This article provides prerequisites and onboarding steps for Office 365 Direct.

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

Step 1: Enable Office 365 Audit Logging

Audit logging is required for Expel to provide detection and investigative value for Office 365. The Office 365 audit log records user and admin activity and retains the data for 90 days. Audit logging may already be enabled in your Office 365 tenant, so the first thing to do is verify.

Verify Office 365 audit logging status

Use the Verify the auditing status for your organization instructions from Office 365 support.

  • If audit logging is ON, skip to Step 2: Enable Office 365 Enterprise Application.

  • If audit logging is OFF, follow the Enable Office 365 audit logging instructions.

Enable Office 365 audit logging

You can use either the Office 365 Security and Compliance Center or Exchange Online PowerShell to activate audit logging.

Note

If you prefer PowerShell, skip to Option 2.

Option 1: Enable audit logging in Office 365 Security and Compliance Center in 5 steps

  1. Log in to the Office 365 Admin Portal with a global admin user or, at minimum, a user with the Organization Management or Compliance Management role.

  2. Navigate to the Security & Compliance Center.

  3. Navigate to Search & investigation > Audit log search.

  4. Click Start recording user and admin activities.

  5. That’s it! Office 365 makes some changes behind the scenes and begins recording activity in the audit log.

    Note

    This change can take about 24 hours to complete.

Option 2: Enable audit logging in Office 365 with PowerShell in 3 steps

  1. Connect to Exchange Online PowerShell.

  2. Run the Set-AdminAuditLogConfig cmdlet to turn on unified audit log ingestion for the organization.

  3. That’s it! A message appears saying it can take up to 60 minutes for the change to take effect.
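The verify-then-enable sequence from Step 1, as one Exchange Online PowerShell session. This is an added example, not code from the original article: it assumes the ExchangeOnlineManagement module is installed (Install-Module ExchangeOnlineManagement) and that the signed-in account holds the Organization Management or Compliance Management role. The final Search-UnifiedAuditLog call is the check that matters for onboarding: it proves events are actually being written, not just that the switch is on.

```powershell
# Added example (not from the original article): check and, if needed, enable
# the Office 365 unified audit log from Exchange Online PowerShell, then confirm
# that events are being recorded. Assumes the ExchangeOnlineManagement module is
# installed and the account has the Organization Management or Compliance
# Management role.

Connect-ExchangeOnline   # interactive sign-in; you are prompted for credentials

$config = Get-AdminAuditLogConfig
if ($config.UnifiedAuditLogIngestionEnabled) {
    Write-Host "Unified audit log ingestion is already ON; continue with Step 2."
} else {
    Write-Host "Unified audit log ingestion is OFF; enabling it now."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # Exchange reports that the change can take up to 60 minutes to take effect.
}

# Re-read the setting so the final state is shown regardless of which branch ran.
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# Once ingestion is on and has had time to propagate, prove that events are
# actually being recorded by pulling a handful of records from the last day.
# An empty result right after enabling is normal; re-run after the delay.
$since = (Get-Date).AddDays(-1)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -ResultSize 5 |
    Select-Object CreationDate, UserIds, Operations, RecordType

Disconnect-ExchangeOnline -Confirm:$false
```

If Search-UnifiedAuditLog returns records, the log is live and Expel can consume it; if it keeps returning nothing well after the 60-minute window, re-check that the ingestion flag reads True and that the account running the search has the Audit Logs role.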

Step 2: Enable Office 365 Enterprise Application

To integrate Office 365 Direct with Expel, we need to create credentials for the API. We provide 2 options for enabling API access:

  • Option 1: Enable the Expel Office 365 Integration Enterprise Application within Azure.

  • Option 2: Create a custom Azure Active Directory (AD) Application.

Usually enabling the Enterprise Application (option 1) is the recommended approach. The second option is offered for cases where the absolute minimum permissions are required. In either case, the items below are what you need to obtain during this step:

  • Azure Directory (tenant) ID: A unique identifier for your Azure instance. Expel needs this information to route our API requests to the right place.

  • Application (client) ID (Option 2 only): A unique identifier for the application you create that grants Expel the access it needs to your Office 365 instance.

  • Application (client) Secret (Option 2 only): The API secret that allows Expel to authenticate as the created application to your O365 instance.

Option 1: Enable Office 365 integration (preferred)

  1. As an Administrator, navigate to the Expel Admin Consent Page.

  2. Review and accept requested permissions.

  3. The Expel Office 365 Integration app now appears under Enterprise Applications. Review properties and make sure that all permissions were properly granted. Note the Directory (Tenant) ID when viewing the Expel Office 365 Integration application for use in later steps.

  4. Skip to Step 3.

Option 2: Create Custom Azure AD Application

  1. Log in to your Azure Active Directory account (https://portal.azure.com) and open Azure Active Directory.

  2. Navigate to App registrations and create a new app by clicking + New registration.

  3. Fill in the application details. You can technically fill these in however you want, but we recommend the following:

    • Name: Expel Cloud Service.

    • Supported account types: Accounts in this organizational directory only (first option).

  4. After you fill out the fields, click Register to create the new application.

  5. You are taken automatically to the settings page for the Expel Cloud Service app you just created. If not, navigate to Azure Active Directory > App Registrations > View all applications (if you don’t see the new app) > Expel Cloud Service.

  6. Make a note of the Application (client) ID and the Directory (tenant) ID. You need both later.

  7. Navigate to API permissions and click Add a permission.

  8. Add these permissions for the Expel App.

    • Microsoft Graph API

      • AuditLog.Read.All

      • User.Read.All

      • Group.Read.All

      • IdentityRiskEvent.Read.All

      • SecurityEvents.Read.All

      • Directory.Read.All

    • Office 365 Management APIs

      • ActivityFeed.Read

      • ActivityFeed.ReadDlp

      • ServiceHealth.Read

  9. Select the appropriate API Category (for example, Microsoft Graph).

  10. Select Application Permissions.

  11. Select the appropriate permission(s) and click Add Permissions.

  12. Repeat these steps for each permission needed. Verify that:

    • All permissions are added as Application permissions and NOT Delegated permissions.

    • All Permissions are assigned.

    • Consent is granted for the permissions by the AAD admin.

  13. After permissions are assigned, click Grant admin consent, and Yes at the prompt.

  14. Navigate to Expel Cloud Service > Certificates & secrets to create an API key (also called a client secret). Click + New client secret.

  15. Add a description for the secret (like Expel API) and select Never for expiration if it is offered; the Azure portal now caps new client secrets at 24 months, so note the expiry date and plan to rotate the secret (and update it in Workbench) before then. Click Add to create the secret.

  16. You see a new client secret (API Key) appear under Client secrets.


    Important

    Copy the value and save it for later. It is shown only once: after you navigate away from this screen it cannot be retrieved, and you must create a new secret.
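The verification called for in steps 12 and 13 (every permission added as an Application permission, none Delegated, admin consent granted), done from the Microsoft Graph PowerShell SDK instead of by eye in the portal. This is an added example, not code from the original article or from Expel: it assumes the Microsoft.Graph module is installed, that the signed-in account can read applications and service principals, and that $ClientId is replaced with the Application (client) ID noted in step 6 (the value shown is a placeholder). It also prints when each client secret expires, which is the date the secret has to be rotated.

```powershell
# Added example (not from the original article): audit the custom app registration
# from Option 2. Confirms each required permission exists on the resource API as an
# Application role, is requested on the registration as Type 'Role' (not 'Scope',
# which would be Delegated), and has an app role assignment (admin consent) on the
# app's service principal. Assumes the Microsoft.Graph PowerShell SDK.

$ClientId = '00000000-0000-0000-0000-000000000000'   # placeholder: your Application (client) ID

# Resource API display name -> permissions the integration needs (from the article's list).
$Required = @{
    'Microsoft Graph'            = @('AuditLog.Read.All', 'User.Read.All', 'Group.Read.All',
                                     'IdentityRiskEvent.Read.All', 'SecurityEvents.Read.All',
                                     'Directory.Read.All')
    'Office 365 Management APIs' = @('ActivityFeed.Read', 'ActivityFeed.ReadDlp', 'ServiceHealth.Read')
}

Connect-MgGraph -Scopes 'Application.Read.All'

$app = Get-MgApplication -Filter "appId eq '$ClientId'"
$sp  = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
if (-not $app -or -not $sp) { throw "No app registration / service principal found for $ClientId" }

# App roles actually granted to this service principal; this is what admin consent creates.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id

$problems = @()
foreach ($resourceName in $Required.Keys) {
    # Resolve the resource API's service principal in this tenant to get its app role IDs.
    $resource = Get-MgServicePrincipal -Filter "displayName eq '$resourceName'" | Select-Object -First 1
    if (-not $resource) { $problems += "Resource API '$resourceName' not found in tenant"; continue }

    # Permissions requested on the registration for this resource.
    $requested = $app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -eq $resource.AppId }

    foreach ($perm in $Required[$resourceName]) {
        $role = $resource.AppRoles |
            Where-Object { $_.Value -eq $perm -and $_.AllowedMemberTypes -contains 'Application' }
        if (-not $role) { $problems += "$resourceName/$perm is not an Application permission on this API"; continue }

        $asRole = $requested.ResourceAccess | Where-Object { $_.Id -eq $role.Id -and $_.Type -eq 'Role' }
        if (-not $asRole) { $problems += "$resourceName/$perm is missing, or was added as Delegated instead of Application" }

        $consent = $granted | Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $resource.Id }
        if (-not $consent) { $problems += "$resourceName/$perm has no admin consent" }
    }
}

# Any Delegated (Type 'Scope') entry is a mistake for this integration.
$delegated = @($app.RequiredResourceAccess.ResourceAccess | Where-Object { $_.Type -eq 'Scope' })
if ($delegated.Count -gt 0) { $problems += "$($delegated.Count) Delegated permission(s) present; remove them" }

# Client secret lifetime: record the expiry so rotation can be scheduled.
foreach ($secret in $app.PasswordCredentials) {
    "Secret '$($secret.DisplayName)' expires $($secret.EndDateTime)"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "All required permissions are Application permissions with admin consent."
}
```

A "has no admin consent" warning with the permission otherwise present means step 13 (Grant admin consent) was skipped or did not complete; a "Delegated instead of Application" warning means the wrong tab was chosen in step 10. Matching on the role's Value rather than a hard-coded GUID keeps the check valid across tenants.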

Step 3: Configure Office 365 Direct in Expel Workbench

Now that we have the correct access configured and noted the credentials, we can integrate Office 365 Direct with Expel Workbench.

  1. In a new browser tab, log in to https://workbench.expel.io/settings/security-devices?setupIntegration=office365.

  2. The Add Security Device page for Office 365 (direct) appears.

  3. Complete the fields as follows:

    • SIEM: Select Expel Cloud Service from the list.

    • Name: What you want to name the security device.

    • Location: Microsoft Cloud

    • Tenant ID: The Azure Directory (tenant) ID from Option 1 or Option 2.

    • Client ID (Option 2 only): The Azure Application (client) ID that we saved in Option 2.

    • Client Secret (Option 2 only): The Application (client) Secret that we saved in Option 2.
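Before pasting the Option 2 values into Workbench, it is worth proving that the tenant ID, client ID and client secret work together against the API Expel will use. The following is an added example, not code from the original article or from Expel: it performs the OAuth 2.0 client-credentials grant for the Office 365 Management API and lists the Activity API subscriptions. The tenant and client IDs shown are placeholders to replace; the secret is read from the console so it does not land in shell history. The token decode is only to inspect the roles claim and deliberately does no signature validation.

```powershell
# Added example (not from the original article): smoke-test the Option 2 credentials.
# 1. Client-credentials grant for https://manage.office.com (Office 365 Management APIs).
# 2. Inspect the token's roles claim to confirm the ActivityFeed.* application
#    permissions were consented (no signature check; local inspection only).
# 3. Call the Management Activity API subscriptions endpoint with the token.
# Placeholders below must be replaced with your tenant and application IDs.

$TenantId = '00000000-0000-0000-0000-000000000000'   # Azure Directory (tenant) ID
$ClientId = '00000000-0000-0000-0000-000000000000'   # Application (client) ID
$SecureSecret = Read-Host -Prompt 'Client secret' -AsSecureString
$PlainSecret  = [System.Net.NetworkCredential]::new('', $SecureSecret).Password

# The .default scope asks for every Application permission already admin-consented
# for this resource, which is exactly what a daemon-style integration relies on.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        client_secret = $PlainSecret
        grant_type    = 'client_credentials'
        scope         = 'https://manage.office.com/.default'
    }
$PlainSecret = $null   # do not keep the secret in the session longer than needed

# Decode the JWT payload (base64url) and show the roles granted to the app.
# Missing ActivityFeed.Read here means consent was not granted, or the permission
# was added as Delegated rather than Application.
$payload = $tokenResponse.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
$claims = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
"Roles in token: $($claims.roles -join ', ')"

# List current Management Activity API subscriptions. An empty list is normal for a
# tenant that has never subscribed; an HTTP 401/403 means the app cannot reach the API.
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }
$subs = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "https://manage.office.com/api/v1.0/$TenantId/activity/feed/subscriptions/list"
"Current subscriptions: $(@($subs).Count)"
$subs | Select-Object contentType, status
```

A successful token with ActivityFeed.Read in the roles claim and a 200 from the subscriptions endpoint is the minimum for the Option 2 credentials to be usable; if the token request itself fails with an invalid_client error, the secret was copied wrongly or has already expired, and a new one must be created in step 14.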

Step 4: Configure Azure AD Identity Protection in Expel Workbench (Premium P2 license required)

Now that we have the correct access configured and noted the credentials, we can integrate Azure AD Identity Protection with Expel Workbench.

  1. In a new browser tab, log in to https://workbench.expel.io/settings/security-devices?setupIntegration=azure_identity_protection.

  2. The Add Security Device page for Azure AD Identity Protection appears.

  3. Complete the fields as described in the previous step.
