Overview
Global Administrators of Microsoft 365 can configure their productivity suite to send Office 365 unified audit logs to Blumira for threat detection. Blumira then intelligently analyzes those logs to automatically detect suspected threats, notify you of those threats, and provide you with an actionable response.
Note: Data is collected from the time of a successful integration configuration onward and includes data from up to 7 days prior to the integration.
Before you begin
Verify that your tenant license includes Auditing before continuing with the steps below.
Reference: See the list of licenses that meet this requirement in Auditing solutions in Microsoft Purview. Audit Premium provides the most event data to Blumira.
Before you can add the Microsoft 365 Cloud Connector in Blumira, you must gather three credentials from your Azure Active Directory admin center:
- Application (client) ID
- Directory (tenant) ID
- Client secret value
You can gather these credentials by either running the script provided in Step 5, below, or completing the manual procedure in Manually gathering your credentials.
Enabling auditing and gathering your Microsoft credentials
To enable auditing and quickly gather your credentials for the Blumira Cloud Connector, complete the following steps:
- Verify that you are a Global Admin in Microsoft 365.
Important: If you are not a Global Admin, you will not be able to send logs to Blumira.
- Log in to https://compliance.microsoft.com.
- In the left navigation pane of the compliance portal, click Audit.
- To enable auditing, click Start recording user and admin activity.
Note: It might take up to 60 minutes for the change to take effect.
Reference: See Microsoft's Use the compliance center to turn on auditing for more information.
- To automatically register the application and gather the credentials you need for your Blumira Cloud Connector, run the script below in an elevated PowerShell window. Replace "5aa4588c-xxxx-xxxx-xxxx-xxxxxxxxxx" with your Tenant ID, which you can find in the Azure AD portal, and "domain.com" with your organization's domain.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; . { iwr -useb http://dl.blumira.com/m365_az_setup_app.ps1 }| iex; Blumira-M365-Installer -tenantId 5aa4588c-xxxx-xxxx-xxxx-xxxxxxxxxx -domain "domain.com"
Note: If you are unable to run this script, you can instead complete the steps in Manually gathering your Microsoft credentials, below.
- After the script finishes, copy these values from its output and paste them into Blumira's Add Cloud Connector window:
- Client ID
- Tenant ID
- Client Secret
Manually gathering your Microsoft credentials
If you cannot use the script provided above to automatically register the application and gather your credentials, you can instead complete these manual steps in your Microsoft admin center:
- Ensure that you have completed Steps 1 - 4 above.
- Log in to Microsoft Entra admin center.
- On the left side menu, under Identity, expand Applications.
- Click App Registrations.
- Click Register an application or + New registration.
- Type the name (e.g., Microsoft 365 Audit Logs to Blumira).
- Under Supported Account Types, select Accounts in this organizational directory only, and then click Register.
- Copy and save the Application (client) ID and the Directory (tenant) ID to be used in later steps.
- In the second-to-left panel, click API permissions.
- Click Add a Permission.
- Click Office 365 Management API.
- Click Application Permissions.
- Expand ActivityFeed, and select the check boxes next to ActivityFeed.Read and ActivityFeed.ReadDlp.
- At the bottom, click Add permissions.
- In API permissions, click Microsoft Graph.
- Click Application Permissions.
- In the search box, type User.
- Click User to expand the options and select the check box next to User.Read.All.
- Click Add permissions.
- Important: Click Grant admin consent below Configured permissions.
- In the Status column, confirm that Admin consent was granted (a green check mark appears).
- Click Certificates & secrets.
- Click New client secret.
- In the Description box, type a descriptive name (e.g., Blumira sensor).
- Select any timeframe that you’re comfortable with (up to 24 months), and then click Add.
Tip: Set yourself a reminder to rotate this secret before it expires.
- From the Value column under Client secrets, copy the client secret value to be used in later steps.
Important: Do not copy the “Secret ID,” which is only an object reference to the value and will not allow Blumira to collect logs.
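Whether you gathered the three values with the script in Step 5 or with the manual steps above, you can confirm they work before entering them in Blumira. The script below is an added check, not Blumira's code: it requests app-only tokens with the standard client-credentials flow, reads the granted application permissions from each token, and calls the Office 365 Management Activity API subscription list. The tenant ID placeholder is the page's own; the client ID placeholder is constructed.

```powershell
# Added credential check (not Blumira's script): exercises the three values with the
# client-credentials flow Blumira itself uses. Placeholders below must be replaced.
$TenantId     = "5aa4588c-xxxx-xxxx-xxxx-xxxxxxxxxx"                 # Directory (tenant) ID
$ClientId     = "00000000-0000-0000-0000-000000000000"               # Application (client) ID
$ClientSecret = Read-Host -Prompt "Client secret VALUE (not the Secret ID)"  # keep it out of the file

function Get-AppToken {
    param([string]$Scope)
    $body = @{ client_id = $ClientId; client_secret = $ClientSecret
               scope = $Scope; grant_type = "client_credentials" }
    Invoke-RestMethod -Method Post -Body $body -ErrorAction Stop `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
}

# The 'roles' claim of an app-only token lists the application permissions that were
# actually granted admin consent, so decoding it catches a skipped consent step.
function Get-TokenRoles {
    param([string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    @(($json | ConvertFrom-Json).roles)
}

# 1. Office 365 Management API permissions (ActivityFeed.Read, ActivityFeed.ReadDlp).
$mgmt  = Get-AppToken -Scope "https://manage.office.com/.default"
$roles = Get-TokenRoles $mgmt.access_token
foreach ($r in "ActivityFeed.Read", "ActivityFeed.ReadDlp") {
    if ($roles -contains $r) { "OK       $r" }
    else { "MISSING  $r  (check API permissions and Grant admin consent)" }
}

# 2. Listing audit subscriptions is the call that fails, with an explanatory message,
#    while Unified Audit Logging is still being enabled on the Microsoft side.
try {
    $subs = Invoke-RestMethod -Headers @{ Authorization = "Bearer $($mgmt.access_token)" } `
        -Uri "https://manage.office.com/api/v1.0/$TenantId/activity/feed/subscriptions/list"
    "OK       Management API reachable; $(@($subs).Count) audit subscription(s) active"
} catch {
    "ERROR    Management API call failed: $($_.Exception.Message)"
}

# 3. Microsoft Graph permission (User.Read.All).
$graph = Get-AppToken -Scope "https://graph.microsoft.com/.default"
if ((Get-TokenRoles $graph.access_token) -contains "User.Read.All") { "OK       User.Read.All" }
else { "MISSING  User.Read.All  (check API permissions and Grant admin consent)" }
```

A freshly created secret can take about a minute to become usable, so an authentication failure immediately after creating it is worth retrying before changing anything.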
Configuring the Microsoft 365 Cloud Connector
Note: There can be approximately one minute of latency between when Microsoft generates a Client secret and when it successfully works in an API request. Wait at least one minute after generating the client secret before proceeding with the steps below in Blumira.
Cloud Connectors automate the configuration of your integrations without requiring you to use a sensor. After you obtain your integration's configuration parameters, you can then enable Blumira to collect your logs.
To configure the Blumira Cloud Connector:
- In the Blumira app, navigate to Settings > Cloud Connectors.
- Click + Add Cloud Connector.
- In the Available Cloud Connectors window, click the connector that you want to add.
- If you want to change the name of the connector, type the new name in the Cloud Connector Name box.
- Enter the credentials that you collected in the previous steps.
- Click Connect.
- On the Cloud Connectors screen, under Current Status, you can view the configuration’s progress. When the configuration completes, the status changes to Online (green dot).
Important: If you previously deployed a sensor module for this integration, then you must remove it via the Sensors page (Settings > Sensors) to avoid log duplication.
Note: Sometimes, it can take over 3 hours before Microsoft audit logging (the Start recording user and admin activity step in Enabling auditing and gathering your Microsoft credentials, above) is truly enabled. In these instances, you will see an error in the Cloud Connector in Blumira: "Error: Please make sure that Unified Audit Logging is enabled." If you are certain that auditing has been enabled, it is likely that a system delay in Microsoft is causing the error.
Running a log test with Microsoft 365
Check to see that Blumira is successfully receiving your Microsoft 365 logs by running a simple test: create a new rule in Outlook 365. Whenever a new Outlook rule is created, Blumira will generate a new finding in your account and trigger an alert.
Follow these steps to run a test:
- Log in to Microsoft 365.
- Navigate to Outlook 365.
- Click Settings in the left sidebar.
- Click Add New Rule.
- Create a new rule and call it something like "Test Blumira."
- Refresh your Blumira Summary Dashboard.
- Locate and work the finding.