Microsoft Office 365 is a suite of collaboration tools that includes Exchange-hosted email and calendar service. It offers a seamless workflow with Microsoft Office and other programs. Each mailbox includes 50 GB of storage. Microsoft Defender for Office 365 P2 expands the investigation and response capabilities and adds a hunting capability. In Microsoft Defender for Office 365 P2, the primary hunting tool is called Threat Explorer rather than Real-time detections.
This article provides instructions for connecting Microsoft Cloud App Security to your existing Office 365 account using the app connector API. This connection gives you visibility into and control over Office 365 use. For information about how Cloud App Security protects Office 365, see Protect Office 365.
Cloud App Security supports the legacy Office 365 Dedicated Platform as well as the latest offerings of Office 365 services (commonly referred to as the vNext release family of Office 365). Cloud App Security doesn't support the legacy Microsoft Business Productivity Online Standard Suite (BPOS).
Note
In some cases, a vNext service release differs slightly at the administrative and management levels from the standard Office 365 offering.
Cloud App Security supports the following Office 365 apps:
- Dynamics 365 CRM
- Exchange (only appears after activities from Exchange are detected in the portal, and requires you to turn on auditing)
- Office
- OneDrive
- Power Automate
- Power BI (only appears after activities from Power BI are detected in the portal, and requires you to turn on auditing)
- SharePoint
- Skype for Business
- Teams (only appears after activities from Teams are detected in the portal)
- Yammer
Note
Cloud App Security integrates directly with Office 365's audit logs and receives all audited events from all supported services, such as PowerApps, Forms, Sway, and Stream.
How to connect Office 365 to Cloud App Security
Note
- You must have at least one assigned Office 365 license to connect Office 365 to Cloud App Security.
- To enable monitoring of Office 365 activities in Cloud App Security, you are required to enable auditing in the Office Security and Compliance Center.
- Exchange administrator audit logging, which is enabled by default in Office 365, logs an event in the Office 365 audit log when an administrator (or a user who has been assigned administrative privileges) makes a change in your Exchange Online organization. Changes made using the Exchange admin center or by running a cmdlet in Windows PowerShell are logged in the Exchange admin audit log. For more detailed information about admin audit logging in Exchange, see Administrator audit logging.
- Exchange Mailbox audit logging must be turned on for each user mailbox before user activity in Exchange Online is logged; see Exchange Mailbox activities.
- If Office apps are enabled, groups that are part of Office 365 are also imported to Cloud App Security from the specific Office apps, for example, if SharePoint is enabled, Office 365 groups are imported as SharePoint groups as well.
- You must enable auditing in Power BI to get the logs from there. Once auditing is enabled, Cloud App Security starts getting the logs (with a delay of 24-72 hours).
- You must enable auditing in Dynamics 365 to get the logs from there. Once auditing is enabled, Cloud App Security starts getting the logs (with a delay of 24-72 hours).
- If your Azure Active Directory is set to automatically sync with the users in your on-premises Active Directory environment, the settings in the on-premises environment override the Azure AD settings, and use of the Suspend user governance action is reverted.
- For Azure AD sign-in activities, Cloud App Security only surfaces interactive sign-in activities and sign-in activities from legacy protocols such as ActiveSync. Noninteractive sign-in activities may be viewed in the Azure AD audit log.
- Multi-geo deployments are only supported for OneDrive.

- In the Connected apps page, click the plus button and select Office 365.
- In the Office 365 pop-up, click Connect Office 365.
- In the Office 365 components page, select the options you require, and then click Connect.
  Note
  - For best protection, we recommend selecting all Office 365 components.
  - The Office 365 files component requires the Office 365 activities component and Cloud App Security file monitoring (Settings > Files > Enable file monitoring).
- After Office 365 is displayed as successfully connected, click Close.
Note
After connecting Office 365, you will see data from a week back including any third-party applications connected to Office 365 that are pulling APIs. For third-party apps that weren't pulling APIs prior to connection, you see events from the moment you connect Office 365 because Cloud App Security turns on any APIs that had been off by default.
If you have any problems connecting the app, see Troubleshooting App Connectors.
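A read-only check of the auditing prerequisites listed in the note above, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement PowerShell module is installed and that the signed-in account can read the organization and mailbox configuration; the function name `Test-O365AuditPrerequisites` is hypothetical.

```powershell
# Added example: read-only audit of the auditing prerequisites for the
# Office 365 connector. Assumes the ExchangeOnlineManagement module.
#Requires -Modules ExchangeOnlineManagement

function Test-O365AuditPrerequisites {
    [CmdletBinding()]
    param()

    # Admin audit logging and unified audit log ingestion settings.
    $adminCfg = Get-AdminAuditLogConfig
    # AuditDisabled = $true means mailbox auditing is turned off tenant-wide.
    $orgCfg = Get-OrganizationConfig

    # User mailboxes whose per-mailbox audit flag is off.
    $unaudited = @(
        Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
            Where-Object { -not $_.AuditEnabled } |
            Select-Object -ExpandProperty UserPrincipalName
    )

    [pscustomobject]@{
        UnifiedAuditLogIngestion = [bool]$adminCfg.UnifiedAuditLogIngestionEnabled
        AdminAuditLogEnabled     = [bool]$adminCfg.AdminAuditLogEnabled
        OrgMailboxAuditDisabled  = [bool]$orgCfg.AuditDisabled
        MailboxesWithAuditOff    = $unaudited
    }
}

Connect-ExchangeOnline -ShowBanner:$false
try {
    $result = Test-O365AuditPrerequisites
    $result | Format-List UnifiedAuditLogIngestion, AdminAuditLogEnabled, OrgMailboxAuditDisabled

    if (-not $result.UnifiedAuditLogIngestion) {
        Write-Warning 'Auditing is off: enable it before connecting Office 365.'
    }
    if ($result.MailboxesWithAuditOff.Count -gt 0) {
        Write-Warning ("{0} user mailbox(es) have AuditEnabled set to False:" -f $result.MailboxesWithAuditOff.Count)
        $result.MailboxesWithAuditOff | Sort-Object | ForEach-Object { "  $_" }
    }
}
finally {
    # Always close the remote session, even if a query fails.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it against Exchange Online PowerShell rather than Security & Compliance PowerShell, where `UnifiedAuditLogIngestionEnabled` always reads False.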
Next steps
If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.