Configure an integration application in Azure Entra ID for the Splunk Add-on for Microsoft Office 365
In order to gather data from the Office 365 Management Activity API and the Office 365 Service Communication API using this add-on, you must first create an integration application in Azure Entra ID. This application securely authenticates the Splunk Add-on for Microsoft Office via the OAuth2 protocol, so that it can access and gather the data according to the services and permission levels that you specify.
In order to create an integration application, you need the following prerequisites:
- A Microsoft Azure account with administrator permissions to delegate roles to the application user. Your Microsoft Azure subscription must be linked with your Office 365 subscription by using the same login id.
- A security token for the Microsoft Cloud Application Security Portal. See the Managing API tokens topic in the Microsoft documentation.
Create an application in Microsoft Azure Entra ID
- Follow the instructions in the Create an Azure Entra ID application topic in the Microsoft documentation to create an integration application.
- When creating your application, make a note of the following parameters. They will be needed to
Configure a Tenant in the Splunk Add-on for Microsoft Office 365.
- Directory ID (Tenant ID)
- Application ID (Client ID)
- Set the Application permissions in the API Permissions > Add a permission pane of the Azure Active Directory Office 365 Management API configuration. These permissions are required for the Splunk Add-on for Microsoft Office 365. To add the ReportingWebService.Read.All permission, see Configure Message Trace Input for the Splunk Add-on for Microsoft Office 365.
API/Permissions name Description API Technology Name ServiceHealth.Read.All Read service health information for your organization.
If upgrading to version 3.0.0 or later, disable
ServiceHealth.Read.Allin Office 365 Management APIs, and enable
ServiceHealth.Read.Allin Microsoft Graph.
Microsoft Graph ServiceMessage.Read.All Read service message information for your organization. Microsoft Graph ActivityFeed.Read Read activity data for your organization Microsoft Office 365 Management AuditLog.Read.All Read all audit log data Microsoft Graph Policy.Read.All Read your organization's policies Microsoft Graph Reports.Read.All Read all usage reports Microsoft Graph Directory.Read.All Read directory data Microsoft Graph ReportingWebService.Read.All Read Message Trace data Microsoft Reporting WebService ActivityFeed.ReadDlp (Optional) Read DLP policy events including detected sensitive data. Microsoft Office 365 Management
Accessing DLP policy events requires an additional Microsoft Azure Active Directory subscription. Refer to the Microsoft Azure Active Directory documentation for more information.
- Click Save after you change permissions.
- Click Grant admin consent for <tenant name>.
- In Certificates & secrets, under Client secrets, create a new client secret.
- In the Value column, make a note of the generated value. This is the Client Secret. If you lose this value, you have to generate a new one.
Install the Splunk Add-on for Microsoft Office 365
Configure a Tenant in the Splunk Add-on for Microsoft Office 365
This documentation applies to the following versions of Splunk® Supported Add-ons: released