Microsoft Defender for Office 365 Audits
  • 26 Mar 2025

Microsoft Defender for Office 365 allows you to secure your email and Microsoft Teams with advanced protection against phishing, business email compromise, ransomware, and other cyberthreats. For detailed information, refer to Microsoft’s official documentation.

Integration Method: API

Tables: Data Security Finding (2004), Web Resource Activity (6001), File Hosting Activity (6006), Group Management (3006), Email File Activity (4011), Entity Management (3004)

The integration supports the following events.

| Event | Description |
| --- | --- |
| Audit.SharePoint | Captures SharePoint Online and OneDrive for Business activities, including file access, sharing, and permission modifications. |
| DLP.All | Retrieves Data Loss Prevention (DLP) events across all Office 365 workloads, including Exchange, SharePoint, and OneDrive. |
| Audit.Exchange | Includes Exchange Online audit logs, such as mailbox access, message deletions, and changes to mailbox settings. |

This integration supports the following versions.

Microsoft Office 365 Management API: v1

Note:

Microsoft Defender for Office 365 is a continuously updated cloud service. At the time this document was prepared, the latest release was on February 11, 2025.

Prerequisites

  • Access to the Azure portal with an account that has the Global Administrator role. 

  • Access to the DataBee console.

Configuration Overview

  1. Create an application with required permissions to fetch the data.

    1. Create an application

    2. Add endpoint access

    3. Create the client secret

  2. Create the Microsoft Defender for Office 365 Audits data feed in the DataBee console with the required client credentials.

| DataBee Feed Parameter | Azure Parameter |
| --- | --- |
| Client Key | Application (client) ID |
| Client Secret | Client Secret Value |
| Token URL (<tenant_id>) | Directory (Tenant) ID |

Azure Configuration

Create an application

  1. Log on to the Azure portal with an account that has the Global Administrator role.

  2. In the search bar, search for App registrations and select it.

  3. On the App registrations page, select New registration. The Register an application window appears.

  4. In the Register an application window:

    1. Under Name, enter your application name, then click Register to create the application.

  5. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.

Add Endpoint Access  

Once the application is created, three permissions to the Office 365 Management APIs are needed. This section details how to configure and add permissions to the required endpoints.  

Add Permissions  

From the Azure Active Directory portal:  

  1. Select the application registered in the previous step.

  2. Under Manage, click API Permissions and then click Add a Permission. The Request API permissions window appears.

  3. In the Request API permissions window, click Microsoft APIs.

  4. Scroll down and click Office 365 Management APIs.

  5. Click Application Permissions.

  6. The following permissions need to be granted for the endpoint to function properly:

| Endpoints | Type | Permission |
| --- | --- | --- |
| ActivityFeed.Read | Application | Read activity data for your organization |
| ActivityFeed.ReadDlp | Application | Read DLP policy events including detected sensitive data |
| ServiceHealth.Read | Application | Read service health information for your organization |

  7. From the ActivityFeed dropdown, select:

    1. ActivityFeed.Read and ActivityFeed.ReadDlp.

  8. From the ServiceHealth dropdown, select:

    1. ServiceHealth.Read.

  9. Click the Add permissions button after selecting all required permissions.

  10. On the API permissions page, click Grant Admin Consent for <tenant>.

  11. Click the Yes button on the consent confirmation.

  12. The necessary permissions have now been added for the endpoints. After this step, the application's permissions should include at least the required permissions listed above.

Creating the Client Secret

The final step to accessing the APIs is creating a Client Secret. To create it from the Azure Portal:  

  1. Select the application created above.

  2. Under Manage, click Certificates and Secrets, and then Client Secrets.

  3. Click New client secret. The Add a client secret window appears.

  4. In the Add a client secret window:

    1. Enter a Description for this client secret and select the desired expiry period from the Expires drop-down list.

    2. Click Add to create the client secret.

      Note:

      The user needs to re-create the client secret when it expires.

  5. Copy the client secret's Value field for later use.

DataBee Configuration

  1. Log in to the DataBee UI, navigate to Data > Data Feeds, and click the Add New Data Feed button.

  2. Search for Microsoft Defender for Office 365 Audits and select it.

  3. Click API Ingest.

  4. Enter the feed contact information and click Next.

  5. In the configuration page, enter the following:

    • Authorization Method: OAuth2

    • Client Key: paste the Application (Client) ID generated earlier in the Azure portal.

    • Client Secret: paste the Client Secret value generated earlier in the Azure portal.

    • Tenant ID: paste the Directory (Tenant) ID collected earlier in the Azure portal.

    • Token URL: replace <tenant_id> with your Directory (Tenant) ID.

Note:

The URL of the API endpoint depends on your organization's Microsoft 365 or Office 365 subscription plan. This guide uses the URL for the Enterprise plan; change it to match your organization's subscription plan.

The URLs for each subscription plan are listed below.

Enterprise plan: https://manage.office.com

GCC government plan: https://manage-gcc.office.com

GCC High government plan: https://manage.office365.us

DoD government plan: https://manage.protection.apps.mil

  6. Click Submit.

Troubleshooting Tips

  • If you encounter an "Invalid client" or "Unauthorized client" error, the credentials may be incorrect. Double-check that the client key, client secret, and Tenant ID are entered correctly. Because the client secret is only visible upon creation, you may need to regenerate it. Before reconfiguring the feed, consider pasting the secret into a text editor to confirm that it contains no extra spaces or unexpected characters.

  • If you receive an "Unauthorized" error, the client ID and client secret may belong to different applications. Verify that both credentials come from the same application.

  • If you encounter a 401 response code, it is likely due to missing permissions. Ensure that all required permissions are granted as described in the steps above.

    • For example:
      {"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}
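To confirm which permissions a token actually carries when diagnosing the AF10001 error above, the access token issued to the application can be inspected offline. This is an added example, not DataBee or Microsoft code; it assumes the token is a JWT whose application permissions appear in the `roles` claim and whose `aud` claim holds the plan's API URL, and the sample token and function names are constructed for illustration.

```python
import base64
import json

# Application permissions the page says the app registration needs.
REQUIRED_ROLES = {"ActivityFeed.Read", "ActivityFeed.ReadDlp", "ServiceHealth.Read"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT; check for truncation or stray characters")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token: str, api_base: str) -> dict:
    """Report missing and surplus permissions, and whether aud matches the plan URL."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))  # assumption: app permissions arrive in `roles`
    aud = str(claims.get("aud", ""))      # assumption: aud is the plan's API URL
    return {
        "missing": sorted(REQUIRED_ROLES - roles),
        "unexpected": sorted(roles - REQUIRED_ROLES),  # beyond what the feed needs
        "audience_ok": aud.rstrip("/") == api_base.rstrip("/"),
    }


def make_sample_token(roles, aud):
    """Constructed, unsigned sample token so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"aud": aud, "roles": roles}).encode())
    return f"{header}.{body}.sig"


if __name__ == "__main__":
    # Constructed case: admin consent was granted for only one permission.
    sample = make_sample_token(["ActivityFeed.Read"], "https://manage.office.com")
    print(audit_token(sample, "https://manage.office.com"))
```

An empty `roles` claim corresponds to the empty permission set `()` in the error message; a real access token is a bearer credential, so inspect it locally rather than pasting it into an online decoder.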

