Azure Log Analytics offers a specific solution that consolidates information from the Office 365 environment within the Log Analytics workspace, making the data simple and intuitive to consult. This article looks at the characteristics of this solution and illustrates the steps to follow to activate it.
Features of the solution
The solution allows you to use Log Analytics to perform the following tasks related to Office 365:
- Monitor the activities carried out by administrators, in order to track changes to configurations and operations that require elevated privileges.
- Analyze account activity in Office 365 in order to identify behavioral trends and monitor resource utilization. For example, you can determine which files are shared outside your organization or check the most used SharePoint sites.
- Provide support in audits and compliance. For example, you can monitor access to specific files that are considered confidential.
- Identify any unwanted behaviors performed by users, based on specific organizational needs.
- Perform troubleshooting tasks more easily when they become necessary in your Office 365 environment.
To enable this solution you must have an account with the Global Administrator role. You can connect multiple Office 365 subscriptions to a single Log Analytics workspace. If you also want to bring the Office 365 audit events into the Log Analytics workspace, you must enable auditing on the Office 365 subscription by following the steps in this documentation.
Solution activation
To enable the Office 365 Management solution you must follow these steps. The solution collects data directly from Office 365, without involving any Log Analytics agent.
The solution requires an Azure Active Directory application, configured as described below, which is used to access data in Office 365.
To configure the solution, a key is required for the Azure Active Directory application you created.
At this point, you must run the PowerShell script office365_consent.ps1, which enables administrative access. This script is available at this link.
The last step needed to complete activation is to run the PowerShell script office365_subscription.ps1, also available at this link, which subscribes the Azure AD application to the Log Analytics workspace.
After the initial setup, it may take several minutes before data from Office 365 appears in Log Analytics. All records created by this solution in Log Analytics have a Type of OfficeActivity. The value of the OfficeWorkload property determines which Office 365 service the record refers to: Exchange, Azure Active Directory, SharePoint, or OneDrive. The RecordType property shows the type of operation performed.
The solution adds the following tile to the dashboard:
When selected, it opens the specific dashboard, which breaks down the activities collected from Office 365 by service.
Of course, you can also run your own queries to suit your needs.
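As an added example (not taken from the original article), the following Log Analytics query covers the first task listed above: it summarizes Exchange administrator activity per account. OfficeActivity, OfficeWorkload and RecordType come from the article; the columns TimeGenerated, Operation, UserId and ClientIP, the RecordType value "ExchangeAdmin", and the 7-day window are assumptions based on the OfficeActivity schema and should be adjusted to your workspace.

```kusto
// Added example: Exchange administrator activity per account.
// Assumption: 7-day lookback; change to match your review cadence.
let lookback = 7d;
OfficeActivity
| where TimeGenerated > ago(lookback)
// Keep only administrative operations recorded for the Exchange workload.
| where OfficeWorkload == "Exchange" and RecordType == "ExchangeAdmin"
| summarize
    Events     = count(),                 // total admin operations by the account
    Operations = make_set(Operation, 20), // distinct operations (capped at 20)
    SourceIPs  = dcount(ClientIP),        // number of distinct client addresses
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated)
    by UserId
// Accounts with the most administrative activity first.
| order by Events desc
```

Changing the OfficeWorkload and RecordType filters applies the same summary to the other services collected by the solution.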
Conclusions
Collecting the activities carried out in Office 365 in Log Analytics allows granular control of the environment, helping to satisfy auditing and compliance regulations with a single tool.