Connect data from Office 365 Logs

You can stream audit logs from Office 365 into Azure Sentinel with a single click. You can stream audit logs from your Office 365 into your Azure Sentinel workspace on the same tenant. The Office 365 activity log connector provides insight into ongoing user activities. You will get information about various user, admin, system, and policy actions and events from Office 365. By connecting Office 365 logs into Azure Sentinel you can use this data to view dashboards, create custom alerts, and improve your investigation process.

Important

If you have an E3 license, before you can access data through the Office 365 Management Activity API, you must enable unified audit logging for your Office 365 organization. You do this by turning on the Office 365 audit log. For instructions, see Turn Office 365 audit log search on or off. See Office 365 management Activity API reference, for more information.

Prerequisites

Connect to Office 365

  1. In Azure Sentinel, select Data connectors and then click the Office 365 tile.

  2. If you have not already enabled it, you can do so by going to Data Connectors blade and selecting Office 365 connector. Here you can click the Open Connector Page and under configuration section labeled Configuration select all the Office 365 activity logs you want to connect to Azure Sentinel.

    Note

    If you already connected multiple tenants in a previously supported version of the Office 365 connector in Azure Sentinel, you will be able to view and modify which logs you collect from each tenant. You will not be able to add additional tenants, but you can remove previously added tenants.

  3. To use the relevant schema in Log Analytics for the Office 365 logs, search for OfficeActivity.

Next steps

In this document, you learned how to connect Office 365 to Azure Sentinel. To learn more about Azure Sentinel, see the following articles: