Office 365 management solution in Azure (Preview)
Important
Solution update
This solution has been replaced by the Office 365 General Availability solution in Microsoft Sentinel and the Azure AD reporting and monitoring solution. Together they provide an updated version of the previous Azure Monitor Office 365 solution with an improved configuration experience. You can continue to use the existing solution until October 31, 2020.
Microsoft Sentinel is a cloud native Security Information and Event Management solution that ingests logs and provides additional SIEM functionality including detections, investigations, hunting and machine learning driven insights. Using Microsoft Sentinel will now provide you with ingestion of Office 365 SharePoint activity and Exchange management logs.
Azure AD reporting provides a more comprehensive view of logs from Azure AD activity in your environment, including sign in events, audit events, and changes to your directory. To connect Azure AD logs, you can use either the Microsoft Sentinel Azure AD connector or configure Azure AD logs integration with Azure Monitor.
The collection of Azure AD log is subjected to Azure Monitor pricing. See Azure Monitor pricing for more information.
To use the Microsoft Sentinel Office 365 solution:
- Using Office 365 connector in Microsoft Sentinel affects the pricing for your workspace. For more information, see Microsoft Sentinel pricing.
- If you are already using the Azure Monitor Office 365 solution, you must first uninstall it using the script in the Uninstall section below.
- Enable the Microsoft Sentinel solution on your workspace.
- Go to the Data connectors page in Microsoft Sentinel and enable the Office 365 connector.
Frequently asked questions
Q: Is it possible to on-board the Office 365 Azure Monitor solution between now and October 31?
No, the Azure Monitor Office 365 solution onboarding scripts are no longer available. The solution will be removed on October 31.
Q: Will the tables and schemas be changed?
The OfficeActivity table name and schema will remain the same as in the current solution. You can continue using the same queries in the new solution excluding queries that reference Azure AD data.
The new Azure AD reporting and monitoring solution logs will be ingested into the SigninLogs and AuditLogs tables instead of OfficeActivity. For more information, see how to analyze Azure AD logs, which is also relevant for Microsoft Sentinel and Azure Monitor users.
Following are samples for converting queries from OfficeActivity to SigninLogs:
Query failed sign-ins, by user:
OfficeActivity
| where TimeGenerated >= ago(1d)
| where OfficeWorkload == "AzureActiveDirectory"
| where Operation == 'UserLoginFailed'
| summarize count() by UserId
SigninLogs
| where ConditionalAccessStatus == "failure" or ConditionalAccessStatus == "notApplied"
| summarize count() by UserDisplayName
View Azure AD operations:
OfficeActivity
| where OfficeWorkload =~ "AzureActiveDirectory"
| sort by TimeGenerated desc
| summarize AggregatedValue = count() by Operation
AuditLogs
| summarize count() by OperationName
Q: How can I on-board Microsoft Sentinel?
Microsoft Sentinel is a solution that you can enable on new or existing Log Analytics workspace. To learn more, see Microsoft Sentinel on-boarding documentation.
Q: Do I need Microsoft Sentinel to connect the Azure AD logs?
You can configure Azure AD logs integration with Azure Monitor, which is not related to the Microsoft Sentinel solution. Microsoft Sentinel provides a native connector and out-of-the box content for Azure AD logs. For more information, see the question below on out-of-the-box security-oriented content.
Q: What are the differences when connecting Azure AD logs from Microsoft Sentinel and Azure Monitor?
Microsoft Sentinel and Azure Monitor connect to Azure AD logs based on the same Azure AD reporting and monitoring solution. Microsoft Sentinel provides a one-click, native connector that connects the same data and provides monitoring information.
Q: What do I need to change when moving to the new Azure AD reporting and monitoring tables?
All queries using Azure AD data, including queries in alerts, dashboards, and any content that you created using Office 365 Azure AD data, must be recreated using the new tables.
