To send Microsoft Office 365 logs into LimaCharlie, you will need to add Office 365 as a sensor.

First, we need to set up Office 365 keys & gather all the required information.

Gathering Microsoft Office 365 Details

Tenant ID & Domain Name

Following the instructions from Microsoft, find your Tenant ID & Domain Name.

Tenant ID is represented as GUID: 00000000-0000-0000-0000-000000000000 while Domain Name will normally look like

Client ID & Client Secret

Following the instructions from Microsoft, create a Client ID. Then, by looking at instructions from Microsoft, create a Client Secret. Make sure you copy it right away as it can only be viewed once after the creation.

Publisher ID

Publisher ID will be the same as Tenant ID.

API endpoint

One of:

Content Types

List all the data types to subscribe as comma separated values. Refer to the Office 365 Management Activity API reference for all available options, which include:

  • Audit.AzureActiveDirectory

  • Audit.Exchange

  • Audit.SharePoint

  • Audit.General (includes all other workloads not included in the previous content types)

  • DLP.All (DLP events only for all workloads)

Onboarding the Microsoft Office 365 Sensor

From the sensors page, select Add Sensor and choose Office 365.

Then, select or create a new installation key.

Select the executable for your architecture & set the ingestion method as Microsoft Office 365 Management API. Then, provide the Office 365 details you have previously collected.

After you have provided all the details, copy the command line & run the adapter on your machine.

Return to the sensor onboarding view to see if any new sensors have successfully registered with LimaCharlie's cloud. It may take a moment for the sensor to enroll after you've installed it.

You should see the sensor come online quickly thereafter.

Did this answer your question?