Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Microsoft Office 365

 

The JSA DSM for Microsoft Office 365 collects events from Microsoft Office 365 online services.

The following table describes the specifications for the Microsoft Office 365 DSM:

Table 1: Microsoft Office 365 DSM Specifications

Specification

Value

Manufacturer

Microsoft

DSM name

Microsoft Office 365

RPM file name

DSM-Microsoft

Office365-JSA_version-build

_number
.noarch.rpm

Supported versions

N/A

Protocol

Office 365 REST API

Event format

JSON

Recorded event types

Exchange Audit, SharePoint Audit, Azure Active Directory Audit, Service Communications

Automatically discovered?

No

Includes identity?

No

Includes custom properties?

No

More information

Microsoft website

To integrate Microsoft Office 365 with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the https://support.juniper.net/support/downloads/ onto your JSA console:

    • Protocol Common RPM

    • Office 365 REST API Protocol RPM

    • Microsoft Office 365 DSM RPM

  2. Configure a Microsoft Office 365 account in the Microsoft Azure portal.

  3. Add a Microsoft Office 365 log source on the JSA console. The following table describes the parameters that require specific values for Microsoft Office 365 event collection:

    Table 2: Microsoft Office 365 Log Source Parameters

    Parameter

    Value

    Log Source type

    Microsoft Office 365

    Protocol Configuration

    Office 365 REST API

    Log Source Identifier

    A unique identifier for the log source.

    The Log Source Identifier can be any valid value and does not need to reference a specific server. The Log Source Identifier can be the same value as the Log Source Name. If you have configured multiple Microsoft Office 365 log sources, you might want to identify the first log source as MSOffice365-1, the second log source as MSOffice365-2, and the third log source as MSOffice365-3.

    Client ID

    In your application configuration of Azure Active Directory, this parameter is under Client ID.

    Client Secret

    In your application configuration of Azure Active Directory, this parameter is under Keys.

    Tenant ID

    Used for Azure AD authentication.

    Event Filter

    The type of audit events to retrieve from Microsoft Office.

    • Azure Active Directory

    • Exchange

    • SharePoint

    • Service Communications

    Use Proxy

    For JSA to access the Office 365 Management APIs, all traffic for the log source travels through configured proxies.

    Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields.

    If the proxy does not require authentication, keep the Proxy Username and Proxy Password fields empty.

    EPS Throttle

    The maximum number of events per second.

    The default is 5000.

Configuring a Microsoft Office 365 Account in Microsoft Azure Active Directory

Before you can add a log source in JSA, you must run the Azure Active Directory PowerShell cmdlet and then configure Azure Active Directory for Microsoft Office 365.

  1. Run the Azure Active Directory PowerShell cmdlet. For more information , see How to install and configure Azure PowerShell.
  2. Identify the Tenant ID of the tenant that is subscribed to Microsoft Office 365 by typing the following commands:

    import-module MSOnline

    $userCredential = Get-Credential

    Connect-MsolService -Credential $userCredential

    Get-MsolAccountSku | % {$_.AccountObjectID}

    Use the Tenant ID value for the Tenant ID value when you configure a log source in JSA.

  3. To use Azure Active Directory to register an application, such as Microsoft Excel or Microsoft SharePoint, log in to the Azure Management Portal with the credentials of the tenant that is subscribed to Microsoft Office 365.
    1. From the navigation menu, select Azure Active Directory.

    2. From the Overview pane, select App registrations, and then click New registration.

    3. In the Supported account types section, select the type of account to use the application or to access the API.

    4. In the Redirect URI (optional) section, select Web, and type http://localhost in the Web field

    5. Click Register, and then copy and store the Application (client) ID value. Use this value for the Client ID value when you configure a log source in JSA.

  4. Generate a client secret for the application.
    1. From the Manage pane, select Certificates & secrets > New client secret.

    2. Select an expiry period, and then click Add.

    3. Copy and store your client secret key value because it can't be retrieved later. Use this value for the Client Secret value when you configure a log source in JSA.

  5. Specify the permissions that the Microsoft Azure application must use to access Microsoft Office 365 Management APIs.
    1. From the Manage pane, select API permissions.

    2. Click Add a permission > Delegated permissions, and then select the following options:

      Table 3: Delegated Permissions

      Permission

      Values

      Activity Feed

      ActivityFeed.Read

      ActivityFeed.ReadDlp

      ServiceHealth

      ServiceHealth.Read

    3. Click Application permissions, and then select the following options:

      Table 4: Application Permissions

      Permission

      Values

      Activity Feed

      ActivityFeed.Read

      ActivityFeed.ReadDlp

      ServiceHealth

      ServiceHealth.Read

    4. Click Add permssions.

    5. In the API permissions window, go to the Grant consent section, click Grant admin consent > Yes.

Sample Event Messages

Use these sample event messages as a way of verifying a successful integration with JSA.

The following table provides sample event messages when using the Office 365 REST API protocol for the Microsoft Office 365 DSM:

Table 5: Microsoft Office 365 Sample Message Supported by the Microsoft Office 365 Service

Event name

Low level category

Sample log message

Update user-fail

Update Activity Failed

{"CreationTime":"2016-05-05T08:53: 46","Id":"xxx-xxxx-xxxx-xxxxxxxxxxxxxxxx"," Operation": "Update user.","OrganizationId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx xxxxx","RecordType":8,"Result Status":"fail","UserKey":"Not Available","UserType":6,"Workload" :"AzureActiveDirectory","ObjectId" :"xxxxxxxxxxxxxxxx","UserId":"xxxxxx- xxxx-xxxx-xxxxxxxxxxxx", "AzureActiveDirectoryEventType" :1,"ExtendedProperties": [{"Name": "MethodExecutionResult.","Value": "Microsoft.Online.Workflows. ValidationException"}],"Actor": [{"ID":"x-xxxx-xxxx-xxxx-xxxxxx xxxxxx","Type":4},{"ID":"xxxxxx_ xxxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx xxxx","Type":2}],"ActorContextId" :"xxxxxxxx-xxxx-xxxx-xxxx-xxxxx xxxxxxx","InterSystemsId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx xxxxx","IntraSystemId":"xxxxxxxxxxxx- xxxx-xxxx-xxxxxxxxxxxx", "Target":[{"ID":"x-xxxx-xxxxxxxx- xxxxxxxxxxxx","Type":2}, {"ID":"username@example.com","Type" :1},{"ID":"1706BDBF","Type":3}] ,"TargetContextId":"xxxxxxxxxxxx- xxxx-xxxx-xxxxxxxxxxxx"}

Site permissions modified

Update Activity Succeeded

{"CreationTime":"2015-10 -20T15:54:05","Id":"xxxxxxxx -xxxx-xxxx-xxxx-xxxxxxxxxxxx" ,"Operation":"SitePermissions Modified","OrganizationId": "xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx"," RecordType" :4,"UserKey":"(empty)", "UserType":0,"Workload": "SharePoint","ClientIP": "<IP_address>,”, “ObjectId": "https://example.com/url", "UserId":"SHAREPOINT\\system", "EventSource":"SharePoint", "ItemType":"Web","Site": "xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx"," UserAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/ 20100101 Firefox/38.0"}