Configuring a Microsoft Subscription application

To collect audit events for Exchange Online, SharePoint Online, OneDrive, Entra ID Sign-ins, Entra ID, and Azure, perform the following changes in your Entra ID tenant.

  1. Sign in to the Azure portal with an account that holds at least the Cloud Application Administrator and Privileged Role Administrator roles. Both are needed: the first to create and configure the application, the second to grant tenant-wide admin consent for the application permissions in step 9.

  2. Select Entra ID and then specify App registrations.

  3. Select New registration to create a new Entra ID application.

  4. Provide an application name (e.g., Cygna Auditor - Audit Events), specify the supported account types, and add a Redirect URI. Then select Register to create the new application.

  5. From the application's Overview page, copy the Application (client) ID and the Directory (tenant) ID. You will need both, together with the client secret from step 10, when you configure collection.

  6. In the left navigation bar, select API permissions, select Add a permission, choose Microsoft Graph, and add the following permissions (all of type Application):

    Permission                   Type
    Group.Read.All               Application
    MailboxSettings.Read         Application
    Sites.Read.All               Application
    Directory.Read.All           Application
    User.Read.All                Application
    IdentityRiskEvent.Read.All   Application
    AuditLog.Read.All            Application
    Reports.Read.All             Application

  7. Select Add a permission again, choose Office 365 Management APIs, and add the following permissions (all of type Application):

    Permission                   Type
    ActivityFeed.ReadDlp         Application
    ServiceHealth.Read           Application
    ActivityFeed.Read            Application

  8. Select Add a permission again, choose Windows Azure Active Directory, and add the following permissions (all of type Application). Note that this entry is the legacy Azure AD Graph API (graph.windows.net), which Microsoft has retired; if it is no longer listed in your tenant, it cannot be added.

    Permission                   Type
    Directory.Read.All           Application
    Member.Read.Hidden           Application

  9. Select Grant admin consent for <your tenant> and confirm. Application permissions always require admin consent; until it is granted, the Status column for each permission shows Not granted, and token requests for the application will carry none of these permissions.

  10. Navigate to Certificates & secrets and create a client secret for the application. Because this secret, combined with the permissions above, grants tenant-wide read access to directory, mailbox-settings, site and audit data, use it only for auditing by Cygna Auditor and store it in a secrets store rather than in scripts or tickets.
    • Select New client secret, provide a description and an expiry, then select Add. Collection stops when the secret expires, so record the expiry date and create and deploy a replacement secret before then.

    • Copy the secret Value (not the Secret ID) to use later. The value is shown only once and cannot be retrieved after you leave this screen; if it is lost, delete the secret and create a new one.
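After completing the steps above, it is worth confirming that admin consent actually took effect before handing the credentials to the collector. The following script is an added example and is not part of Cygna Auditor or of Microsoft's tooling: it requests an app-only token with the client-credentials grant for Microsoft Graph and for the Office 365 Management APIs, decodes the token's `roles` claim, and reports any permission from the tables in steps 6 and 7 that is missing. The legacy Azure AD Graph permissions from step 8 are not checked, because that API is retired. The environment variable names ENTRA_TENANT_ID, ENTRA_CLIENT_ID and ENTRA_CLIENT_SECRET are assumptions of this example, and the token payload is decoded without signature verification, which is acceptable only because the token was just issued to us over TLS and is never used to authenticate anyone.

```python
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Application permissions from the tables in steps 6 and 7, keyed by the
# resource whose "/.default" scope the token is requested for.
REQUIRED_ROLES = {
    "https://graph.microsoft.com": {
        "Group.Read.All", "MailboxSettings.Read", "Sites.Read.All",
        "Directory.Read.All", "User.Read.All", "IdentityRiskEvent.Read.All",
        "AuditLog.Read.All", "Reports.Read.All",
    },
    "https://manage.office.com": {
        "ActivityFeed.Read", "ActivityFeed.ReadDlp", "ServiceHealth.Read",
    },
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    Only safe for inspecting a token the token endpoint just issued to us;
    never use this to authenticate a caller.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(token: str, resource: str) -> list:
    """Required application permissions absent from the token's `roles` claim.

    Entra ID puts consented application permissions into `roles`; an empty or
    missing claim usually means admin consent (step 9) was never granted.
    """
    granted = set(decode_claims(token).get("roles", []))
    return sorted(REQUIRED_ROLES[resource] - granted)


def fetch_token(tenant_id: str, client_id: str, client_secret: str, resource: str) -> str:
    """Obtain an app-only access token via the client-credentials grant (v2.0 endpoint)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": resource + "/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    # urllib sends a POST with application/x-www-form-urlencoded when data is given.
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def sample_token(claims: dict) -> str:
    """Build an unsigned, JWT-shaped string from constructed claims (offline testing only)."""
    header = base64.urlsafe_b64encode(b'{"alg":"none","typ":"JWT"}').rstrip(b"=").decode()
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"{header}.{payload}."


def main() -> int:
    # Environment variable names are an assumption of this example.
    tenant = os.environ["ENTRA_TENANT_ID"]
    client = os.environ["ENTRA_CLIENT_ID"]
    secret = os.environ["ENTRA_CLIENT_SECRET"]
    ok = True
    for resource in REQUIRED_ROLES:
        missing = missing_roles(fetch_token(tenant, client, secret, resource), resource)
        if missing:
            ok = False
            print(f"{resource}: missing {', '.join(missing)} (add the permission and grant admin consent again)")
        else:
            print(f"{resource}: all required application permissions present")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it once after step 9 and again after every secret rotation; a non-zero exit means at least one permission was added to the registration but never consented, which is the most common reason a collector authenticates successfully yet receives 403 responses.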