Microsoft 365 Integration

This guide walks you through enabling Microsoft 365 API access in ThreatDefence SIEM.

Requirements:

  • Access to Microsoft 365 services (Microsoft 365 Compliance Center, Azure Active Directory)

  • Any O365 licensing tier is supported.


Step 1: Enable Auditing in Microsoft 365

To enable auditing, follow standard procedures to turn auditing on or off.


Step 2: Register an Application in Entra ID

  1. Download ThreatDefence's Entra ID integration certificate using the Download Certificate link.

  2. Sign in to the Entra ID portal.

  3. Navigate to Microsoft Entra ID.

  4. Select App registrations and click New registration.

  5. Fill in the required information and click Register.

  6. Make note of the Application (client) ID and Directory (tenant) ID for later use.

  7. Navigate to Certificates & secrets.

  8. Click Upload Certificate.

  9. Upload the certificate downloaded in step 1 and press Add.


Step 3: Grant API Permissions

  1. After registering the application and uploading the certificate, grant permissions to access the Office 365 Management APIs.

  2. Navigate to API permissions and select Office 365 Management APIs.

  3. Select Application permissions and enable the following:

       • ActivityFeed.Read
       • ActivityFeed.ReadDlp

  4. Click Grant admin consent and confirm.
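
One way to confirm the result of Steps 2 and 3 is to inspect the claims of an access token issued to the registered app for the Office 365 Management APIs. The following is an added example, not ThreatDefence's or Microsoft's code: it checks that the token matches the recorded tenant and client IDs and carries exactly the two ActivityFeed roles. The function names, the sample token and the all-zero IDs are constructed for illustration, and how the token is obtained is outside the example.

```python
import base64
import json

# Permissions the guide grants in Step 3; anything else is excess privilege.
EXPECTED_ROLES = {"ActivityFeed.Read", "ActivityFeed.ReadDlp"}
# Audience of tokens issued for the Office 365 Management APIs.
EXPECTED_AUDIENCE = "https://manage.office.com"


def decode_claims(token: str) -> dict:
    """Return the JWT payload. The signature is NOT verified: diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token: str, tenant_id: str, client_id: str) -> list[str]:
    """Compare token claims with the app registration; return a list of findings."""
    claims = decode_claims(token)
    findings = []
    if claims.get("aud") != EXPECTED_AUDIENCE:
        findings.append(f"unexpected audience: {claims.get('aud')!r}")
    if claims.get("tid") != tenant_id:
        findings.append("tid does not match the Directory (tenant) ID")
    # v1.0 tokens carry the client ID in 'appid', v2.0 tokens in 'azp'.
    if client_id not in (claims.get("appid"), claims.get("azp")):
        findings.append("token was not issued to the Application (client) ID")
    roles = set(claims.get("roles", []))
    for role in sorted(EXPECTED_ROLES - roles):
        findings.append(f"missing role {role}: admin consent not granted?")
    for role in sorted(roles - EXPECTED_ROLES):
        findings.append(f"excess role {role}: remove for least privilege")
    return findings


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for demonstration only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample values, not real identifiers.
TENANT = "00000000-0000-0000-0000-000000000001"
CLIENT = "00000000-0000-0000-0000-000000000002"
SAMPLE = make_sample_token({"aud": EXPECTED_AUDIENCE, "tid": TENANT, "appid": CLIENT,
                            "roles": ["ActivityFeed.Read", "ServiceHealth.Read"]})
print("\n".join(audit_token(SAMPLE, TENANT, CLIENT)))
```

An empty findings list means the token matches the registration and carries only the two permissions listed in this step.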


Step 4: Configure ThreatDefence SIEM

  1. Log in to the ThreatDefence SIEM Portal.

  2. Go to Deployments > Integrations.

  3. Click Add and select Microsoft 365.


Step 5: Add Microsoft Graph Integration

For advanced security auditing, Defender event ingestion, and user isolation features, complete the Microsoft Graph API Integration.