Microsoft Sentinel and Azure AD provide built-in content that you can use when moving to the Azure AD reporting and monitoring solution. For more information, see the next question on out-of-the-box security-oriented content and How to use Azure Monitor workbooks for Azure Active Directory reports.
Q: How I can use the Microsoft Sentinel out-of-the-box security-oriented content?
Microsoft Sentinel provides out-of-the-box security-oriented dashboards, custom alert queries, hunting queries, investigation, and automated response capabilities based on the Office 365 and Azure AD logs. Explore the Microsoft Sentinel GitHub community and tutorials to learn more:
- Detect threats out-of-the-box
- Create custom analytic rules to detect suspicious threats
- Monitor your data
- Investigate incidents with Microsoft Sentinel
- Set up automated threat responses in Microsoft Sentinel
- Microsoft Sentinel GitHub community
Q: Does Microsoft Sentinel provide additional connectors as part of the solution?
Yes, see Microsoft Sentinel connect data sources.
Q: What will happen on October 31? Do I need to offboard beforehand?
- You won't be able to receive data from the Office365 solution. The solution will be removed from your workspace and will no longer be available in the Marketplace.
- For Microsoft Sentinel customers, the Log Analytics workspace solution Office365 will be included in the Microsoft Sentinel SecurityInsights solution.
- If you don't offboard your solution manually by October 31, your data will be disconnected automatically, and the OfficeActivity table removed. Even so, you will still be able to restore the table when you enable the Office 365 connector in Microsoft Sentinel, as explained below.
Q: Will my data transfer to the new solution?
Yes. When you remove the Office 365 solution from your workspace, its data will become temporarily unavailable because the schema is removed. When you enable the new Office 365 connector in Microsoft Sentinel, the schema is restored to the workspace and any data already collected will become available.
The Office 365 management solution allows you to monitor your Office 365 environment in Azure Monitor.
- Monitor user activities on your Office 365 accounts to analyze usage patterns as well as identify behavioral trends. For example, you can extract specific usage scenarios, such as files that are shared outside your organization or the most popular SharePoint sites.
- Monitor administrator activities to track configuration changes or high privilege operations.
- Detect and investigate unwanted user behavior, which can be customized for your organizational needs.
- Demonstrate audit and compliance. For example, you can monitor file access operations on confidential files, which can help you with the audit and compliance process.
- Perform operational troubleshooting by using log queries on top of Office 365 activity data of your organization.
Uninstall
You can remove the Office 365 management solution using the process in Remove a management solution. This will not stop data being collected from Office 365 into Azure Monitor though. Follow the procedure below to unsubscribe from Office 365 and stop collecting data.
Save the following script as office365_unsubscribe.ps1.
param ( [Parameter(Mandatory=$True)][string]$WorkspaceName, [Parameter(Mandatory=$True)][string]$ResourceGroupName, [Parameter(Mandatory=$True)][string]$SubscriptionId, [Parameter(Mandatory=$True)][string]$OfficeTennantId, [Parameter(Mandatory=$True)][string]$clientId, [Parameter(Mandatory=$True)][string]$xms_client_tenant_Id ) $line='#-------------------------------------------------------------------------------------------------------------------------------------------------------------------------' $line IF ($Subscription -eq $null) {Login-AzAccount -ErrorAction Stop} $Subscription = (Select-AzSubscription -SubscriptionId $($SubscriptionId) -ErrorAction Stop) $Subscription $option = [System.StringSplitOptions]::RemoveEmptyEntries $Workspace = (Set-AzOperationalInsightsWorkspace -Name $($WorkspaceName) -ResourceGroupName $($ResourceGroupName) -ErrorAction Stop) $Workspace $WorkspaceLocation= $Workspace.Location # Client ID for Azure PowerShell # Set redirect URI for Azure PowerShell $redirectUri = "urn:ietf:wg:oauth:2.0:oob" $domain='login.microsoftonline.com' $adTenant = $Subscription[0].Tenant.Id $authority = "https://login.windows.net/$adTenant"; $ARMResource ="https://management.azure.com/";' switch ($WorkspaceLocation) { "USGov Virginia" { $domain='login.microsoftonline.us'; $authority = "https://login.microsoftonline.us/$adTenant"; $ARMResource ="https://management.usgovcloudapi.net/"; break} # US Gov Virginia default { $domain='login.microsoftonline.com'; $authority = "https://login.windows.net/$adTenant"; $ARMResource ="https://management.azure.com/";break} } Function RESTAPI-Auth { $global:SubscriptionID = $Subscription.SubscriptionId # Set Resource URI to Azure Service Management API $resourceAppIdURIARM=$ARMResource; # Authenticate and Acquire Token # Create Authentication Context tied to Azure AD Tenant $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority # Acquire token $platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto" $global:authResultARM = $authContext.AcquireTokenAsync($resourceAppIdURIARM, $clientId, $redirectUri, $platformParameters) $global:authResultARM.Wait() $authHeader = $global:authResultARM.Result.CreateAuthorizationHeader() $authHeader } Function Office-UnSubscribe-Call{ #---------------------------------------------------------------------------------------------------------------------------------------------- $authHeader = $global:authResultARM.Result.CreateAuthorizationHeader() $ResourceName = "https://manage.office.com" $SubscriptionId = $Subscription[0].Subscription.Id $OfficeAPIUrl = $ARMResource + 'subscriptions/' + $SubscriptionId + '/resourceGroups/' + $ResourceGroupName + '/providers/Microsoft.OperationalInsights/workspaces/' + $WorkspaceName + '/datasources/office365datasources_' + $SubscriptionId + $OfficeTennantId + '?api-version=2015-11-01-preview' $Officeparams = @{ ContentType = 'application/json' Headers = @{ 'Authorization'="$($authHeader)" 'x-ms-client-tenant-id'=$xms_client_tenant_Id 'Content-Type' = 'application/json' } Method = 'Delete' URI = $OfficeAPIUrl } $officeresponse = Invoke-WebRequest @Officeparams $officeresponse } #GetDetails RESTAPI-Auth -ErrorAction Stop Office-UnSubscribe-Call -ErrorAction StopRun the script with the following command:
.\office365_unsubscribe.ps1 -WorkspaceName <Log Analytics workspace name> -ResourceGroupName <Resource Group name> -SubscriptionId <Subscription ID> -OfficeTennantID <Tenant ID>Example:
.\office365_unsubscribe.ps1 -WorkspaceName MyWorkspace -ResourceGroupName MyResourceGroup -SubscriptionId '60b79d74-f4e4-4867-b631-yyyyyyyyyyyy' -OfficeTennantID 'ce4464f8-a172-4dcf-b675-xxxxxxxxxxxx'
You will be prompted for credentials. Provide the credentials for your Log Analytics workspace.
Data collection
It may take a few hours for data to initially be collected. Once it starts collecting, Office 365 sends a webhook notification with detailed data to Azure Monitor each time a record is created. This record is available in Azure Monitor within a few minutes after being received.
Using the solution
Data collected by this monitoring solution is available in the Workspace Summary (deprecated) page in the Azure portal. Open this page from the Log Analytics workspaces for the workspace with your solution and then select Workspace Summary (deprecated) from the Classic section of the menu. Each solution is represented by a tile. Select a tile for more detailed data collected by that solution.
When you add the Office 365 solution to your Log Analytics workspace, the Office 365 tile will be added to your dashboard. This tile displays a count and graphical representation of the number of computers in your environment and their update compliance.
Click on the Office 365 tile to open the Office 365 dashboard.
