All Apps and Add-ons

Splunk Add On for Office 365 Requirement for Azure

New Member

Is there a Azure Subscription type that is required for the Splunk Add On for Office 365 to generate the proper Audit Logs?

Our Security Admin is only seeing System Wide Messages but not any individual authentications or other

Could this be a limitation on the Azure Tenant Side or something misconfigured on the Splunk Side?



Tags (1)
0 Karma

Splunk Employee
Splunk Employee

For Office 365 data, there is no dependency on any Azure subscription. You actually don't have to have any Azure subscriptions to collect Office 365 data.

If you want to collect Azure activity/audit data, you'll need to create an Azure AD application registration in the Azure portal and grant that application read access to your subscription(s), but that is different data than Office 365.

If you can share some more detail on what you would like to collect, we can help get you going in the right direction.

0 Karma

New Member

Hi Jconger,

I am working with one of our security administrators to capture O365 Audit Data using the Splunk Add On for O365. I created a Azure Application in our cloud tenant and provided it the Office 365 Graph API Permissions
Read Activity data for your organization
Read Service Health for your organization
Read Activity Reports

The application authenticates but does not get all data that I can see in the Audit Search Log which is found in the O365 Security and Compliance portion of the Portal. Is there something missing on the Azure Permission Side?

I would have thought this would provide logging for activity related to
Adding and removing licences
Blocking user sign in
creating/deleting a user in the cloud
adding roles/groups to users etc.

kevin C.

0 Karma

Splunk Employee
Splunk Employee

Those permissions seem correct. Make sure your Azure AD app registration has both application and delegated permissions set. Also, be sure to click the "Grant permission" button in the Azure portal to enable these permissions.

Here is a reference to the type of data you should see in your Splunk environment ->

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...