When connected with InsightOps, Microsoft Office 365 data provides information about user services, locations, and authentications. For detailed information about the specific data collected, you can read Microsoft's documentation here.
Before You Begin
In order to set up the Microsoft Office 365 event source, you'll need to do the following:
- Configure the collector to reach https://manage.office.com in order to connect to the Office365 Cloud
- Microsoft Office365 Tenant ID
- Microsoft Office Global Administrator account
You can only configure a single Office 365 event source per 0365 tenant ID
However, you can configure multiple event sources of this type.
Configure Microsoft Office365
- Select Data Collection on the left hand menu
- At the top right of the page, select Add Data
- Select the Cloud Service icon from the Security Data section
- Select your collector, and from the list of event source options, choose Office 365
- Optionally choose to send unfiltered logs
- Click "Begin" to start the OAUTH authorization process.
- A new window or tab will open for you to perform an authorization grant with Microsoft
- Log in with your global admin credentials if you haven't already
- Press Accept on the consent screen to grant InsightOps the required permissions.
- You should see a Success confirmation message. Close this tab and return to InsightOps.
It may take a minute or two for the connection to register. During this time, you will see a waiting screen.
When the connection is registered, a green check will appear. Click Save in the Event Source configuration page to finish setting up the Office 365 event source.
Once the registration is complete, you will see the Office 365 logo in the bottom-left Cloud Services panel of the InsightOps dashboard.
Warning: If you use Microsoft ADFS to log into Office 365, this unfortunately jumps through international proxy servers, such as Akamai, which prevents InsightOps from seeing the true source IP of the login. Therefore, ingress activity for Office 365 will not be available on the locations map.
Login Error Page
If you are logged in with a Microsoft account without admin credentials during setup, you will be presented with the following error page:
However, if you have access to an admin account, select the link that says “Have an admin account? Sign in with that account.” Select the option to "Use Another Account" and continue the sign in process.
You can review the state of the O365 connection in the Azure Admin Console.
- From the Azure Dashboard, go to “Enterprise Applications."
- Select or Search for the “InsightOps Connector."
- From the application page, you can check audit logs and confirm that it has the appropriate permissions