UUID and copy the value
  6. Record this value and denote it as the "Subscription ID". Make note of the subscription name as well.

Assign Role Based Access Controls

  1. While viewing the subscription, select "Access control (IAM)" in the subscription's menu
  2. Click "Add", then "Add role assignment"
  3. In the Role selector choose "Reader" (read-only access is all log collection needs; do not assign a broader role). Hint: type the first few letters and the list will auto-filter
  4. In "Assign access to", keep "Azure AD user, group or application" (shown as "User, group, or service principal" in the current portal)
  5. In the Select box, choose the registered app from the previous section (e.g. "ActiveEye Security Monitor"). Type the first few letters to filter the list
  6. Click "Save" (or "Review + assign" in the current portal)

Repeat for Additional Subscriptions

If there is more than one Azure subscription to be monitored, repeat the steps above.

Provide Client Information

The Directory ID, Application ID, Secret Key and, if Azure infrastructure is monitored, the Subscription IDs and names should now be collected and available to complete the setup and start log collection. Provide these values to your service representative or use them for self-service configuration following the "Configuring a new Service Connector for log collection" guide. The Secret Key is a credential: share it only over a secure channel, and if it is exposed, delete it in "Certificates and secrets" and create a new one.