Configure a ThreatSync+ SaaS Integration — Microsoft 365

Applies To: ThreatSync+ SaaS

To detect threats related to Microsoft 365 user activity, ThreatSync+ SaaS requires user activity log data from Microsoft 365. To collect this data and monitor user activity and unusual logins, you must add and configure a SaaS integration in WatchGuard Cloud.

Before You Begin

Before you can create a SaaS integration with Microsoft 365, you must:

  • Enable audit logging for your Microsoft 365 organization.
  • Verify Microsoft 365 roles and permissions.

Enable Audit Logging

Before ThreatSync+ SaaS can connect to data through a SaaS integration, you must enable audit logging for your Microsoft 365 organization.

Audit logging is enabled by default for Microsoft 365 organizations. To verify audit logging is enabled, run this PowerShell command on the computer where you add the SaaS integration:

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

If audit logging is not enabled, the status is False:

UnifiedAuditLogIngestionEnabled : False

If the status is True, no further action is required. If the status is False, run this PowerShell command to enable audit logging:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

The audit logging configuration change can take up to 60 minutes.

For more information, go to Turn Auditing On or Off in the Microsoft documentation.
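
The check and the enable step above can be combined into one script that changes the setting only when it is disabled. This is an added example, not a script from WatchGuard or Microsoft. It assumes the ExchangeOnlineManagement module is installed, and the $AdminUpn parameter is a placeholder for your administrator account.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example: check unified audit logging and enable it only if needed.
# $AdminUpn is a placeholder parameter (for example, admin@example.com).
param(
    [Parameter(Mandatory)]
    [string]$AdminUpn
)

$ErrorActionPreference = 'Stop'

# Run the check in an Exchange Online PowerShell session. In Security &
# Compliance PowerShell, UnifiedAuditLogIngestionEnabled always reads False,
# even when auditing is on, which would lead to a wrong conclusion here.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    $config = Get-AdminAuditLogConfig

    if ($config.UnifiedAuditLogIngestionEnabled) {
        Write-Output 'Unified audit logging is already enabled. No change made.'
    }
    else {
        Write-Output 'Unified audit logging is disabled. Enabling it now.'
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

        # Read the setting back. It might not show True right away,
        # because the change can take up to 60 minutes to apply.
        $after = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
        Write-Output "UnifiedAuditLogIngestionEnabled after change: $after"
        Write-Output 'Allow up to 60 minutes before you add the SaaS integration.'
    }
}
finally {
    # Always close the session, even if a cmdlet above fails.
    Disconnect-ExchangeOnline -Confirm:$false
}
```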

Verify Roles and Permissions

The administrator who adds the SaaS configuration must have these administrator roles and permissions enabled in their Microsoft 365 account:

  • Global Administrator
  • Security Administrator
  • Service Support Administrator
  • User Administrator

You can select an existing administrator or create a new administrator with the correct permissions. For more information, go to Assign Admin Roles in the Microsoft Admin Center in the Microsoft documentation.

Create a SaaS Integration

To create a SaaS integration, you must have the primary Microsoft 365 domain name and the administrator user account you want to use for your SaaS integration.

The primary domain name is the domain of the Microsoft 365 tenant that you want to monitor for threats, for example, example.com. For more information, go to Find Your Primary Office 365 Domain Name.

To create a SaaS integration, from WatchGuard Cloud:

  1. Select Configure > ThreatSync+ Integrations > SaaS Integration.
    The SaaS Integrations page opens.
  2. Click Add SaaS Integration.

Screenshot of the Add SaaS Integration page

  3. From the SaaS Service drop-down list, select Microsoft 365.
  4. In the Microsoft 365 Domain Name text box, enter the name of the primary domain for the Microsoft tenant that you want to monitor.
  5. Click Activate.
    You are redirected to the Microsoft login page for authentication.

Screenshot of the Microsoft Login page

  6. Log in as an administrator user with the required permissions.
    After you log in to Microsoft, Microsoft redirects you to a consent page.
  7. Review the consent details and click Accept to consent. Consent is required to complete the SaaS integration.
    After you accept consent, you are redirected to the ThreatSync+ SaaS UI. The SaaS integration status shows as Initializing. It might take up to 30 minutes for the status to change to Active.

Screenshot of a successful SaaS integration added to ThreatSync+ SaaS that shows the Active status

  8. After the status changes to Active, the SaaS integration configuration is complete. To view Microsoft 365 Collection Status and Log Count graphs, click the domain name in the Name column.

Screenshot of the Microsoft 365 domain name details after a successful SaaS integration with ThreatSync+ SaaS

It might take up to seven days for ThreatSync+ SaaS to learn your environment and start to show alerts in the Monitor menu.
