Configuring a Microsoft Subscription application
To collect audit events for Exchange Online, SharePoint Online, OneDrive, Entra ID Sign-ins, Entra ID, and Azure, perform the following changes in your Entra ID tenant.
- Log in to the Azure Portal. The account you use must be granted at least the Cloud Application Administrator and Privileged Role Administrator roles.
- Select Entra ID and then App registrations.
- Select New registration to create a new Entra ID application.
- Provide an application name (e.g., Cygna Auditor - Audit Events), specify the supported account types, and add a Redirect URI. Then select Register to create the new application.
- Copy the Application ID and Directory (tenant) ID.
- In the left navigation bar, select API permissions, select Microsoft Graph, and add the following permissions:

  Permission                 | Type
  ---------------------------|------------
  Group.Read.All             | Application
  MailboxSettings.Read       | Application
  Sites.Read.All             | Application
  Directory.Read.All         | Application
  User.Read.All              | Application
  IdentityRiskEvent.Read.All | Application
  AuditLog.Read.All          | Application
  Reports.Read.All           | Application

- Select Office 365 Management APIs, and add the following permissions:

  Permission          | Type
  --------------------|------------
  ActivityFeed.ReadDlp | Application
  ServiceHealth.Read  | Application
  ActivityFeed.Read   | Application

- Select Windows Azure Active Directory, and add the following permissions:

  Permission         | Type
  -------------------|------------
  Directory.Read.All | Application
  Member.Read.Hidden | Application

- Select Grant admin consent to confirm these permissions for the newly created application.
- Navigate to Certificates & secrets and create a secret for the application. For security purposes, use this secret only for auditing by Cygna Auditor.
  Select New client secret, provide a description and expiry, then select Add. Note that event collection will stop when the secret expires, and you will need to generate a new secret at that time.
  Copy the value to use later. The value is no longer accessible after you leave this screen.
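As an added check (example code, not part of this page or of Cygna Auditor), the script below obtains a client-credentials token with the Application ID, tenant ID and secret from the steps above and compares the token's roles claim with the permission lists given on this page; a missing role means admin consent is incomplete, an extra role means the registration holds more privilege than the auditor needs. The token endpoint and .default scope URLs are the standard Microsoft identity platform values; make_unsigned_token is a constructed helper so the comparison can be exercised offline.

```python
import base64
import json
import urllib.parse
import urllib.request

# Application permissions this page asks for on Microsoft Graph.
GRAPH_ROLES = {
    "Group.Read.All", "MailboxSettings.Read", "Sites.Read.All", "Directory.Read.All",
    "User.Read.All", "IdentityRiskEvent.Read.All", "AuditLog.Read.All", "Reports.Read.All",
}
# Office 365 Management API permissions from this page (a separate resource, so a separate token).
O365_MGMT_ROLES = {"ActivityFeed.Read", "ActivityFeed.ReadDlp", "ServiceHealth.Read"}
RESOURCE_SCOPES = {
    "graph": "https://graph.microsoft.com/.default",
    "o365mgmt": "https://manage.office.com/.default",
}


def acquire_app_token(tenant_id: str, client_id: str, client_secret: str, scope: str) -> str:
    """Client-credentials grant against the v2.0 token endpoint; returns the access token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": scope,
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token: str) -> set:
    """Read the 'roles' claim (consented application permissions) from the JWT payload.
    The signature is not verified: this only inspects a token the app itself just received."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("roles", []))


def compare_roles(access_token: str, expected: set) -> dict:
    """Permissions still missing (consent incomplete) and extras present (over-privileged)."""
    granted = token_roles(access_token)
    return {"missing": expected - granted, "extra": granted - expected}


def make_unsigned_token(roles: list) -> str:
    """Constructed, unsigned JWT for offline demonstration only (never accepted by any API)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'roles': roles})}."
```

In a real run, call acquire_app_token with the copied IDs and secret and RESOURCE_SCOPES["graph"], then pass the returned token to compare_roles(token, GRAPH_ROLES); repeat with the o365mgmt scope and O365_MGMT_ROLES.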