Configure Microsoft 365 for Arctic Wolf monitoring manually

You can manually configure Microsoft 365® to send the necessary logs to Arctic Wolf® for security monitoring.

Note:

Complete these steps for each tenant that you want Arctic Wolf to monitor.

These resources are required:

  • An account in the Microsoft Azure Portal with a role that can register an application, such as the Application Administrator role.

    For more information, see Microsoft Entra built-in roles.

  • Depending on your cloud firewall settings, you may need to add firewall exceptions for Arctic Wolf IP addresses. To see all the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for your product.

Register the application

  1. Sign in to the Microsoft Azure portal.
  2. In the portal menu, click Microsoft Entra ID.
    Note: If Microsoft Entra ID is not in your portal menu, click All services, and then click Hybrid + multicloud. Locate the entry for Microsoft Entra ID, and then click to add it as a favorite.
  3. In the navigation menu, click Manage > App registrations.
  4. Click + New registration.
  5. Configure these settings:
    • Name — Enter a name for the application.
    • Supported account types — From the list, select Single tenant only - <your_organization_name>.
    • For all other fields, keep the default values.
  6. Click Register.
    The page for the newly registered application opens.
  7. Copy the Application (client) ID and Directory (tenant) ID values, and then save them in a safe, encrypted location.
    You will provide them to Arctic Wolf later.
  8. In the navigation menu, in the Manage section, click Certificates & secrets.
  9. In the Client secrets section, click + New client secret, and then configure these settings:
    • Description — Enter a description for the client secret.
    • Expires — Select 730 days (24 months).
  10. Click Add.
  11. On the Client secrets tab, verify that your new client secret appears.

    Screenshot of the Certificates & secrets page in the Microsoft Azure portal, with the Value field highlighted by an orange box.

  12. Copy the value shown in the Value field to a safe, encrypted location.
    You will provide it to Arctic Wolf later.
    Note:
    • The Value field is readable only immediately after the secret is created. Do not leave the Certificates & secrets page until the value is saved in a safe, encrypted location.
    • The Value field contains the Client Secret Value that you must provide to Arctic Wolf later. It is not necessary to copy the Secret ID field.
    • The client secret expires after the period you selected. Create a new client secret and provide the updated credentials to Arctic Wolf before the current credentials expire.
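The client secret created above stops working on its expiry date, and the portal shows the secret Value only once. The following script is an added example, not part of the Arctic Wolf or Microsoft documentation: it uses the Microsoft Graph PowerShell SDK (assumed to be installed, module Microsoft.Graph.Applications) to report when each client secret on the registered application expires, so that a replacement can be handed to Arctic Wolf in time. The Application (client) ID is a placeholder you replace with the value copied in step 7.

```powershell
# Added example: list client-secret expiry for the application registered above.
# Assumes Microsoft.Graph.Applications is installed; Application.Read.All is
# enough to read the registration's metadata. The secret Value itself is never
# returned by the API, only its KeyId (the Secret ID) and dates.

$AppId          = '00000000-0000-0000-0000-000000000000'   # placeholder: your Application (client) ID
$WarnWithinDays = 30                                       # how early to flag an upcoming rotation

Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null

$app = Get-MgApplication -Filter "appId eq '$AppId'" -Property 'displayName,appId,passwordCredentials'
if (-not $app) { throw "No application registration found for appId $AppId" }

$now = Get-Date
foreach ($cred in $app.PasswordCredentials) {
    $daysLeft = [int]($cred.EndDateTime - $now).TotalDays
    $status = if ($daysLeft -lt 0)                 { 'EXPIRED' }
              elseif ($daysLeft -le $WarnWithinDays) { 'ROTATE SOON' }
              else                                   { 'OK' }

    [pscustomobject]@{
        Application = $app.DisplayName
        Description = $cred.DisplayName          # the Description entered in step 9
        SecretId    = $cred.KeyId                # the Secret ID shown in the portal, not the Value
        Expires     = $cred.EndDateTime.ToString('yyyy-MM-dd')
        DaysLeft    = $daysLeft
        Status      = $status
    }
}

Disconnect-MgGraph | Out-Null
```

Rows marked ROTATE SOON or EXPIRED mean a new secret must be created under Certificates & secrets and the new Value supplied to Arctic Wolf, since the old Value cannot be recovered.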

Assign permissions to the application

  1. On the application page, in the navigation menu, click Manage > API permissions.
  2. Remove the User.Read permission for Microsoft Graph:
    1. In the Microsoft Graph section, click Menu next to the User.Read permission, and then select Remove permission.
    2. In the resulting dialog, click Yes, remove.
  3. Add Office 365 Management API permissions:
    1. On the API permissions page, click + Add a permission.
    2. In the Request API permissions pane, click Microsoft APIs.
    3. Click Office 365 Management APIs.
    4. Click Application Permissions.
    5. Select these checkboxes:
      • ActivityFeed.Read
      • ActivityFeed.ReadDlp
      • ServiceHealth.Read
    6. Click Add permissions.
  4. Add Microsoft Graph permissions:
    1. On the API permissions page, click + Add a permission.
    2. In the Request API permissions pane, click Microsoft APIs.
    3. On the Microsoft APIs tab, click Microsoft Graph.
    4. Click Application Permissions.
    5. Select these checkboxes:
      • AuditLog > AuditLog.Read.All
      • Directory > Directory.Read.All
      • Group > Group.Read.All
      • IdentityRiskEvent > IdentityRiskEvent.Read.All
      • IdentityRiskyUser > IdentityRiskyUser.Read.All
      • Organization > Organization.Read.All
      • User > User.Read.All
      Tip:

      You can use the search bar to find these permissions faster.

    6. Click Add permissions.
  5. Click Grant admin consent for <tenant>, where <tenant> is your tenant name, and then click Yes in the resulting dialog.

Enable auditing

Audit logs record user and administrative activity within your organization. For more information, see Turn auditing on or off.

Note:
  • By default, only users with E5/A5/G5 licenses have audit events in the Microsoft Purview compliance portal or Office 365 (O365) Management Activity API. For more information, see Manage mailbox auditing.

  • Auditing can take up to 24 hours to update in the Microsoft 365 environment.

  1. Sign in to the Microsoft Purview compliance portal as an administrator or a user with the Audit Logs role assigned.

    You can verify your roles on the Permissions page in the Exchange admin center.

  2. In the navigation menu, click Solutions > Audit.
  3. Do one of these actions, depending on whether a banner:
    • Displays — Auditing is not enabled. On the banner, click Start recording user and admin activity.
    • Does not display — Auditing is already enabled. If you want to confirm that it is enabled, you can use Exchange Online PowerShell:
      Note: You cannot use Security & Compliance PowerShell to run these commands.
      1. Open PowerShell.
      2. Run this command to install the Exchange Online module:
        POWERSHELL
        Install-Module ExchangeOnlineManagement
      3. Run this command to connect and authenticate to Exchange Online:
        POWERSHELL
        Connect-ExchangeOnline
      4. Run this command in Exchange Online PowerShell to verify that auditing is available:
        POWERSHELL
        Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

        If auditing is enabled, the expected output is similar to UnifiedAuditLogIngestionEnabled: True.

      5. If auditing is not enabled, run this command:
        POWERSHELL
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

        Auditing is enabled.

  4. (Users without E5/A5/G5 licenses) Run the appropriate command in Exchange Online PowerShell to retrieve audit log events for current user mailboxes:
    Note: You must rerun the appropriate command to retrieve audit log events for new user mailboxes created in the future.
    • For an individual user — Run this command:
      POWERSHELL
      Set-Mailbox -Identity <user_mailbox> -AuditEnabled $true

      Where user_mailbox is the user principal name associated with the mailbox.

    • For all users:
      1. Run this command:
        POWERSHELL
        Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
      2. Run this command to update the global default settings:
        POWERSHELL
        Set-OrganizationConfig -AuditDisabled $false

        Users created after this configuration inherit the proper auditing settings.

  5. Optional: Click Search to see a list of all activities recorded within the specified time range.
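The Exchange Online PowerShell commands in steps 3 and 4 above can be run as one idempotent check-and-fix pass, which also leaves a record of which mailboxes were not yet audited. The script below is an added example, not part of the Arctic Wolf documentation; it assumes the ExchangeOnlineManagement module is installed and uses only the cmdlets named in the steps plus Connect/Disconnect-ExchangeOnline.

```powershell
# Added example: verify and enable Microsoft 365 auditing in one pass.
# Assumes the ExchangeOnlineManagement module is installed (Install-Module ExchangeOnlineManagement).

Connect-ExchangeOnline -ShowBanner:$false

# 1. Tenant-wide unified audit log ingestion (step 3). Changes can take up to
#    24 hours to apply, so an immediate re-read may still show the old value.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Host 'Unified audit log ingestion is OFF; enabling it.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    Write-Host 'Unified audit log ingestion is already enabled.'
}

# 2. Per-mailbox auditing for existing user mailboxes (step 4, "For all users").
#    Only mailboxes that are actually off are changed, so reruns are harmless.
$filter    = 'RecipientTypeDetails -eq "UserMailbox"'
$mailboxes = @(Get-Mailbox -ResultSize Unlimited -Filter $filter)
$disabled  = @($mailboxes | Where-Object { -not $_.AuditEnabled })
Write-Host ("{0} of {1} user mailboxes have auditing disabled." -f $disabled.Count, $mailboxes.Count)
if ($disabled.Count -gt 0) {
    $disabled | Set-Mailbox -AuditEnabled $true
}

# 3. Organization default, so mailboxes created after this inherit auditing.
Set-OrganizationConfig -AuditDisabled $false

# 4. Re-read and report anything still not audited, for the change record.
$stillOff = @(Get-Mailbox -ResultSize Unlimited -Filter $filter |
              Where-Object { -not $_.AuditEnabled } |
              Select-Object UserPrincipalName, AuditEnabled)
if ($stillOff.Count -gt 0) {
    Write-Host 'Mailboxes still reporting AuditEnabled = False:'
    $stillOff | Format-Table -AutoSize
} else {
    Write-Host 'All user mailboxes have auditing enabled.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

Because step 4 of the original procedure must be repeated for mailboxes created before the organization default was set, the report in section 4 of the script is the quickest way to confirm nothing was missed.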

Provide Microsoft 365 credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Office 365 Graph.
  5. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.

    • Application (client) ID — Enter the application (client) ID value from Register the application.
    • Directory (tenant) ID — Enter the directory (tenant) value from Register the application.
    • Client Secret Value — Enter the client secret value from Register the application.
    • Microsoft Cloud list — Select either global or gcc. The value you select should match your Microsoft Cloud or Microsoft Entra ID environment type.
    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

    • To exclude polling for non-interactive user sign-in data, select the Exclude non-interactive user data checkbox.
      Note: By default, Arctic Wolf polls for all non-interactive user sign-in data. If you do not select this checkbox, we will continue to poll for all non-interactive user sign-in data.
  6. Click Test and submit credentials.