Microsoft Office 365

When connected with InsightIDR, Microsoft Office 365 data provides information about user services, locations, and authentications. For detailed information about the specific data collected, you can read Microsoft's documentation here: https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c?ui=en-US&rs=en-US&ad=US#PickTab=Activities.

Before You Begin

In order to set up the Microsoft Office 365 event source, you'll need to do the following:

You can only configure a single Office 365 event source per 0365 tenant ID

However, you can configure multiple event sources of this type.

How to Configure This Event Source

To configure Microsoft 365 and InsightIDR:

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Cloud Service icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Optionally choose to send unfiltered logs.
  6. Click the "Begin" button to start the OAUTH authorization process.
  7. A new window or tab will open for you to perform an authorization grant with Microsoft.
  8. Login to Microsoft and click Allow.

Make sure to enable popups in order to authenticate Office365.

  1. Log in with your global admin credentials.
  1. Press Accept on the consent screen to grant InsightIDR the required permissions. A success message will appear.
  1. Close this tab and return to InsightIDR. It may take a minute or two for the connection to register. During this time, you will see a waiting screen.
  1. When the connection is registered, a green check will appear. Click Save to finish setting up the Office 365 event source.

Once the registration is complete, you will see the Office 365 logo in the bottom-left Cloud Services panel of the InsightIDR dashboard.

  1. On your homepage, click on the Cloud Service card and select Office 365. Ingress activity will appear.
  1. To view Microsoft Admin activity, go to Users & Accounts > Admin Accounts > Admin Activity and select Office 365 Admin Activity. You will see information and activity such as the following:
  • Add user
  • Edit user
  • Delete user
  • Update group
  • Reset user password
  • Change user password
  • GroupAdded
  • GroupRemoved
  • SitePermissionsModified
  • SiteCollectionAdminAdded

You can also see this activity on the User Details page of the Office 365 Admin.

Read more about Admin Accounts and activity.

You will not see Ingress Activity if Using ADFS

If you use Microsoft ADFS to log into Office 365, this unfortunately jumps through international proxy servers, such as Akamai, which prevents InsightIDR from seeing the true source IP of the login. Therefore, ingress activity for Office 365 will not be available on the locations map.

Troubleshooting

Enable Popups

Some of the above steps require a second window or tab to load during the process. If you do not enable popups, you will not be able to complete the authentication process.

Login Error Page

If you are logged in with a Microsoft account without admin credentials during setup, you will be presented with the following error page:

However, if you have access to an admin account, select the link that says “Have an admin account? Sign in with that account.” Select the option to "Use Another Account" and continue the sign in process.

Debugging Tips

If you need to debug O365, you can do so in the Azure Admin console.

To review the state of the O365 connection in the Azure Admin Console:

  1. From the Azure Dashboard, go to Enterprise Applications on the left menu.
  1. Select or Search for the “InsightIDR Connector."
  2. Click InsightIDR Connection to open the application page.
  1. From the application page, select Permissions on the left menu. From here you can check audit logs and confirm that it has the appropriate permissions.