Microsoft 365 Integration with WatchGuard CloudDR
Applies To: WatchGuard CloudDR
Microsoft 365 is a suite of productivity tools and cloud-based services developed by Microsoft. Microsoft 365 is designed to help individuals, businesses, and organizations collaborate in various ways. This guide describes how to integrate Microsoft 365 with CloudDR.
Available Features
- Misconfiguration Rules
- Identity Rules
- Discovered Application Rules
- User Inventory
- Discovered Application Inventory
- Devices Inventory
Prerequisites
To configure this integration, you must have:
- A user account with a Microsoft 365 Business Basic subscription license (or higher).
- (Optional) An active Microsoft Teams Essentials subscription license if you want to include Teams in the integration.
- (Optional) Active OneDrive and SharePoint licenses to include OneDrive and SharePoint data in the shared data inventory.
- (Optional) Unified audit logging enabled for Microsoft 365 to view extended logs for your Microsoft 365 accounts.
- A user account with these roles:
  - Global Reader
  - Privileged Role Administrator
  - Exchange Administrator
  - Application-specific administrator roles (for example, Teams Administrator and SharePoint Administrator). Alternatively, you can use the Global Administrator role.
Enable Unified Audit Logging
To view extended unified logs for your Microsoft 365 accounts in CloudDR, you require active Business Premium or higher licenses of SharePoint and OneDrive. When you open the Microsoft Purview portal for the first time, you can enable auditing of user and admin activity.
To enable recording of user and admin activity in the Microsoft Purview portal:
- Go to https://purview.microsoft.com/ and sign in with your Microsoft 365 credentials.
- Select the Audit solution card.
  A banner prompts you to record user and admin activity. If the Audit solution card is not available, select View All Solutions, and in the Core section, select Audit.
- Select the Start Recording User and Admin Activity banner to enable unified audit logging.
If you have previously opened the Purview portal and the banner does not appear, complete the instructions below to enable auditing.
To enable auditing through the Windows PowerShell CLI:
- Open a PowerShell window.
- Enter these commands:
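```powershell
# Connect to Exchange Online PowerShell
Connect-ExchangeOnline
# Check whether unified audit log ingestion is already enabled
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
# Enable unified audit log ingestion
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
```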
Required Permissions
The user account requires permissions for the base, SharePoint, and EntraID integrations.
Permissions for Base Integration
| Scope | Use |
|---|---|
| Mail.ReadBasic.All | Read access to basic mail properties for all mailboxes |
| Mail.ReadBasic | Read access to basic mail properties |
| Files.ReadWrite.All | Read access to basic file information for all users and sites |
| AuditLogsQuery-SharePoint.Read.All | Read access to audit log data from SharePoint |
| AuditLogsQuery-OneDrive.Read.All | Read access to audit log data from OneDrive |
| Exchange.Manage | Read access to Exchange, Threat, Data Loss Prevention Policies, and Configurations |
| User.Read.All | Read access to all user profiles |
| Read SharePoint and OneDrive tenant settings | Read access to SharePoint and OneDrive configurations and settings for an organization |
| TeamMember.Read.All | Read access to the members of all teams |
| Team.ReadBasic.All | Read access to the list of all teams |
| Sites.Read.All | Read access to documents and list items in all list collections |
| SharePointTenantSettings.Read.All | Read access to tenant-level configurations for SharePoint and OneDrive |
| RoleManagement.Read.Directory | Read access to roles and role assignments |
| Reports.Read.All | Read access to all service usage reports |
| Policy.Read.All | Read access to all policies for an organization |
| Directory.Read.All | Read access to directory information such as users, groups, and apps |
| DelegatedPermissionGrant.ReadWrite.All | Read access to all delegated permission grants |
| AuditLog.Read.All | Read access to audit log activities |
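
After consent is granted, the scopes held by the integration can be compared with the table above. The script below is an added example, not WatchGuard code: it uses the Microsoft Graph PowerShell module, assumes the integration holds delegated grants (application permissions would appear as app role assignments instead), and `$AppName` is a placeholder for the enterprise application name shown in your tenant.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell module.
# $AppName is a placeholder: use the display name of the CloudDR enterprise
# application as it appears in your tenant.
$AppName = '<CloudDR enterprise application display name>'

# Scope names copied from the "Permissions for Base Integration" table.
# The row "Read SharePoint and OneDrive tenant settings" is a display name,
# not a scope identifier, so it is not listed here.
$Documented = @(
    'Mail.ReadBasic.All', 'Mail.ReadBasic', 'Files.ReadWrite.All',
    'AuditLogsQuery-SharePoint.Read.All', 'AuditLogsQuery-OneDrive.Read.All',
    'Exchange.Manage', 'User.Read.All', 'TeamMember.Read.All',
    'Team.ReadBasic.All', 'Sites.Read.All', 'SharePointTenantSettings.Read.All',
    'RoleManagement.Read.Directory', 'Reports.Read.All', 'Policy.Read.All',
    'Directory.Read.All', 'DelegatedPermissionGrant.ReadWrite.All',
    'AuditLog.Read.All'
)
# Standard OpenID Connect sign-in scopes, reported separately from the table.
$SignIn = @('openid', 'profile', 'email', 'offline_access')

Connect-MgGraph -Scopes 'Directory.Read.All'

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppName'" |
    Select-Object -First 1
if (-not $sp) { throw "No service principal named '$AppName' in this tenant." }

# One grant object exists per resource API; Scope is a space-separated string.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
$report = foreach ($g in $grants) {
    $resource = (Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId).DisplayName
    foreach ($scope in ($g.Scope -split '\s+' | Where-Object { $_ })) {
        [pscustomobject]@{
            Resource         = $resource
            Scope            = $scope
            ConsentType      = $g.ConsentType  # AllPrincipals = tenant-wide consent
            Documented       = $Documented -contains $scope
            SignInScope      = $SignIn -contains $scope
            # Name suggests more than read access; review against the table's "Use".
            NameImpliesWrite = $scope -match 'ReadWrite|Manage'
        }
    }
}

# Undocumented scopes sort to the top.
$report | Sort-Object Documented, Resource, Scope | Format-Table -AutoSize
```

Rows with `Documented` set to False and `SignInScope` set to False are scopes the table does not list and are the ones to question before leaving the grant in place.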
SharePoint Permissions
| Scope | Use |
|---|---|
| Read directory data | Read access to organization information, roles, role assignments, and third-party apps |
| Read SharePoint and OneDrive tenant settings | Read access to SharePoint configurations and settings for the organization |
| Read items in all site collections | Read access to metadata for sites in the organization |
| Read directory RBAC settings | Read access to role and access-related information for users |
| Read managed metadata | Read access to metadata for public sites |
| Read and query your audit log activities | Read access to audit logs for the organization |
| Read Reports | Read access to reports |
EntraID Permissions
| Scope | Use |
|---|---|
| Read directory data | Read access to organization information, roles, role assignments, and third-party apps |
| Read your organization's policies | Read access to organization policies and configurations |
| Read the names and descriptions of teams | Read access to teams in the organization |
| Read all users' full profiles | Read access to detailed profiles for users |
Configure the Microsoft 365 Integration in CloudDR
The Microsoft 365 integration includes all of the individual apps in the suite. You do not need to separately integrate individual apps, such as Microsoft Teams, that are part of the Microsoft 365 license.
To configure the Microsoft 365 integration in CloudDR:
- In WatchGuard Cloud, select Configure > CloudDR.
- Select the Integrations tab.
- (Service Providers) From the Select Integrations View drop-down list, select Add Integrations.

- In the Microsoft 365 widget, click Add.
- Click Start Integration.
- Select the services you want to include in the integration.
- Click Next.
- To give CloudDR access to EntraID (previously called Azure AD), on the Base Integration – Step 1 of 2 page of the wizard, click Sign In With Microsoft 365, and log in with a user account that meets the prerequisites listed above.
- Click Next.
- To give CloudDR access to Microsoft Exchange through the command line interface (CLI), on the Base Integration – Step 2 of 2 page of the wizard, click Sign In With Microsoft 365, and log in with a user account that meets the prerequisites listed above.
- Click Next.
- If you selected Data, Email Scanning, and Extended Unified Logs in step 6 above, to give CloudDR extended access to read those files in your Microsoft 365 environment, in the Data, Email Scanning, and Extended Unified Logs page of the wizard, click Sign In With Microsoft 365, and log in with a user account that meets the prerequisites listed above.
  This feature reads email subject lines and file metadata to detect unauthorized app connections and security risks. Email body content is not accessed.
- Click Next.
- If you selected Include Teams in the Integration in step 6 above, to give CloudDR extended access to your Microsoft Teams configuration, in the Teams OAuth page of the wizard, click Sign In with Microsoft 365, and log in with a user account that meets the prerequisites listed above.
- Click Finish.