This guide is only for Microsoft 365. If you are looking for Microsoft Entra ID Protection, go to Microsoft Entra ID Protection Setup for Workbench.

Scope and Limitations

When choosing to set up this integration, remember the following:

  • The Office 365 Audit service does not guarantee a specified time when events will be delivered to the Office 365 service.
  • The Audit service tries to deliver data as quickly as possible. However, some issues (such as server outages) may arise upstream from the Audit service and are unavoidable. Because audit events are often used for forensic investigations, Microsoft prioritizes data completeness over latency.
  • For core services (such as Exchange, SharePoint, OneDrive, and Teams), event availability is typically 60 to 90 minutes. For other services, event availability may be longer. While these are typical delivery times, Microsoft acknowledges that anomalies may occur. For these reasons, Microsoft does not commit to a specific delivery time.

Prerequisites

  1. You must be able to log into Microsoft Entra as a user assigned the Global Administrator or User Administrator role.
  2. You must have sufficient permissions to turn on audit logging, if it is not already on (instructions are in Step 2 of this guide).
    • This requires the Audit Logs role in Exchange Online.
    • By default, the Compliance Management and Organization Management role groups have this role included.

Quick Links

  1. Enable Console and Cross-Tenant Access for Expel
  2. Enable Microsoft 365 Audit Logging
  3. Enable Microsoft 365 API Connectivity
  4. Add Microsoft 365 as a Security Device in Workbench

Step 1: Enable Console and Cross-Tenant Access for Expel

Note
If your organization has already created a new Expel account for console access and enabled cross-tenant access for another Microsoft integration, you may skip to Step 2. The same "<Your Organization GUID>@soc.expel.io" account provides access across all Microsoft services.

Enable Console Access for a New Account

Expel requires console access to allow analysts to perform investigation and triage. Without this additional level of information, details cannot be verified by our analysts and an investigation cannot be initiated. For more information, see Why Expel Asks for Console Access.

  1. Log in to the Microsoft Entra Admin Center as a user assigned the Global Administrator or User Administrator role.
  2. Navigate to Entra ID > Users > All Users.
  3. Select User > Invite external user.
  4. On the Basics tab, include the following:
    • Email - enter "<Your Organization GUID>@soc.expel.io". For example, a123bc45-aa12-123b@soc.expel.io
    • Display Name - enter "Expel SOC".
  5. On the Assignments tab, configure the following:
    • Select Add role.
    • Search for and select Global Reader. Note: This role provides read-only access across most Microsoft 365 and Azure management consoles.
  6. Select Review + invite and then Invite.

The user account will be added to your directory as a guest, and an invitation will be sent to the email provided.

Enable Cross-Tenant Access

In this step you will add Expel as an external organization and configure inbound trust.

  1. Still in the Microsoft Entra Admin Center, navigate to Entra ID > External Identities > Cross-tenant access settings.
  2. Select the Organizational settings tab.
  3. Select Add organization.
  4. On the Add organization pane, enter Expel’s tenant ID: 1cde81fd-b430-4035-b24d-709921922876
  5. Select Expel from the search results, and then select Add.
  6. In the Organizational settings list, locate the Expel row and select Inbound access.
  7. On the "Inbound access settings - Expel" page, select the Trust settings tab, and configure the following:
    • Select Customize settings.
    • Enable Trust multifactor authentication from Microsoft Entra tenants.
    • Enable Trust compliant devices.
    • Enable Trust Microsoft Entra hybrid joined devices.
    • Under Automatic redemption, enable Automatically redeem invitations with the tenant Expel.
  8. Select Save.
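After saving, you can confirm from PowerShell that the guest account exists and that inbound trust is scoped to Expel's tenant only. This is an added verification script, not part of Expel's guide; it assumes the Microsoft.Graph module is installed and that you can consent to the read-only scopes it requests.

```powershell
# Added verification script (not from Expel's guide). Assumes the Microsoft.Graph
# PowerShell module is installed; only read scopes are requested.
Connect-MgGraph -Scopes 'User.Read.All', 'Policy.Read.All' -NoWelcome

$expelTenantId = '1cde81fd-b430-4035-b24d-709921922876'   # Expel's tenant ID from Step 1
$expelDomain   = 'soc.expel.io'

# 1. The Expel SOC account must be present as a guest (never a member).
$guest = Get-MgUser -Filter "userType eq 'Guest'" -All `
            -Property Id, DisplayName, Mail, UserPrincipalName, UserType |
         Where-Object { $_.Mail -like "*@$expelDomain" -or
                        $_.UserPrincipalName -like "*_$expelDomain#EXT#*" }
if (-not $guest) { Write-Warning "No guest user with an @$expelDomain address was found." }
else { $guest | Format-Table DisplayName, Mail, UserType }

# 2. Inbound trust and automatic redemption must be set for the Expel tenant.
$partners = Get-MgPolicyCrossTenantAccessPolicyPartner -All
$expel = $partners | Where-Object TenantId -eq $expelTenantId
if (-not $expel) { throw "No cross-tenant partner entry exists for tenant $expelTenantId." }

$checks = [ordered]@{
    'Trust MFA'                   = $expel.InboundTrust.IsMfaAccepted
    'Trust compliant devices'     = $expel.InboundTrust.IsCompliantDeviceAccepted
    'Trust hybrid-joined devices' = $expel.InboundTrust.IsHybridAzureADJoinedDeviceAccepted
    'Auto-redeem invitations'     = $expel.AutomaticUserConsentSettings.InboundAllowed
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}

# 3. Device trust granted to any other partner tenant widens the boundary beyond
#    what this guide asks for; list such entries so they can be reviewed.
$partners | Where-Object {
    $_.TenantId -ne $expelTenantId -and
    ($_.InboundTrust.IsCompliantDeviceAccepted -or
     $_.InboundTrust.IsHybridAzureADJoinedDeviceAccepted)
} | Select-Object TenantId | Format-Table
```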

Step 2: Enable Microsoft 365 Audit Logging

Audit logging is required for Expel to provide detection and investigative value. The Microsoft 365 audit log records user and admin activity and holds the data for 90 days. Audit logging could already be running on your Microsoft 365 installation, so the first step is to verify its status.

Verify the Auditing Status

  1. Connect to Exchange Online PowerShell.
  2. Run the following command:
     Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

If the value is true, skip to Step 3: Enable Microsoft 365 API Connectivity.

If the value is false, continue to the next section for enablement instructions.

Choose Your Enablement Option

If auditing is not enabled, choose one of the following methods to turn it on. You must have the Audit Logs role in Exchange Online for this process to work.

Option 1: PowerShell

  1. Connect to Exchange Online PowerShell.
  2. Run the following PowerShell command to turn on audit logging:
     Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

It may take up to 60 minutes for this change to take effect. You may continue to Step 3 in the meantime.

Option 2: Microsoft Purview

  1. Sign into the Microsoft Purview Portal.
  2. Select the Audit solution card. If the Audit solution card isn't displayed, select View all solutions and then select Audit from the Core section.
  3. If auditing isn't turned on for your organization, a banner is displayed prompting you to start recording user and admin activity.
  4. Select the Start recording user and admin activity banner.

It might take up to 60 minutes for the change to take effect. You may continue to Step 3 in the meantime.
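The verify-then-enable sequence from the two sections above, combined into one idempotent script (Option 1). This is an added example, not Expel's own code; it assumes the ExchangeOnlineManagement module is installed and that the caller holds the Audit Logs role in Exchange Online.

```powershell
# Added example (not from Expel's guide). Assumes ExchangeOnlineManagement is installed
# and the caller holds the Audit Logs role in Exchange Online.
Connect-ExchangeOnline -ShowBanner:$false

# Verify the current status before changing anything.
$before = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
if ($before) {
    Write-Host 'Unified audit log ingestion is already enabled; nothing to change.'
} else {
    Write-Host 'Unified audit log ingestion is disabled; enabling it now.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Re-read the setting so the script reports what the tenant actually holds.
$after = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
if (-not $after) { throw 'UnifiedAuditLogIngestionEnabled is still false; check your role assignment.' }

# Sanity check: pull a handful of recent records. An empty result right after
# enabling is expected, because the change can take up to 60 minutes to take effect.
$now    = Get-Date
$sample = Search-UnifiedAuditLog -StartDate $now.AddHours(-1) -EndDate $now -ResultSize 5
if ($sample) {
    $sample | Format-Table CreationDate, UserIds, Operations, RecordType -AutoSize
} else {
    Write-Host 'Ingestion is enabled but no records are available yet; re-run this check later.'
}

Disconnect-ExchangeOnline -Confirm:$false
```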

Step 3: Enable Microsoft 365 API Connectivity

You must enable the Expel O365 Integration to allow API access.

  1. As an Administrator, go to the Expel Admin Consent Page.
  2. Review and accept the requested permissions.
  3. The Expel Microsoft 365 Integration app now appears under Enterprise Applications.
    • Review the properties and make sure that all permissions were properly granted.
    • Copy and save the Directory (Tenant) ID, as you will need it in the next section.
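To review the granted permissions and capture the Directory (tenant) ID from the command line rather than the portal, the following added script (not Expel's own code) lists each application permission granted to the enterprise app, resolved to its permission name, and prints the tenant ID and organization display name needed in Step 4. It assumes the Microsoft.Graph module is installed and matches the app by the display name given above.

```powershell
# Added example (not from Expel's guide). Assumes Microsoft.Graph is installed;
# only read scopes are requested.
Connect-MgGraph -Scopes 'Application.Read.All', 'Organization.Read.All' -NoWelcome

# Locate the enterprise application that admin consent created (name from Step 3).
$sp = @(Get-MgServicePrincipal -Filter "displayName eq 'Expel Microsoft 365 Integration'")
if ($sp.Count -eq 0) { throw 'Expel Microsoft 365 Integration was not found under Enterprise Applications.' }
if ($sp.Count -gt 1) { Write-Warning "$($sp.Count) apps match that name; confirm you are reviewing the right one." }

# Each granted application permission is an app role assignment. The assignment only
# carries the role's GUID, so resolve it against the resource API that defines the role.
$grants = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp[0].Id -All
if (-not $grants) { Write-Warning 'No application permissions are granted; re-run admin consent.' }

$grants | ForEach-Object {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId -Property AppRoles, DisplayName
    $role     = $resource.AppRoles | Where-Object Id -eq $_.AppRoleId
    [pscustomobject]@{
        Resource   = $_.ResourceDisplayName
        Permission = $role.Value
        GrantedOn  = $_.CreatedDateTime
    }
} | Sort-Object Resource, Permission | Format-Table -AutoSize

# Values needed when adding the device in Workbench (Step 4).
$org = Get-MgOrganization
"Directory (tenant) ID    : $($org.Id)"
"Tenant organization name : $($org.DisplayName)"
```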

Step 4: Add Microsoft 365 as a Security Device in Workbench

Now that you have the correct access configured and noted the credentials, you can set up the integration in Workbench. Before you begin, make sure you have your Directory (tenant) ID and your tenant organization name (the name shown at the top-left of the account info box, which opens from the top-right of the Azure portal).

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices. If you have multiple organizations, you must select the appropriate organization name from the list.
  3. Select Add Security Device.
  4. In the search box, type “Microsoft” and then select the Microsoft 365 integration.
  5. Using the wizard, enter your Directory (tenant) ID and follow the remaining prompts to configure the new device.
  6. Your device should be created successfully within a few seconds. A few reminders:
    • After your connection is healthy, it will take some time for your device to begin polling and receiving data.
    • To check on the status, select the downward arrow for your device in the first column and choose View details.
    • Polling will happen first; data will be received after that. You must refresh the page to see updates.
    • To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.