1. Expel Help Center
  2. Connect Your Technology
  3. SaaS Integrations
  4. Microsoft

Microsoft 365 Direct Setup for Workbench

This article provides prerequisites and onboarding steps for Microsoft 365 Direct.

Quick Links

  1. Enable Console Access

  2. Enable Microsoft 365 Audit Logging

  3. Enable Microsoft 365 Enterprise Application

  4. Configure Microsoft 365 Direct in Expel Workbench

  5. Configure Microsoft Entra ID Protection in Expel Workbench (Premium P2 License Required)

Step 1: Enable Console Access

Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech.

Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. Learn more about the IP addresses all Expel traffic comes from.

  1. Sign into the Azure portal as a user who is assigned a limited administrator directory role or the Guest Inviter role.

  2. In the navigation pane, click Microsoft Entra ID.

  3. Under Manage, select Users.

  4. Select New guest user.

  5. On the New user page, click Invite user, fill out the email address (expel_analyst@expel.io), and optionally include a message.

  6. Under roles, add the role Global Reader role.

  7. Click Invite to automatically send the invitation to the guest user.

  8. After you send the invitation, the user account is automatically added to the directory as a guest.

Step 2: Enable Microsoft 365 Audit Logging

Audit logging is required for Expel to provide detection and investigative value for Microsoft 365. The Microsoft 365 audit log records user and admin activity and holds the data for 90 days. Audit logging could already be running on your Microsoft 365 installation. So, the first thing to do is verify.

Verify Microsoft 365 Audit Logging Status

Use the Verify the auditing status for your organization instructions from Microsoft 365 support.

Enable Microsoft 365 Audit Logging

You can use either the Microsoft 365 Security and Compliance Center or the Exchange Online PowerShell to activate audit logging.

Note
If you prefer PowerShell, skip to Option 2: Enable Audit Logging in Microsoft 365 With PowerShell in 3 Steps.

Option 1: Enable Audit Logging in Microsoft 365 Security and Compliance Center in 5 Steps

  1. Log in to the Microsoft 365 Admin Portal with a global admin user or at minimum, a user with the Organization Management or Compliance Management roles.

  2. Navigate to the Security & Compliance Center.

  3. Navigate to Search & investigation > Audit log search.

  4. Select Start recording user and admin activities.

  5. That’s it! Microsoft 365 makes some changes behind the scenes and begins recording activity in the audit log.

Note
This change can take about 24 hours to complete.

Option 2: Enable Audit Logging in Microsoft 365 With PowerShell in 3 Steps

  1. Connect to Exchange Online PowerShell.

  2. Run the following PowerShell command to turn on audit log search in Microsoft 365:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

  1. That’s it! A message appears saying it can take up to 60 minutes for the change to take effect.

Note
Turn Microsoft 365 audit log search on or off.

Step 3: Enable Microsoft 365 Enterprise Application

To integrate Microsoft 365 Direct with Expel, we need to create secure credentials to the API. We provide two options for enabling API access:

Usually enabling the Enterprise Application (Option 1) is the recommended approach. The second option is offered for cases where the absolute minimum permissions are required. In either case, the table below shows the required items to obtain during this step:

Item we need

Description

Azure Directory (tenant) ID

A unique identifier for your Azure instance. Expel needs this information to route our API requests to the right place.

Application (client) ID (Option 2 only)

A unique identifier for the application you create that grants Expel the access it needs to your Microsoft 365 instance.

Application (client) Secret (Option 2 only)

The API secret that allows Expel to authenticate as the created application to your Microsoft 365 instance.

Option 1: Enable Microsoft 365 Integration (Preferred)

  1. As an Administrator, navigate to the Expel Admin Consent Page.

  2. Review and accept requested permissions.

  3. The Expel Microsoft 365 Integration app now appears under Enterprise Applications. Review properties and make sure that all permissions were properly granted. Note the Directory (Tenant) ID when viewing the Expel Microsoft 365 Integration application for use in later steps.

