Office 365 collector
Generate credentials in Azure AD
- Begin by creating and registering your application within Azure AD. Give it a name of your choice to identify it, such as devo-integration. The Redirect URI field may be left blank. Make note of the application's Client Id as well as the Tenant Id. Learn more here.
- Go to the API Permissions section in the left menu, then click Add a permission in the main pane. Find the Office 365 Management APIs section and click it. Then click Application permissions and enable the appropriate permissions, at least the two under ActivityFeed. Then click Add permissions. After you have added the permissions, grant admin consent to the application; you should see a message confirming Successfully granted admin consent for the requested permissions. Learn more here.
The permissions that need to be set are as follows:
- Read activity data from your organization
- Read service health information from your organization
- Read DLP policy events including detected sensitive data (only if pulling “DLP.All” from Management Activity)
- Generate a new key (also called a client secret) for your application and copy/record it for later use. To do this, open Certificates & secrets in the left-hand menu and click Add a new secret. Learn more here.
Azure only displays the client secret at the time you initially generate it. You cannot navigate back to this page and retrieve the client secret later.
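To confirm that admin consent took effect and that the application holds only the permissions the collector needs, you can inspect the roles claim of an access token issued to it. The following is an added example, not part of the Devo collector: the function names are hypothetical, the role values are assumed to be the Azure AD identifiers behind the three display names listed above, and the token is a constructed, unsigned sample so the code runs offline.

```python
import base64
import json

# Assumed Azure AD role values for the permissions listed in the steps above.
ROLE_ACTIVITY = "ActivityFeed.Read"    # Read activity data from your organization
ROLE_HEALTH = "ServiceHealth.Read"     # Read service health information
ROLE_DLP = "ActivityFeed.ReadDlp"      # Read DLP policy events


def decode_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_roles(token, content_types, expected_tenant):
    """Return (missing, extra) application roles for the requested content types."""
    claims = decode_claims(token)
    if claims.get("tid") != expected_tenant:
        raise ValueError("token was issued for a different tenant")
    required = {ROLE_ACTIVITY, ROLE_HEALTH}
    if "DLP.All" in content_types:  # DLP permission is needed only for DLP.All
        required.add(ROLE_DLP)
    granted = set(claims.get("roles", []))  # claim is absent when nothing was consented
    return sorted(required - granted), sorted(granted - required)


def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "constructed"])


if __name__ == "__main__":
    tenant = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
    token = make_sample_token({"tid": tenant, "aud": "https://manage.office.com",
                               "roles": [ROLE_ACTIVITY, ROLE_HEALTH]})
    missing, extra = check_roles(token, ["Audit.Exchange", "DLP.All"], tenant)
    print("missing:", missing, "extra:", extra)
```

A non-empty missing list means a permission was not added or consent was not granted; a non-empty extra list means the application holds more access than the chosen content types require.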
Choose data types
The Office 365 Collector allows you to collect three types of logs: Management Activity, Service Status Snapshots, and Service Messages. Details about each type are below.
The Management Activity data type collects actions and events from the Office 365 Management Activity API. The content types available are:
More details on the Office 365 Management Activity API can be found here.
Service Status Snapshot
This data type will take periodic snapshots of the current status of all services and any related incidents from the previous 24 hours. In order to run this data type, you must specify the frequency at which you would like to capture snapshots.
More details on the Office 365 Service Communications API for Current Status can be found here.
The Service Messages data type includes all service messages from the communications center, including messages of type Service Incident, Planned Maintenance, and Message Center messages.
More details on the Office 365 Service Communications API for Messages can be found here.
Fully managed solution
To deploy the Office 365 Collector in the Devo-managed Collector Server, please contact your account representative and/or the Professional Services team, and provide the configuration for your data type(s) as specified above. This final configuration will need a tenant id, a client id, a client secret, and a list of the content types you would like to pull.