Configure a ThreatSync+ SaaS Integration — Microsoft 365
Applies To: ThreatSync+ SaaS
To detect threats related to Microsoft 365 user activity, ThreatSync+ SaaS requires user activity log data from Microsoft 365. To collect this data, monitor user activity, and perform remediation actions, you must add and configure a SaaS integration in WatchGuard Cloud.
Before You Begin
Before you can create a SaaS integration with Microsoft 365, you must:
- Have a minimum of a Microsoft Office 365 E1 or a Microsoft 365 Business Basic license
- Enable audit logging for your Microsoft 365 organization
- Verify Microsoft 365 roles and permissions
Enable Audit Logging
Before ThreatSync+ SaaS can connect to data through a SaaS integration, you must enable audit logging for your Microsoft 365 organization.
Audit logging is enabled by default for Microsoft 365 organizations. To verify audit logging is enabled, run this PowerShell command on the computer where you add the SaaS integration:
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
If audit logging is not enabled, the status is False:
UnifiedAuditLogIngestionEnabled : False
If the status is True, no further action is required. If the status is False, run this PowerShell command to enable audit logging:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
The audit logging configuration change can take up to 60 minutes to take effect.
For more information, go to Turn Auditing On or Off in the Microsoft documentation.
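The check-and-enable procedure above as a single script. This is an added example, not WatchGuard or Microsoft code. It assumes the ExchangeOnlineManagement module is installed and that the signed-in administrator can run the audit cmdlets; admin@example.com is a placeholder.

```powershell
# Added example: verify unified audit logging and enable it only if it is off.
# Assumption: ExchangeOnlineManagement module is installed.
# Placeholder: replace admin@example.com with your administrator account.
Import-Module ExchangeOnlineManagement

# Connect to Exchange Online PowerShell. In Security & Compliance PowerShell,
# UnifiedAuditLogIngestionEnabled always reads False, even when auditing is on.
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com' -ShowBanner:$false

try {
    $config = Get-AdminAuditLogConfig

    if ($config.UnifiedAuditLogIngestionEnabled) {
        Write-Output 'Unified audit logging is already enabled. No change made.'
    }
    else {
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
        Write-Output 'Unified audit logging enabled. Allow up to 60 minutes for the change.'
    }

    # Confirm that audit records are actually searchable for the last 24 hours.
    # An empty result right after enabling is expected until ingestion starts.
    $sample = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) `
                                     -EndDate (Get-Date) -ResultSize 1
    if ($sample) {
        Write-Output "Audit records found. Most recent sample: $($sample.CreationDate)"
    }
    else {
        Write-Output 'No audit records returned yet for the last 24 hours.'
    }
}
finally {
    # Always close the session, even if a cmdlet fails.
    Disconnect-ExchangeOnline -Confirm:$false
}
```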
Verify Roles and Permissions
The administrator who adds the SaaS configuration must have these administrator roles and permissions enabled in their Microsoft 365 account:
- Global Administrator
- Security Administrator
- Service Support Administrator
- User Administrator
You can select an existing administrator or create a new administrator with the correct permissions. For more information, go to Assign Admin Roles in the Microsoft Admin Center in the Microsoft documentation.
Administrator roles and permissions are only required during the initial configuration of the SaaS integration. After the SaaS integration is added, administrator permissions are no longer required.
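One way to check the four roles listed above for a given account before you start. This is an added example, not WatchGuard or Microsoft code. It assumes the Microsoft Graph PowerShell SDK is installed and that you can consent to the read scopes shown; admin@example.com is a placeholder.

```powershell
# Added example: report which of the required roles an account holds.
# Assumption: Microsoft Graph PowerShell SDK (Microsoft.Graph) is installed.
# Placeholder: replace admin@example.com with the account you plan to use.
$upn = 'admin@example.com'

# Role names as listed on this page.
$required = @(
    'Global Administrator',
    'Security Administrator',
    'Service Support Administrator',
    'User Administrator'
)

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'

try {
    $user = Get-MgUser -UserId $upn

    # Active role assignments made directly to the user. Roles held through
    # group membership or eligible-only (not activated) roles are not listed.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$($user.Id)'" -All

    # Resolve each assignment to its role display name.
    $held = foreach ($a in $assignments) {
        (Get-MgRoleManagementDirectoryRoleDefinition `
            -UnifiedRoleDefinitionId $a.RoleDefinitionId).DisplayName
    }

    # One row per required role, so a missing role is easy to spot.
    foreach ($role in $required) {
        [pscustomobject]@{
            Role     = $role
            Assigned = ($role -in $held)
        }
    }
}
finally {
    Disconnect-MgGraph | Out-Null
}
```

Because the roles are only needed during the initial configuration, the same script can confirm the result if you remove them from the account afterward.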
Create a SaaS Integration
To create a SaaS integration, you must have the primary Microsoft 365 domain name and the administrator user account you want to use for your SaaS integration.
The primary domain name is the domain of the Microsoft 365 tenant that you want to monitor for threats, for example, example.com. For more information, go to Find Your Primary Office 365 Domain Name.
To create a SaaS integration, from WatchGuard Cloud:
1. Select Configure > ThreatSync+ Integrations > SaaS Integration.
The SaaS Integrations page opens.
2. Click Add SaaS Integration.
3. From the SaaS Service drop-down list, select Microsoft 365.
4. In the Microsoft 365 Domain Name text box, enter the name of the primary domain for the Microsoft tenant that you want to monitor.
5. To enable the ability to disable or enable Microsoft 365 users, select Enable Remediation.
If you enable or disable remediation for an existing SaaS integration with Microsoft 365, you must reactivate the SaaS integration and repeat Steps 6-8. For more information, go to Edit a SaaS Integration.
6. Click Activate.
You are redirected to the Microsoft login page for authentication.
7. Log in as an administrator user with the required permissions.
After you log in to Microsoft, Microsoft redirects you to a consent page.
8. Review the consent details and click Accept to consent. Consent is required to complete the SaaS integration.
After you accept consent, you are redirected to the ThreatSync+ SaaS UI. The SaaS integration status shows as Initializing. It might take up to 30 minutes for the status to change to Active.
9. After the status changes to Active, the SaaS integration configuration is complete. To view Microsoft 365 Collection Status and Log Count graphs, click the integration name in the Name column.
It might take up to seven days for ThreatSync+ SaaS to learn your environment and start to show alerts in the Monitor menu.
Edit a SaaS Integration
You can edit an existing active SaaS integration to change the name, mute repeated failure notifications, or enable or disable remediation for Microsoft 365 users.
To edit a SaaS integration:
- Select Configure > ThreatSync+ Integrations > SaaS Integration.
The SaaS Integrations page opens.
- Click the name of the SaaS integration you want to edit.
The Edit SaaS Integration page opens.
- (Optional) In the Description text box, edit the name of the SaaS integration.
- Select the Mute Repeated Failure Notifications check box if you only want a single notification sent for this SaaS collector when a SaaS collector failure occurs.
- To enable the ability to disable or enable Microsoft 365 users, select Enable Remediation.
If you enable or disable remediation for an existing SaaS integration with Microsoft 365, you must reactivate the integration and provide consent for the integration again.
- Click Save.