Configuring Microsoft 365 Monitoring

Configuration Guide


This document provides the steps to configure Microsoft 365 monitoring.


Required configuration

Complete these procedures in order for each Microsoft 365 tenant that you want Arctic Wolf to monitor:

Note: Depending on your cloud firewall settings, you may need to add firewall exceptions for the Arctic Wolf IP addresses listed under If Arctic Wolf monitors your Cloud Services on the Arctic Wolf IP Addresses page in the Arctic Wolf Portal.

  1. Configuring an Azure Active Directory Application

  2. Enabling Audit Logging

  3. Providing credentials to Arctic Wolf

Additional recommended configuration

Arctic Wolf recommends completing this additional configuration: Enabling Exchange Mailbox Auditing

Tip: In general, Exchange mailbox auditing is enabled by default.

Providing credentials to Arctic Wolf

To provide your application credentials to Arctic Wolf:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

    Connected Accounts menu

  3. Select + Add Account to open the Add Account form.

  4. Select Cloud Threat Detection as the Account Type.

  5. Select Office 365 from the list of cloud services, and then fill in the form:

    1. Enter a descriptive name for the credentials.

    2. Paste these values into their respective text boxes:

      • Application ID
      • Directory ID
      • Client Key

    Note: Arctic Wolf no longer monitors Microsoft 365 Exchange Online. You cannot provide those credentials in the form.

    1. In the Microsoft Cloud menu, select the type of Microsoft Cloud/Azure AD environment. The default is global.
  6. Click Submit to CST.

  7. When prompted with the confirmation message, review your submission and then click Done. This returns you to the Connected Accounts page.

  8. Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your Microsoft 365 environment, the status of these credentials changes to Connected.