Microsoft 365 Asset Source Sync

To use Microsoft 365 as an asset source, the Graylog server must be able to connect to the Microsoft 365 API. When you create a new Microsoft 365 asset source on the Connection Configuration page in the Graylog user interface, you are asked to enter the following:

  • Tenant ID

  • Client ID

  • Client Secret

If you do not have an active Microsoft 365 client application, you will need to register one and provide the credentials listed above. You can learn more about registering an application in the Microsoft identity platform by visiting the related Microsoft website. Keep reading to learn about the required API permissions to enable the connection between Microsoft 365 and Graylog.

Prerequisites

You need access to the relevant Microsoft products and to the Microsoft 365 API to fully use the asset source sync and vulnerability import functionality. Four Microsoft subscriptions are involved; which ones you need depends on the functionality you intend to use:

1. Entra ID

Required for: user asset import

Optional for: machine asset import

Not used for: vulnerability import

2. Intune

Optional for: machine or user asset import

Not used for: vulnerability import

3. Defender

Required for: vulnerability import

Optional for: machine asset import

Not used for: user asset import

4. Defender Vulnerability Management Add-on

Required for: vulnerability import

Optional for: machine asset import

Not used for: user asset import

API Permissions

Once you have fulfilled the above prerequisites, an application with API access and the correct permissions must be created to connect a Graylog instance and pull assets and vulnerabilities from Microsoft 365. The required permissions for all supported functionality to work are:

Microsoft Graph:

  • Device.Read.All

  • DeviceManagementConfiguration.Read.All

  • DeviceManagementManagedDevices.Read.All

  • User.Read.All

  • User.ReadBasic.All

WindowsDefenderATP:

  • Machine.Read.All

  • Vulnerability.Read.All

Configure the Required API Permissions

  1. Log into Microsoft Azure.

  2. Select Entra ID.

  3. Select App registrations > New registration.

  4. Register a new application.

    1. Provide a name for the application (for example, Graylog Log Access).

    2. Select the appropriate account type.

    3. Do not add a redirect URI.

    4. Click the Register button.

    Hint: Once the application is registered, take note of Application (client) ID and Directory (tenant) ID.

  5. Click Add a certificate or secret.

  6. Click New client secret.

  7. Take note of the Client Secret value. Once you navigate away from this page, the value is no longer visible. If you lose it, create a new secret and, if you delete the old one, update any Graylog inputs that still use it.

  8. For the newly created application, navigate to API permissions.

  9. Click on Add a permission.

  10. Select Microsoft Graph.

  11. Select Application Permissions.

  12. Select the permissions listed under API Permissions above (for example, the user read permissions required for user asset import).

  13. Navigate to the Microsoft Entra admin center and log in with the account created above.

  14. Navigate to Applications > Enterprise Applications > All applications.

  15. Select the name of the application(s) selected in the previous steps.

  16. Click Permissions > Grant admin consent for MSFT.

  17. You will then be asked to re-authenticate your account and grant the permissions that you requested.

  18. Click Accept.

The new permissions should now appear in the list, and the application can access the API with them.

Hint: It can take a while for the permissions to propagate between steps, so you may need to wait or try refreshing.
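The following Python script is an added example, not Graylog's own code, that ties the Connection Configuration values (Tenant ID, Client ID, Client Secret) to the permissions configured in the procedure above. It builds the OAuth 2.0 client-credentials token request that such a connection uses and inspects the roles claim of an access token to report which of the permissions listed under API Permissions are still missing, which is a quick way to confirm that admin consent has propagated. The tenant, client and secret values are constructed placeholders, the WindowsDefenderATP resource URL is an assumption, and the sample token is unsigned test data built inline so the script runs offline.

```python
"""Check which of the required Microsoft 365 application permissions an access token carries.

Added example (not Graylog's code). Tenant, client and secret values are placeholders;
the Defender resource URL is an assumption; the sample token is constructed test data.
"""
import base64
import json
from urllib.parse import urlencode

# Permissions from the page, grouped by the API that issues them.
REQUIRED_PERMISSIONS = {
    "Microsoft Graph": {
        "Device.Read.All",
        "DeviceManagementConfiguration.Read.All",
        "DeviceManagementManagedDevices.Read.All",
        "User.Read.All",
        "User.ReadBasic.All",
    },
    "WindowsDefenderATP": {
        "Machine.Read.All",
        "Vulnerability.Read.All",
    },
}

# Resource scopes for the client-credentials grant. The Graph scope is Microsoft's
# documented default scope; the Defender one is assumed for the WindowsDefenderATP API.
API_SCOPES = {
    "Microsoft Graph": "https://graph.microsoft.com/.default",
    "WindowsDefenderATP": "https://api.securitycenter.microsoft.com/.default",
}


def token_request(tenant_id, client_id, client_secret, api):
    """Return (url, form_body) for a client-credentials token request to the tenant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": API_SCOPES[api],
    })
    return url, body


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def token_roles(access_token):
    """Return the application roles in a JWT access token's `roles` claim.

    The payload is decoded without signature verification: the client only inspects
    what was granted to it; verifying the token is the job of the API that receives it.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    return set(claims.get("roles", []))


def missing_permissions(access_token, api):
    """Required permissions for `api` that the token does not carry (empty set = ready)."""
    return REQUIRED_PERMISSIONS[api] - token_roles(access_token)


def make_sample_token(roles):
    """Build an unsigned JWT carrying the given roles (constructed test data only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "roles": sorted(roles)}
    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    url, _body = token_request(
        "00000000-0000-0000-0000-000000000000",   # placeholder Tenant ID
        "11111111-1111-1111-1111-111111111111",   # placeholder Client ID
        "<client-secret-placeholder>",            # placeholder Client Secret
        "Microsoft Graph",
    )
    print("token endpoint:", url)  # the body is not printed: it contains the secret
    # A constructed token that carries only three of the five Graph permissions.
    sample = make_sample_token({"Device.Read.All", "User.Read.All", "User.ReadBasic.All"})
    print("missing Graph permissions:", sorted(missing_permissions(sample, "Microsoft Graph")))
```

In practice you would POST the returned body to the URL (with a real secret, never logged) and pass the access_token from the JSON response to missing_permissions. If admin consent has not propagated yet, the roles claim is short or absent; waiting and requesting a fresh token, as the hint above describes, is the fix, since a token issued before consent keeps its old claims until it expires.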