The dashboard includes the columns in the following table. Each column lists the top ten alerts by count matching that column's criteria for the specified scope and time range. You can run a log search that provides the entire list by clicking See all at the bottom of the column or by clicking the column header.
| Column | Description |
|---|---|
| Operations | Provides information about the active users from your all monitored Office 365 subscriptions. You will also be able to see the number of activities that happen over time. |
| Exchange | Shows the breakdown of Exchange Server activities such as Add-Mailbox Permission, or Set-Mailbox. |
| SharePoint | Shows the top activities that users perform on SharePoint documents. When you drill down from this tile, the search page shows the details of these activities, such as the target document and the location of this activity. For example, for a File Accessed event, you will be able to see the document that's being accessed, its associated account name, and IP address. |
| Azure Active Directory | Includes top user activities, such as Reset User Password and Login Attempts. When you drill down, you will be able to see the details of these activities like the Result Status. This is mostly helpful if you want to monitor suspicious activities on your Azure Active Directory. |
Azure Monitor log records
All records created in the Log Analytics workspace in Azure Monitor by the Office 365 solution have a Type of OfficeActivity. The OfficeWorkload property determines which Office 365 service the record refers to - Exchange, AzureActiveDirectory, SharePoint, or OneDrive. The RecordType property specifies the type of operation. The properties will vary for each operation type and are shown in the tables below.
Common properties
The following properties are common to all Office 365 records.
| Property | Description |
|---|---|
| Type | OfficeActivity |
| ClientIP | The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. |
| OfficeWorkload | Office 365 service that the record refers to. AzureActiveDirectory Exchange SharePoint |
| Operation | The name of the user or admin activity. |
| OrganizationId | The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs. |
| RecordType | Type of operation performed. |
| ResultStatus | Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed. For Exchange admin activity, the value is either True or False. |
| UserId | The UPN (User Principal Name) of the user who performed the action that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NTAUTHORITY\SYSTEM) are also included. |
| UserKey | An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts |
| UserType | The type of user that performed the operation. Admin Application DcAdmin Regular Reserved ServicePrincipal System |
Azure Active Directory base
The following properties are common to all Azure Active Directory records.
| Property | Description |
|---|---|
| OfficeWorkload | AzureActiveDirectory |
| RecordType | AzureActiveDirectory |
| AzureActiveDirectory_EventType | The type of Azure AD event. |
| ExtendedProperties | The extended properties of the Azure AD event. |
Azure Active Directory Account logon
These records are created when an Active Directory user attempts to log on.
| Property | Description |
|---|---|
OfficeWorkload |
AzureActiveDirectory |
RecordType |
AzureActiveDirectoryAccountLogon |
Application |
The application that triggers the account login event, such as Office 15. |
Client |
Details about the client device, device OS, and device browser that was used for the of the account login event. |
LoginStatus |
This property is from OrgIdLogon.LoginStatus directly. The mapping of various interesting logon failures could be done by alerting algorithms. |
UserDomain |
The Tenant Identity Information (TII). |
Azure Active Directory
These records are created when change or additions are made to Azure Active Directory objects.
| Property | Description |
|---|---|
| OfficeWorkload | AzureActiveDirectory |
| RecordType | AzureActiveDirectory |
| AADTarget | The user that the action (identified by the Operation property) was performed on. |
| Actor | The user or service principal that performed the action. |
| ActorContextId | The GUID of the organization that the actor belongs to. |
| ActorIpAddress | The actor's IP address in IPV4 or IPV6 address format. |
| InterSystemsId | The GUID that track the actions across components within the Office 365 service. |
| IntraSystemId | The GUID that's generated by Azure Active Directory to track the action. |
| SupportTicketId | The customer support ticket ID for the action in "act-on-behalf-of" situations. |
| TargetContextId | The GUID of the organization that the targeted user belongs to. |
Data Center Security
These records are created from Data Center Security audit data.
