Collect data from Microsoft Office 365

Most recent version: v0.1.0

See the changelog of the Microsoft 365 Listener here.

Overview

Onum supports integration with Office 365 through the Office 365 Management Activity API.

Office 365 provides a suite of cloud-based productivity tools and services, including apps like Word, Excel, PowerPoint, and Teams, along with online storage via OneDrive and advanced security features.

You can use the Office 365 Listener to send your Office data to Onum.

Prerequisites

Before starting, you must register an application in Microsoft Entra ID (formerly Azure AD).

After registration, you'll need the Application (Client) ID, the Directory (Tenant) ID, and either a Client Secret (password) or a Certificate for authentication.

Then, you must grant the necessary Office 365 Management Activity API permissions:

  • ActivityFeed.Read - Required for reading activity feeds

  • ActivityFeed.ReadDlp - Optional (for DLP events)

  • ServiceHealth.Read - Optional (for service health)

Start/stop a subscription

The Office 365 Listener supports the start/stop subscription feature. You can start/stop a subscription using some other Office 365 API or using this curl command:

You should get a response like this:

Use the access_token value to start or stop a subscription. These are the available content values:

  • Audit.AzureActiveDirectory

  • Audit.Exchange

  • Audit.SharePoint

  • Audit.General

  • DLP.All

These are some of the requests you can perform:

  • Start a subscription to begin receiving notifications and retrieving activity data for a tenant.

  • Stop a subscription to discontinue retrieving data for a tenant:

  • Content type example (this will subscribe you to active directory and exchange):

Here is the list of all the API requests you can use. Once you start a subscription, you can use the Listener to fetch your data.

For easier testing, here is the curl command to fetch the list of updates:
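The workflow described in this section (get a token, start subscriptions, fetch available content), as an added example that is not Onum's or Microsoft's own script. The function names and the `O365_RUN`, `TENANT_ID`, `CLIENT_ID` and `SECRET_FILE` variables are assumptions; the client secret and bearer token are passed through a file and stdin so they do not appear in process listings or shell history.

```shell
# Added example; tenant ID, client ID and secret file path are operator-supplied placeholders.
API_ROOT="https://manage.office.com/api/v1.0"

# Accept only the content types listed on this page.
valid_content_type() {
  case "$1" in
    Audit.AzureActiveDirectory|Audit.Exchange|Audit.SharePoint|Audit.General|DLP.All) return 0 ;;
    *) return 1 ;;
  esac
}

# subscription_url TENANT ACTION [CONTENT_TYPE]; ACTION is start, stop, content or list.
subscription_url() {
  case "$2" in
    list) printf '%s/%s/activity/feed/subscriptions/list\n' "$API_ROOT" "$1" ;;
    start|stop|content)
      valid_content_type "$3" || { echo "unknown content type: $3" >&2; return 2; }
      printf '%s/%s/activity/feed/subscriptions/%s?contentType=%s\n' "$API_ROOT" "$1" "$2" "$3" ;;
    *) echo "unknown action: $2" >&2; return 2 ;;
  esac
}

# get_token TENANT CLIENT_ID SECRET_FILE: client-credentials grant. curl reads the secret
# from the file (name@file), keeping it out of argv; the file must not end in a newline.
get_token() {
  curl -sS "https://login.microsoftonline.com/$1/oauth2/v2.0/token" \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode "client_id=$2" \
    --data-urlencode 'scope=https://manage.office.com/.default' \
    --data-urlencode "client_secret@$3"
}

# Read the token response (JSON) on stdin and print its access_token value.
extract_token() {
  sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}
# call_api METHOD URL TOKEN: bearer header goes in on stdin (-H @-, curl 7.55+), not argv.
call_api() {
  printf 'Authorization: Bearer %s\n' "$3" |
    if [ "$1" = POST ]; then curl -sS -H @- --data '' "$2"; else curl -sS -H @- "$2"; fi
}

# Live run only on request: O365_RUN=1 TENANT_ID=... CLIENT_ID=... SECRET_FILE=... sh thisfile
if [ "${O365_RUN:-0}" = 1 ]; then
  token=$(get_token "$TENANT_ID" "$CLIENT_ID" "$SECRET_FILE" | extract_token)
  [ -n "$token" ] || { echo "no access_token in response" >&2; exit 1; }
  for ct in Audit.AzureActiveDirectory Audit.Exchange; do
    call_api POST "$(subscription_url "$TENANT_ID" start "$ct")" "$token"
  done
  call_api GET "$(subscription_url "$TENANT_ID" content Audit.Exchange)" "$token"
fi
```

Swapping `start` for `stop` in the loop discontinues the same subscriptions; a content type outside the list above is rejected before any request is sent.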

Onum Setup

1. Log in to your Onum tenant and click Listeners > New listener.

2. Double-click the Office 365 Listener.

3. Enter a Name for the new Listener. Optionally, add a Description and some Tags to identify the Listener.

4. Enter your Office 365 Azure Tenant ID*. Find this in Azure Active Directory > Overview, or in the Properties pane.

5. Enter the Application (client) ID*, which is needed when accessing Office 365 through APIs or applications. For applications registered in other directories, the Application (Client) ID is located in the application credentials. To find it:

  1. Go to the Azure Portal.

  2. Find Microsoft Entra ID in the left menu.

  3. Click App registrations under the Manage section.

  4. Select the application you registered (or search for it).

  5. Under Essentials, find Application (client) ID.

  6. Click Copy to clipboard to save it.

6. Assign your data a Content Type in the form of reusable columns, document templates, workflows, or behaviors. Click Add element to add the required content types.

These are the available content values:

  • Audit.AzureActiveDirectory

  • Audit.Exchange

  • Audit.SharePoint

  • Audit.General (includes all other workloads not included in the previous content types)

  • DLP.All (DLP events only for all workloads)

For details about the events and properties associated with these content types, see Office 365 Management Activity API schema.

7. The Client Secret (also called Application Secret) is used for authentication in Microsoft Entra ID (formerly Azure AD) when accessing APIs. To get it:

  1. Click App registrations under the Manage section.

  2. Select your registered application.

  3. In the left menu, click Certificates & secrets.

  4. Under Client secrets, check if an existing secret is available. You cannot view it, so you must have it saved somewhere.

  5. If you need a new one, create one and copy the value immediately.

Learn more about secrets in Onum in this article.

8. In Onum, open the Secret field and click New secret to create a new one:

  • Give the secret a Name.

  • Turn off the Expiration date option.

  • Click Add new value and paste the secret corresponding to the JWT token you generated before. Remember that the token will be added in the Microsoft 365 configuration.

  • Click Save.

You can now select the secret you just created in the corresponding field.

9. Choose your Subscription Plan* from the list. Find this in the Microsoft Account Portal under Billing > Your Products.

10. Enter the Polling Interval*, the frequency in minutes at which to fetch events. The minimum value is 1, and the maximum value is 60.

11. Finally, click Create labels. Optionally, you can set labels to be used for internal Onum routing of data. By default, data will be set as Unlabeled. Click Create listener when you're done.

Learn more about labels in this article.

Ports

The Office 365 Listener has two output ports:

  • Default port - Events are sent through this port if no error occurs while processing them.

  • Error port - Events are sent through this port if an error occurs while processing them.
