Configure O365 Management Activity

The following steps are required to configure O365 Message Tracking in the Microsoft Entra portal so that an O365 Management Activity collector can be setup in Axon.

Create an Application in the Microsoft Entra Portal

To open the Entra Portal and create an application:

1. From the Azure Services homepage, click Microsoft Entra ID.
   

   

2. (Optional.) If you have more than one directory, select the correct directory name.
3. On the directory page, click App Registrations in the menu on the left.
   

   

4. In the top menu, click New Registrations.
   

   

5. Complete the fields on the right side of the page:
   • Name the application.
   • Select a support account type.
   • Configure a Redirect URI:
     • Platform: Web
     • Provide a sign-on URL (for example, https://localhost/).
       

       

6. Click Register.
   Your new application appears under the Display Name header.
   

   

7. Copy the Application (client) ID and Directory (tenant) ID into a text document for later use.
8. Under the Manage menu on the left, click Certificates & secrets.
   

   

9. Click New client secret.
   

   

10. Enter a detailed Description and select an Expires period, and then click Add.
    

    

11. Copy the Value into a text document for later use.

    

    This value is not accessible once the window is closed. Be sure to copy it now for later use.

Add O365 Management Activity API Permissions

To add O365 Management Activity API permissions, from the directory page:

1. Search for your created application under All applications on the App registrations page.
2. Click the name of your application.
   

   

3. In the left-hand menu, click API permissions.
   

   

4. Click Add a permission.
   

   

5. In the Request API permissions pane, on the Microsoft APIs tab, select Office 365 Management API.
   

   

   
   

   

   
   
6. Click Application permissions.
   

   

7. Under Application Permissions, search for ActivityFeed.Read, ActivityFeed.ReadDlp, and ServiceHealth.Read.
   Check the box for each permission as it appears.
   

   

   

   The Office 365 Management Activity API aggregates actions and events based on content types:

   • Audit.AzureActiveDirectory

   • Audit.Exchange

   • Audit.SharePoint

   • Audit.General

   • DLP.All (DLP events only for all workloads)

   ActivityFeed.ReadDlp is required for DLP.ALL events only.

8. Click Add permissions.
9. Verify that your changes have been saved on the API permissions page.
   

   

10. Click Grant admin consent for <Organization name> to apply the Application Permissions selected above.
    

    

11. Select Yes to continue.
    

    

    
    A successful confirmation appears.