| Property | Description |
|---|---|
| EffectiveOrganization | The name of the tenant that the elevation/cmdlet was targeted at. |
| ElevationApprovedTime | The timestamp for when the elevation was approved. |
| ElevationApprover | The name of a Microsoft manager. |
| ElevationDuration | The duration for which the elevation was active. |
| ElevationRequestId | A unique identifier for the elevation request. |
| ElevationRole | The role the elevation was requested for. |
| ElevationTime | The start time of the elevation. |
| Start_Time | The start time of the cmdlet execution. |
Exchange Admin
These records are created when changes are made to Exchange configuration.
| Property | Description |
|---|---|
| OfficeWorkload | Exchange |
| RecordType | ExchangeAdmin |
| ExternalAccess | Specifies whether the cmdlet was run by a user in your organization, by Microsoft datacenter personnel or a datacenter service account, or by a delegated administrator. The value False indicates that the cmdlet was run by someone in your organization. The value True indicates that the cmdlet was run by datacenter personnel, a datacenter service account, or a delegated administrator. |
| ModifiedObjectResolvedName | This is the user friendly name of the object that was modified by the cmdlet. This is logged only if the cmdlet modifies the object. |
| OrganizationName | The name of the tenant. |
| OriginatingServer | The name of the server from which the cmdlet was executed. |
| Parameters | The name and value for all parameters that were used with the cmdlet that is identified in the Operations property. |
Exchange Mailbox
These records are created when changes or additions are made to Exchange mailboxes.
| Property | Description |
|---|---|
| OfficeWorkload | Exchange |
| RecordType | ExchangeItem |
| ClientInfoString | Information about the email client that was used to perform the operation, such as a browser version, Outlook version, and mobile device information. |
| Client_IPAddress | The IP address of the device that was used when the operation was logged. The IP address is displayed in either an IPv4 or IPv6 address format. |
| ClientMachineName | The machine name that hosts the Outlook client. |
| ClientProcessName | The email client that was used to access the mailbox. |
| ClientVersion | The version of the email client . |
| InternalLogonType | Reserved for internal use. |
| Logon_Type | Indicates the type of user who accessed the mailbox and performed the operation that was logged. |
| LogonUserDisplayName | The user-friendly name of the user who performed the operation. |
| LogonUserSid | The SID of the user who performed the operation. |
| MailboxGuid | The Exchange GUID of the mailbox that was accessed. |
| MailboxOwnerMasterAccountSid | Mailbox owner account's master account SID. |
| MailboxOwnerSid | The SID of the mailbox owner. |
| MailboxOwnerUPN | The email address of the person who owns the mailbox that was accessed. |
Exchange Mailbox Audit
These records are created when a mailbox audit entry is created.
| Property | Description |
|---|---|
| OfficeWorkload | Exchange |
| RecordType | ExchangeItem |
| Item | Represents the item upon which the operation was performed |
| SendAsUserMailboxGuid | The Exchange GUID of the mailbox that was accessed to send email as. |
| SendAsUserSmtp | SMTP address of the user who is being impersonated. |
| SendonBehalfOfUserMailboxGuid | The Exchange GUID of the mailbox that was accessed to send mail on behalf of. |
| SendOnBehalfOfUserSmtp | SMTP address of the user on whose behalf the email is sent. |
Exchange Mailbox Audit Group
These records are created when changes or additions are made to Exchange groups.
| Property | Description |
|---|---|
| OfficeWorkload | Exchange |
| OfficeWorkload | ExchangeItemGroup |
| AffectedItems | Information about each item in the group. |
| CrossMailboxOperations | Indicates if the operation involved more than one mailbox. |
| DestMailboxId | Set only if the CrossMailboxOperations parameter is True. Specifies the target mailbox GUID. |
| DestMailboxOwnerMasterAccountSid | Set only if the CrossMailboxOperations parameter is True. Specifies the SID for the master account SID of the target mailbox owner. |
| DestMailboxOwnerSid | Set only if the CrossMailboxOperations parameter is True. Specifies the SID of the target mailbox. |
| DestMailboxOwnerUPN | Set only if the CrossMailboxOperations parameter is True. Specifies the UPN of the owner of the target mailbox. |
| DestFolder | The destination folder, for operations such as Move. |
| Folder | The folder where a group of items is located. |
| Folders | Information about the source folders involved in an operation; for example, if folders are selected and then deleted. |
SharePoint Base
These properties are common to all SharePoint records.
