This guide is only for Microsoft 365. If you are looking for Microsoft Entra ID Protection, go to Microsoft Entra ID Protection Setup for Workbench.

Prerequisites

  1. You must be able to log into Microsoft Entra as a user assigned the Global Administrator or User Administrator role.
  2. You must have sufficient permissions to turn on audit logging, if it is not already on (instructions are in Step 2 of this guide).
    • This requires the Audit Logs role in Exchange Online.
    • By default, the Compliance Management and Organization Management role groups have this role included.

Quick Links

  1. Enable Console and Cross-Tenant Access for Expel
  2. Enable Microsoft 365 Audit Logging
  3. Enable Microsoft 365 API Connectivity
  4. Add Microsoft 365 as a Security Device in Workbench

Step 1: Enable Console and Cross-Tenant Access for Expel

Note
If your organization has already created a new Expel account for console access and enabled cross-tenant access for another Microsoft integration, you may skip to Step 2. The same "<Your Organization GUID>@soc.expel.io" account provides access across all Microsoft services.

Enable Console Access for a New Account

Expel requires console access to allow analysts to perform investigation and triage. Without this additional level of information, details cannot be verified by our analysts and an investigation cannot be initiated. For more information, see Why Expel Asks for Console Access.

  1. Log in to the Microsoft Entra Admin Center as a user assigned the Global Administrator or User Administrator role.
  2. Navigate to Entra ID > Users > All Users.
  3. Select User > Invite external user.
  4. On the Basics tab, include the following:
    • Email - enter "<Your Organization GUID>@soc.expel.io". For example, a123bc45-aa12-123b@soc.expel.io
    • Display Name - enter "Expel SOC".
  5. On the Assignments tab, configure the following:
    • Select Add role.
    • Search for and select Global Reader. Note: This role provides read-only access across most Microsoft 365 and Azure management consoles.
  6. Select Review + invite and then Invite.

The user account will be added to your directory as a guest, and an invitation will be sent to the email provided.

Enable Cross-Tenant Access

In this step you will add Expel as an external organization and configure inbound trust.

  1. Still in the Microsoft Entra Admin Center, navigate to Entra ID > External Identities > Cross-tenant access settings.
  2. Select the Organizational settings tab.
  3. Select Add organization.
  4. On the Add organization pane, enter Expel’s tenant ID: 1cde81fd-b430-4035-b24d-709921922876
  5. Select Expel from the search results, and then select Add.
  6. In the Organizational settings list, locate the Expel row and select Inbound access.
  7. On the "Inbound access settings - Expel" page, select the Trust settings tab, and configure the following:
    • Select Customize settings.
    • Enable Trust multifactor authentication from Microsoft Entra tenants.
    • Enable Trust compliant devices.
    • Enable Trust Microsoft Entra hybrid joined devices.
    • Under Automatic redemption, enable Automatically redeem invitations with the tenant Expel.
  8. Select Save.
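After saving, you can confirm that the inbound trust settings for Expel's tenant were actually applied rather than left at the tenant defaults. The script below is an added verification example, not part of Expel's guide; it assumes the Microsoft.Graph PowerShell SDK is installed and that your account can consent to the Policy.Read.All scope. It reads the partner-specific cross-tenant access configuration for Expel's tenant ID (the value given in step 4) and reports each setting from step 7.

```powershell
# Added verification script (not part of Expel's guide). Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in account can consent to Policy.Read.All.
# The partner tenant ID is Expel's, as given in step 4 above.
$expelTenantId = '1cde81fd-b430-4035-b24d-709921922876'

Connect-MgGraph -Scopes 'Policy.Read.All'

# Read the organizational (partner-specific) cross-tenant access settings for Expel.
$uri = "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners/$expelTenantId"
try {
    $partner = Invoke-MgGraphRequest -Method GET -Uri $uri
} catch {
    Write-Warning "No organizational settings found for tenant $expelTenantId. Complete steps 1-5 first."
    return
}

# Expected values from step 7. A $null value means the setting was not customized
# and the tenant default still applies.
$checks = [ordered]@{
    'Trust multifactor authentication from Microsoft Entra tenants' = $partner.inboundTrust.isMfaAccepted
    'Trust compliant devices'                                       = $partner.inboundTrust.isCompliantDeviceAccepted
    'Trust Microsoft Entra hybrid joined devices'                   = $partner.inboundTrust.isHybridAzureADJoinedDeviceAccepted
    'Automatically redeem invitations with the tenant Expel'        = $partner.automaticUserConsentSettings.inboundAllowed
}

foreach ($name in $checks.Keys) {
    $state = if ($checks[$name] -eq $true) { 'OK     ' } else { 'MISSING' }
    '{0}  {1}' -f $state, $name
}
```

Any line reported as MISSING means the corresponding toggle in the Trust settings tab was not saved; re-open the Inbound access settings for Expel and correct it before continuing.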

Step 2: Enable Microsoft 365 Audit Logging

Audit logging is required for Expel to provide detection and investigative value. The Microsoft 365 audit log records user and admin activity and holds the data for 90 days. Audit logging could already be running on your Microsoft 365 installation, so the first step is to verify its status.

Step 1: Verify the Auditing Status

  1. Connect to Exchange Online PowerShell.
  2. Run the following command:
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

If the value is true, skip to Step 3: Enable Microsoft 365 API Connectivity.

If the value is false, continue to the next step to find your enablement instructions.

Step 2: Choose Your Enablement Option

If auditing is not enabled, choose one of the following methods to turn it on. You must have the Audit Logs role in Exchange Online for this process to work.

Option 1: PowerShell

Run the following PowerShell command to turn on audit logging:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

It may take up to 60 minutes for this change to take effect. You may continue to Step 3 in the meantime.
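The verification in the previous section and the enablement command above can be combined into one idempotent check. The script below is an added example, not part of Expel's guide; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds the Audit Logs role. It enables unified audit log ingestion only when it is off, then re-reads the setting so you see what the service currently reports rather than assuming the change has already taken effect.

```powershell
# Added example (not part of Expel's guide): check the unified audit log state and
# enable ingestion only if it is off. Assumes the ExchangeOnlineManagement module is
# installed and the signed-in account holds the Audit Logs role in Exchange Online.
Connect-ExchangeOnline -ShowBanner:$false

$config = Get-AdminAuditLogConfig
if ($config.UnifiedAuditLogIngestionEnabled) {
    Write-Host 'Unified audit log ingestion is already enabled; nothing to do.'
} else {
    Write-Host 'Unified audit log ingestion is disabled; enabling now.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

    # The change can take up to 60 minutes to take effect, so re-read the setting
    # and report the current value instead of assuming success.
    $after = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
    Write-Host "UnifiedAuditLogIngestionEnabled now reports: $after (allow up to 60 minutes)"
}

Disconnect-ExchangeOnline -Confirm:$false
```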

Option 2: Microsoft 365 Security and Compliance Center

  1. Log in to the Microsoft 365 Admin Portal.
  2. Go to Admin centers > Compliance.
  3. Go to Solutions > Audit.
  4. Follow the on-screen instructions to turn on audit logging.
  5. It may take up to 24 hours for the process to complete and for activity to begin recording. You may continue to Step 3 in the meantime.

Step 3: Enable Microsoft 365 API Connectivity

Choose one of the following methods to enable secure API access. You will need to save the following value(s) as they are generated, for use later in this guide:

  • Directory (tenant) ID
  • Application (client) ID*
  • Application (client) Secret*

*Custom Entra ID apps only.

Option 1: Enable the Expel O365 Integration (RECOMMENDED)

  1. As an Administrator, go to the Expel Admin Consent Page.
  2. Review and accept the requested permissions.
  3. The Expel Microsoft 365 Integration app now appears under Enterprise Applications.
    • Review the properties and make sure that all permissions were properly granted.
    • Copy and save the Directory (Tenant) ID, as you will need it in the next section.
  4. Skip to Step 4: Add Microsoft 365 as a Security Device in Workbench.

Option 2: Create a Custom Entra ID App

  1. Log in to Azure.
  2. Navigate to the Microsoft Entra ID service.
  3. Go to Manage > App registrations.
  4. Select New registration.
  5. Fill in the application details as follows:
    • Name - enter Expel Cloud Service, or another name of your choosing.
    • Supported account types - leave the "accounts in this organizational directory only" option selected (the first option).
  6. Select Register.
  7. You will navigate automatically to the Settings page for the app you just created.
  8. Copy and save the Application (client) ID and Directory (tenant) ID to a safe place, as you will need it in the next section.
  9. In the left menu, go to Manage > API permissions.
  10. Select Add a permission.
  11. Add the following permissions as application permissions (not as delegated permissions):

    Microsoft Graph:
      • AuditLog.Read.All
      • Directory.Read.All
      • Group.Read.All
      • IdentityRiskEvent.Read.All
      • SecurityEvents.Read.All
      • User.Read.All

    Office 365 Exchange Online:
      • Exchange.ManageAsApp

    Office 365 Management:
      • ActivityFeed.Read
      • ActivityFeed.ReadDlp
      • ServiceHealth.Read

  12. After all permissions are assigned, select Grant admin consent and Yes at the prompt.
  13. Still in the new app, use the left menu to go to Manage > Certificates & secrets.
  14. Select New client secret.
  15. For the new secret:
    • Description - enter a description, such as "Expel API".
    • Expires - select 730 days (24 months).
  16. Select Add.
  17. Copy and save the client secret's value to a safe place, as you will need it in the next section.
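Because a permission that was added but never consented to still shows in the portal, it is worth confirming that admin consent was actually recorded for every application permission the guide lists. The script below is an added verification example, not part of Expel's guide; it assumes the Microsoft.Graph PowerShell SDK and an account that can consent to Application.Read.All, and it uses the app name suggested in step 5 (change $appDisplayName if you chose another). The resource API display names, including "Office 365 Management APIs" for the entry the guide calls "Office 365 Management", are assumed to match the service principal names in your tenant.

```powershell
# Added verification script (not part of Expel's guide). Assumes the Microsoft.Graph
# PowerShell SDK and an account that can consent to Application.Read.All. The app
# display name is the one suggested in step 5; change it if you chose another name.
$appDisplayName = 'Expel Cloud Service'

# Application permissions from the guide, keyed by the resource API's service
# principal display name (assumed; "Office 365 Management APIs" is the SP name for
# the API the guide lists as "Office 365 Management").
$required = @{
    'Microsoft Graph'            = @('AuditLog.Read.All', 'Directory.Read.All', 'Group.Read.All',
                                     'IdentityRiskEvent.Read.All', 'SecurityEvents.Read.All', 'User.Read.All')
    'Office 365 Exchange Online' = @('Exchange.ManageAsApp')
    'Office 365 Management APIs' = @('ActivityFeed.Read', 'ActivityFeed.ReadDlp', 'ServiceHealth.Read')
}

Connect-MgGraph -Scopes 'Application.Read.All'
$graph = 'https://graph.microsoft.com/v1.0'

# Locate the service principal that represents the custom app in this tenant.
$filter = [uri]::EscapeDataString("displayName eq '$appDisplayName'")
$sp = (Invoke-MgGraphRequest -Method GET -Uri "$graph/servicePrincipals?`$filter=$filter").value | Select-Object -First 1
if (-not $sp) { Write-Warning "No service principal named '$appDisplayName' found."; return }

# Admin consent for application permissions is recorded as appRoleAssignments on the
# app's service principal; each points at a role defined on the resource API's SP.
$assignments = (Invoke-MgGraphRequest -Method GET -Uri "$graph/servicePrincipals/$($sp.id)/appRoleAssignments").value

$granted = @{}
foreach ($a in $assignments) {
    # Resolve the role GUID to its permission name (e.g. AuditLog.Read.All).
    $resource = Invoke-MgGraphRequest -Method GET -Uri "$graph/servicePrincipals/$($a.resourceId)"
    $role = $resource.appRoles | Where-Object { $_.id -eq $a.appRoleId }
    if (-not $granted.ContainsKey($resource.displayName)) { $granted[$resource.displayName] = @() }
    $granted[$resource.displayName] += $role.value
}

# Report each required permission as GRANTED or MISSING.
foreach ($api in $required.Keys) {
    foreach ($perm in $required[$api]) {
        $state = if ($granted[$api] -contains $perm) { 'GRANTED' } else { 'MISSING' }
        '{0}  {1} / {2}' -f $state, $api, $perm
    }
}
```

A MISSING line for a permission you did add usually means Grant admin consent was not completed (step 12); a permission that appears granted but is not in the list above is one the guide does not require and can be reviewed for least privilege.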

Step 4: Add Microsoft 365 as a Security Device in Workbench

Now that you have the correct access configured and noted the credentials, you can set up the integration in Workbench. Before you begin, make sure you have your Directory (tenant) ID and your tenant organization name (this is the name that appears in the top-left of the account info box, located in the top-right of Azure). If you created a custom app in the previous section, you will also need the Application (client) ID and Application (client) Secret.

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices. If you have multiple organizations, you must select the appropriate organization name from the list.
  3. Select Add Security Device.
  4. In the search box, type “Microsoft” and then select the Microsoft 365 integration.
  5. Do one of the following:
    • If you chose to use the Expel O365 integration in Step 3, you may use the wizard (if you wish) and simply enter your Directory (tenant) ID. Then follow the remaining prompts to configure the new device. Skip to step 7 below for more info about your new device.
    • If you chose to use a custom app in Step 3, select Connect manually and continue to the next step.
  6. Complete the fields as follows:
    • Name - enter a name that might help you more easily identify this integration, such as "CompanyName Microsoft 365"; this name will display in Workbench under the Name column, and is a text string that you can filter on.
    • Location - enter the location of your integration, for example "cloud"; this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    • Directory (tenant) ID - enter the Directory (tenant) ID from Step 3.
    • Application (client) ID - if you created a custom app, enter the application client ID from Step 3; if you did not, leave this field blank.
    • Application (client) secret - if you created a custom app, enter the secret value from Step 3; if you did not, leave this field blank.
    • Organization name - enter your tenant organization name.
  7. Select Save.
  8. Your device should be created successfully within a few seconds. A few reminders:
    • After your connection is healthy, it will take some time for your device to begin polling and receiving data.
    • To check on the status, select the downward arrow for your device in the first column and choose View details.
    • Polling will happen first; data will be received after that. You must refresh the page to see updates.
    • To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.