  4. Skip to Step 4: Configure Microsoft 365 Direct in Expel Workbench.

Option 2: Create Custom Microsoft Entra ID Application

  1. Log in to your Azure Active Directory account and open Microsoft Entra ID.

  2. Navigate to App registrations and create a new app by clicking + New registration.

  3. Fill in the application details. You can technically fill these in however you want, but we recommend the following:

    • Name - Expel Cloud Service.

    • Supported account types - accounts in this organizational directory only (first option).

  4. After you fill out the fields, select Register to create the new application.

  5. You will navigate automatically to the settings page for the Expel Cloud Service app you just created. If not, navigate to Azure Active Directory > App Registrations > View all applications > Expel Cloud Service (if you don’t see the new app).

  6. Make a note of the Application (client) ID and Directory (tenant) ID for later.

  7. Navigate to API permissions and select Add a permission.

  8. Add these permissions for the Expel App:

    • Microsoft Graph API

      • AuditLog.Read.All

      • Directory.Read.All

      • Group.Read.All

      • IdentityRiskEvent.Read.All

      • SecurityEvents.Read.All

      • User.Read.All

    • Microsoft 365 Management APIs

      • ActivityFeed.Read

      • ActivityFeed.ReadDIp

      • ServiceHealth.Read

  9. Select the appropriate API Category (for example, Microsoft Graph).

  10. Select Application Permissions.

  11. Select the appropriate permission(s) and Add Permissions.

  12. Repeat these steps for each permission needed. Verify that:

    • All permissions are added as Application permissions and not Delegated permissions.

    • All permissions are assigned.

    • Consent is granted for the permissions by the AAD admin.

  13. After permissions are assigned, select Grant admin consent and Yes at the prompt.

  14. Navigate to Expel Cloud Service > Certificates & secrets to begin creating an API key (client secret). To create a new key, select +New client secret.

  15. Add a description for the secret (for example, Expel API) and select 24 months for expiration. Select Add to create the secret.

  16. You will see a new client secret (API Key) under Client secrets.


    Note
    Copy the value and save it for later. The client secret disappears after you navigate away from this screen.

Step 4: Configure Microsoft 365 Direct in Expel Workbench

Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.

  1. In a new browser tab, log in to Expel Security Devices to add a Microsoft 365 (direct) security device.

    office_365_direct_figure_19.png

  2. Complete the fields as follows:

    • SIEM - select Expel Cloud Service from the list.
    • Name - enter a name that might help you more easily identify this integration; this name will display in Workbench under the Name column and is a text string that you can filter on.
    • Location - select Microsoft Cloud.
    • Tenant ID - use the Azure Directory (tenant) ID from Option 1 or Option 2.
    • Client ID (Option 2 only) - use the Azure Application (client) ID created in Option 2.
    • Client Secret (Option 2 only) - use the Application (client) Secret created in Option 2.

  3. Select Save.

Step 5: Configure Microsoft Entra ID Protection in Expel Workbench (Premium P2 License Required)

Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.

  1. In a new browser tab, log into Expel Security Devices to add a Microsoft Entra ID Protection security device.
  2. Complete the fields as follows:
    • SIEM - select Expel Cloud Service from the list.
    • Name - enter a name that might help you more easily identify this integration; this name will display in Workbench under the Name column and is a text string that you can filter on.
    • Location - select Microsoft Cloud.
    • Tenant ID - use the Azure Directory (tenant) ID from Option 1 or Option 2.
    • Client ID (Option 2 only) - use the Azure Application (client) ID created in Option 2.
    • Client Secret (Option 2 only) - use the Application (client) Secret created in Option 2.
  3. Select Save.

You can see if the device is healthy on the Security Devices page. It may take a few minutes to see the device listed.

To check if alerts are coming through, navigate to the Alerts Analysis page. Scroll to the device you want to check and select View alerts. Switch to grid view, then check the list for device alerts. It can take 36 to 72 hours for alerts to appear after setup as we tune your device.

  • Was this article helpful?

  • 2 out of 5 found this helpful

Related articles