| Property | Description |
|---|---|
| OfficeWorkload | SharePoint |
| OfficeWorkload | SharePoint |
| EventSource | Identifies that an event occurred in SharePoint. Possible values are SharePoint or ObjectModel. |
| ItemType | The type of object that was accessed or modified. See the ItemType table for details on the types of objects. |
| MachineDomainInfo | Information about device sync operations. This information is reported only if it's present in the request. |
| MachineId | Information about device sync operations. This information is reported only if it's present in the request. |
| Site_ | The GUID of the site where the file or folder accessed by the user is located. |
| Source_Name | The entity that triggered the audited operation. Possible values are SharePoint or ObjectModel. |
| UserAgent | Information about the user's client or browser. This information is provided by the client or browser. |
SharePoint Schema
These records are created when configuration changes are made to SharePoint.
| Property | Description |
|---|---|
| OfficeWorkload | SharePoint |
| OfficeWorkload | SharePoint |
| CustomEvent | Optional string for custom events. |
| Event_Data | Optional payload for custom events. |
| ModifiedProperties | The property is included for admin events, such as adding a user as a member of a site or a site collection admin group. The property includes the name of the property that was modified (for example, the Site Admin group), the new value of the modified property (such the user who was added as a site admin), and the previous value of the modified object. |
SharePoint File Operations
These records are created in response to file operations in SharePoint.
| Property | Description |
|---|---|
| OfficeWorkload | SharePoint |
| OfficeWorkload | SharePointFileOperation |
| DestinationFileExtension | The file extension of a file that is copied or moved. This property is displayed only for FileCopied and FileMoved events. |
| DestinationFileName | The name of the file that is copied or moved. This property is displayed only for FileCopied and FileMoved events. |
| DestinationRelativeUrl | The URL of the destination folder where a file is copied or moved. The combination of the values for SiteURL, DestinationRelativeURL, and DestinationFileName parameters is the same as the value for the ObjectID property, which is the full path name for the file that was copied. This property is displayed only for FileCopied and FileMoved events. |
| SharingType | The type of sharing permissions that were assigned to the user that the resource was shared with. This user is identified by the UserSharedWith parameter. |
| Site_Url | The URL of the site where the file or folder accessed by the user is located. |
| SourceFileExtension | The file extension of the file that was accessed by the user. This property is blank if the object that was accessed is a folder. |
| SourceFileName | The name of the file or folder accessed by the user. |
| SourceRelativeUrl | The URL of the folder that contains the file accessed by the user. The combination of the values for the SiteURL, SourceRelativeURL, and SourceFileName parameters is the same as the value for the ObjectID property, which is the full path name for the file accessed by the user. |
| UserSharedWith | The user that a resource was shared with. |
Sample log queries
The following table provides sample log queries for update records collected by this solution.
| Query | Description |
|---|---|
| Count of all the operations on your Office 365 subscription | OfficeActivity | summarize count() by Operation |
| Usage of SharePoint sites | OfficeActivity | where OfficeWorkload =~ "sharepoint" | summarize count() by SiteUrl | sort by Count asc |
| File access operations by user type | OfficeActivity | summarize count() by UserType |
| Monitor external actions on Exchange | OfficeActivity | where OfficeWorkload =~ "exchange" and ExternalAccess == true |
Next steps
- Use log queries in Azure Monitor to view detailed update data.
- Create your own dashboards to display your favorite Office 365 search queries.
- Create alerts to be proactively notified of important Office 365 activities.