
Cloud Collectors Administration Guide


Prerequisites to Configure the Microsoft 365 Exchange Admin Reports Cloud Collector

Before you configure the Microsoft 365 Exchange Admin Reports Cloud Collector, complete the following prerequisite tasks:

Create a Microsoft Entra ID Application for Cloud Collectors

Before you can begin onboarding any of the available Microsoft cloud collectors, you must create a Microsoft Entra ID application (formerly called Azure Active Directory) in the Microsoft Azure portal. The same application can support multiple Microsoft cloud collectors, as long as all of the relevant API permissions are assigned.

To create a Microsoft Entra ID application and prepare it for use by cloud collectors, complete the required tasks described in the following sections.

During the procedure, make a note of the IDs you will need when you configure a new Microsoft cloud collector.

Create and Register a Microsoft Entra ID Application

  1. Log in to the Azure portal with your Azure account.

  2. From the available Azure Services, select Microsoft Entra ID (formerly called Azure Active Directory).

  3. From the left navigation pane, select App Registrations, then click New Registration.

  4. On the Register an application page, enter the following information:

    • Name – Specify a name for the new application. For example, Exabeam MS Entra ID App.

    • Supported account types – Select the account type Accounts in this organizational directory only.

    • Redirect URI – (Optional) Select the Web platform and specify a URI.

  5. Click Register. When registration is complete, the Overview tab of the new application is displayed.

  6. Copy and make a note of the values for both the Application (client) ID and the Directory (tenant) ID. You will need these values when configuring a Microsoft cloud collector.

Generate Certificates and Secrets

  1. In your new Microsoft Entra ID application, click Certificates & secrets in the left navigation pane.

  2. Decide which authentication method you want to use. Two methods are available: OAuth2 or certificate authentication. Depending on which method you plan to use, do one of the following:

    • OAuth2 method – Select the Client secrets tab, and continue with Step 3.

    • Certificate method – Click the Certificates tab and continue with Step 4.

  3. On the Client Secrets tab, click New client secret and do the following:

    1. Enter a Description and choose an expiration period for the secret.

    2. Click Add. The new client secret is displayed on the Client secrets tab.

    3. Copy and make a note of the Value. You will need this client secret value when you configure a Microsoft cloud collector. You will not be able to recover this value later if you don't make a note of it.

  4. On the Certificates tab, click Upload certificate and do the following:

    1. Use the File Selection icon to upload an existing certificate (the public key) with a file type of .cer, .pem, or .crt.

    2. Enter a Description for the certificate.

    3. Click Add. The new certificate is displayed on the Certificates tab.


    Note

    If you don't already have the certificate and private key files, create them.

    Generate a self-signed X.509 certificate and its RSA private key by running the following command in a terminal:

    openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 3650 -out certificate.pem

    Two files are created in the directory where you ran the command:

    • certificate.pem – The certificate, which contains the public key. This is the file you upload in the Azure portal.

    • key.pem – The private key. Keep this file private; it is a credential for the application.

    The cloud collector supports RSA keys of up to 16384 bits.

  5. Use the certificate and private key, or the client secret, when you create a shareable Microsoft account in Cloud Collectors (see Add Accounts for Microsoft Cloud Collectors).
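The following script is an added example and is not part of the Exabeam guide. It runs the guide's openssl command non-interactively and then validates the result before you upload certificate.pem to the Entra ID application and paste both files into the Cloud Collectors account form: it checks that the key is RSA and within the 16384-bit limit, that key.pem actually matches certificate.pem, and prints the SHA-1 thumbprint that the Certificates & secrets tab displays. The subject name and script filename are placeholders of our choosing; openssl must be in PATH.

```shell
#!/bin/sh
# Added example, not part of the Exabeam guide: generate the self-signed
# certificate exactly as the guide's openssl command does, then validate it
# before uploading certificate.pem to the Entra ID application and pasting
# both files into the Cloud Collectors account form. Needs openssl in PATH.
set -eu

# Generate key.pem and certificate.pem in the given directory. -subj makes
# the guide's command non-interactive; the CN is a placeholder of our choice.
gen_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
    -x509 -days 3650 -out "$1/certificate.pem" \
    -subj "/CN=cloud-collector-example" 2>/dev/null
  chmod 600 "$1/key.pem"   # the private key is a credential: owner-only access
}

# RSA modulus length in bits, read from the certificate's public key
# (matches both "RSA Public-Key: (N bit)" and "Public-Key: (N bit)" output).
key_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# SHA-1 thumbprint without colons, as shown on the Certificates & secrets tab,
# so you can confirm the portal received the certificate you meant to upload.
thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Confirm key.pem really belongs to certificate.pem by comparing the public
# key derived from each file; a mismatch would fail the token request later.
key_matches_cert() {
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$a" = "$b" ]
}

# Apply the collector's stated constraint: an RSA key of at most 16384 bits.
check_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'Public Key Algorithm: rsaEncryption' || return 1
  bits=$(key_bits "$1")
  [ -n "$bits" ] && [ "$bits" -le 16384 ]
}

# Usage: sh gen-check-cert.sh <output-dir>
if [ -n "${1:-}" ]; then
  gen_cert "$1"
  check_cert "$1/certificate.pem" || { echo "certificate rejected" >&2; exit 1; }
  key_matches_cert "$1/certificate.pem" "$1/key.pem" || { echo "key does not match certificate" >&2; exit 1; }
  echo "upload certificate.pem; thumbprint $(thumbprint "$1/certificate.pem")"
fi
```

Compare the printed thumbprint with the one the Azure portal shows after the upload; the private key file never leaves your machine except when pasted into the Cloud Collectors account form.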

Assign API Permissions

The permissions you assign to the new application depend on which Microsoft collectors you plan to onboard in the Cloud Collectors service. You can assign all the permissions for multiple Microsoft cloud collectors to the same Microsoft Entra ID application in the Azure portal.

To assign permissions, follow the general procedure below but make sure you include all of the API permissions required for the specific types of Microsoft cloud collectors you plan to configure. The specific permissions required for each Microsoft cloud collector are shown in the table at the end of this procedure.

  1. In your new Microsoft Entra ID application, click API permissions in the left navigation pane.

  2. Click Add a permission.

  3. In the Request API permissions pane on the right, click the APIs my organization uses tab.

  4. Depending on which permissions you need to assign, use the search field to find and select a specific API name or Application ID. Consult the table at the end of this procedure for collector-specific information.

  5. Click Application permissions to expand the permission selections.

  6. In the permissions search bar, search for and expand a specific set of permissions. In the expanded options, select the permissions you need. For a list of the required permissions for each Microsoft cloud collector, see the table below.

    For example, the Microsoft Entra ID application requires the ReportingWebService.Read.All API permission for the Office 365 Exchange Online API for the Microsoft Exchange Admin Reports Cloud Collector.

  7. Click Add permissions. The new permissions are added to the application.

  8. Repeat this procedure for each set of API permissions required for the Microsoft cloud collectors you plan to configure.

| Cloud Collector | API Name/Application ID | Permission Category | Specific Permission |
| --- | --- | --- | --- |
| Microsoft Entra ID (formerly Azure Active Directory) | Microsoft Graph | Directory | Directory.Read.All |
| Microsoft Entra ID (formerly Azure Active Directory) | Microsoft Graph | IdentityRiskEvent | IdentityRiskEvent.Read.All |
| Microsoft Entra ID (formerly Azure Active Directory) | Microsoft Graph | AuditLog | AuditLog.Read.All |
| Microsoft Entra ID Context Data Source - Users | Microsoft Graph | Directory | Directory.Read.All |
| Microsoft Entra ID Context Data Source - Users | Microsoft Graph | Delegated | User.Read |
| Microsoft 365 Exchange Admin Reports | Office 365 Exchange Online | ReportingWebService | ReportingWebService.Read.All |
| Microsoft 365 Management Activity | Office 365 Management APIs | ActivityFeed | ActivityFeed.Read |
| Microsoft 365 Management Activity | Office 365 Management APIs | ActivityFeed | ActivityFeed.ReadDlp |
| Microsoft 365 Management Activity | Office 365 Management APIs | ServiceHealth | ServiceHealth.Read |
| Microsoft Security Alerts | Microsoft Graph | Alert_v2 | SecurityAlert.Read.All |
| Microsoft Security Alerts | Microsoft Graph | Legacy_API | SecurityEvents.Read.All |

Grant Administration Consent

When all of the API permissions have been added, the Configured permissions table should look like the image below. Notice that the Status for each new permission is Not granted.


In order for a Microsoft cloud collector to pull data from these data sources, you must grant admin consent for each API permission as follows:

  1. Above the Configured permissions table, click Grant admin consent.

  2. When prompted to confirm, click Yes. The Status for each permission changes to Granted.


Assign Required Roles (only for the Microsoft 365 Exchange Admin Report Collector)

If you plan to onboard a Microsoft 365 Exchange Admin Report Cloud Collector, you must assign specific roles. Unlike the Security Administrator role, the Compliance Administrator role provides the permissions required to complete tasks through Exchange Online PowerShell or the web service APIs, for example managing recipients and accessing security and protection features such as anti-spam, anti-malware, and anti-phishing, together with their associated reports. The Compliance Administrator role is required for the endpoint DLP (data loss prevention) data source.

For the app-only token flow, add the application's service principal to the Compliance Administrator role in Microsoft Entra ID (formerly called Azure AD); that is, assign Microsoft Entra ID roles to the application itself.

If you want to use a role with minimum privileges, use the Global Reader role instead.

To assign the Compliance Administrator role or the Global Reader role to the Microsoft Entra ID application:

  1. On the Azure portal, navigate to Microsoft Entra ID > Roles and administrators.

  2. Search for and then select the Compliance Administrator role or Global Reader role based on your requirement.

  3. Click the role you selected.

  4. Select Add assignments.

  5. Click No member selected, and in the Select a member window choose the app that you created earlier in the Create a Microsoft Entra ID Application for Cloud Collectors workflow. Note that member here refers to your Microsoft Entra ID application.

  6. Click Select.

  7. In the Add Assignments section, click Next.

  8. Ensure that the role is permanently assigned by selecting the Permanently assigned option in the Setting section.

  9. In the Setting section, enter the justification for the role assignment, and click Assign.

  10. In the Active assignments tab that appears next, verify that the correct app was chosen by checking that the Service Principal ID matches the one you intended.

    Note

    Ensure that you also assign this role to the role group you selected in the Exchange Admin Portal.

For more information about assigning roles in Microsoft Entra ID, refer to Assign Microsoft Entra Roles to Users.

Add Accounts for Microsoft Cloud Collectors

To streamline the onboarding process, create a shareable account that can be used across one or more collectors that require a Microsoft account.

To set up a shareable Microsoft account in Cloud Collectors:

  1. Log in to the New-Scale Security Operations Platform with your registered credentials as an administrator.

  2. Navigate to Collectors > Cloud Collectors.

  3. Click Accounts, then click New Account.

  4. On the Add a New Account page, enter the following information, as shown in the image below:

    • VENDOR – Select Microsoft as the vendor.

    • NAME – Specify a name for the Microsoft account.

    • Authentication – Select an authentication method. Depending on how you created your Microsoft Entra ID application (formerly called Azure Active Directory) in the Azure portal, select one of the options below and provide the applicable IDs and certificate or secret.

      • Certificate – If your application uses the certificate authentication method, enter the following information:

        • CLIENT ID – Enter the value of the Application (client) ID that was generated when you created and registered your Microsoft Entra ID application. If you did not make a note of the value, return to the Azure portal and navigate to the Overview tab of your application.

        • TENANT ID – Enter the value of the Directory (tenant) ID that was generated when you created and registered your Microsoft Entra ID application. If you did not make a note of the value, return to the Azure portal and navigate to the Overview tab of your application.

        • CERTIFICATE – Paste the contents of the certificate file (the public key portion, for example certificate.pem) that you uploaded in the Azure portal when you selected the authentication method of your Microsoft Entra ID application.

        • PRIVATE KEY – Paste the contents of the private key file (for example key.pem) that matches that certificate.

      • OAuth2 – If your application uses the OAuth2 authentication method, enter the following information:

        • CLIENT ID – Enter the value of the Application (client) ID that was generated when you created and registered your Microsoft Entra ID application. If you did not make a note of the value, return to the Azure portal and navigate to the Overview tab of your application.

        • CLIENT SECRET – Enter the value of the client secret that was generated when you selected the authentication method of your Microsoft Entra ID application. If you did not make a note of the value, you will need to generate a new secret for the application in the Azure portal.

        • TENANT ID – Enter the value of the Directory (tenant) ID that was generated when you created and registered your Microsoft Entra ID application. If you did not make a note of the value, return to the Azure portal and navigate to the Overview tab of your application.

    • CLOUD – Select an Azure AD cloud environment from the list of available clouds.

  5. Click Save.

  6. Proceed to configure any cloud collector that requires the use of the Microsoft account.

    When you onboard new cloud collectors that require this Microsoft account, you can reuse credentials between different collectors, provided that you assigned the required permissions when you created the Microsoft Entra ID application in the Azure portal. The required permissions for each Microsoft cloud collector are listed in a table in that procedure.

Assign Permissions to a Role Group to Collect Events

A role group makes it easier to manage users and permissions: all members of a role group have the same set of roles and therefore the same permissions, so you grant or revoke permissions by adding users to or removing them from the role group.

To collect data from Microsoft, you need a user with permissions to access those events. Create the user in the organization and domain you want to monitor. The organization must be licensed for Exchange email functionality.

Because some of the Exchange Admin Reports require different permissions, it is important to understand the configuration requirements that allow collection of the data you need. Refer to the Exchange Online permissions documentation for the permissions required by each report type.

You can use one of the following role groups to collect events, depending on your requirements. For more information, see Permissions in Exchange Online in the Microsoft documentation.

Note

For the DLP data source, ensure that the organization has the required subscription. An Office ATP plan is required. For more information, see Microsoft Defender for Office 365 security overview.

  • Organization Management – Users have access to mailbox reports and mail protection reports.

    Data sources enabled by this role: MessageTrace, MailDetailATP, SpoofMailReports, and MailDetailDlpPolicy.

  • View-Only Organization Management – Users have access to mailbox reports.

    Data sources enabled by this role: MessageTrace, MailDetailATP, and SpoofMailReports.

    Note

    For the MailDetailDlpPolicy data source, you must add the Data Loss Prevention permission to this role group.

  • Compliance Management – Users have access to mail protection reports and Data Loss Prevention (DLP) reports (if their subscription has DLP capabilities).

    Data sources enabled by this role: MessageTrace, MailDetailATP, SpoofMailReports, and MailDetailDlpPolicy.

For Microsoft 365 Exchange Admin Reports Cloud Collector, if you want to use a role group with minimum privileges, use the View-Only Organization Management role with required permissions.

To assign permissions to the View-Only Organization Management role group:

  1. Log in to the Exchange Admin Portal https://admin.exchange.microsoft.com/#/adminRole.

  2. In the left pane, click Role > Admin roles.

  3. Search for the View-Only Organization Management role group using the Search box. For more information, see Manage role groups in Exchange Online in the Microsoft documentation.

  4. Click View-Only Organization Management.

  5. In the View-Only Organization Management pane, click Permissions.

  6. In the list of permissions select the following permissions:

    • Data Loss Prevention

    • View-Only Configuration

    • View-Only Recipients

  7. In the Assigned section, you can assign various users or a user group to this role group.

  8. To assign a role (for example, Global Reader), click Add.

    Note

    Select a role that you assigned to your Microsoft Entra ID application. For example: Compliance Administrator or Global Reader. Refer to the Assign Required Roles section in Create a Microsoft Entra ID Application for Cloud Collectors.

  9. Search for the Global Reader role, click the role, then click Add.


    The Assigned section displays the selected role. Proceed to complete other prerequisites and configure the Microsoft 365 Exchange Admin Reports Cloud Collector.

Required Subscriptions for Microsoft 365 Exchange Admin Reports

Before you can onboard a Microsoft 365 Exchange Admin Reports collector, validate that your organization has the required subscriptions to collect data from specific data sources. Information about managing subscriptions can be found in the Microsoft Azure Active Directory fundamentals documentation.

The following table lists the minimum subscription required for each data source that can provide data to your Microsoft 365 Exchange Admin Reports cloud collectors.

| Data Source | Minimum Office 365 Subscription |
| --- | --- |
| MessageTrace | No Minimum |
| SpoofMailReport | E3 |
| MailDetailATP | E3 |
| MailDetailDlpPolicy | E3 |

Ensure that Microsoft Collects Message Trace Events

By default, Microsoft does not collect Message Trace events, and does not analyze the data to generate anomaly and detection events. If you plan to collect Message Trace events, ensure that the data is available before you continue.

  1. Ensure that Message Trace is collected by Microsoft.

    1. Browse to https://admin.exchange.microsoft.com/#/messagetrace.

    2. Click + Start a trace and keep the defaults: no specified ‘from’ or ‘to’ people, and a time range of 2 days.

    3. Click Search and verify that the results are as you expect.

  2. If there was no data in the Message Trace search results, or some results were missing (for example, some users were excluded), refer to the Microsoft guide to enable Microsoft to collect the message trace events.

    Note

    After completing the configuration, it may take up to 24 hours for Microsoft to start collecting the data.