Microsoft 365 Asset Source Sync
To use Microsoft 365 as an asset source, Graylog needs an authenticated connection to the Microsoft 365 APIs (Microsoft Graph and, for vulnerability data, the Defender API). That connection is made through a Microsoft Entra ID application registration, and you are asked to enter its credentials when creating a new Microsoft 365 asset source on the Connection Configuration page in the Graylog user interface:
- Tenant ID
- Client ID
- Client Secret
If you do not already have an application registered in Microsoft Entra ID for this purpose, you will need to register one and provide the credentials listed above. You can learn more about registering an application in the Microsoft identity platform by visiting the related Microsoft website. Keep reading to learn about the API permissions required to enable the connection between Microsoft 365 and Graylog.
Prerequisites
You need to be able to access the relevant Microsoft products and the Microsoft 365 APIs to fully utilize the asset source sync and vulnerability import functionality. Four Microsoft products are involved; which of them you need depends on the functionality you want (user asset import, machine asset import, vulnerability import):
1. Entra ID
Required for: user asset import
Optional for: machine asset import
Not used for: vulnerability import
2. Intune
Optional for: machine or user asset import
Not used for: vulnerability import
3. Defender
Required for: vulnerability import
Optional for: machine asset import
Not used for: user asset import
4. Defender Vulnerability Management Add-on
Required for: vulnerability import
Optional for: machine asset import
Not used for: user asset import
API Permissions
Once you have fulfilled the above prerequisites, an application with API access and the correct permissions must be registered so that a Graylog instance can pull assets and vulnerabilities from Microsoft 365. All of the permissions below are application permissions (Graylog authenticates as the application itself, with no signed-in user) and all are read-only; do not grant write permissions, since the sync never needs them. The permissions required for all supported functionality to work are:
Microsoft Graph
Device.Read.All
DeviceManagementConfiguration.Read.All
DeviceManagementManagedDevices.Read.All
User.Read.All
User.ReadBasic.All
WindowsDefenderATP (the Microsoft Defender for Endpoint API)
Machine.Read.All
Vulnerability.Read.All
Configure the Required API Permissions
- Log into the Microsoft Azure portal with an account that is allowed to register applications.
- Select Microsoft Entra ID.
- Select App registrations > New registration.
- Provide a name for the application (for example, Graylog Log Access).
- Select the appropriate supported account type. For a Graylog connection to a single tenant, "Accounts in this organizational directory only" is sufficient.
- Do not add a redirect URI. Graylog uses the client credentials flow, which has no interactive sign-in and therefore needs no redirect URI.
- Click the Register button.
Hint: Once the application is registered, take note of the Application (client) ID and Directory (tenant) ID shown on the application's Overview page. These are the Client ID and Tenant ID you enter in Graylog.
- Click Add a certificate or secret.
- Click New client secret, give it a description, and choose an expiry period.
- Take note of the client secret Value (not the Secret ID) immediately. Once you navigate away from this page, the value will no longer be visible. If you lose it, create a new secret and delete the old one; you will then need to update the Graylog asset source (and any Graylog inputs) that use the old secret. The secret also expires on the date you chose, so rotate it in Graylog before then, or the sync will start failing with authentication errors. Treat the secret as a credential: it grants read access to every user, device and vulnerability record in the tenant.
- For the newly created application, navigate to API permissions.
- Click Add a permission.
- Select Microsoft Graph.
- Select Application permissions (not Delegated permissions; Graylog runs without a signed-in user).
- Select the Microsoft Graph permissions listed above: Device.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All, User.Read.All and User.ReadBasic.All. Click Add permissions.
- Click Add a permission again, open the APIs my organization uses tab, search for WindowsDefenderATP, select Application permissions, and add Machine.Read.All and Vulnerability.Read.All. These are required for vulnerability import and for Defender-sourced machine asset import.
- Application permissions only take effect after an administrator grants tenant-wide consent. Navigate to the Microsoft Entra admin center and log in with an account that is allowed to grant admin consent for the tenant (for example, a Global Administrator); the account used to register the application is not necessarily sufficient.
- Navigate to Applications > Enterprise applications > All applications.
- Select the application registered in the previous steps.
- Click Permissions > Grant admin consent for <tenant name>. The button is labeled with your tenant's name; the same button is also available on the application's API permissions page under App registrations.
- You will then be asked to re-authenticate your account and to review the permissions that were requested.
- Click Accept.
You should now see each permission in the list with the status "Granted for <tenant name>". The application can now obtain tokens for the Microsoft Graph and WindowsDefenderATP APIs, and Graylog can be configured with the Tenant ID, Client ID and Client Secret noted in the steps above.
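Before entering the credentials into Graylog, it is worth confirming from the command line that the registration actually works and that admin consent took effect. The script below is an added example, not Graylog's or Microsoft's code: it requests a client-credentials token for each of the two APIs the permission list targets and checks that the token's `roles` claim carries every application permission listed on this page. A token with no `roles` claim at all is the usual symptom of consent never having been granted. The Defender resource URI `https://api.securitycenter.microsoft.com`, the environment variable names, and the `make_unsigned_token` helper (which only exists so the check can be exercised offline) are assumptions of this example.

```python
"""Pre-flight check for the app registration Graylog uses for Microsoft 365 asset sync.

Added example (not Graylog's or Microsoft's code). It obtains client-credentials
tokens for Microsoft Graph and the WindowsDefenderATP API and verifies that each
token's `roles` claim contains every application permission listed on this page.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Application permissions from this page, keyed by the resource identifier used in the
# OAuth `scope` (resource + "/.default"). The Defender resource URI is an assumption of
# this example, taken from Microsoft's Defender for Endpoint API documentation.
REQUIRED_ROLES = {
    "https://graph.microsoft.com": {
        "Device.Read.All",
        "DeviceManagementConfiguration.Read.All",
        "DeviceManagementManagedDevices.Read.All",
        "User.Read.All",
        "User.ReadBasic.All",
    },
    "https://api.securitycenter.microsoft.com": {
        "Machine.Read.All",
        "Vulnerability.Read.All",
    },
}


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWS compact-serialized token.

    The signature is deliberately not verified: the token was just received over TLS
    from the issuer and is only inspected here, never used to authorize anything.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialized token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token: str, resource: str) -> set:
    """Permissions this page requires for `resource` that the token does not carry."""
    claims = decode_jwt_claims(token)
    granted = set(claims.get("roles", []))  # claim is absent when admin consent was never granted
    return REQUIRED_ROLES[resource] - granted


def request_token(tenant_id: str, client_id: str, client_secret: str, resource: str) -> str:
    """OAuth 2.0 client-credentials grant against the Microsoft identity platform v2.0 endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # ".default" asks for every application permission already consented for this resource
        "scope": f"{resource}/.default",
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def make_unsigned_token(claims: dict) -> str:
    """Build a signature-less JWT from constructed claims, used only to exercise the check offline."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = b64({"alg": "none", "typ": "JWT"})
    return f"{header}.{b64(claims)}."


if __name__ == "__main__":
    # The environment variable names are assumptions of this example, not Graylog settings.
    tenant = os.environ["M365_TENANT_ID"]
    client = os.environ["M365_CLIENT_ID"]
    secret = os.environ["M365_CLIENT_SECRET"]
    for resource in REQUIRED_ROLES:
        missing = missing_roles(request_token(tenant, client, secret, resource), resource)
        status = "OK" if not missing else "missing " + ", ".join(sorted(missing))
        print(f"{resource}: {status}")
```

If a resource reports missing roles even though the permissions show as granted in the portal, re-request the token rather than re-granting: tokens carry the consent state at issue time, and a token cached by any client before consent will not contain the new roles until it expires.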