Before you begin
Verify that your tenant license includes Auditing before continuing with the steps below. Note: Advanced Audit provides the most event data to Blumira and is recommended.
See the list of licenses that meet this requirement in Auditing solutions in Microsoft 365: Licensing Requirements.
Also, before you can add the Microsoft 365 Cloud Connector in Blumira, you must gather three credentials from your Azure Active Directory admin center:
- Application (client) ID
- Directory (tenant) ID
- Client secret value
Complete the following steps in Azure Active Directory to gather the required credentials:
- Confirm that you are a Global Admin in Microsoft 365.
Important: If you are not a Global Admin, you will not be able to send logs to Blumira.
- Enable auditing for your organization in your Microsoft 365 compliance settings by completing these steps:
- Log in to https://compliance.microsoft.com.
- In the left navigation pane of the compliance portal, click Audit.
- Click Start recording user and admin activity.
Note: It might take up to 60 minutes for the change to take effect.
Reference: See Microsoft’s Use the compliance center to turn on auditing for more information.
- Log in to https://aad.portal.azure.com.
- Click Azure Active Directory.
- Navigate to Manage > App registrations.
- Click Register an application or + New registration.
- Type the name (e.g., Microsoft 365 Audit Logs to Blumira).
- Under Supported Account Types, select Accounts in this organizational directory only, and then click Register.
- Copy and save the Application (client) ID and the Directory (tenant) ID to be used in later steps.
- In the second-to-left panel, click API permissions.
- Click Add a Permission.
- Click Office 365 Management API.
- Click Application Permissions.
- Expand ActivityFeed, and select the check boxes next to ActivityFeed.Read and ActivityFeed.ReadDlp.
- At the bottom, click Add permissions.
Important: Click Grant admin consent.
- In the Status column, confirm that Admin consent was granted (a green check mark appears).
- Click Certificates & secrets.
- Click New client secret.
- In the Description box, type a descriptive name (e.g., Blumira sensor).
- Select any timeframe that you’re comfortable with (up to 24 months), and then click Add.
Tip: Ensure that you set yourself a reminder to update this when it expires.
- Document the client secret value to be used in later steps.
Important: Do not copy the “Secret ID,” which is only an object reference to the value and will not allow Blumira to collect logs.
- Wait at least one minute after generating the client secret before proceeding with the steps below in Blumira.
Note: There can be approximately one minute of latency between when Microsoft generates a Client secret and when it successfully works in an API request.
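A preflight check for the three values gathered above, as an added example (not Blumira's or Microsoft's code). It assumes that a Secret ID is GUID-shaped, that granted application permissions appear in the roles claim of an app-only access token, and that the token comes from the standard client-credentials request for https://manage.office.com; the function names and sample values are constructed.

```python
import base64, json, re, urllib.parse, urllib.request

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
REQUIRED_ROLES = {"ActivityFeed.Read", "ActivityFeed.ReadDlp"}

def check_credentials(client_id, tenant_id, client_secret):
    """Return a list of problems with the three values copied from the portal."""
    problems = []
    if not GUID.match(client_id.strip()):
        problems.append("Application (client) ID is not a GUID")
    if not GUID.match(tenant_id.strip()):
        problems.append("Directory (tenant) ID is not a GUID")
    if not client_secret.strip():
        problems.append("Client secret value is empty")
    elif GUID.match(client_secret.strip()):
        problems.append("Client secret is GUID-shaped: likely the Secret ID, not the value")
    return problems

def fetch_token(tenant_id, client_id, client_secret):
    """Client-credentials request for a Management API token (needs network)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://manage.office.com/.default"}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def missing_permissions(access_token):
    """Decode the JWT payload (no signature check) and diff its roles claim."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return REQUIRED_ROLES - set(claims.get("roles", []))

def sample_token(roles):
    """Constructed, unsigned token used only to exercise missing_permissions()."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none"})}.{enc({"roles": roles})}.sig'

if __name__ == "__main__":
    # Constructed sample values, not real identifiers or secrets.
    cid = "11111111-2222-3333-4444-555555555555"
    tid = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    print(check_credentials(cid, tid, "99999999-8888-7777-6666-555555555555"))
    print(missing_permissions(sample_token(["ActivityFeed.Read"])))
```

When running this against a real tenant, supply the client secret from an environment variable or secret store rather than a command-line argument, and do not log the returned token.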
Integrating with Microsoft 365 using a Cloud Connector
Cloud Connectors automate the configuration of your integrations without requiring you to use a sensor. After you obtain your integration’s configuration parameters, you can then enable Blumira to collect your logs.
To configure your integration with Blumira Cloud Connector:
- In the Blumira app, go to the Cloud Connectors page (Settings > Cloud Connectors).
- Click + Add Cloud Connector.
- In the Available Cloud Connectors window, click the connector that you want to add.
- If you want to change the name of the Cloud Connector, type the new name in the Cloud Connector Name box.
- Enter the API credentials that you collected in the “Before you begin” section above.
- Click Connect.
- On the Cloud Connectors screen, under Current Status, you can view the configuration’s progress. When the configuration completes, the status changes to Online (green dot).
Important: If you previously deployed a Module for this integration, then you must remove it via the Sensors page (Settings > Sensors) to avoid log duplication.
Note: Sometimes, it can take over 3 hours before Microsoft audit logging (Step 2 of the “Before you begin” section above) is truly enabled. In these instances, you will see an error in the Cloud Connector in Blumira: “Error: Please make sure that Unified Audit Logging is enabled.” If you are certain that auditing has been enabled, it is likely that a system delay in Microsoft is causing the error.