Configuring a Microsoft Office 365 account in Microsoft Azure Active Directory

Before you can add a log source in QRadar, you must run the Azure Active Directory PowerShell cmdlet and then configure Azure Active Directory for Microsoft Office 365.

Procedure

  1. Run the Azure Active Directory PowerShell cmdlet. For more information, see How to install and configure Azure PowerShell (https://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/).
  2. Identify the Tenant ID of the tenant that is subscribed to Microsoft Office 365 by typing the following commands:

    import-module MSOnline

    $userCredential = Get-Credential

    Connect-MsolService -Credential $userCredential

    Get-MsolAccountSku | % {$_.AccountObjectID}

    Use the value that the last command returns for the Tenant ID value when you configure a log source in QRadar.

  3. To use Azure Active Directory to register an application, log in to the Azure Management Portal (https://portal.azure.com) with the credentials of the tenant that is subscribed to Microsoft Office 365.
    1. From the navigation menu, select Azure Active Directory.
    2. From the Overview pane, select App registrations, and then click New registration.
    3. In the Supported account types section, select the type of account that can use the application or access the API.
    4. In the Redirect URI (optional) section, select Web, and type http://localhost in the Web field.
    5. Click Register, and then copy and store the Application (client) ID value. Use this value for the Client ID value when you configure a log source in QRadar.
  4. Generate a client secret for the application.
    1. From the Manage pane, select Certificates & secrets > New client secret.
    2. Select an expiry period, and then click Add.
    3. Copy and store your client secret key value because it can't be retrieved later. Use this value for the Client Secret value when you configure a log source in QRadar.
  5. Specify the permissions that the Microsoft Azure application must use to access Microsoft Office 365 Management APIs.
    1. From the Manage pane, select API permissions.
    2. Click Add a permission, choose Office 365 Management APIs from the API list, click Delegated permissions, and then select the following options:
      Table 1. Delegated permissions
      Permission       Values
      Activity Feed    ActivityFeed.Read, ActivityFeed.ReadDlp
      ServiceHealth    ServiceHealth.Read
    3. Click Application permissions, and then select the following options:
      Table 2. Application permissions
      Permission       Values
      Activity Feed    ActivityFeed.Read, ActivityFeed.ReadDlp
      ServiceHealth    ServiceHealth.Read
    4. Click Add permissions.
    5. In the API permissions window, go to the Grant consent section, and then click Grant admin consent > Yes.
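
One way to check the result of this procedure before you configure the log source is to decode an access token that Azure Active Directory issued to the application and compare its claims with the Tenant ID, the Client ID, and the application permissions in Table 2; a token that lacks a permission usually means that admin consent was not granted. The following PowerShell is an added example, not part of the original procedure or of QRadar. The function names, the placeholder IDs, the constructed sample token, and the claim names that the script reads (tid, appid or azp, roles) are assumptions.

```powershell
# Added example (not IBM or Microsoft code). Reads claims only; it does not
# verify the token signature, so use it as a configuration check, not as validation.
function ConvertFrom-Base64Url([string]$Text) {
    # JWT segments are URL-safe base64 without padding; restore both before decoding.
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    $b64 += '=' * ((4 - $b64.Length % 4) % 4)
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Test-O365TokenClaims {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        # Application permissions from Table 2.
        [string[]]$RequiredRoles = @('ActivityFeed.Read', 'ActivityFeed.ReadDlp', 'ServiceHealth.Read')
    )
    $segments = $AccessToken.Split('.')
    if ($segments.Count -ne 3) { throw 'Expected a JWT with three dot-separated segments.' }
    $claims = ConvertFrom-Base64Url $segments[1] | ConvertFrom-Json

    # Assumption: the application ID is in appid (or azp), the tenant in tid, permissions in roles.
    $appId    = if ($claims.appid) { $claims.appid } else { $claims.azp }
    $missing  = @($RequiredRoles | Where-Object { $_ -notin @($claims.roles) })
    $tenantOk = $claims.tid -eq $TenantId
    $clientOk = $appId -eq $ClientId

    [pscustomobject]@{
        TenantMatches = $tenantOk
        ClientMatches = $clientOk
        MissingRoles  = $missing
        Ready         = $tenantOk -and $clientOk -and ($missing.Count -eq 0)
    }
}

# Constructed sample token (placeholder IDs, no signature) that lacks ServiceHealth.Read.
$tenant = '00000000-0000-0000-0000-000000000001'
$client = '00000000-0000-0000-0000-000000000002'
$toB64Url = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
$payload = @{ tid = $tenant; appid = $client; roles = @('ActivityFeed.Read', 'ActivityFeed.ReadDlp') } | ConvertTo-Json -Compress
$sample = '{0}.{1}.constructed' -f (& $toB64Url '{"alg":"none"}'), (& $toB64Url $payload)

Test-O365TokenClaims -AccessToken $sample -TenantId $tenant -ClientId $client
```

For a real check, pass a token issued to the registered application in place of the constructed sample, and treat that token and the client secret as credentials: do not paste them into shared consoles or logs.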

What to do next

Adding a log source