MICROSOFT OFFICE 365
Instructions for forwarding Microsoft Office 365 logs to your Log Management device
PREREQUISITES
Microsoft Office 365
- Office 365 Portal
- Administrator Credentials to access the Office 365 portal
- The IP Address for the Clone Systems Log Management device
1. Enable Office 365 Auditing: The following procedures detail the steps for enabling Office 365 auditing.
1. Navigate a browser to the Office 365 Portal.
2. On the Sign in screen of your Office 365 Portal, log in with your administrator account.
Login name: Your Admin email
Click Next.
Password: Your Admin password
Click Sign in
If prompted to Stay Signed in click No.
3. Note: If you are not on the Admin Center page you will need to click the App Launcher located in the top left corner and select the Admin app.
On the left-side menu of the Admin center page, select Security & Compliance located under the Admin centers menu.
Locate the left-side menu on the Admin center page.
Click Admin centers
Under Admin centers click Security & Compliance.
4. On the Audit log search page click the link to start recording user and admin activities.
Note: If you do not see a link that says Start recording user and admin activities then Auditing may already be enabled. You can click the Search button at the bottom of the screen and see if results are returned. If you see results you can skip the remaining steps in this section.
On the Audit log search page navigate to the link below the heading.
Click the Start recording user and admin activities link.
5. On the Start recording user and admin activities dialog box turn on recording for user and admin activities.
On the Start recording user and admin activities dialog box.
Click Turn on
6. A Security & Compliance dialog box may appear requiring you to update your organization.
If the Security & Compliance dialog box appears requiring you to update your organization.
Click Yes
7. Auditing will begin within the next couple of hours. You can click the Search button at the bottom of the screen to see if results are returned.
Note: Be sure that you are seeing results before you proceed to the next section on registering the Clone Systems Appliance with Azure Active Directory.
On the Audit log search page.
Click Search
Confirm that Results are returned and displayed on the page.
2. Register the Clone Systems Appliance with Azure Active Directory: The following procedures detail the steps for registering the Clone Systems Clone Guard® Log Management device.
1. Note: If you are not on the Admin Center page you will need to click the App Launcher located in the top left corner and select the Admin app.
On the left-side menu of the Admin center page, select Azure Active Directory located under the Admin centers menu
Locate the left-side menu on the Admin center page.
Click Admin centers
Under Admin centers click Azure Active Directory.
2. On the left-side menu of the Azure Active Directory admin center page, select Azure Active Directory. A menu will appear to the right of the left-side menu and you should select App registrations.
Locate the left-side menu on the Azure Active Directory admin center page.
Click Azure Active Directory
A menu will appear to the right of the left-side menu.
Click App registrations
3. On the App Registrations page click the View all applications button to display the Applications. If you do not have a CGLOGM application configured, click the New application registration button in the top menu.
The App Registrations page will appear on the right.
Click View all applications
Confirm that you do not have a CGLOGM application in the list.
Click New application registration
4. On the Create window enter the information for the Clone Systems Clone Guard® Log Management appliance and create the App registration.
Note: Record the Application ID assigned to CGLOGM.
For the Name field enter CGLOGM
For Application type drop down keep the Web app / API selection.
For the Sign-on URL field enter https://www.clone-systems.com
Click the Create button
A message box will display in the top right corner indicating: Successfully created application CGLOGM.
Click the View all applications button and you should see CGLOGM in the list of App registrations.
Note: Copy the string in the Application ID column to notepad and label it Application ID as you will need this value to configure the Office Connector in the Clone Systems Clone Guard® Log Management appliance.
5. Click CGLOGM in the Display Name column to bring up the registered app settings then click the Settings cog and when the Settings section is displayed select Required permissions under the API Access heading.
In the Display Name column click CGLOGM
Click the Settings cog in the menu below the CGLOGM Registered app heading.
The Settings section will appear, then locate the API Access section.
Click Required permissions
6. On the Required permissions section click Add to bring up the Add API access section. Click Select an API to display the Select an API section and then click Office 365 Management APIs.
The Required permissions section will appear.
Click Add
The Add API Access section will appear.
Click Select an API
The Select an API section will appear
Click Office 365 Management APIs
Click the Select button
7. On the Enable Access section locate the Application Permissions and then select the checkboxes noted in the detail sections of this step.
On the same section locate the Delegated Permissions and then select the checkboxes noted in the detail sections of this step.
On the Add API access section click the Done button.
The Enable Access section will appear.
Under Application Permissions select the following checkboxes.
- Read DLP policy events including detected sensitive data
- Read activity data for your organization
- Read service health information for your organization
Under Delegated Permissions select the following checkboxes.
- Read DLP policy events including detected sensitive data
- Read activity data for your organization
- Read service health information for your organization
Click the Select button
The Add API access section will appear
Click the Done button
A message box will display in the top right corner indicating: Successfully added application Office 365 Management APIs’s permissions.
8. On the Required permissions section click Windows Azure Active Directory.
On the Enable Access section locate the Application Permissions and then select the checkbox noted in the detail sections of this step.
On the Required permissions section.
Click Windows Azure Active Directory
The Enable Access section will appear.
Under Application Permissions select the following checkbox.
- Read directory data
Click the Save button
A message box will display in the top right corner indicating: Updating application Windows Azure Active Directory’ permissions.
9. On the Required permissions section click the Grant Permissions button. Then click Yes to Grant the permissions.
On the Required permissions section.
Click Grant Permissions
Click Yes
A message box will display in the top right corner indicating: Successfully granted permissions for application CGLOGM.
10. On the Settings section select Keys under the API Access heading.
To the left of the Required permissions section is the Settings section.
Locate the API Access heading
Click Keys
11. On the Keys section enter a name for the Key and an Expiration duration.
Note: Record the Key Value assigned to CGLOGM as you will not be able to access it after you leave this section.
For the Key Description field enter CGLOGM
For Duration drop down select Never expires
Click Save
A message box will display in the top right corner indicating: Successfully updated application CGLOGM keys
Note: Copy the string in the Key Value column to notepad and label it Key Value as you will need this value to configure the Office Connector in the Clone Systems Clone Guard® Log Management appliance.
12. Using another tab in your browser, grant admin consent to the CGLOGM app so that it can access your logs.
Replace the following text below <REPLACE-THE-BRACKETS-<->-AND-THIS-TEXT-WITH-APPLICATION-ID> with the Application ID recorded in step 4.
Copy the URL and then paste into a new tab in your browser.
You may be prompted to Pick a login account and if so, select your Office 365 Administrator account.
Click Accept
You will then be redirected to the Clone Systems home page.
13. Navigate back to the Browser tab that you used to configure the CGLOGM app.
On the left-side menu of the Azure Active Directory admin center page, select Azure Active Directory. A menu will appear to the right of the left-side menu and you should select Custom domain names. Identify the Primary domain name as it will have a check mark in the Primary column.
Note: Record the primary Domain Name located in the Name column.
Locate the left-side menu on the Azure Active Directory admin center page.
Click Azure Active Directory
A menu will appear to the right of the left-side menu.
Click Custom domain names
Note: Copy the string in the Name column for the Domain Name that has a check mark in the Primary column to notepad and label it Domain Name as you will need this value to configure the Office Connector in the Clone Systems Clone Guard® Log Management appliance.
14. On the left-side menu of the Azure Active Directory admin center page, select Azure Active Directory. A menu will appear to the right of the left-side menu and you should select Properties. Identify the Directory ID field and copy the value.
Note: Record the value in the Directory ID field.
Locate the left-side menu on the Azure Active Directory admin center page.
Click Azure Active Directory
A menu will appear to the right of the left-side menu.
Click Properties
Note: Copy the string in the Directory ID column to notepad and label it Directory ID as you will need this value to configure the Office Connector in the Clone Systems Clone Guard® Log Management appliance.
15. Please provide the following values to Clone Systems to complete the configuration for forwarding Microsoft Office 365 logs to your Log Management device:
- The Application ID assigned to CGLOGM
- The Key Value assigned to CGLOGM
- The primary Domain Name
- The Directory ID
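Before handing these values over, you can confirm that the CGLOGM registration carries the three Office 365 Management APIs application permissions selected in step 7 and nothing else. The following is an added example, not part of the original instructions or of any Clone Systems tooling: it builds the client-credentials token request from the recorded Directory ID, Application ID and Key Value, and audits the roles claim of the token that request returns. It assumes the Azure AD v1 token endpoint and the role names ActivityFeed.Read, ActivityFeed.ReadDlp and ServiceHealth.Read; all IDs, keys and tokens in it are constructed, and nothing is sent over the network.

```python
import base64, json, re, urllib.parse

# Role values placed in the token's "roles" claim for the three application
# permissions selected in step 7 (assumed Office 365 Management APIs names).
EXPECTED_ROLES = {"ActivityFeed.Read", "ActivityFeed.ReadDlp", "ServiceHealth.Read"}
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def token_request(directory_id, application_id, key_value):
    """Return (url, form body) for the client-credentials token request."""
    for name, value in (("Directory ID", directory_id), ("Application ID", application_id)):
        if not GUID.match(value):
            raise ValueError(f"{name} is not a GUID: {value!r}")
    url = f"https://login.microsoftonline.com/{directory_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": application_id,
        "client_secret": key_value,          # the Key Value from step 11
        "resource": "https://manage.office.com",
    })
    return url, body

def token_claims(access_token):
    """Decode the JWT payload for inspection only; the signature is not verified."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)     # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_roles(access_token, application_id):
    """Return (missing, unexpected) roles relative to what step 7 selected."""
    claims = token_claims(access_token)
    if claims.get("appid") != application_id:
        raise ValueError("token was not issued to this Application ID")
    roles = set(claims.get("roles", []))
    return sorted(EXPECTED_ROLES - roles), sorted(roles - EXPECTED_ROLES)

def constructed_token(claims):
    """Build an unsigned sample token so the audit can be shown offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

if __name__ == "__main__":
    app_id = "11111111-2222-3333-4444-555555555555"   # constructed Application ID
    tenant = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # constructed Directory ID
    print(token_request(tenant, app_id, "constructed-key-value")[0])
    sample = constructed_token({"appid": app_id, "roles": ["ActivityFeed.Read"]})
    print(audit_roles(sample, app_id))   # missing roles suggest step 9 was skipped
```

A non-empty "missing" list usually means Grant Permissions in step 9 was not completed; a non-empty "unexpected" list means the registration holds more access than these instructions call for.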