Microsoft Graph Input

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

The Microsoft Graph input supports collecting email logs, Microsoft Entra ID logs, directory, provisioning, and sign-in audit logs using Microsoft Graph APIs. See the official documentation for more information about the Microsoft Graph API.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • You must have an existing Entra ID account. Follow the official Microsoft instructions to set up a new Azure App and generate the necessary credentials for authentication.

  • The required permissions must be granted as Application permissions, not as Delegated permissions. This ensures that Graylog can interact with the Graph API directly.

  • The API user must be defined with the following permissions for the supported log types:

    Log Type | Permissions | License Requirements
    Email Logs | User.Read.All, User.ReadBasic.All, Mail.Read, Mail.ReadBasic, Mail.ReadBasic.All, Mail.ReadWrite | Microsoft Office 365 Business
    Directory Audit logs | AuditLog.Read.All, Directory.Read.All, Directory.ReadWrite.All |
    Sign In Audit logs | AuditLog.Read.All | At least Microsoft Entra P1 or P2
    Provisioning Audit logs | AuditLog.Read.All |
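
One way to confirm the app registration matches the table above before configuring the input (an added example, not Graylog's own code): inspect an app-only access token, where Application permissions appear in the `roles` claim and Delegated permissions in `scp`. Obtaining the token with the Tenant ID, Client ID, and Client Secret is assumed and not shown; the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Application permissions per log type, as listed in the prerequisites table.
REQUIRED = {
    "Email Logs": {"User.Read.All", "User.ReadBasic.All", "Mail.Read",
                   "Mail.ReadBasic", "Mail.ReadBasic.All", "Mail.ReadWrite"},
    "Directory Audit logs": {"AuditLog.Read.All", "Directory.Read.All",
                             "Directory.ReadWrite.All"},
    "Sign In Audit logs": {"AuditLog.Read.All"},
    "Provisioning Audit logs": {"AuditLog.Read.All"},
}


def jwt_claims(token):
    """Decode a JWT payload for inspection only (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_permissions(token):
    """Map each log type to the application permissions the token lacks."""
    claims = jwt_claims(token)
    # App-only tokens carry application permissions in "roles";
    # delegated permissions appear in "scp" and do not count here.
    granted = set(claims.get("roles", []))
    return {log: sorted(need - granted) for log, need in REQUIRED.items()}


def delegated_scopes(token):
    """Scopes granted as Delegated permissions (space-separated "scp")."""
    return sorted(jwt_claims(token).get("scp", "").split())


def sample_token(claims):
    """Build a constructed, unsigned token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


if __name__ == "__main__":
    tok = sample_token({"roles": ["AuditLog.Read.All", "Directory.Read.All"]})
    for log_type, missing in missing_permissions(tok).items():
        print(log_type, "OK" if not missing else "missing: " + ", ".join(missing))
```

A log type with an empty list has every permission the table names; a token that shows the permissions only under `scp` was granted them as Delegated permissions.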

Required Third-Party Setup

To enable integration, complete the following required setup with your third-party service:

Required Configuration Values

In your third-party configuration, make note of the following values that are required when configuring the input in Graylog:

  • Client ID
  • Tenant ID
  • Client Secret

Input Type

This input is a pull input type. See Inputs to learn about input types.

Input Configuration

Follow the input setup instructions. During setup of this input, you can configure the following options:

Configuration Option Description

Input Name

Provide a unique name for your new input.

Tenant ID

Provide the tenant ID of your Microsoft Entra ID account.

Client ID

The client ID of your registered application in your Microsoft Entra ID account.

Client Secret

The client secret key of your registered application in your Microsoft Entra ID account.

Subscription Type

Select the Azure AD subscription plan for your organization.

Log Types to Collect

The log types to collect. By default, all the log types are selected. At least one log type must be selected.

Polling Interval

Determines how often (in minutes) Graylog checks for new data in Graph APIs. The shortest allowable interval is 5 minutes.

Read Time Offset (minutes)

How long Graylog will wait for logs to become available in the Microsoft Graph API before attempting to read them.

Enable Throttling

If enabled, no new messages are read from this input until Graylog catches up with its message load.

Next Steps

After you complete input setup, visit Input Diagnosis for testing and validation of the new input. Use this functionality to help troubleshoot any connection issues.
