Microsoft Defender for Office 365 allows you to secure your email and Microsoft Teams with advanced protection against phishing, business email compromise, ransomware, and other cyberthreats. For detailed information, refer to Microsoft’s official documentation.

Integration Method: API

Tables: Data Security Finding (2004), Web Resource Activity (6001), File Hosting Activity (6006), Group Management (3006), Email File Activity (4011), Entity Management (3004)

The integration supports the following events.

This integration supports the following versions.

Note:

Microsoft defender for Office 365 is a continuously updated cloud service. As of this document preparation, latest release was on February 11,2025

Prerequisites

• Access to the Azure portal with an account that has the Global Administrator role. 

• Access to the DataBee console.

Configuration Overview

1. Create an application with required permissions to fetch the data.

   1. Create an application

   2. Add endpoint access

   3. Create the client secret

2. Create Microsoft Defender for Office 365 Audits Data Feed in the DataBee console with the required Client credentials.

Azure Configuration

Create an application

1. Log on to Azure portal with an account that has the Global Administrator role.  

2. In the search bar, search for App Registrations and select it.
    

3. On the App registrations page, select New registration, then Register an application window will appear.
    

4. On the Register an application window:

   1. Under Name enter your Application Name then click on Register to create the application.
       
      
       

5. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.
     

Add Endpoint Access  

Once the application is created, three permissions to the Office 365 Management APIs are needed. This section details how to configure and add permissions to the required endpoints.  

Add Permissions  

From the Azure Active Directory portal:  

1. Select the application registered in the previous step.

2. Under Manage, click API Permissions and then click Add a Permission, the Request API permissions window will appear. 
      

3. On Request API permissions window, Click on Microsoft APIs.
     

4. Scroll down and click on Office 365 Management APls
    

5. Click on Application Permissions.
     

6. The following permissions need to be granted for the endpoint to function properly:  

1. From the ActivityFeed dropdown, select

   1. ActivityFeed.Read and ActivityFeed.ReadDlp permissions

2. From the ServiceHealth dropdown, select

   1. ServiceHealth.Read.

      

3. Click the Add permissions button after selecting all required permissions.

   
   

4. On the API permissions page, click Grant Admin Consent for <tenant>. 
    

5. Click the Yes button on the consent confirmation.
    

6. The necessary permissions have now been added for the endpoints. After this step, the permissions should include these minimum required permissions shown
    

Creating the Client Secret

The final step to accessing the APIs is creating a Client Secret. To create it from the Azure Portal:  

1. Select the application created above.

2. Under Manage, Click Certificates and Secrets, and then Client Secrets. 
    

3. Click New client secret. Then Add a client secret window appears. 
     

4. On Add a client secret window:

   1. Enter a Description for this client secret and select the desired expiry period from the Expires drop-list.

   2. Then click on Add to create the client secret.
       

      Note:

      The user needs to re-create the client secret when it expires.

5. Copy Client Secrets Value field for later use.

   
   

Data Bee Configuration

1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
    

2. Search for Microsoft Defender for Office 365 Audits and select it.
    

3. Click on the API Ingest.
   
   

4. Enter feed contact information and click Next
    
   

5. In the configuration page, enter the following:

   • Authorization Method: OAuth2

   • Client Key: paste the Application (Client) ID generated earlier in the Azure portal.

   • Client Secret: paste the Client Secret value generated earlier in the Azure portal.

   • Tenant ID: paste the Directory (Tenant) ID collected earlier in the Azure portal.

   • Token URL: replace <tenant_id> with your Directory (Tenant) ID.

Note:

The URL for the API endpoint that you use is based on the type of Microsoft 365 or Office 365 subscription plan for your organization. Here, we have used the URL for Enterprise plan. You can change the URL as per subscription plan for your organization.

Below are the list of URLs as per the subscription plans. previous

Enterprise plan: https://manage.office.com

GCC government plan: https://manage-gcc.office.com

GCC High government plan: https://manage.office365.us

DoD government plan: https://manage.protection.apps.mil

6. Click Submit.

Troubleshooting Tips

• If you encounter an "Invalid client" or "Unauthorized client" error, it may be due to incorrect credentials. Please double-check that the client key, client secret, and Tenant ID are entered correctly. Since the client secret is only visible upon creation, you may need to regenerate it. To avoid any issues, consider pasting it into a text editor to ensure there are no extra spaces or unexpected characters before reconfiguring the  feed.

• If you receive an "Unauthorized" error, it may be because the client ID and client secret belong to different applications. Kindly verify that you are using credentials from the same application to resolve the issue.

• If we encounter a 401 response code, it is likely due to missing permissions. Ensure that all required permissions are correctly granted as per the steps outlined above.

  • For example:
    {"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}