Connect data from Office 365 Logs

You can stream audit logs from Office 365 into Azure Sentinel with a single click. You can stream audit logs from multiple tenants to a single workspace in Azure Sentinel. The Office 365 activity log connector provides insight into ongoing user activities. You will get information about various user, admin, system, and policy actions and events from Office 365. By connecting Office 365 logs into Azure Sentinel you can use this data to view dashboards, create custom alerts, and improve your investigation process.

Important

If you have an E3 license, before you can access data through the Office 365 Management Activity API, you must enable unified audit logging for your Office 365 organization. You do this by turning on the Office 365 audit log. For instructions, see Turn Office 365 audit log search on or off. See Office 365 management Activity API reference, for more information.

Prerequisites

  • You must be a global administrator or security administrator on your tenant
  • On your computer, from which you logged into Azure Sentinel to create the connection, make sure that port 4433 is open to web traffic. This port can be closed again after the connection is successfully made.
  • If your tenant does not have an Office 365 E3 or Office 365 E5 license, you must enable unified auditing on your tenant using one of these processes:

Connect to Office 365

  1. In Azure Sentinel, select Data connectors and then click the Office 365 tile.

  2. If you have not already enabled it, under Connection use the Enable button to enable the Office 365 solution. If it was already enabled, it will be identified in the connection screen as already enabled.

  3. Office 365 enables you to stream data from multiple tenants to Azure Sentinel. For each tenant you want to connect to, add the tenant under Connect tenants to Azure Sentinel.

  4. An Active Directory screen opens. You are prompted to authenticate with a global admin user on each tenant you want to connect to Azure Sentinel, and provide permissions to Azure Sentinel to read its logs.

  5. Under Stream Office 365 activity logs, click Select to choose which log types you want to stream to Azure Sentinel. Currently, Azure Sentinel supports Exchange and SharePoint.

  6. Click Apply changes.

  7. To use the relevant schema in Log Analytics for the Office 365 logs, search for OfficeActivity.

Next steps

In this document, you learned how to connect Office 365 to Azure Sentinel. To learn more about Azure Sentinel, see the following articles: