USM Anywhere™

Configuring the AlienApp for Office 365

Role Availability Read-Only Analyst Manager

The Microsoft Office 365 Management Activity API provides information about various user, admin, system, and policy actions and events from Office 365. After you configure the connection between the AlienApp for Office 365 and the Office 365 Management Activity API, the predefined log collection job performs a query for Office 365 events. When USM Anywhere collects and analyzes the first of these events, the Office 365 dashboards become available in the Dashboards menu (according to the type of events that it collects).

Warning: Due to the design of the Office 365 Management Activity API, you may see events being delayed or received out of order. See Office 365 Event Latency for more information.

This integration requires connectivity between your USM Anywhere Sensor and the Office 365 Management Activity API. If you have an Azure Sensor deployed in your Azure subscription, you should use this sensor to configure the AlienApp because you don't need to configure additional permissions.

If you use a non-Azure Sensor, you must set your firewall permissions based on the following table to allow inbound and outbound connections for the sensor:

Firewall Permissions for the USM Anywhere Sensor

Type | Port | Endpoint | Purpose
TCP | 443 | https://login.windows.net/ | Authentication for your Office 365 account
TCP | 443 | https://manage.office.com/api/v1.0/ | Queries to retrieve log data from the Office 365 Management Activity API

Note: To access Office 365 US Government, allow connections to manage.office365.us instead of manage.office.com.

Before you configure the AlienApp for Office 365, make sure that you have fulfilled the requirements in your Office 365 account for this integration.

To configure the AlienApp for Office 365

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled AlienApp.

    AlienApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the AlienApp API endpoints.

  6. Follow the instructions on the page to register the AlienApp for Office 365 in Azure, and then copy the Application (client) ID and Directory (tenant) ID.

    Note: This step is better conducted in a different browser.

  7. Enter the copied IDs in the Tenant ID and Application ID fields.
  8. Select the endpoint for Office 365 Management Activity API:

    • Office 365: https://manage.office.com
    • Office 365 US Government: https://manage.office365.us
  9. Click Save.
  10. Verify the connection.

    After USM Anywhere completes a successful connection to the Office 365 APIs, an icon indicating a healthy connection displays in the Health column.

    If an icon indicating a failure appears instead, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your Office 365 connection.

  11. In the USM Anywhere main menu, go to Settings > Scheduler and search for the collection job for Office 365.
  12. Enable the job if it is not already enabled.

    Important: The AlienApp will not work if the scheduler job is not enabled.

    When this job runs for the first time after the connection, it collects Office 365 events from the previous hour. On subsequent runs (every 20 minutes), it only collects new events since the last check. In the unlikely event that the AlienApp stops working after it is enabled, Microsoft Azure keeps Office 365 events for 7 days. The AlienApp will resume collecting events after it recovers.
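
The collection timing described in step 12, worked through as an added example (not the AlienApp's own code and not part of the original page): it plans the time ranges a collector has to query on a given run and reports any range that has aged out of the 7-day retention after an outage. The function name plan_collection, the sample timestamps, and the 24-hour per-request window (a limit of the Office 365 Management Activity API that this page does not state) are assumptions.

```python
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=7)            # page: events are kept for 7 days
FIRST_RUN_LOOKBACK = timedelta(hours=1)  # page: first run collects the previous hour
MAX_WINDOW = timedelta(hours=24)         # assumption: per-request limit of the API


def plan_collection(now, last_check=None):
    """Return (windows, lost) for a collection run starting at `now`.

    windows: list of (start, end) query ranges, each at most MAX_WINDOW long.
    lost:    (start, end) range that fell out of retention, or None.
    """
    # First run after connecting looks back one hour; later runs resume
    # from the last successful check.
    start = now - FIRST_RUN_LOOKBACK if last_check is None else last_check
    if start > now:
        raise ValueError("last_check is in the future")

    # Anything older than the retention horizon can no longer be retrieved.
    horizon = now - RETENTION
    lost = None
    if start < horizon:
        lost = (start, horizon)
        start = horizon

    # Split the remaining range into windows the API will accept.
    windows = []
    while start < now:
        end = min(start + MAX_WINDOW, now)
        windows.append((start, end))
        start = end
    return windows, lost


if __name__ == "__main__":
    now = datetime(2024, 3, 20, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    cases = [("first run", None),
             ("scheduled run", now - timedelta(minutes=20)),
             ("3-day outage", now - timedelta(days=3)),
             ("9-day outage", now - timedelta(days=9))]
    for label, last in cases:
        windows, lost = plan_collection(now, last)
        print(f"{label}: {len(windows)} window(s) from {windows[0][0].isoformat()}")
        if lost:
            print(f"  unrecoverable: {lost[0].isoformat()} to {lost[1].isoformat()}")
```

A non-empty "unrecoverable" range marks a period with no Office 365 events in USM Anywhere, which matters when scoping an investigation that spans a sensor or job outage.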