Skip to main content
Skip table of contents

Office 365 Management Activity API Collection

This document explains how to configure the collection from O365 management activity using the Web Console's cloud-to-cloud functionality. This feature is available only to LRCloud customers.

Prerequisites

Before configuring the collection from O365, do the following:

  • Check if O365 is configured to send logs via Rest API (for more information, see Configure Office 365 Management Activity).
  • Make sure that the customer is an LRCloud customer and has their environment hosted.
  • Ensure that you have the required values for O365 Management Activity: Client Secret and Tenant Domain.

Initialize the Logs Source

  1. Log in to the Web Console as a Restricted Administrator User.
  2. On the top navigation bar, click the Administration icon 
     and select Cloud Log Collection.
  3. At the top of the Cloud Log Collection page, click New Log Source.
    The New cloud log collection dialog box appears.
  4. Select the Office 365 Management Activity SYSMON AGENT tile.
    The Add Office 365 Log Source window appears.

  5. Enter the following details:

    SettingDefault ValueDescription
    NameNot ApplicableEnter the name for this log source.
    Description (Optional) Not ApplicableEnter a description for this log source.
    Management Activity API Host

    manage.office.com

    (Enterprise plan)

    Host name of the Management Activity API. The default value is for Enterprise customers. The following table indicates values for government plans:

    Government PlanValue
    GCC governmentmanage-gcc.office.com
    GCC high governmentmanage.office365.us
    DoD governmentmanage.protection.apps.mil
    Login URLlogin.microsoftonline.com

     Enter the value based on your plan. Following are example values:

    PlanValue
    Enterprisehttps://login.microsoftonline.com
    GCC high governmenthttps://login.microsoftonline.us
    Tenant DomainNot Applicable

    Specify your domain in the following format:

    <YOUR_DOMAIN>.onmicrosoft.com

    Client ID or Application IDNot Applicable

    Enter the Client ID (alternatively known as the Application ID). You can obtain the ClientID from the Azure AD portal. This can be found in your App Registration > Overview screen (for example, a0b2345c-1aa2-ab1c-ab34-abc12345acbe).

    Tenant ID or Directory IDNot Applicable

    Enter the Tenant ID (alternatively known as the Directory ID). You can obtain the TenantID from the Azure AD portal. This can be found in your App Registration > Overview screen (for example, a0b2345c-1aa2-ab1c-ab34-abc12345acbe).

    Client SecretNot ApplicableEnter the client secret value that is generated from the Azure AD portal (for example, a0b2345c-1aa2-ab1c-ab34-abc12345a). For instructions on generating your client secret, see REST API - Obtaining your Client Secret.
    Audit GeneralfalseEnable auditing of General events. Option of false or true.
    Audit Azure Active DirectoryfalseEnable auditing of Azure Active Directory Management events. Option of false or true.
    Audit ExchangefalseEnable auditing of Exchange Management events. Option of false or true.
    Audit SharepointfalseEnable auditing of Sharepoint events. Option of false or true.
    Audit DLPfalseEnable auditing of General events. Option of false or true.
  6. Click Save.
  7. Click the System Monitors tab. 
  8. Select the Action check box corresponding to the (customerid)-dpawc agent. 
  9. Right-click the selection, click Actions and then click Service Restart.

A new active log source is created and accepted in the Client Console with the provided information. Collection should start automatically in few minutes.

The Platform Manager hosts all the log sources. It is recommended to create a new host entity and move the log source to the new host, which is done in the log source properties screen and not from the log source grid.

For security, the values entered are encrypted using LRCrypt.

Default Config Values for O365 Management Activity

SettingDefault Value
Timeout300
LogApiRequestsfalse
MaxBatchSize10
StopCountFetchNewContentIds1000
StopCountCacheFiles50
NumOfBackMinutesData15
CollectionDelay1

Recommendations

Create a Separate Log Source for each Office 365 Event Stream

The Office 365 Management Activity Log Source consists of multiple event streams from within the Office 365 environment. It is recommended to split these streams into separate log sources. This enables ease of analytics and increases log source throughput efficiency.

To create separate log sources, do the following:

  1. Create a different cloud-to-cloud configuration in the Web Console for each events stream within Office 365.
  2. In each configuration file, select one of the events streams to be true and all other events streams to be false. The possible events streams you can enable are:
    • AuditAzureActiveDirectory
    • AuditExchange
    • AuditSharepoint
    • DLPEvents
    • AuditGeneral

  3. Name each log source to correspond to the events stream you selected to be true in that configuration. 

    Example

    Events stream: AuditAzureActiveDirectory

    Configuration file settings:

    • AuditAzureActiveDirectory=true
    • AuditExchange=false
    • AuditSharepoint=false
    • DLPEvents=false
    • AuditGeneral=false

  4. Repeat this process to enable all the remaining events streams.

    The log source type for all the events streams will be API - Office 365 Management Activity.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close