Integrating with Microsoft 365

Overview

Global Administrators of Microsoft 365, including those with tenancy in Government Community Cloud (GCC) High environments, can configure their productivity suite to send Office 365 Unified Audit logs to Blumira for threat detection. Blumira then intelligently analyzes those logs to automatically detect suspected threats, notify you of those threats, and provide you with an actionable response.

The Microsoft 365 Cloud Connector in Blumira collects Unified Audit logs, including logs from Microsoft Defender for Office 365 if your Microsoft license includes that service. Collection starts at the time of a successful configuration and may include data from up to 7 days before the setup date.

Note: Because Microsoft refreshes the back-end Microsoft 365 service daily, the logs that Blumira collects can include delayed or replayed events from 5-8 days before the current date.

Before you begin

Before continuing with the configuration, verify that you meet the following requirements:

  • The Microsoft tenant has an active Microsoft license that includes Audit Standard or Audit Premium. In general, this is a license for Microsoft Business Basic or higher, or Office 365 E1 or higher.
    Tip: You can verify licensing and subscriptions from the Microsoft Admin Center and then refer to this feature matrix to see if Audit is included. Audit Premium provides the most event data with higher bandwidth access to the data.
  • You have Global Administrator permissions in Microsoft 365.
  • You have the Administrator role in Blumira.

To successfully configure the Microsoft 365 Cloud Connector integration, you will complete the following:

  1. Verify that audit logging is enabled in Microsoft.
    Note: Audit must be enabled and actively logging before you continue, or you will see failures in the Cloud Connector configuration.
  2. Create and gather the required app integration credentials from Microsoft.
  3. Configure the Blumira Cloud Connector.

Verifying that audit logging is enabled in Microsoft

Before making any changes in Blumira, you must verify that audit logs (user and admin activity) are being generated in your Microsoft tenant and are ready to send to Blumira. To verify the status of logging, complete the following steps:

  1. Go here to verify that Unified Audit Logging is enabled for the Microsoft tenant.
  2. If it is off, turn on auditing. The "Start recording user and admin activity" button that you must click is a large blue banner across the top of the page.


Important: After you enable auditing, the change can take 60 minutes to take effect, and it can then take up to 72 hours before logs can be retrieved. Audit logs must be searchable before the integration can be configured. Blumira continues to show an error while the audit change is processing and while the audit log search options in Microsoft are still inactive.

Gathering your Microsoft credentials

To register the application and gather your credentials for configuring the Blumira Cloud Connector, complete these steps:

  1. Log in to Blumira and navigate to Settings > Cloud Connectors > Add Cloud Connector > Microsoft 365. Keep this window open for later steps.
  2. In a new browser window, log in to Microsoft Entra admin center as a Global Admin.
  3. On the left side menu, under Identity, expand Applications.
  4. Click App Registrations.
  5. Click Register an application or + New registration.
  6. Type a name for the app integration (e.g., Microsoft 365 Audit Logs to Blumira).
  7. Under Supported Account Types, select Accounts in this organizational directory only, and then click Register.
  8. Under Essentials, copy and paste the Application (client) ID and the Directory (tenant) ID into the Blumira Cloud Connector window.
  9. In the navigation pane for the app registration in Entra, click API permissions.
  10. Click Add a Permission.
  11. Click Office 365 Management API.
  12. Grant both the Application Permissions and the Delegated Permissions for the API by doing the following:
    • At the top of the window, click Application Permissions, and then expand ActivityFeed, and select the check boxes next to these permissions:
      • ActivityFeed.Read
      • ActivityFeed.ReadDlp
      • ServiceHealth.Read
    • At the top of the window, click Delegated Permissions, and then expand ActivityFeed, and select the check boxes next to these permissions:
      • ActivityFeed.Read
      • ActivityFeed.ReadDlp
      • ServiceHealth.Read
  13. At the bottom of the window, click Add permissions. Make sure that all three permissions (ActivityFeed.Read, ActivityFeed.ReadDlp, and ServiceHealth.Read) are selected under both Application Permissions and Delegated Permissions.
  14. In API permissions, click Microsoft Graph.
  15. Click Application Permissions.
  16. In the search box, type User.
  17. Click User to expand the options and select the check box next to User.Read.All.
  18. Click Add permissions.
  19. Under "Configured permissions," click Grant admin consent.
  20. In the confirmation window that appears, click Yes.
  21. Verify that the Status shows consent was successfully granted (a green check mark appears in the column).
  22. Click Certificates & secrets.
  23. Click New client secret.
  24. In the Description box, type a descriptive name (e.g., Blumira sensor).
  25. Next to Expires, select an expiration timeframe of up to 24 months for this client secret.
    Important: The integration fails when the client secret expires, so set a reminder to rotate it in Microsoft and update it in Blumira before the chosen expiration date.
  26. Click Add.
  27. Under Client secrets, copy the client secret value and paste it into the Blumira Cloud Connector window.
    Important: Do not copy the “Secret ID,” which is only an object reference to the value and will not allow Blumira to collect logs.
  28. If the data from Microsoft 365 is hosted in the GCC High environment, click the check box next to My version of M365 is GCC High.
  29. Click Connect.
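Before you paste the values into Blumira, it is worth confirming on your own that the registration actually works: that the secret value (not the Secret ID) and the admin consent are accepted, that the Office 365 Management API permission is effective, and that the GCC High versus commercial endpoint choice is right. The script below is an added example, not Blumira's or Microsoft's code. It takes the tenant ID, client ID and client secret value gathered above from environment variables (the `<...>` defaults are placeholders), obtains a token with the client-credentials flow, and lists the Office 365 Management Activity API subscriptions for the tenant. The hostnames for the commercial and GCC High clouds are the public Microsoft ones; the assumption that a fresh registration returns an empty subscription list (Blumira starts the subscriptions itself) is mine. It serves both the "Verifying that audit logging is enabled" section and the credential-gathering steps above.

```python
"""Pre-flight check for a Microsoft 365 audit-log app registration.

Added example (not Blumira's or Microsoft's code). Obtains a token with the
client-credentials flow and lists Office 365 Management Activity API
subscriptions, so a bad secret, missing consent or wrong cloud endpoint is
caught before the Cloud Connector is configured.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Placeholders (constructed); set the environment variables for a real run.
TENANT_ID = os.environ.get("M365_TENANT_ID", "<tenant-id>")
CLIENT_ID = os.environ.get("M365_CLIENT_ID", "<client-id>")
CLIENT_SECRET = os.environ.get("M365_CLIENT_SECRET", "<client-secret-value>")

# Content types the Activity API can deliver for a tenant.
AUDIT_CONTENT_TYPES = (
    "Audit.AzureActiveDirectory",
    "Audit.Exchange",
    "Audit.SharePoint",
    "Audit.General",
    "DLP.All",
)


def endpoints_for(gcc_high: bool) -> dict:
    """Return the login authority and Management API base for the tenant's cloud.

    Commercial and GCC High tenants use different hosts; this mirrors the
    "My version of M365 is GCC High" check box in the connector setup.
    """
    if gcc_high:
        return {"authority": "https://login.microsoftonline.us",
                "api": "https://manage.office365.us"}
    return {"authority": "https://login.microsoftonline.com",
            "api": "https://manage.office.com"}


def build_token_request(tenant_id, client_id, client_secret, gcc_high=False):
    """Build the client-credentials token request as (url, form_body).

    The secret sent here must be the client secret *value*; the Secret ID is
    only an object reference and is rejected by the token endpoint.
    """
    ep = endpoints_for(gcc_high)
    url = f"{ep['authority']}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{ep['api']}/.default",
    })
    return url, body


def summarize_subscriptions(subscriptions):
    """Map each audit content type to whether its subscription is enabled.

    `subscriptions` is the JSON list from .../activity/feed/subscriptions/list.
    A content type with no subscription entry at all is reported as False.
    """
    status = {ct: False for ct in AUDIT_CONTENT_TYPES}
    for sub in subscriptions:
        ct = sub.get("contentType")
        if ct in status:
            status[ct] = str(sub.get("status", "")).lower() == "enabled"
    return status


def _get_json(req):
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def check_tenant(tenant_id, client_id, client_secret, gcc_high=False):
    """Obtain a token, list subscriptions and return per-content-type status."""
    url, body = build_token_request(tenant_id, client_id, client_secret, gcc_high)
    token = _get_json(urllib.request.Request(url, data=body.encode(), method="POST"))
    api = endpoints_for(gcc_high)["api"]
    list_url = f"{api}/api/v1.0/{tenant_id}/activity/feed/subscriptions/list"
    subs = _get_json(urllib.request.Request(
        list_url, headers={"Authorization": f"Bearer {token['access_token']}"}))
    return summarize_subscriptions(subs)


if __name__ == "__main__":
    gcc = "--gcc-high" in sys.argv
    try:
        for ct, on in check_tenant(TENANT_ID, CLIENT_ID, CLIENT_SECRET, gcc).items():
            print(f"{ct:28s} {'enabled' if on else 'not enabled'}")
    except urllib.error.HTTPError as exc:
        # 401 from the token endpoint usually means a wrong or expired secret;
        # 401/403 from the API usually means consent or permission is missing.
        print(f"Request failed: HTTP {exc.code} {exc.read().decode(errors='replace')}")
```

Run it as `M365_TENANT_ID=... M365_CLIENT_ID=... M365_CLIENT_SECRET=... python check_m365.py` (add `--gcc-high` for a GCC High tenant). A clean run that prints every content type as "not enabled" is the expected state for a registration that Blumira has not yet connected; a token failure or an API error is what you want to see before, not after, clicking Connect. Using only the standard library keeps the check free of third-party dependencies, and reading the secret from the environment keeps it out of shell history and source control.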

Configuring the Microsoft 365 Cloud Connector

Note: There can be approximately one minute of latency between when Microsoft generates a client secret and when it successfully works in an API request. Wait at least one minute after generating the client secret before proceeding with the steps below in Blumira.

Cloud Connectors automate the configuration of your integrations without requiring you to use a sensor. After you obtain your integration's configuration parameters, you can then enable Blumira to collect your logs.

To configure the Blumira Cloud Connector:

  1. In the Blumira app, navigate to Settings > Cloud Connectors.
  2. Click + Add Cloud Connector.
  3. In the Available Cloud Connectors window, click the connector you want to add.
  4. In the Cloud Connector Name box, type a name to help identify the specific integration. 
  5. Enter the credentials that you collected in the previous steps.
  6. Click Connect.

Important: If your logs are in the Government Community Cloud High environment, you must click the check box next to "My version of M365 is GCC High" to ensure the correct API endpoint is used for logging. Do not check this box if your tenant is not hosted in the government cloud.


Verifying the integration is successful

In the Cloud Connectors table, under Current Status, you can view the configuration’s progress. A green dot appears when the integration is successful and indicates the connector is online and logging.

Note: It can take more than 3 hours before Microsoft audit logging is fully functional. During that time the Cloud Connector in Blumira shows the error "Error: Please make sure that Unified Audit Logging is enabled." If you are certain that auditing has been enabled, a processing delay on the Microsoft side is the likely cause.


Testing detections

After your Cloud Connector is configured, wait at least 15 minutes for detection rules to automatically be deployed to your account, then use our testing procedures to trigger test detections that you can resolve in the app. See Testing Microsoft 365 detections for steps.