New: Microsoft 365 Management API collector


Purpose

An analyst wants to detect malicious information sharing in Microsoft 365 office applications. Using the Microsoft 365 API, the analyst finds data exfiltration and then deactivates the harmful users, preventing them from sharing more sensitive data.

You may also need:

Tip: The Microsoft 365 Management API collector will get authentication information into Devo. However, Devo recommends also enabling the Entra ID collector. The Entra ID collector provides important additional information, such as the name of the application the user accessed.

Prerequisites

  • Office 365 subscription

  • Azure subscription associated with your Office 365 subscription

  • Azure Tenant Admin access

Example Tables

Devo table and description:

  • cloud.office365.management.*: Data from a particular 365 service, where the service is defined by the Workload field in the data. Example: exchange.

  • cloud.office365.management: This table includes all the data from this collector.

  • cloud.office365.management.onedrive: Activity in OneDrive, including access to applications like Word and Excel.

  • auth.all: Authentication logs, including successful and failed logins to 365.

Authorize It

Register your application in Microsoft Entra ID

  1. Register the Devo application in Microsoft Entra ID from the Azure portal:

    1. Go to Microsoft Entra ID > App registrations > New registration.

    2. On the Register an application page:

      1. Assign a name for the application. Ex: devo_integration

      2. Select the supported account types, which define who can use the application and access the API.

      3. The Redirect URI field can be left blank.

    3. Click the Register button.

Make note of the Client ID and Tenant ID generated during this registration process.

Generate a new secret

  1. To exchange an authorization code for an access token you need to generate a key (client secret):

    1. In the Azure portal, go to Microsoft Entra ID > App registrations and select the application.

    2. Select Certificates & secrets > New client secret, specifying the key description and expiration.

Data loss warning: When the secret expires, the collector will stop working until the secret is replaced.

    3. Click Add.

    4. Under Client secrets, copy the client secret value to the clipboard.

Save the client secret value. It is shown only once. The value contains a tilde ~ character.

Specify the permissions required to access the Office 365 Management APIs

  1. In the Azure portal, go to App registrations > All applications, select the application, and then select API permissions > Add a permission to display the Request API permissions pane.

  2. On the Microsoft APIs tab, select Office 365 Management APIs.

  3. Select the Application permissions type.

  4. Enable permissions:

    1. Read activity data from your organization.

    2. Read service health information from your organization.

    3. Read DLP policy events including detected sensitive data (only if pulling DLP.All from Management Activity).

  5. Select Add permissions.


Get Office 365 tenant admin consent

  1. The Tenant Admin will need to grant authorization and authentication permissions by using the SAML (Security Assertion Markup Language) standard:

    1. Enable Devo as a service provider.

    2. Enable O365/Entra ID as an identity provider.

  2. Once the tenant Admin has completed the previous authorization process, the permission status changes from "Not granted" to "Granted".
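As an added example (not part of this page and not the Devo collector's own code), the following Python builds the OAuth 2.0 client-credentials request the collector makes with the Client ID, Tenant ID and client secret gathered above, and checks, offline, that the resulting access token's roles claim actually carries the application permissions consented to in this step. The role names ActivityFeed.Read, ServiceHealth.Read and ActivityFeed.ReadDlp are the names Microsoft assigns to the three permissions listed above; confirm them against your own registration. The sample token is constructed and unsigned, for illustration only.

```python
import base64
import json
from urllib.parse import urlencode

# Application permissions on the Office 365 Management APIs resource, matching
# the three permissions enabled above. The role names are Microsoft's names for
# those permissions (assumption: verify them in your own app registration).
REQUIRED_ROLES = {
    "ActivityFeed.Read",    # Read activity data from your organization
    "ServiceHealth.Read",   # Read service health information from your organization
}
DLP_ROLES = {"ActivityFeed.ReadDlp"}  # only if pulling DLP.All from Management Activity

# Resource scope for the Office 365 Management APIs under the v2.0 token endpoint.
MANAGEMENT_API_SCOPE = "https://manage.office.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the client-credentials grant the collector
    performs with the registered application's secret."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": MANAGEMENT_API_SCOPE,
    })
    return url, body


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token):
    """Decode the payload of a JWT access token WITHOUT verifying its signature.
    The claims are only inspected to sanity-check consent; never use this
    decoding to make an authorization decision."""
    _header, payload, _signature = access_token.split(".", 2)
    return json.loads(_b64url_decode(payload))


def missing_roles(access_token, need_dlp=False):
    """Return the required application roles absent from the token's 'roles'
    claim. An empty set means tenant admin consent has taken effect."""
    required = set(REQUIRED_ROLES)
    if need_dlp:
        required |= DLP_ROLES
    granted = set(token_claims(access_token).get("roles", []))
    return required - granted


def make_sample_token(roles):
    """Construct an unsigned sample token for offline testing (not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    payload = enc({"aud": "https://manage.office.com", "roles": list(roles)})
    return f"{header}.{payload}."


if __name__ == "__main__":
    url, body = build_token_request("<TENANT_ID>", "<CLIENT_ID>", "<CLIENT_SECRET>")
    print(url, body)
    print("missing:", missing_roles(make_sample_token(["ActivityFeed.Read"])))
```

If missing_roles returns a non-empty set, consent has not taken effect (or Delegated rather than Application permissions were selected) and the Management API will reject the collector's requests even though the token request itself succeeded.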

Run It

In the Cloud Collector App, create a Microsoft 365 collector instance using this parameter template, replacing the values enclosed in < >. The unique ID should be a five-digit number.

  {
    "inputs": {
      "office365": {
        "credentials": {
          "client_id": "<CLIENT_ID>",
          "client_secret": "<CLIENT_SECRET>",
          "tenant_id": "<TENANT_ID>"
        },
        "enabled": true,
        "id": "<UNIQUE ID>",
        "services": {
          "azure_active_directory": {},
          "general_audit": {},
          "exchange": {},
          "sharepoint": {},
          "dlp": {}
        }
      }
    }
  }
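An added Python example (not the Cloud Collector App's own validation) that checks a parameter document against the rules this section states before it is submitted: it must be valid JSON, the three credential placeholders must be replaced, the id must be a five-digit number, and enabled must be true. The set of known service names is taken from the template above and is an assumption if your collector version supports others.

```python
import json
import re

# Service keys that appear in the page's template (assumption: other collector
# versions may accept additional services).
KNOWN_SERVICES = {"azure_active_directory", "general_audit", "exchange", "sharepoint", "dlp"}


def validate_collector_config(text):
    """Return a list of problems found in a Microsoft 365 collector parameter
    document; an empty list means it is ready to submit."""
    problems = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # A missing comma between services is the typical hand-editing mistake.
        return [f"not valid JSON: {exc.msg} at line {exc.lineno} column {exc.colno}"]

    o365 = cfg.get("inputs", {}).get("office365")
    if o365 is None:
        return ["missing inputs.office365 block"]

    creds = o365.get("credentials", {})
    for key in ("client_id", "client_secret", "tenant_id"):
        val = creds.get(key)
        if not isinstance(val, str) or not val:
            problems.append(f"credentials.{key} is missing")
        elif re.fullmatch(r"<.*>", val):
            problems.append(f"credentials.{key} still holds the placeholder {val}")

    uid = str(o365.get("id", ""))
    if not re.fullmatch(r"\d{5}", uid):
        problems.append(f"id must be a five-digit number, got {uid!r}")

    unknown = set(o365.get("services", {})) - KNOWN_SERVICES
    if unknown:
        problems.append("unknown services: " + ", ".join(sorted(unknown)))

    if o365.get("enabled") is not True:
        problems.append("enabled must be true for the collector to run")
    return problems


if __name__ == "__main__":
    import sys
    for problem in validate_collector_config(sys.stdin.read()):
        print("problem:", problem)
```

Pipe the parameter document into the script before pasting it into the Cloud Collector App; an unreplaced placeholder or a malformed id is reported before the instance is created rather than after it silently fails to collect.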

Secure It

Microsoft 365 logs work with these Exchange Activeboards:

Devo provides compatible Alert packs:

Authentication

An analyst wants to identify who logged in to determine if any malicious users accessed the system.

from cloud.office365.management where Operation = "UserLoggedIn" or Operation = "UserLoginFailed" group by Operation, ActorIpAddress, UserId, split(hostchain,"-",1) as collector_id

Email Attachments

A machine has been infected with malware. An analyst wants to determine if the malware was spread using an email attachment. Using this query, the analyst will improve email filtering.

from cloud.office365.management.exchange where eq(Operation,"AttachmentDownload") group by UserId, jsonparse(message)["AttachmentName"]

Exchange Auditing Disabled

A malicious user has hidden their activity by disabling audit logging. An analyst wants to identify the malicious user.

from cloud.office365.management.exchange where eq(Operation,"Remove-AuditConfigurationPolicy")

Insider Risk Policies

A user has been deactivated. The user did not trigger any data theft alerts. An analyst wants to check the history of insider risk policies to see if data theft was being monitored around the time of the deactivation.

from cloud.office365.management.securitycompliancecenter where has(Operation,"InsiderRiskPolicy"), not has(Operation,"Get")

OneDrive Exfiltration

An analyst wants to determine which accounts are sharing strategic information. If information is being shared with an unauthorized recipient, the compromised UserId should be disabled.

from cloud.office365.management.onedrive where Operation = "SharingSet" select str(jsonparse(message)["ObjectId"]) as file where weakhas(file,"strategic") select str(jsonparse(message)["ClientIP"]) as ip, str(jsonparse(message)["TargetUserOrGroupName"]) as recipient

Teams Exfiltration

It was revealed that a foreign tenant received confidential information. An analyst wants to find which Teams activity was available to foreign tenants in order to find out what other information was disclosed.

from cloud.office365.management.microsoftteams select jqeval(jqcompile(".ParticipantInfo.HasForeignTenantUsers"),jsonparse(message)) as foreign where isnotnull(foreign)

Sharepoint Data Destruction

A malicious user has destroyed data. An analyst wants to determine which data is lost so that service can be restored.

from cloud.office365.management.sharepoint where Operation = "FileVersionsAllDeleted"
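The Authentication, OneDrive Exfiltration and Teams Exfiltration queries above, re-implemented in Python over constructed Management Activity API records, as an added example that is not part of this page or of Devo. It assumes the collector keeps each record's raw JSON in the message column (as the jsonparse(message) calls above imply) and that the per-service table name is the Workload value lowercased under cloud.office365.management, inferred from the table list above. The sample records are made up; weakhas is mirrored by a case-insensitive substring match.

```python
import json
from collections import Counter

# Constructed sample audit records in the shape of Office 365 Management
# Activity API events (not real tenant data), stored as the raw JSON strings
# the collector delivers into Devo's message column.
SAMPLE_MESSAGES = [
    json.dumps({"Workload": "AzureActiveDirectory", "Operation": "UserLoggedIn",
                "UserId": "alice@example.com", "ActorIpAddress": "203.0.113.10"}),
    json.dumps({"Workload": "AzureActiveDirectory", "Operation": "UserLoginFailed",
                "UserId": "alice@example.com", "ActorIpAddress": "198.51.100.7"}),
    json.dumps({"Workload": "AzureActiveDirectory", "Operation": "UserLoginFailed",
                "UserId": "alice@example.com", "ActorIpAddress": "198.51.100.7"}),
    json.dumps({"Workload": "OneDrive", "Operation": "SharingSet",
                "UserId": "bob@example.com", "ClientIP": "192.0.2.44",
                "ObjectId": "https://example-my.sharepoint.com/personal/bob/Documents/Strategic-Plan-2025.xlsx",
                "TargetUserOrGroupName": "outsider@example.net"}),
    json.dumps({"Workload": "OneDrive", "Operation": "SharingSet",
                "UserId": "bob@example.com", "ClientIP": "192.0.2.44",
                "ObjectId": "https://example-my.sharepoint.com/personal/bob/Documents/lunch-menu.docx",
                "TargetUserOrGroupName": "carol@example.com"}),
    json.dumps({"Workload": "MicrosoftTeams", "Operation": "MemberAdded",
                "UserId": "dave@example.com",
                "ParticipantInfo": {"HasForeignTenantUsers": True}}),
    json.dumps({"Workload": "MicrosoftTeams", "Operation": "MessageSent",
                "UserId": "dave@example.com"}),
]


def table_for(record):
    """Devo table the record lands in: Workload lowercased under
    cloud.office365.management (assumption inferred from the page's table list)."""
    return "cloud.office365.management." + record["Workload"].lower()


def login_summary(messages):
    """Mirror of the Authentication query: count successful and failed logins
    per (Operation, ActorIpAddress, UserId)."""
    counts = Counter()
    for raw in messages:
        rec = json.loads(raw)
        if rec.get("Operation") in ("UserLoggedIn", "UserLoginFailed"):
            counts[(rec["Operation"], rec.get("ActorIpAddress"), rec.get("UserId"))] += 1
    return counts


def strategic_shares(messages, keyword="strategic"):
    """Mirror of the OneDrive Exfiltration query: SharingSet events whose shared
    object path contains the keyword (case-insensitive, like weakhas), with the
    sharing user's IP and the recipient so the UserId can be reviewed."""
    hits = []
    for raw in messages:
        rec = json.loads(raw)
        if table_for(rec) != "cloud.office365.management.onedrive":
            continue
        if rec.get("Operation") != "SharingSet":
            continue
        file = rec.get("ObjectId", "")
        if keyword.lower() in file.lower():
            hits.append({"file": file, "user": rec.get("UserId"),
                         "ip": rec.get("ClientIP"),
                         "recipient": rec.get("TargetUserOrGroupName")})
    return hits


def foreign_tenant_teams_events(messages):
    """Mirror of the Teams Exfiltration query: Teams records that carry a
    ParticipantInfo.HasForeignTenantUsers value (isnotnull), with its value."""
    out = []
    for raw in messages:
        rec = json.loads(raw)
        if table_for(rec) != "cloud.office365.management.microsoftteams":
            continue
        foreign = rec.get("ParticipantInfo", {}).get("HasForeignTenantUsers")
        if foreign is not None:
            out.append((rec.get("Operation"), foreign))
    return out


if __name__ == "__main__":
    print(login_summary(SAMPLE_MESSAGES))
    print(strategic_shares(SAMPLE_MESSAGES))
    print(foreign_tenant_teams_events(SAMPLE_MESSAGES))
```

Running the three functions over a saved export of message values is a quick way to check, before deploying a query as an alert, that the JSON paths (ObjectId, TargetUserOrGroupName, ParticipantInfo.HasForeignTenantUsers) are populated for your tenant's records.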

Monitor It

Create an inactivity alert to detect interruptions in the transfer of data from popular Microsoft products to the Microsoft 365 Management API, using this query:

from cloud.office365.management where toktains(hostchain,"collector-") select split(hostchain,"-",1) as collector_id where eq(Workload,"Exchange") or eq(Workload,"AzureActiveDirectory") or eq(Workload,"MicrosoftTeams")

Set the inactivity alert to keep track of the collector_id and Workload.
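An added Python example (not Devo's alerting engine) of the inactivity check the alert above performs: it tracks the most recent record per (collector_id, Workload) and reports pairs that have been silent longer than a threshold. It mirrors split(hostchain,"-",1) on the assumption that hostchain looks like collector-<unique id>-... and that the index is zero-based, so the five-digit unique ID becomes the collector_id. It goes slightly beyond the Devo alert by also flagging a monitored Workload that a known collector has never reported. The events are constructed.

```python
from datetime import datetime, timedelta, timezone

# Workloads the page's Monitor It query keeps, under the names the Workload
# field uses.
EXPECTED_WORKLOADS = ("Exchange", "AzureActiveDirectory", "MicrosoftTeams")

# Constructed sample events: (event time, hostchain, Workload). The hostchain
# format "collector-<unique id>-<host>" is an assumption for this example.
T0 = datetime(2025, 3, 24, 18, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    (T0 - timedelta(minutes=5), "collector-12345-devo", "Exchange"),
    (T0 - timedelta(minutes=50), "collector-12345-devo", "AzureActiveDirectory"),
    (T0 - timedelta(minutes=2), "collector-12345-devo", "MicrosoftTeams"),
    (T0 - timedelta(minutes=3), "collector-67890-devo", "Exchange"),
    (T0 - timedelta(minutes=1), "collector-67890-devo", "OneDrive"),   # not monitored
    (T0 - timedelta(minutes=1), "otherhost-1", "Exchange"),            # not a collector
]


def collector_id(hostchain):
    """Mirror of toktains(hostchain,"collector-") followed by
    split(hostchain,"-",1): the second '-'-separated token, or None."""
    if "collector-" not in hostchain:
        return None
    parts = hostchain.split("-")
    return parts[1] if len(parts) > 1 else None


def last_seen(events):
    """Most recent timestamp per (collector_id, Workload) for monitored workloads."""
    seen = {}
    for ts, hostchain, workload in events:
        cid = collector_id(hostchain)
        if cid is None or workload not in EXPECTED_WORKLOADS:
            continue
        key = (cid, workload)
        if key not in seen or ts > seen[key]:
            seen[key] = ts
    return seen


def inactive_streams(events, now, max_silence=timedelta(minutes=30)):
    """Return (collector_id, Workload) pairs that have gone quiet: no record
    within max_silence of `now`, or never reported by an otherwise known
    collector. Sorted by collector_id, then in EXPECTED_WORKLOADS order."""
    seen = last_seen(events)
    collectors = sorted({cid for cid, _ in seen})
    inactive = []
    for cid in collectors:
        for workload in EXPECTED_WORKLOADS:
            ts = seen.get((cid, workload))
            if ts is None or now - ts > max_silence:
                inactive.append((cid, workload))
    return inactive


if __name__ == "__main__":
    for cid, workload in inactive_streams(SAMPLE_EVENTS, T0):
        print(f"collector {cid}: no {workload} data in the last 30 minutes")
```

A silent (collector_id, Workload) pair is the first symptom of an expired client secret (see the data loss warning above) or of revoked consent, so route this alert to the team that owns the app registration rather than only to the SOC.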