This document provides the steps to configure Microsoft 365 monitoring.
- Throttling may occur if too many requests are made to the Microsoft Graph API. The throttling threshold can be reached when multiple applications within a single Azure tenant, or a single application across all Azure tenants, make a high volume of requests. Contention between the Arctic Wolf® service and other applications running in the Azure tenant can affect timely log retrieval. See the Microsoft Graph throttling guidance documentation on the Microsoft website for more information.
- Azure Active Directory sign-in and audit logs may have a reporting latency of up to 8 hours between when an event is created on a monitored system and when the logs are available for Arctic Wolf to analyze. See the Azure Active Directory reporting latencies documentation on the Microsoft website for more information.
Complete these procedures in order for each Microsoft 365 tenant that you want Arctic Wolf to monitor:
Note: Depending on your cloud firewall settings, you may need to add firewall exceptions for the Arctic Wolf IP addresses listed under "If Arctic Wolf monitors your Cloud Services" on the Arctic Wolf IP Addresses page in the Arctic Wolf Portal.
Additional recommended configuration
Arctic Wolf recommends completing this additional configuration: Enabling Exchange Mailbox Auditing
Tip: In general, Exchange mailbox auditing is enabled by default.
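To confirm the tip above for your own tenant, the following read-only check is an added example and is not part of the Arctic Wolf documentation. It assumes the ExchangeOnlineManagement PowerShell module is installed and that you sign in with an account that can read the organization configuration.

```powershell
# Added example: verify that Exchange mailbox auditing is actually in effect.
# Read-only; no tenant settings are changed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Organization-wide switch. AuditDisabled = False means "mailbox auditing on
# by default" is active for the tenant.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning 'Mailbox auditing is DISABLED at the organization level.'
} else {
    Write-Output 'Mailbox auditing on by default is enabled for the organization.'
}

# Accounts with an audit bypass association produce no mailbox audit records
# for their actions, even when the organization default is on.
$bypassed = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled }

if ($bypassed) {
    Write-Warning "Accounts bypassing mailbox audit logging: $(@($bypassed).Count)"
    $bypassed | Select-Object Name, Identity, AuditBypassEnabled
} else {
    Write-Output 'No accounts are configured to bypass mailbox audit logging.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

When the organization default is on, the per-mailbox AuditEnabled property is ignored, so the organization setting and the bypass list are the two values that determine whether mailbox actions are logged.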
Providing credentials to Arctic Wolf
To provide your application credentials to Arctic Wolf:
Sign in to the Arctic Wolf Portal.
Select Connected Accounts in the banner menu to open the Connected Accounts page.
Select + Add Account to open the Add Account form.
Select Cloud Threat Detection as the Account Type.
Select Office 365 from the list of cloud services, and then fill in the form:
Enter a descriptive name for the credentials.
Paste these values into their respective text boxes:
- Application ID
- Directory ID
- Client Key
Note: Arctic Wolf no longer monitors Microsoft 365 Exchange Online. You cannot provide those credentials in the form.
- In the Microsoft Cloud menu, select the type of Microsoft Cloud/Azure AD environment. The default is
Click Submit to CST.
When prompted with the confirmation message, review your submission and then click Done. This returns you to the Connected Accounts page.
Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.
After your Concierge Security® Team provisions security monitoring for your Microsoft 365 environment, the status of these credentials changes to Connected.