Configuring Azure AD app

To use a data collecting account with modern authentication, do the following:

1. Create an Azure AD app that will be used for modern authentication.

2. Grant required permissions to that application.

3. Configure client secret for that application.

4. Obtain the tenant name – you will need it when configuring the monitored item (Office 365 tenant) settings.

Step 1. Create and register a new app in Azure AD

IMPORTANT! You will need to create a dedicated app for each cloud-based data source you plan to audit: Azure AD, Exchange Online or SharePoint Online. That is, if you plan to audit all of them, you should create 3 apps, each granted only the permissions listed for its data source in Step 2.

To register a new Azure AD application, do the following:

1. Sign in to the Microsoft 365 Admin Center with your Global Administrator, Application Administrator or Cloud Application Administrator account and go to the Azure Active Directory admin center.

2. Under the App registrations section, select New registration.

3. In the Name field, enter the application name.

4. In the Supported account types select who can use this application – use the Accounts in this organizational directory only option.

5. Click the Register button.

NOTE: Application Redirect URI is optional, you can leave it blank.

6. Your Application (client) ID is now available in the Overview section. Copy it to a safe location.

Step 2: Grant Required Permissions

Next, you need to grant your new application the required API permissions.

Azure AD applications can be assigned Delegated or Application permissions:

  • Delegated permissions let the app act on behalf of a signed-in user. Every API call runs in that user's context, so the effective access is limited to what the user could do anyway; consent is given once (by the user or an administrator), not on every call.
  • Application permissions let the app act as itself, with no user present. They must be granted tenant-wide by an administrator (admin consent) once; after that the app has the same access to every object in the tenant regardless of who runs it.

For the newly created app, you should use Application permissions, because data collection runs unattended without a signed-in user.

NOTE: By default, a new application is granted one delegated permission for Microsoft Graph API – User.Read. It is not required and can be removed. For that, click the ellipsis (...) on the right, then from the context menu select Remove all permissions.

Take the following steps:

  1. Select API Permissions.
  2. Click Add a permission.
  3. From the list of APIs, select Microsoft Graph.
  4. Click Application permissions.
  5. From the list of available permissions, select:
    • For Azure AD auditing:
      • Directory.Read.All
      • AuditLog.Read.All
    • For Exchange Online auditing:
      • Directory.Read.All
      • Mail.ReadBasic.All
    • For SharePoint Online auditing:
      • Directory.Read.All

  6. Then from the list of APIs select Office 365 Management APIs.
  7. Click Application permissions.
  8. From the list of available permissions, select
    • For Azure AD auditing, Exchange Online or SharePoint Online auditing:
      • ActivityFeed.Read
  9. Then in the list of APIs locate Supported legacy APIs section and select Azure Active Directory Graph.
  10. Click Application permissions.
  11. From the list of available permissions, select
    • For Azure AD or Exchange Online auditing:
      • Directory.Read.All
    • For SharePoint Online auditing:
      • Directory.Read.All
      • Application.ReadWrite.All (required for state-in-time data collection)
  12. Also, for SharePoint Online state-in-time data collection, from the list of APIs select SharePoint, then click Application permissions and from the list of available permissions select Sites.FullControl.All.

  NOTE: Application.ReadWrite.All lets the app read and modify every app registration in the tenant, including adding credentials to other apps, and Sites.FullControl.All gives it full control of every SharePoint site collection with no user involved. Treat the client secret of the SharePoint Online app as a tenant-wide administrative credential: keep it in a secrets vault, restrict who can read the app's settings, and review the service principal's sign-in logs periodically.

  13. Finally, grant admin consent to the tenant (that is, for the Office 365 organization whose audit data will be collected by the newly registered app). Go to the new app settings > API permissions and click Grant admin consent for <tenant name>. When prompted to confirm granting, click Yes. Note that the Application Administrator and Cloud Application Administrator roles cannot consent to application permissions for Microsoft Graph or Azure AD Graph, so this step needs a Global Administrator or Privileged Role Administrator. Before you proceed, check that the Status column shows "Granted for <tenant name>" for every permission in the list.
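
Once consent is granted, the most reliable check that the app really holds the permissions above is to request an app-only token for each resource and inspect its `roles` claim, which lists the application permissions consented for that resource (a delegated token carries `scp` instead). The following Python is an added example, not Netwrix or Microsoft code: it builds the client-credentials token request for each resource the page mentions, decodes the returned token without verifying its signature, and reports which of the page's required permissions are missing for a given data source. The token endpoint and resource URLs are Microsoft's; the resource application IDs accepted as alternative audiences, the data-source keys and the sample tokens built by make_test_token are assumptions and constructed test data. Sending the request with an HTTP client is left to you; SharePoint's Sites.FullControl.All is issued for the tenant's own SharePoint resource and is not covered.

```python
import base64
import json
from urllib.parse import urlencode

# Resources the page's permissions are granted against (URL form of the audience).
RESOURCES = {
    "graph": "https://graph.microsoft.com",
    "o365mgmt": "https://manage.office.com",   # Office 365 Management APIs
    "aadgraph": "https://graph.windows.net",   # legacy Azure AD Graph
}

# Well-known application IDs of those resources; some tokens carry these as `aud`
# instead of the URL (assumed values for the audience check).
RESOURCE_APP_IDS = {
    "graph": "00000003-0000-0000-c000-000000000000",
    "o365mgmt": "c5393580-f805-4401-95e8-94b7a6ef2fc2",
    "aadgraph": "00000002-0000-0000-c000-000000000000",
}

# Application permissions from Step 2, per data source and per resource.
# Application.ReadWrite.All is only needed for SharePoint state-in-time collection.
REQUIRED_ROLES = {
    "azure_ad": {
        "graph": {"Directory.Read.All", "AuditLog.Read.All"},
        "o365mgmt": {"ActivityFeed.Read"},
        "aadgraph": {"Directory.Read.All"},
    },
    "exchange_online": {
        "graph": {"Directory.Read.All", "Mail.ReadBasic.All"},
        "o365mgmt": {"ActivityFeed.Read"},
        "aadgraph": {"Directory.Read.All"},
    },
    "sharepoint_online": {
        "graph": {"Directory.Read.All"},
        "o365mgmt": {"ActivityFeed.Read"},
        "aadgraph": {"Directory.Read.All", "Application.ReadWrite.All"},
    },
}


def token_request(tenant, client_id, client_secret, resource="graph"):
    """Return (url, form_body) for a client-credentials token request.

    `tenant` is the primary domain or tenant ID from Step 4. The v2.0 `/.default`
    scope asks for every application permission admin-consented for the resource.
    """
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{RESOURCES[resource]}/.default",
    })
    return url, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt):
    """Decode a JWT payload for inspection only. The signature is NOT verified, so
    only use this on a token you just received from the token endpoint yourself."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def is_app_only(claims):
    # App-only tokens list granted app roles in `roles`; delegated tokens use `scp`.
    return "roles" in claims and "scp" not in claims


def missing_roles(jwt, data_source, resource="graph"):
    """Required application permissions for `data_source` on `resource` that are
    absent from the token's `roles` claim. An empty list means consent is complete."""
    claims = token_claims(jwt)
    if claims.get("aud") not in (RESOURCES[resource], RESOURCE_APP_IDS[resource]):
        raise ValueError(f"token audience {claims.get('aud')!r} is not {RESOURCES[resource]}")
    granted = set(claims.get("roles", []))
    return sorted(REQUIRED_ROLES[data_source][resource] - granted)


def make_test_token(claims):
    """Build an UNSIGNED JWT with the given claims (constructed test data only)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"
```

If a permission shows up as missing even though the portal lists it, the usual causes are that admin consent was not granted (Status column empty), that the permission was added as Delegated rather than Application, or that the token was requested for the wrong resource; tokens are issued per resource, so the Office 365 Management API permission never appears in a Graph token.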

Step 3: Configure client secret

Now, create a new client secret to be used by the app:

1. Go to Manage > Certificates & secrets and click New client secret.

2. Enter a description. From the expiration options, select the longest expiration available (the Azure portal no longer offers Never and limits a secret to 24 months). Record the expiration date: when the secret expires, data collection stops until a new secret is created and the monitored item is updated with it.

3. Click Add.

4. The new secret will be displayed in the list. Click the Copy to clipboard icon next to the Value column (not the Secret ID) and store the value in a safe location. The value is shown only once: if you leave the page without copying it, delete the secret and create a new one.
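
Because the secret is the only credential the collector has, you want to know before it expires rather than when collection stops. The following Python is an added example, not Netwrix code: it takes the passwordCredentials array that Microsoft Graph returns for the app registration (GET https://graph.microsoft.com/v1.0/applications/{object-id}?$select=displayName,passwordCredentials, which requires Application.Read.All) and classifies each secret as expired, expiring or ok. The sample array, its keyId values and the 30-day warning window are constructed assumptions; the secret value itself is never returned by Graph, only a three-character hint.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of Graph's passwordCredentials array
# (keyId values and dates are made up for the example).
SAMPLE_CREDENTIALS = [
    {"displayName": "netwrix-collector", "hint": "Q~7",
     "keyId": "11111111-1111-1111-1111-111111111111",
     "startDateTime": "2023-03-01T09:00:00.0000000Z",
     "endDateTime": "2025-03-01T09:00:00.0000000Z"},
    {"displayName": "rotation-2025", "hint": "Hx2",
     "keyId": "22222222-2222-2222-2222-222222222222",
     "startDateTime": "2025-02-10T09:00:00.0000000Z",
     "endDateTime": "2027-02-10T09:00:00.0000000Z"},
    {"displayName": "old-test", "hint": "abc",
     "keyId": "33333333-3333-3333-3333-333333333333",
     "startDateTime": "2022-01-01T00:00:00.0000000Z",
     "endDateTime": "2024-01-01T00:00:00.0000000Z"},
]


def parse_graph_time(value):
    """Parse a Graph UTC timestamp, which may carry up to seven fractional-second
    digits (more than datetime.fromisoformat accepts on older Python versions)."""
    whole, _, fraction = value.rstrip("Z").partition(".")
    ts = datetime.strptime(whole, "%Y-%m-%dT%H:%M:%S")
    if fraction:
        ts += timedelta(microseconds=int(fraction[:6].ljust(6, "0")))
    return ts.replace(tzinfo=timezone.utc)


def _as_datetime(now):
    # Accept either a datetime or a Graph-style timestamp string for `now`.
    return parse_graph_time(now) if isinstance(now, str) else now


def classify_secrets(credentials, now, warn_days=30):
    """Label each secret 'expired', 'expiring' (within warn_days) or 'ok' relative to `now`."""
    now = _as_datetime(now)
    report = []
    for cred in credentials:
        end = parse_graph_time(cred["endDateTime"])
        remaining = end - now
        if remaining <= timedelta(0):
            state = "expired"
        elif remaining <= timedelta(days=warn_days):
            state = "expiring"
        else:
            state = "ok"
        report.append({
            "keyId": cred["keyId"],
            "displayName": cred.get("displayName"),
            "hint": cred.get("hint"),          # first characters of the secret, for matching
            "endDateTime": end.isoformat(),
            "days_left": remaining.days,
            "state": state,
        })
    return report


def secrets_needing_action(credentials, now, warn_days=30):
    """keyIds that should be rotated now (expiring) or removed (expired)."""
    return [r["keyId"] for r in classify_secrets(credentials, now, warn_days)
            if r["state"] != "ok"]


def has_valid_secret(credentials, now):
    """True if at least one secret has not expired, i.e. the collector can still sign in."""
    return any(r["state"] != "expired" for r in classify_secrets(credentials, now))
```

Run this on a schedule (or from the same host that calls Graph) and alert on a non-empty result from secrets_needing_action; create the replacement secret while the old one is still valid, update the monitored item, and only then delete the old secret so collection never has a gap.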

Step 4: Obtain tenant name

To obtain the tenant name:

1. Go to Azure Active Directory > Overview.

2. In the Tenant information locate the Primary domain field, copy its value and store to a safe location.

Then create a corresponding monitoring plan in Netwrix Auditor and add an item (Office 365 tenant) to it. See Office 365 Tenant for details.