## Overview

Microsoft 365 provides detailed audit logs of user activities, such as file downloads, data access grants, and configuration changes, as well as DLP event logs.

You can monitor the logs in the Coralogix platform to:

- Track user activities, such as login attempts, file access, and changes to permissions.
- Provide a record of actions taken by users to demonstrate compliance with different regulations.
- Detect unexpected changes to files or settings to diagnose and resolve problems.
- Keep a record of actions like data deletions or modifications to ensure recovery of lost or altered information and maintain data integrity.

The procedure below explains how to configure the integration, allowing you to read logs from Microsoft 365 into Coralogix.

## Prerequisites

### Enable auditing in Microsoft 365

Verify that auditing is enabled in Microsoft 365. If not, follow this procedure.

1. Log in to the M365 platform and navigate to the **Admin** tab.
1. In a new window, click **Security**.
1. Expand **Search**, then click **Audit log search**.
1. If the **Audit logs** option is disabled, a blue banner is displayed at the top of the page. Click it to enable the audit logs.

### Configure Coralogix application in Microsoft Entra

Verify that the Coralogix enterprise application has been configured in Microsoft Entra. If not, follow this procedure.

1. Log in to the Azure portal.

1. Navigate to Entra (formerly known as **Azure Active Directory**).

1. Select **Enterprise applications**, create a new application and register it.

1. Navigate to **App registrations**.

1. Select the application you have just created, and:

   1. Click **API Permissions**, select **Office 365 Management APIs**.
   1. Add these 3 permissions and click **Grant admin consent for Coralogix**.
   1. Navigate to **Certificates & secrets**.
   1. Create a client secret and copy its value to the clipboard.

## Configure a Microsoft 365 integration

1. In the Coralogix UI, go to **Data Flow > Integrations**.

1. From the **Integrations** section, select **Microsoft 365**.

1. Enter configuration parameters according to your application requirements:

   - Integration name - Meaningful name of the M365 integration.
   - Application name - The Coralogix application name.
   - Subsystem name - The Coralogix subsystem name.
   - Tenant ID - Your Microsoft tenant ID.
   - Application ID - Application ID used to authenticate and read logs from your Microsoft 365 environment.
   - Secret value - Secret value used to authenticate and read logs from your Microsoft 365 environment.

1. Click **Create** to create the integration.

## Limitations

- There is no guaranteed maximum latency for notification delivery of Office 365 events. Most notifications are typically sent within one hour of the event, and often much sooner, but delivery can take longer because latency varies from workload to workload. Find out [more](https://learn.microsoft.com/en-us/office/office-365-management-api/troubleshooting-the-office-365-management-activity-api).
- Logs older than 24 hours from their original event time are dropped and not processed.
- Some duplication of audit logs is expected, as explained in the [Microsoft documentation](https://learn.microsoft.com/en-us/office/office-365-management-api/troubleshooting-the-office-365-management-activity-api#frequently-asked-questions-about-the-office-365-management-activity-api): This duplication of events is an expected and designed behavior intended to prevent the loss of any audit events.
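
The duplication and 24-hour limits above can be accounted for on the consumer side. The following Python sketch is an added example, not Coralogix or Microsoft code: it de-duplicates audit records and flags those already past the 24-hour cut-off at arrival. It assumes raw records carrying the `Id` and `CreationTime` fields of the Office 365 Management Activity API common schema and that duplicate deliveries repeat the same `Id`; the sample records and function names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_EVENT_AGE = timedelta(hours=24)  # cut-off stated under Limitations

# Constructed sample records (not real tenant data), one JSON object per line.
# Id and CreationTime follow the Office 365 Management Activity API common schema.
SAMPLE = """\
{"Id": "11111111-0000-0000-0000-000000000001", "CreationTime": "2024-05-01T10:00:00", "Operation": "FileDownloaded", "UserId": "alice@example.com"}
{"Id": "11111111-0000-0000-0000-000000000001", "CreationTime": "2024-05-01T10:00:00", "Operation": "FileDownloaded", "UserId": "alice@example.com"}
{"Id": "11111111-0000-0000-0000-000000000002", "CreationTime": "2024-04-30T09:00:00", "Operation": "FileDeleted", "UserId": "bob@example.com"}
{"Id": "11111111-0000-0000-0000-000000000003", "CreationTime": "2024-05-01T11:30:00", "Operation": "UserLoggedIn", "UserId": "carol@example.com"}
"""

def event_time(record):
    """Parse CreationTime; the API reports it in UTC without an offset."""
    ts = datetime.fromisoformat(record["CreationTime"])
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def triage(lines, received_at):
    """Split records into unique, duplicate and stale (older than 24 h) buckets."""
    seen, result = set(), {"unique": [], "duplicate": [], "stale": []}
    for line in lines:
        if not line.strip():
            continue
        record = json.loads(line)
        # Assumption: a duplicate delivery repeats the Id of the original record.
        if record["Id"] in seen:
            result["duplicate"].append(record)
        elif received_at - event_time(record) > MAX_EVENT_AGE:
            result["stale"].append(record)
        else:
            result["unique"].append(record)
        seen.add(record["Id"])
    return result

def max_latency(records, received_at):
    """Largest delay between event time and arrival among the given records."""
    return max((received_at - event_time(r) for r in records), default=timedelta(0))

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed arrival time
    buckets = triage(SAMPLE.splitlines(), now)
    for name, recs in buckets.items():
        print(name, [r["Operation"] for r in recs])
    print("max latency of kept records:", max_latency(buckets["unique"], now))
```

Counting the `stale` bucket over time shows how many events fall outside the 24-hour window and therefore never reach searches or alerts built on these logs.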
