Configure a ThreatSync+ Cloud Integration — Microsoft 365

Applies To: ThreatSync+ SaaS

To detect threats related to Microsoft 365 user activity, ThreatSync+ SaaS requires user activity log data from Microsoft 365. To collect this data, monitor user activity, and perform remediation actions, you must add and configure a cloud integration in WatchGuard Cloud.

This page is only available with a ThreatSync+ SaaS or Total NDR license. For more information, go to About ThreatSync+ SaaS Licenses and About Total NDR Licenses.

Before You Begin

Before you can create a cloud integration with Microsoft 365, you must:

  • Have a minimum of a Microsoft Office 365 E1 or a Microsoft 365 Business Basic license
  • Enable audit logging for your Microsoft 365 organization
  • Verify Microsoft 365 roles and permissions

Enable Audit Logging

Before ThreatSync+ SaaS can connect to data through a cloud integration, you must enable audit logging for your Microsoft 365 organization.

Audit logging is enabled by default for Microsoft 365 organizations. To verify audit logging is enabled, run this PowerShell command on the computer where you add the cloud integration:

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

If audit logging is not enabled, the status is False:

UnifiedAuditLogIngestionEnabled : False

If the status is True, no further action is required. If the status is False, run this PowerShell command to enable audit logging:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

The audit logging configuration change can take up to 60 minutes.

For more information, go to Turn Auditing On or Off in the Microsoft documentation.

Verify Roles and Permissions

The administrator who adds the cloud configuration must have these administrator roles and permissions enabled in their Microsoft 365 account:

  • Global Administrator
  • Security Administrator
  • Service Support Administrator
  • User Administrator

You can select an existing administrator or create a new administrator with the correct permissions. For more information, go to Assign Admin Roles in the Microsoft Admin Center in the Microsoft documentation.

Administrator roles and permissions are only required during the initial configuration of the cloud integration. After the cloud integration is added, administrator permissions are no longer required.
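As an added pre-flight script that covers both prerequisites above (it is not from this page or from WatchGuard's own tooling): it connects to Exchange Online to verify and, if needed, enable unified audit log ingestion, then uses Microsoft Graph to check that the chosen administrator account holds every role listed. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed; $AdminUpn is a placeholder for the account you plan to use.

```powershell
# Added example, not part of the WatchGuard page. Assumes the ExchangeOnlineManagement
# and Microsoft.Graph modules are installed. $AdminUpn is a placeholder.
param(
    [Parameter(Mandatory)] [string] $AdminUpn   # e.g. admin@example.com (placeholder)
)

# Roles the page lists as required for the administrator who adds the integration
$RequiredRoles = @(
    'Global Administrator',
    'Security Administrator',
    'Service Support Administrator',
    'User Administrator'
)

# --- 1. Audit logging: Get-/Set-AdminAuditLogConfig are Exchange Online cmdlets,
#        so an Exchange Online session is required before they can run.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is disabled; enabling it (can take up to 60 minutes to apply).'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    Write-Host 'Unified audit log ingestion: enabled'
}
Disconnect-ExchangeOnline -Confirm:$false

# --- 2. Directory roles: read-only Graph scopes, nothing is changed here.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','User.Read.All' -NoWelcome
$user  = Get-MgUser -UserId $AdminUpn -Property Id,UserPrincipalName
# Get-MgDirectoryRole returns only roles that are activated in the tenant;
# a required role that has never been activated has no members and is reported missing.
$roles = Get-MgDirectoryRole
$missing = foreach ($roleName in $RequiredRoles) {
    $role = $roles | Where-Object DisplayName -eq $roleName
    # Active (not PIM-eligible) assignments only
    $members = if ($role) { Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id } else { @() }
    if (-not ($members.Id -contains $user.Id)) { $roleName }
}
if ($missing) {
    Write-Warning ("{0} is missing required roles: {1}" -f $AdminUpn, ($missing -join ', '))
} else {
    Write-Host "$AdminUpn holds all required roles"
}
Disconnect-MgGraph | Out-Null
```

Run it once before Step 6 of the procedure below; the role check is for the same account you will sign in with on the Microsoft login page.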

Create a Cloud Integration

To create a cloud integration, you must have the primary Microsoft 365 domain name and the administrator user account you want to use for your cloud integration.

The primary domain name is the domain of the Microsoft 365 tenant that you want to monitor for threats, for example, example.com. For more information, go to Find Your Primary Office 365 Domain Name.

To create a cloud integration, from WatchGuard Cloud:

  1. Select Configure > ThreatSync+ Integrations > Cloud Integration.
    The Cloud Integration page opens.
  2. Click Add Cloud Integration.

Screenshot of the Add Cloud Integration page for Microsoft 365

  3. From the Cloud Service drop-down list, select Microsoft 365.
  4. In the Microsoft 365 Domain Name text box, enter the name of the primary domain for the Microsoft tenant that you want to monitor.
  5. To enable the ability to disable or enable Microsoft 365 users, select Enable Remediation.

If you enable or disable remediation for an existing cloud integration with Microsoft 365, you must reactivate the cloud integration and repeat Steps 6-8. For more information, go to Edit a Microsoft 365 Cloud Integration.

  6. Click Activate.
    You are redirected to the Microsoft login page for authentication.

Screenshot of the Microsoft Login page

  7. Log in as an administrator user with the required permissions.
    After you log in to Microsoft, Microsoft redirects you to a consent page.

Screenshot of the Microsoft Permissions Requested dialog box

  8. Review the consent details and click Accept to consent. Consent is required to complete the cloud integration.
    After you accept consent, you are redirected to the ThreatSync+ Integrations UI. The cloud integration status shows as Initializing. It might take up to 30 minutes for the status to change to Active.

Screenshot of a successful cloud integration added to ThreatSync+ SaaS that shows the Active status

  9. After the status changes to Active, the cloud integration configuration is complete. To view the Microsoft 365 Flow Logs Status and Conversation Flow Count graphs, click the integration name in the Name column to view the Overview tab on the Cloud Integration Details page.

Screenshot of the Microsoft 365 domain name details after a successful SaaS integration with ThreatSync+ SaaS

It might take up to seven days for ThreatSync+ SaaS to learn your environment and start to show alerts in the Monitor menu.

Edit a Microsoft 365 Cloud Integration

You can edit an existing, active Microsoft 365 cloud integration to change the description, mute repeated failure notifications, or enable or disable remediation for Microsoft 365 users.

Screenshot of the Edit SaaS Integration page

To edit a Microsoft 365 cloud integration:

  1. Select Configure > ThreatSync+ Integrations > Cloud Integration.
    The Cloud Integration page opens.
  2. Click the name of the cloud integration you want to edit.
    The Cloud Integration Details page opens with the Overview tab open by default.
  3. Select the Settings tab.
  4. (Optional) In the Description text box, edit the name of the cloud integration.
  5. Select the Mute Repeated Failure Notifications check box if you only want a single notification sent for this cloud integration when a cloud integration failure occurs.
  6. To enable the ability to disable or enable Microsoft 365 users, select Enable Remediation.

If you enable or disable remediation for an existing cloud integration with Microsoft 365, you must reactivate the integration and provide consent for the integration again.

  7. Click Save.

Related Topics

About ThreatSync+ Cloud Integration — Microsoft 365

About ThreatSync+ Cloud Integrations

ThreatSync+ Users

Configure ThreatSync+