Configuring Microsoft 365 Monitoring

Configuration Guide

Updated Jan 31, 2023


Overview

This document provides the steps to configure Microsoft 365 monitoring.


Requirements

Depending on your cloud firewall settings, you may need to add firewall exceptions for Arctic Wolf IP addresses. To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Portal, and then click Account > Arctic Wolf IP Addresses. The IP addresses that must be allowlisted are listed under If Arctic Wolf monitors your Cloud Services.

Configure Microsoft 365 monitoring

Complete these procedures in order for each Microsoft 365 tenant that you want Arctic Wolf to monitor:

  1. Download and extract the Azure AD configuration file

  2. Configure the Azure AD application

  3. Enable auditing

  4. Provide credentials to Arctic Wolf

Step 1: Download and extract the Azure AD configuration file

  1. Download the file and move it to an easily-accessible folder on your Windows machine.

  2. Right-click the file, and then select Extract All.

  3. In the Extract Compressed (Zipped) Folders window, browse for a convenient location to extract the contents, such as the Desktop folder.

    Note: Verify that Show extracted files when complete is selected.

  4. Select Extract to extract the contents of the .zip file to the new awn-office365-azure-configure folder in the selected destination.

Step 2: Configure the Azure AD application

You use a PowerShell script to create an Azure AD application that Arctic Wolf uses to access your audit logs. For more information about the script and the Azure AD application, such as the PowerShell it runs, updating an application, or deleting an application, see Azure AD Application Script.

To configure the Azure AD application:

  1. Open a PowerShell window as an administrator.

  2. Run Get-InstalledModule to see a list of installed modules.

  3. If the Azure AD PowerShell for Graph and/or the Azure Resource Manager (AzureRM) modules are missing, run the appropriate command and follow the prompts to install the missing modules:

    • Azure AD — Install-Module AzureAD
    • AzureRM — Install-Module AzureRM

    Note: If you receive an error about NuGet when installing either of these modules, similar to the one shown below, run [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 to manually set the security protocol to TLS 1.2 for the current session, and then try installing again.

    [Image: Module error]

  4. Run the batch file:

    1. Open the extracted awn-office365-azure-configure folder.

    2. Right-click on the appropriate batch file, and then select Run as administrator to launch the command prompt:

      • Microsoft 365 — ad-application-configure-office365.bat
      • Azure — ad-application-configure-azure.bat
      • O365 GCC High — ad-application-configure-office-365-gcc-high.bat

  5. In the command prompt, select C to create the Azure AD application.

  6. Follow the prompts to create and configure the Azure AD application. You must authenticate to your Azure tenant as a user with administrator permissions.

  7. Save a copy of the transcript file to submit to your CST, for confirmation that the script ran properly.

    The PowerShell configuration script automatically creates the arcticwolf-azure-ad-<target>.zip file in the directory that you ran the script from, where <target> is office365, azure, or combined. This .zip file includes the awn-office365-azure-ad-application-credentials.txt file, containing the application (client) ID, directory (tenant) ID, and secret key values that serve as the credentials for the newly-created application.

  8. Once the PowerShell script finishes creating or updating the Azure AD application, launch the consent URI in your default browser. This looks similar to the image below:

    Tip: The consent URI is recorded in the timestamp-suffixed transcript file in the directory where you ran the batch script. The .txt file is named awn-<target>-ad-application-transcript-<timestamp>.txt, where <target> is office365, azure, or combined and <timestamp> is when the file was created.

    [Image: Consent URI]

  9. Sign in to your tenant as an administrator and select Accept to grant the requested permissions, which look like the images below.

    Granting the permissions redirects your browser to the Arctic Wolf website.

    Note: You may provide consent at a later time. However, Arctic Wolf is unable to monitor the tenant until consent is granted.

    [Image: Microsoft 365 permissions]
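The module checks in steps 2 and 3 above can be done in one pass. The following script is an added example, not part of Arctic Wolf's configuration files or batch scripts: it looks for the AzureAD and AzureRM modules, applies the TLS 1.2 workaround from the note before installing anything, and reports the installed versions. Run it from an elevated PowerShell window before launching the batch file.

```powershell
# Added example (not Arctic Wolf's script): verify the PowerShell modules the
# Step 2 batch file depends on, installing any that are missing.
# Run from a PowerShell window opened as an administrator.

$requiredModules = @('AzureAD', 'AzureRM')

# Force TLS 1.2 for this session so PowerShellGet can reach the NuGet provider
# and the PowerShell Gallery (the workaround described in the note above).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Names of everything Get-InstalledModule currently knows about.
$installed = Get-InstalledModule -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name

foreach ($name in $requiredModules) {
    if ($installed -contains $name) {
        Write-Host "Module '$name' is already installed."
        continue
    }

    Write-Host "Installing missing module '$name'..."
    # -Force suppresses the untrusted-repository prompt for the PowerShell Gallery;
    # -AllowClobber permits cmdlet names that overlap with modules already present.
    Install-Module -Name $name -Scope AllUsers -Force -AllowClobber
}

# Final check: the batch file will fail if either module is still absent.
Get-InstalledModule -Name $requiredModules | Select-Object Name, Version
```

Note that Microsoft does not support having the AzureRM and the newer Az modules installed side by side on the same Windows PowerShell 5.1 system; if Az is already present, remove it or use a separate machine for this step.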

Step 3: Enable auditing

Audit logs record user and administrative activity within your organization. For more information, see Turn auditing on or off in the Microsoft documentation.

Tip: In general, mailbox auditing is enabled by default.

  1. Sign in to the Microsoft 365 Compliance Portal as an administrator or as a user with the Audit Logs role assigned. You can verify your roles on the Permissions page in the Exchange admin center.

  2. In the navigation pane, click Audit.

  3. If no banner displays about turning auditing on to record user and admin activity, verify that audit logging is enabled using PowerShell:

    1. Open PowerShell.

    2. Run this PowerShell command to install the Exchange Online module:

      Install-Module ExchangeOnlineManagement

    3. Run this PowerShell command to connect and authenticate to Exchange Online:

      Connect-ExchangeOnline -UserPrincipalName <UPN> [-UseRPSSession] [-ExchangeEnvironmentName <Value>] [-ShowBanner:$false] [-DelegatedOrganization <String>] [-PSSessionOption $ProxyOptions]

    4. Run this command in Exchange Online PowerShell to verify whether unified audit logging is enabled:

      Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

      Note: You cannot use Security & Compliance PowerShell to run this command.

  4. If auditing is not enabled, click Start recording user and admin activity.

    The banner updates with information about when searching is available.

  5. (Optional) Click Search to see a list of all activities recorded within the specified time range.
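The PowerShell verification in step 3 above, carried through as one script. This is an added example and is not part of the Arctic Wolf guide; it assumes the ExchangeOnlineManagement module is installed and takes the administrator UPN as a parameter (the contoso address in the comment is a placeholder). It checks the UnifiedAuditLogIngestionEnabled value the guide names and, because the tip above notes that mailbox auditing is normally on by default, also checks the organization-level AuditDisabled flag that would turn that default off.

```powershell
# Added example (not Arctic Wolf's script): verify that unified audit logging
# and default mailbox auditing are enabled for the tenant.
# Assumes: Install-Module ExchangeOnlineManagement has already been run.
param(
    [Parameter(Mandatory = $true)]
    [string]$AdminUpn   # placeholder, e.g. admin@contoso.onmicrosoft.com
)

Import-Module ExchangeOnlineManagement

# This must be an Exchange Online session. Get-AdminAuditLogConfig is not
# available from Security & Compliance PowerShell (Connect-IPPSSession).
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    $auditConfig = Get-AdminAuditLogConfig
    if ($auditConfig.UnifiedAuditLogIngestionEnabled) {
        Write-Host "Unified audit log ingestion is enabled."
    }
    else {
        Write-Warning "Unified audit log ingestion is disabled; Arctic Wolf cannot receive audit events until it is turned on."
        # PowerShell equivalent of clicking 'Start recording user and admin
        # activity' in the portal (step 4). Uncomment to enable it from here:
        # Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    }

    # Mailbox auditing is on by default unless AuditDisabled has been set to True
    # at the organization level.
    $orgConfig = Get-OrganizationConfig
    if ($orgConfig.AuditDisabled) {
        Write-Warning "Mailbox auditing by default is turned off for this organization (AuditDisabled = True)."
    }
    else {
        Write-Host "Mailbox auditing by default is on (AuditDisabled = False)."
    }
}
finally {
    # Always tear down the session, even if a cmdlet above throws.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Save the script as, for example, Check-M365Auditing.ps1 and run it as .\Check-M365Auditing.ps1 -AdminUpn <UPN>. Newly enabled unified auditing can take some time before searches return results, which is what the portal banner in step 4 reports.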

Step 4: Provide credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

    [Image: Connected Accounts menu]

  3. Select +Add Account to open the Add Account form.

  4. Select Cloud Detection and Response as the Account Type.

  5. Select Microsoft 365 from the list of cloud services, and then fill in the form:

    1. Enter a descriptive name for the credentials.

    2. Paste these values into their respective text boxes:

      • Application ID
      • Directory ID
      • Client Secret

    3. In the Microsoft Cloud menu, select the type of Microsoft Cloud/Azure AD environment. The default is global.

  6. Select Submit to CST.

  7. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.

  8. Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.