Microsoft Defender for Office 365 Audits
Microsoft Defender for Office 365 allows you to secure your email and Microsoft Teams with advanced protection against phishing, business email compromise, ransomware, and other cyberthreats.
Integration Method: API
Tables: Data Security Finding, Web Resource Activity, File Hosting Activity, Group Management
DataBee connects to the APIs to retrieve audit information.
Azure Configuration
Log on to Azure with a user account that has the Global Administrator role.
Navigate to Microsoft Entra ID > App registrations > New registration. The Register an application page appears.
Enter the application's registration information:
In the Name section, enter a meaningful application name that will be displayed to users.
For Supported account types, click the Accounts in any organizational directory option.
Set the Redirect URI to http://localhost.
Click on Register to create the application.
On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.
Note: Before you can access data through the Office 365 Management Activity API, you must enable unified audit logging for your Office 365 organization. You do this by turning on the Office 365 audit log. For detailed instructions and additional guidance, please consult the latest documentation.
Add Endpoint Access
Once the application is created and audit logging is enabled, grant the application the permissions it needs to retrieve data from the endpoint. The following section details how to add those permissions.
You will need to provision read API permissions for Office 365 Management APIs.
Add Permissions
To add permissions for the endpoint outlined above, from the Azure Active Directory portal:
Select the application whose logs are to be accessed (generally, the application registered earlier on this page).
Click API Permissions, and then click Add a Permission. The Request API permissions window appears.
Click on Microsoft APIs and then search for Office 365 Management APIs.
Click on Office 365 Management APIs, then select Application permissions or Delegated permissions to match the Permission type in the table below.
The following permissions need to be granted:
Permission type | Permission | Permission display name |
Application | ActivityFeed.Read | Read activity data for your organization |
Application | ActivityFeed.ReadDlp | Read DLP policy events including detected sensitive data |
Application | ServiceHealth.Read | Read service health information for your organization |
In the Select permissions search bar, enter each permission shown above, and check the box to include it.
Click the Add permissions button after selecting all required permissions.
On the API permissions page, click Grant Admin Consent for <tenant>.
Click the Yes button on the consent confirmation. The required permissions are now added for the endpoints.
Note: If you run into difficulties during configuration, refer to Microsoft's documentation.
Create the Client ID and Client Secret:
To configure the API for OAuth access, a Client ID and Client Secret are required.
Select Application.
Click Certificates & Secrets, and then Client Secrets.
Click New client secret. The Add a client secret window appears.
Enter a Description for this client secret.
Select the desired expiry period from the Expires drop-list.
Click Add.
Copy the Value and Secret ID. These will be used to configure the DataBee API connection.
Note: The API restricts data retrieval to the last 7 days. Data older than this cannot be fetched.
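A pre-flight check you can run on an access token obtained for this app registration before entering the credentials in DataBee. This is an added example, not DataBee or Microsoft code: it assumes Microsoft Entra access tokens carry granted application permissions in the `roles` claim and the tenant in `tid`, and the tenant ID and sample tokens are constructed placeholders.

```python
import base64
import json
import time

# Application permissions from the table on this page.
REQUIRED_ROLES = {"ActivityFeed.Read", "ActivityFeed.ReadDlp", "ServiceHealth.Read"}


def decode_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(token, tenant_id, now=None):
    """Return a list of problems; an empty list means the token looks usable."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    # Assumption: granted application permissions appear in the "roles" claim.
    missing = REQUIRED_ROLES - set(claims.get("roles", []))
    if missing:
        problems.append("missing application permissions: " + ", ".join(sorted(missing)))
    if claims.get("tid") != tenant_id:
        problems.append("tid claim does not match the Directory (tenant) ID")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo; never sent anywhere."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + ".constructed"


# Constructed sample data (placeholder tenant ID, fixed timestamps).
TENANT = "00000000-0000-0000-0000-000000000000"
GOOD = make_sample_token({"tid": TENANT, "exp": 4600, "roles": sorted(REQUIRED_ROLES)})
NO_CONSENT = make_sample_token({"tid": TENANT, "exp": 4600})  # no roles claim at all

if __name__ == "__main__":
    print(preflight(GOOD, TENANT, now=1000))
    print(preflight(NO_CONSENT, TENANT, now=1000))
```

A token with no `roles` claim usually means admin consent was not granted in the API permissions step. Treat any real token and the client secret as credentials and keep them out of shell history and shared logs.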
DataBee Configuration
Log in to the DataBee console, navigate to the Data tab and click on Add new Datasource.
Search for Microsoft Defender for Office 365 Audits and select it.
Click on API Ingest.
Enter the required details in the contact form.
In the configuration dialog boxes, enter the following:
Authorization Method: OAuth2
Client Key: Paste the Value from the previous step
Client Secret: Paste the Secret Key from the previous step
Token URL: Replace the <tenant_id> placeholders with your tenant ID.
Click Submit.