
Microsoft 365 integration

Basic operation

The Microsoft 365 integration is built into the OctoSAM Import Service. It uses the Microsoft Graph library to connect to Entra ID (formerly Azure AD) and Office 365.

Your network infrastructure needs to allow Microsoft Graph API calls to the Microsoft 365 Graph API endpoint.

Register OctoSAM Import Service as an Azure App

Essentials

Register an application named OctoSAM Import Service for your organization only (accounts in this organizational directory only).

See the Microsoft documentation on registering an application in Entra ID for the detailed steps.

Copy the following information:

  • Application (client) ID
  • Directory (tenant) ID
  • The secret

Required API permissions

  • AuditLog.Read.All (Application)
  • Reports.Read.All (Application)
  • Directory.Read.All (Application)
  • UserAuthenticationMethod.Read.All (Application)
  • User.Read.All (Application)
  • User.Read (Delegated)
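
The following pre-flight check is an added example, not part of the OctoSAM documentation. It requests an app-only token with the registration's client ID and secret and inspects the token's `roles` claim, which lists the application permissions that have actually received admin consent. The tenant and client IDs are the sample values used in the appsettings.json excerpt below; the fallback hints for ImportSignInActivity and ImportUsageReports come from the configuration comments on this page. User.Read (Delegated) is deliberately not checked, because delegated permissions never appear in an app-only token.

```powershell
# Added pre-flight check (not OctoSAM code). Requires an outbound connection to
# login.microsoftonline.com; the access token itself is sensitive and is not written anywhere.

$tenantId = 'a07c4b22-98eb-4586-a599-fa3616d0afbb'   # Directory (tenant) ID (sample value from appsettings.json)
$clientId = '2855c234-88bf-49a5-89ce-2c950715e6b3'   # Application (client) ID (sample value from appsettings.json)
$secret   = Read-Host -Prompt 'Client secret' -AsSecureString
$plain    = [System.Net.NetworkCredential]::new('', $secret).Password

# Application permissions the page lists as required.
$required = @(
    'AuditLog.Read.All',
    'Reports.Read.All',
    'Directory.Read.All',
    'UserAuthenticationMethod.Read.All',
    'User.Read.All'
)

# Client-credentials grant against the v2.0 endpoint; ".default" returns every consented app permission.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $clientId
        client_secret = $plain
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$plain = $null

# Decode the JWT payload: second dot-separated segment, base64url without padding.
function ConvertFrom-JwtPayload([string]$Jwt) {
    $segment = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $segment = $segment.PadRight($segment.Length + (4 - $segment.Length % 4) % 4, '=')
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}

$claims  = ConvertFrom-JwtPayload $token.access_token
$granted = @($claims.roles)          # the claim is absent entirely when admin consent was never granted
$missing = $required | Where-Object { $_ -notin $granted }

if ($missing) {
    Write-Warning "Admin consent is missing for: $($missing -join ', ')"
    Write-Warning 'Without AuditLog.Read.All set ImportSignInActivity to false; without Reports.Read.All set ImportUsageReports to false.'
} else {
    Write-Host 'All required application permissions are present in the token.'
}

# Least-privilege check: anything beyond the required list should be reviewed and removed.
$extra = $granted | Where-Object { $_ -and ($_ -notin $required) }
if ($extra) { Write-Warning "Token carries permissions OctoSAM does not need: $($extra -join ', ')" }
```

Run it once after granting admin consent and again whenever the registration is changed. A missing `roles` claim is the usual symptom of consent that was requested but never granted by a Global or Privileged Role Administrator; the import then fails with 403 responses from Graph rather than at token acquisition.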

Info

Usage reports cannot be imported if Microsoft 365 is configured to obfuscate (anonymize) user information in reports. Disable that setting if you want to import usage reports into OctoSAM.

Entra

Import of user sign-in activity requires an Entra ID P1 or P2 license.

Configure the OctoSAM Import service to connect to Microsoft Graph

See the sample configuration file appsettings.json:

  //
  // Integrated Microsoft 365 / Azure AD Graph Scan
  // ----------------------------------------------
  //
  // Name:     A user-defined name to identify the configuration in log and error messages
  //
  // ApplicationId:                  ApplicationId from Azure AD App registration
  // TenantId:                       Azure AD tenant information
  // Secret:                         Secret from Azure AD App registration
  //                                 (prefer SecretCredentialManagerTarget and store the secret in the Windows Credential Manager)
  // SecretCredentialManagerTarget:  Target name to load the secret from the Windows Credential Manager.
  //                                 If this setting is set, the setting for Secret is ignored.
  //
  // ImportSignInActivity            Can be set to false if either the AuditLog.Read.All permission is not given or the tenant does not have a license that allows SignInActivity logging.
  //                                 SignInActivity import requires an Entra ID P1 or P2 license.
  //
  // ImportUsageReports              Can be set to false if the Reports.Read.All permission is not given or if the reports are anonymized in Graph.
  //

  "MicrosoftGraph": {
    "Scans": [
      {
        "ApplicationId" : "2855c234-88bf-49a5-89ce-2c950715e6b3",
        "TenantId": "a07c4b22-98eb-4586-a599-fa3616d0afbb",
        "SecretCredentialManagerTarget": "msgraph",
        // "ImportSignInActivity": true
        // "ImportUsageReports" : true
      }
    ]
  },

Info

We recommend that you store the secret in the Windows Credential Manager (via SecretCredentialManagerTarget) rather than in plain text in appsettings.json.
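
The following is an added example of storing the secret under the target name used in the sample configuration; it is not from the OctoSAM documentation. It assumes that the service reads a generic Credential Manager entry whose target name equals SecretCredentialManagerTarget (the page does not state the entry type), and the client ID is a placeholder.

```powershell
# Added example (not OctoSAM code). Credential Manager stores are per-user, so run this
# in a session that is logged on as the Windows account the OctoSAM Import Service runs under.

$target   = 'msgraph'                                # must match "SecretCredentialManagerTarget"
$clientId = '00000000-0000-0000-0000-000000000000'   # placeholder: Application (client) ID

# Prompt for the secret so it never lands in a script file or the console history.
$secret = Read-Host -Prompt 'Client secret' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secret).Password

# Assumption: a *generic* credential keyed by target name is what the service looks up.
cmdkey "/generic:$target" "/user:$clientId" "/pass:$plain" | Out-Null
$plain = $null

# Verify the entry exists; cmdkey lists the target and user name but never prints the secret.
cmdkey "/list:$target"
```

Two points to keep in mind: the entry is only visible to the account that created it, so storing it under an administrator's session while the service runs as a different account will make the lookup fail; and cmdkey takes the secret on its command line, so process command-line auditing (Windows event 4688 with command-line logging, or Sysmon) will record it. Where that is unacceptable, write the credential through the CredWrite API (for example with a PowerShell Credential Manager module) instead of cmdkey.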