Is there an Azure Subscription type that is required for the Splunk Add On for Office 365 to generate the proper Audit Logs?
Our Security Admin is only seeing System Wide Messages but not any individual authentications or other
Could this be a limitation on the Azure Tenant Side or something misconfigured on the Splunk Side?
For Office 365 data, there is no dependency on any Azure subscription. You actually don't have to have any Azure subscriptions to collect Office 365 data.
If you want to collect Azure activity/audit data, you'll need to create an Azure AD application registration in the Azure portal and grant that application read access to your subscription(s), but that is different data than Office 365.
If you can share some more detail on what you would like to collect, we can help get you going in the right direction.
I am working with one of our security administrators to capture O365 Audit Data using the Splunk Add On for O365. I created an Azure Application in our cloud tenant and provided it the Office 365 Graph API Permissions:
Read Activity data for your organization
Read Service Health for your organization
Read Activity Reports
The application authenticates but does not get all data that I can see in the Audit Search Log which is found in the O365 Security and Compliance portion of the Portal. Is there something missing on the Azure Permission Side?
I would have thought this would provide logging for activity related to:
Adding and removing licences
Blocking user sign in
creating/deleting a user in the cloud
adding roles/groups to users etc.
Those permissions seem correct. Make sure your Azure AD app registration has both application and delegated permissions set. Also, be sure to click the "Grant permission" button in the Azure portal to enable these permissions.
Here is a reference to the type of data you should see in your Splunk environment -> https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api...
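One way to confirm that the "Grant permission" step actually took effect is to inspect the access token the app registration receives: application permissions that have admin consent show up in the token's `roles` claim, delegated ones in `scp`. The following added diagnostic is not from the thread or from the Splunk add-on; it assumes the three display names above map to the Office 365 Management APIs scope values ActivityFeed.Read, ServiceHealth.Read and ActivityReports.Read, and that the token is issued for the https://manage.office.com resource.

```python
import base64
import json

# Scope values behind the three display names quoted in the thread
# (assumption: these are the Office 365 Management APIs permissions the add-on needs).
REQUIRED = {
    "ActivityFeed.Read",      # Read activity data for your organization
    "ServiceHealth.Read",     # Read service health information for your organization
    "ActivityReports.Read",   # Read activity reports for your organization
}
EXPECTED_AUDIENCE = "https://manage.office.com"  # resource the token should be issued for


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT. The signature is NOT verified: this is a
    local diagnostic on a token we just obtained, not an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    """Application permissions arrive as a JSON array in `roles`;
    delegated permissions arrive space-separated in `scp`."""
    granted = set(claims.get("roles", []))
    granted.update(claims.get("scp", "").split())
    return granted


def check_token(token: str) -> dict:
    """Report granted vs. missing permissions and whether the audience is right.
    An empty `roles` after adding application permissions usually means admin
    consent ("Grant permission") was never clicked."""
    claims = jwt_claims(token)
    granted = granted_permissions(claims)
    return {
        "audience_ok": claims.get("aud") == EXPECTED_AUDIENCE,
        "granted": sorted(granted & REQUIRED),
        "missing": sorted(REQUIRED - granted),
    }


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline testing only (not a real Azure AD token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"
```

Run `check_token()` on the token the add-on obtains; a non-empty `missing` list or `audience_ok` being false points at the app registration rather than at Splunk.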