After you configure the connection between the AlienApp for Office 365 and the Microsoft Office 365 Management Activity API for a deployed USM Anywhere Sensor, the predefined log collection job performs a query for Office 365 events. When USM Anywhere collects and analyzes the first of these events, the Office 365 dashboards become available in the DASHBOARDS menu (according to the type of events that it collects).
Warning: Due to the design of the Office 365 Management Activity API, you may see events being delayed or received out of order. For more information, see Office 365 Event Latency.
This integration requires connectivity between your USM Anywhere Sensor and the Microsoft Office 365 Management Activity API. If you have a Sensor deployed in your Azure subscription, you should use this Sensor to configure the AlienApp. If you use a non-Azure Sensor, you must set your firewall permissions to allow the following ingress/egress connections for the Sensor.
|Protocol|Port|Endpoint|Purpose|
|TCP|443|https://login.windows.net/|Authentication for your Office 365 account|
|TCP|443|https://manage.office.com/api/v1.0/|Queries to retrieve log data from the Microsoft Office 365 Management Activity API|
Before you configure the AlienApp for Office 365, make sure that you have the requirements set up in your Office 365 account for this integration.
The Office 365 Management Activity API provides information about various user, admin, system, and policy actions and events from Office 365. Within an Azure subscription, you define a new app for the Microsoft Office 365 Management Activity API communication with USM Anywhere. Before you create this app, you must have the following items.
- Office 365 subscription from Microsoft
- Azure subscription
- Administrator credentials for the Azure tenant
To set up the app for the Office 365 API
- Access Active Directory in the Azure portal.
- Navigate to App registrations and click New application registration.
- Define a new app.
- In the App registrations list, select the app you just created.
- From Settings, click Properties.
- At the bottom of the Properties blade, toggle Multi-tenanted to Yes, and then click Save.
- Within the Settings blade on the same page, select Required Permissions and click Add.
- Click Select an API, select Office 365 Management APIs, and then click the Select button.
- Select all of the APPLICATION PERMISSIONS and DELEGATED PERMISSIONS.
  Important: You must be sure that all of these permissions are enabled for the application. If the required permissions are not in place, the AlienApp for Office 365 cannot retrieve events for your Office 365 account.
- Click the Select button and then the Done button to complete the API access settings.
- Make sure to click Grant Permissions after you add the permissions. Otherwise, the app won't work and only administrators would be able to execute this action.
- Return to the App profile and click Manifest.
  In the Edit manifest page, the "keyCredentials" section does not contain a value. When you complete the next task, you will generate the credentials in USM Anywhere and then supply the information here.
After you create the app for the Office 365 API and perform the initial configuration, you're ready to grab the manifest credentials from the AlienApp for Office 365 in USM Anywhere and connect the API app.
To complete the connection to the AlienApp for Office 365
- In USM Anywhere, go to Data Sources > Integrations.
- Click the AlienApps tab.
- In the AlienApps page, click the Office 365 tile.
- If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled AlienApp.
  USM Anywhere AlienApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Choose the sensor that can access the integration endpoint.
- Click the Status tab to display the Manifest Credentials JSON, similar to the following example:
- Copy the entire JSON code block highlighted above (including the opening and closing brackets) to your clipboard.
- Return to the Edit Manifest page in the Azure web UI and paste it into the manifest within "keyCredentials".
- In the app profile, copy the Application ID to a text file.
- Go to Azure Active Directory > Properties and copy the Directory ID (Tenant ID), then paste it in the same text file.
- Return to the Office 365 page in USM Anywhere and click the Credentials tab.
- Enter the copied IDs in the Tenant ID and Application ID fields.
- Click Save Credentials.
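
One way to sanity-check the manifest text after pasting into "keyCredentials" and before saving it in Azure, as an added example that is not part of the original documentation or of USM Anywhere. It assumes the pasted entry follows Microsoft's documented manifest fields for a certificate credential (keyId, type, usage, value) and that the Multi-tenanted toggle appears in the manifest as availableToOtherTenants; the sample entry is constructed.

```python
import base64
import json

# Assumed schema: Microsoft's documented manifest fields for a certificate credential.
REQUIRED = ("keyId", "type", "usage", "value")

def check_credential(cred):
    """Return problems found in one keyCredentials entry."""
    if isinstance(cred, list):
        return ["nested array (copied brackets pasted inside the existing [ ])"]
    if not isinstance(cred, dict):
        return ["not a JSON object"]
    missing = [k for k in REQUIRED if not cred.get(k)]
    if missing:
        return ["missing " + ", ".join(missing)]
    found = []
    if (cred["type"], cred["usage"]) != ("AsymmetricX509Cert", "Verify"):
        found.append("type/usage are not AsymmetricX509Cert/Verify")
    try:
        base64.b64decode(cred["value"], validate=True)
    except (ValueError, TypeError):
        found.append("value is not valid base64 (truncated copy?)")
    return found

def check_manifest(manifest_text):
    """Return a list of problems in the edited manifest text; empty means OK."""
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(manifest, dict):
        return ["manifest root is not a JSON object"]
    problems = []
    # Legacy manifest attribute behind the Multi-tenanted toggle (assumption).
    if manifest.get("availableToOtherTenants") is not True:
        problems.append("availableToOtherTenants is not true")
    creds = manifest.get("keyCredentials")
    if not isinstance(creds, list) or not creds:
        return problems + ["keyCredentials is empty or not an array"]
    for i, cred in enumerate(creds):
        problems += [f"keyCredentials[{i}]: {p}" for p in check_credential(cred)]
    return problems

# Constructed sample entry, not a real credential.
SAMPLE = {"keyId": "11111111-2222-3333-4444-555555555555", "type": "AsymmetricX509Cert",
          "usage": "Verify", "value": base64.b64encode(b"constructed cert bytes").decode()}
if __name__ == "__main__":
    pasted_twice = json.dumps({"availableToOtherTenants": True, "keyCredentials": [[SAMPLE]]})
    print(check_manifest(pasted_twice))
```

An empty list means the manifest text passed every check; each string otherwise names the entry and the problem to fix before saving.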