Microsoft 365 audit logs

API

You can add Microsoft 365 audit log data to the Data Lake. This lets you query Microsoft Graph data with Sophos Live Discover.

Prerequisites

You must be a Microsoft 365 administrator.

You must have auditing turned on in Microsoft 365. If you don't, you're prompted to turn it on during setup.

In the properties for your Microsoft Office 365 Management APIs you must have Enabled for users to sign-in? set to Yes. To check and change this, see Manage Microsoft Office 365 APIs.

Configure an integration

To integrate Microsoft 365 data with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  2. Click Microsoft - Office 365 Management Activity API.

    The Microsoft - Office 365 Management Activity API page opens. You can configure integrations here and see a list of any you've already configured.

  3. In Data Ingest (Security Alerts), click Add Configuration.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

  4. In Integration steps, if Microsoft 365 auditing isn't already turned on, you can click Turn on Microsoft 365 auditing.

    This takes you to Microsoft 365. Turn on auditing, then return to Sophos Central. See Turn auditing on or off.

    You may be asked to authenticate by Microsoft to turn on auditing.

    Note

    It can take up to 12 hours for Microsoft 365 audit log data to appear after you have turned on auditing.

  5. Click Save and continue.

  6. Read the text in Connect to Microsoft 365 then click Proceed.

    You are connected to Microsoft 365 to create an application which integrates with Sophos Central.

  7. Enter or select your Microsoft account and sign in.

  8. You're prompted to give permissions to an app. These permissions let us create a Microsoft app to integrate with Sophos Central. Click Accept.

    You might be asked to authorize again, depending on your Microsoft 365 environment.

    The connection might take a few minutes.

  9. You see confirmation that the app is set up. Click Close.

In Sophos Central, in Integrations > Microsoft - Office 365 Management Activity you see the new integration.

In Live Discover > Query, a new category Microsoft 365 audit data appears. You can run the queries in this category on your Microsoft 365 data.

Manage Microsoft Office 365 APIs

In the properties for this API you must have Enabled for users to sign-in? set to Yes. To check and change this, do as follows.

  1. In your Microsoft Azure Portal, go to Azure Active Directory > Enterprise Applications > All applications.
  2. In All Applications, filter by Application type == Microsoft Applications.

  3. Click Office 365 Management APIs.

  4. In Office 365 Management APIs | Properties, set Enabled for users to sign-in? to Yes.

  5. Click Save.
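
The two Microsoft 365 prerequisites (auditing turned on, and Enabled for users to sign-in? set to Yes for Office 365 Management APIs) can also be checked from PowerShell before you start the integration. The following is an added example, not Sophos or Microsoft code: it assumes the ExchangeOnlineManagement and Microsoft.Graph.Applications modules are installed, and Test-M365AuditPrerequisite is a hypothetical helper name.

```powershell
# Added example: read-only check of the two Microsoft 365 prerequisites.
# Assumption: ExchangeOnlineManagement and Microsoft.Graph.Applications are installed.
# Test-M365AuditPrerequisite is a hypothetical helper name, not a Sophos or Microsoft cmdlet.
function Test-M365AuditPrerequisite {
    [CmdletBinding()]
    param(
        # Display name of the enterprise application, as shown in the portal
        [string]$AppDisplayName = 'Office 365 Management APIs'
    )

    # Prerequisite 1: unified audit log ingestion.
    # Query this over Exchange Online PowerShell; in Security & Compliance
    # PowerShell the property always reads False.
    $auditOn = [bool](Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

    # Prerequisite 2: "Enabled for users to sign-in?" is the accountEnabled
    # property of the application's service principal.
    $sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'" `
            -Property Id, AppId, DisplayName, AccountEnabled)

    $signInOn = $false
    $detail   = "Service principal '$AppDisplayName' not found"
    if ($sp.Count -eq 1) {
        $signInOn = [bool]$sp[0].AccountEnabled
        $detail   = "AppId $($sp[0].AppId)"
    } elseif ($sp.Count -gt 1) {
        # More than one match is unexpected; do not guess which one is meant.
        $detail = "$($sp.Count) service principals match; check them in the portal"
    }

    [pscustomobject]@{
        AuditingTurnedOn    = $auditOn
        SignInEnabled       = $signInOn
        ServicePrincipal    = $detail
        ReadyForIntegration = ($auditOn -and $signInOn)
    }
}

# Sign in to both services with read-only access, then run the check.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'Application.Read.All'
Test-M365AuditPrerequisite | Format-List
```

The check changes nothing in the tenant. If ReadyForIntegration is False, correct the failing setting using the steps on this page.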