Logmanager documentation

Office 365

To receive logs from the Microsoft cloud, it is necessary to open a TCP port that is reachable from the whole Internet (Microsoft does not publish defined ranges of IP networks from which it sends logs).

For this purpose TCP port 8443 is prepared in Logmanager. On this port only the application that receives O365 events is listening and nothing else is accessible, so there is no risk in exposing this port to the public Internet.

Port 8443 on Logmanager can be published to the Internet through your firewall on any available port of your choosing. The service on this port only accepts requests at the endpoint /wh/o365/, and only the HTTP GET and POST methods; it returns HTTP error status code 400 for any other request.

The O365 service is not started automatically until the configuration of the application in the MS cloud is set and stored according to the document below.
Authorization Flow

How log collection from O365 works:

  1. Microsoft sends a notification to Logmanager on port 8443 with the IDs of audit events. If Logmanager is not available at that time, Microsoft automatically retries sending this information later.
  2. Logmanager takes the received IDs of audit events and downloads them from Microsoft. If the Microsoft site is not available, it automatically retries later.
  3. Logmanager automatically renews API tokens every month.

For a functioning collection of audit events it is necessary that Logmanager has unrestricted access on port 443 to the entire Internet! Microsoft unfortunately does not define any static IP pools at which events/API tokens may be placed.
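The receiving side of this flow, as an added example that is not Logmanager's own code: the request filter described above (only GET/POST on /wh/o365/, 400 for everything else), the webhook handshake and the extraction of content URIs to download. It assumes Microsoft sends the subscription authId in a Webhook-AuthID header on every request and uses the field names of the Office 365 Management Activity API webhook notifications; the sample notification is constructed.

```python
import json

WEBHOOK_PATH = "/wh/o365/"                    # the only endpoint served on port 8443
EXPECTED_AUTH_ID = "o365_logmanager_H4SB13"   # authId shown in the registration output
API_PREFIX = "https://manage.office.com/api/v1.0/"

def route(path, method):
    """Status answered before any parsing: only GET/POST on /wh/o365/ pass,
    everything else is refused with 400, so a scan of the forwarded port
    learns nothing about the host behind it."""
    if path != WEBHOOK_PATH or method not in ("GET", "POST"):
        return 400
    return 200

def handle_post(headers, body, expected_auth_id=EXPECTED_AUTH_ID):
    """Process one webhook POST. Returns (status, content_uris): the status to
    answer with and the contentUri values to download in step 2 of the flow."""
    # Microsoft echoes the authId supplied at subscription time in the
    # Webhook-AuthID header (assumed present on every request); header names
    # are matched case-insensitively.
    got = {k.lower(): v for k, v in headers.items()}.get("webhook-authid")
    if got != expected_auth_id:
        return 400, []
    try:
        data = json.loads(body)
    except ValueError:
        return 400, []
    # Subscription-time validation handshake: a single object carrying
    # validationCode, which only has to be acknowledged with 200.
    if isinstance(data, dict) and "validationCode" in data:
        return 200, []
    if not isinstance(data, list):
        return 400, []
    uris = []
    for item in data:
        uri = item.get("contentUri", "") if isinstance(item, dict) else ""
        # Download only content hosted on the Microsoft API, never an arbitrary
        # URL that a forged notification could point at.
        if uri.startswith(API_PREFIX):
            uris.append(uri)
    return 200, uris

# Constructed sample notification batch: one genuine entry and one forged URI.
SAMPLE_URI = API_PREFIX + "6a98b5da-7b3c-4486-bb0b-66a048c6da62/activity/feed/audit/CONSTRUCTED-ID"
SAMPLE_BODY = json.dumps([
    {"tenantId": "6a98b5da-7b3c-4486-bb0b-66a048c6da62", "contentType": "Audit.Exchange",
     "contentId": "CONSTRUCTED-ID", "contentUri": SAMPLE_URI},
    {"contentType": "Audit.General", "contentUri": "https://not-microsoft.example/forged"},
])
SAMPLE_HEADERS = {"Webhook-AuthID": EXPECTED_AUTH_ID}

if __name__ == "__main__":
    print(handle_post(SAMPLE_HEADERS, SAMPLE_BODY))
```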

See more about Office 365 APIs at https://docs.microsoft.com/en-us/office/office-365-management-api/get-started-with-office-365-management-apis

Registering the O365 component in Microsoft Azure

This document describes how to configure the Microsoft O365 cloud to send audit events to the Logmanager system.

Make sure you have audit logging enabled in Office 365; you can use this manual: https://docs.microsoft.com/en-us/office/office-365-management-api/troubleshooting-the-office-365-management-activity-api#enabling-unified-audit-logging-in-office-365. Audit logging should be enabled automatically when you start using the O365 service. If auditing is not enabled, registration from Logmanager ends with the following error message from the O365 cloud: ‘Tenant <tenantID> does not exist’.
  1. Open the admin console: https://admin.microsoft.com/Adminportal/#/homepage

  2. Open Azure Active Directory from your admin console. In the left panel, click “Show all” and open “Azure Active Directory” (https://aad.portal.azure.com)

  3. Next select „Enterprise applications“, then click on „Create your own application“, fill in the name of your new app and choose the second option as shown:

    Application registration

  4. In the next window, select the option to Add your own application, then click on the link „OK, I want to go to App Registration to register my new application“ at https://aad.portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade4

  5. On this page, select „+ New Registration“

  6. Fill in the public URL for receiving O365 logs in the Logmanager O365 component settings (Logmanager inside the network always listens on port 8443; your firewall can publish any port towards the Internet. However, in this field you must enter the full domain name of your public IP and the correct external port on which Logmanager will be reached from the Internet). After saving the form, press F5 to reload the Logmanager data

  7. Copy the value from Logmanager's public URL for receiving logs and put it into the form on the MS website in the Redirect URI box.

  8. After you register the new app, fill in your own application name in the next window. Each application you are using should have a unique name; you will need to fill in this value in the Logmanager UI component O365 registration form. In supported account types, select the second option to allow access of any kind:

    If you plan to collect logs from more organizations, select the option „Accounts in any organizational directory“.
    If you are planning to collect logs only for your organization, choose the option „Accounts in this organizational directory“.
    Register an application

  9. On the same page fill in „Redirect URI“. See step 7 above.

  10. Copy the public Logmanager address from the Logmanager GUI as in the previous step, as shown, and click on „Register“:

  11. Go back to „Enterprise applications“; now you can see the Logmanager app. On the newly opened Overview page, copy your Application ID and put it into the Logmanager GUI component O365 configuration

    Application ID

  12. On the Microsoft page click on „Single sign-on“ and choose „logmanager1“ as shown

    Single sign-on

  13. First it is necessary to add the permissions for reading logs to the newly created application in the MS web console. Click „API permissions“ in the left menu, choose Office 365 Management APIs and click „API permissions“

  14. In the newly opened page, add all available permissions twice: once under „Delegated permissions“ and a second time under „Application permissions“ (depending on your type of O365 you may see more there; we only see 3 on our 5-user O365 demo account).

    Request API permissions

  15. In the next step it is necessary to grant admin consent for the permissions. Click „Grant admin consent“ at the bottom of the screen as shown:

    API permissions

  16. After you grant consent for all permissions, they should turn green as shown:

    Configured permissions

  17. Then go back to the Microsoft page, click on „Certificates & secrets“ and add a „New client secret“.

    Certificates & secrets

  18. Copy the generated secret value and paste it into the application key field in Logmanager

  19. Save the form in Logmanager and refresh the page. Then click on „Test if Logmanager is available from the internet.“; a new web page opens to verify that the O365 component is accessible from the Internet via the manufacturer’s web server

    The service is available only after saving the complete configuration of ID, key and public URL. If the test website tells you that the component is not available, verify that you have entered the correct URL, that the firewall port forwarding works, and that all form values are filled in.

  20. It is also necessary to register a new tenant for reading logs from MS (please continue only if you passed the test of Logmanager public component availability from the Internet!). In the Logmanager GUI just click the button „Register a new tenant at Microsoft“.

    If the test website tells you that the component is invalid, refresh the Logmanager website using Ctrl+F5.

    It should look similar to this:

    O365 Tenant Configuration

    or in JSON format:

    {
      "content": [
        {
          "contentType": "Audit.AzureActiveDirectory",
          "webhook": {
            "expiration": "",
            "status": "enabled",
            "address": "https://demo.logmanager.cz:8443/wh/o365/",
            "authId": "o365_logmanager_H4SB13"
          },
          "status": "enabled"
        },
        {
          "contentType": "Audit.Exchange",
          "webhook": {
            "expiration": "",
            "status": "enabled",
            "address": "https://demo.logmanager.cz:8443/wh/o365/",
            "authId": "o365_logmanager_H4SB13"
          },
          "status": "enabled"
        },
        {
          "contentType": "Audit.General",
          "webhook": {
            "expiration": "",
            "status": "enabled",
            "address": "https://demo.logmanager.cz:8443/wh/o365/",
            "authId": "o365_logmanager_H4SB13"
          },
          "status": "enabled"
        },
        {
          "contentType": "Audit.SharePoint",
          "webhook": {
            "expiration": "",
            "status": "enabled",
            "address": "https://demo.logmanager.cz:8443/wh/o365/",
            "authId": "o365_logmanager_H4SB13"
          },
          "status": "enabled"
        },
        {
          "contentType": "DLP.All",
          "webhook": {
            "expiration": "",
            "status": "enabled",
            "address": "https://demo.logmanager.cz:8443/wh/o365/",
            "authId": "o365_logmanager_H4SB13"
          },
          "status": "enabled"
        }
      ],
      "msg": "Tenant registration result tenant_id: 6a98b5da-7b3c-4486-bb0b-66a048c6da62",
      "registeredContent": {
        "Audit.AzureActiveDirectory": "enabled",
        "Audit.SharePoint": "enabled",
        "Audit.General": "enabled",
        "Audit.Exchange": "enabled",
        "DLP.All": "enabled"
      },
      "result_subscribe_content": [
        {
          "Audit.AzureActiveDirectory": "OK"
        },
        {
          "Audit.Exchange": "OK"
        },
        {
          "Audit.SharePoint": "OK"
        },
        {
          "Audit.General": "OK"
        },
        {
          "DLP.All": "OK"
        }
      ],
      "status": "OK"
    }
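A consistency check over a registration result of the shape shown above, as an added example that is not Logmanager's own code: it reports any content type that is not enabled, any subscribe result other than "OK", any webhook address that differs from the expected public URL, and inconsistent authId values, which is what to look at first when a new tenant registration ends with a permission error. The sample result is constructed and deliberately has DLP.All failing.

```python
import json

# The five content types the registration output above subscribes to.
EXPECTED_CONTENT_TYPES = ("Audit.AzureActiveDirectory", "Audit.Exchange",
                          "Audit.General", "Audit.SharePoint", "DLP.All")

def check_registration(result_json, public_url):
    """Return a list of problems found in a tenant registration result.
    An empty list means every content type is enabled, subscribed with "OK",
    and points at the expected public webhook URL with one consistent authId."""
    r = json.loads(result_json)
    problems = []
    if r.get("status") != "OK":
        problems.append("overall status is %r" % (r.get("status"),))
    registered = r.get("registeredContent", {})
    for ct in EXPECTED_CONTENT_TYPES:
        if registered.get(ct) != "enabled":
            problems.append("%s: registeredContent is %r" % (ct, registered.get(ct)))
    for entry in r.get("result_subscribe_content", []):
        for ct, res in entry.items():
            if res != "OK":
                problems.append("%s: subscribe result %r" % (ct, res))
    auth_ids = set()
    for sub in r.get("content", []):
        ct, wh = sub.get("contentType"), sub.get("webhook", {})
        if wh.get("address") != public_url:
            problems.append("%s: webhook address %r differs from %r"
                            % (ct, wh.get("address"), public_url))
        if sub.get("status") != "enabled" or wh.get("status") != "enabled":
            problems.append("%s: subscription or webhook not enabled" % ct)
        auth_ids.add(wh.get("authId"))
    if len(auth_ids) != 1:
        problems.append("authId differs between subscriptions: %r"
                        % (sorted(map(str, auth_ids)),))
    return problems

# Constructed sample: DLP.All was refused while Audit.Exchange succeeded.
SAMPLE_RESULT = json.dumps({
    "content": [
        {"contentType": "Audit.Exchange", "status": "enabled",
         "webhook": {"expiration": "", "status": "enabled",
                     "address": "https://demo.logmanager.cz:8443/wh/o365/",
                     "authId": "o365_logmanager_H4SB13"}},
    ],
    "registeredContent": {"Audit.AzureActiveDirectory": "enabled", "Audit.Exchange": "enabled",
                          "Audit.General": "enabled", "Audit.SharePoint": "enabled"},
    "result_subscribe_content": [{"Audit.Exchange": "OK"}, {"DLP.All": "Forbidden"}],
    "status": "OK",
})

if __name__ == "__main__":
    for p in check_registration(SAMPLE_RESULT, "https://demo.logmanager.cz:8443/wh/o365/"):
        print(p)
```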
    
  21. Upon successful registration you will see a page with the text output of the registration process (unfortunately it is the output from the MS website, so it is not fully readable)

  22. After registration you need to manually set your organization name/domain in the Logmanager menu Sources => O365. Edit the newly created tenant, which has no domain yet, and set it to your domain name

    O365 tenant edit

  23. In the end you should also see the new tenant in the Logmanager menu and have access to view the latest O365 logs

    O365 tenants

Setting your domain name will automatically add this information to all logs received from the O365 tenant in the field meta.src.host.

If, when trying to register a new tenant (new domain), you get a permission error, it is necessary to verify that the created application has its permissions set so that other tenants can read data through it. This can only be checked at the following link (the new MS web UI does not show this information): https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Overview/appId/ followed by the application ID. On this page, look for Supported account types, which must be set to: All Microsoft Account Users.

Other O365 audit options can be found here: https://docs.microsoft.com/cs-cz/microsoft-365/compliance/enable-mailbox-auditing

See the following links for more details:

You can limit the source IP addresses that communicate with Logmanager from the Internet using this guide from Microsoft.