Collect data from Microsoft 365

Most recent version: v0.0.3

See the changelog of the Microsoft 365 Listener here.

Overview

Onum supports integration with Office 365 through the Office 365 Management Activity API.

Office 365 provides a suite of cloud-based productivity tools and services, including apps like Word, Excel, PowerPoint, and Teams, along with online storage via OneDrive and advanced security features.

Prerequisites

  1. You must register an application in Microsoft Entra ID (formerly Azure AD).

  2. After registration, you'll need the Application (Client) ID, the Directory (Tenant) ID, and either a Client Secret (password) or a Certificate for authentication.

  3. You must grant the necessary Microsoft Graph API permissions (e.g., Mail.Read.All, User.Read.All, Sites.Read.All).

Onum Setup

1

Log in to your Onum tenant and click Listeners > New listener.

2

Double-click the Office 365 Listener.

3

Enter a Name for the new Listener. Optionally, add a Description and some Tags to identify the Listener.

4

Enter your Office 365 Azure Tenant ID*. Find this under Azure Active Directory > Overview, or in the Properties pane.

5

The Application (client) ID* is needed when accessing Office 365 through APIs or applications. For applications registered in other directories, the Application (Client) ID is located in the application credentials.

  1. Go to the Azure Portal.

  2. Find Microsoft Entra ID in the left menu.

  3. Click App registrations under the Manage section.

  4. Select the application you registered (or search for it).

  5. Under Essentials, find Application (client) ID.

  6. Click Copy to clipboard to save it.

6

Assign your data a Content Type in the form of reusable columns, document templates, workflows, or behaviors. Click Add element to add the required content types.

These are the available content values:

  • Audit.AzureActiveDirectory

  • Audit.Exchange

  • Audit.SharePoint

  • Audit.General (includes all other workloads not included in the previous content types)

  • DLP.All (DLP events only for all workloads)

For details about the events and properties associated with these content types, see Office 365 Management Activity API schema.

7

The Client Secret (also called Application Secret) is used for authentication in Microsoft Entra ID (formerly Azure AD) when accessing APIs. To get it:

  1. Click App registrations under the Manage section.

  2. Select your registered application.

  3. In the left menu, click Certificates & secrets.

  4. Under Client secrets, check if an existing secret is available. You cannot view it, so you must have it saved somewhere.

  5. If you need a new one, create one and copy the value immediately.

8

In Onum, open the Secret field and click New secret to create a new one:

  • Give the secret a Name.

  • Turn off the Expiration date option.

  • Click Add new value and paste the Client Secret value you copied in the previous step.

  • Click Save.

You can now select the secret you just created in the corresponding field.

9

Choose your Subscription Plan* from the list. Find this in the Microsoft Account Portal under Billing > Your Products.

10

Enter the Polling Interval*, the frequency in minutes at which events are collected. The minimum value is 1, and the maximum value is 60.

11

Finally, click Create labels. Optionally, you can set labels to be used for internal Onum routing of data. By default, data will be set as Unlabeled. Click Create listener when you're done.
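
A pre-flight check for the values entered in the steps above, as an added example that is not Onum's code: it validates the Tenant ID, Application (client) ID, secret, content types and polling interval against the constraints on this page, then builds (without sending) the client-credentials token request and the subscription-start URLs. The hosts assume the worldwide endpoints of the Office 365 Management Activity API, and all function names and sample values are constructed for illustration.

```python
import re
from urllib.parse import urlencode

# Content types listed in step 6 of this page.
CONTENT_TYPES = {"Audit.AzureActiveDirectory", "Audit.Exchange",
                 "Audit.SharePoint", "Audit.General", "DLP.All"}
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Assumption: worldwide endpoints; other subscription plans use other hosts.
LOGIN_HOST = "https://login.microsoftonline.com"
API_HOST = "https://manage.office.com"
# Constructed sample values (tenant ID, client ID, secret); not real identifiers.
SAMPLE = ("11111111-2222-3333-4444-555555555555",
          "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "constructed-secret-value")


def check_listener_config(tenant_id, client_id, secret, content_types, polling_minutes):
    """Return a list of problems; an empty list means the values are usable."""
    problems = []
    if not GUID.match(tenant_id):
        problems.append("tenant_id is not a GUID")
    if not GUID.match(client_id):
        problems.append("client_id is not a GUID")
    # The portal shows a Secret ID (a GUID) next to the Value; only the Value works.
    if not secret or GUID.match(secret):
        problems.append("secret is empty or looks like a Secret ID, not its value")
    unknown = sorted(set(content_types) - CONTENT_TYPES)
    if unknown or not content_types:
        problems.append(f"unknown or missing content types: {unknown}")
    if not 1 <= polling_minutes <= 60:
        problems.append("polling interval must be between 1 and 60 minutes")
    return problems


def build_requests(tenant_id, client_id, secret, content_types):
    """Build (not send) the token request and one subscription-start URL per type."""
    token = {
        "url": f"{LOGIN_HOST}/{tenant_id}/oauth2/v2.0/token",
        "body": urlencode({"grant_type": "client_credentials",
                           "client_id": client_id,
                           "client_secret": secret,
                           "scope": f"{API_HOST}/.default"}),
    }
    base = f"{API_HOST}/api/v1.0/{tenant_id}/activity/feed/subscriptions/start"
    starts = [f"{base}?{urlencode({'contentType': ct})}" for ct in content_types]
    return token, starts


if __name__ == "__main__":
    print(check_listener_config(*SAMPLE, ["Audit.Exchange", "DLP.All"], 5))
```
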
