Barracuda XDR

Integrating Microsoft 365


Completing the following procedures allows Barracuda XDR to monitor your logs and to investigate and alert on potential identity, email, and other risks found in the cloud, including suspicious logins and more.


To incorporate SOAR for Microsoft 365 instead, see Setting up SOAR for Microsoft 365 Cloud.

Prerequisites
  • Ensure you have enabled Audit Log Search. (Microsoft docs)

  • Register an application in Entra ID. (Microsoft docs)

  • Once the application is registered, take note of the Application (client) ID and the Directory (tenant) ID.

  • Configure app authentication in the Certificates & Secrets screen.

  • Add API permissions and grant admin consent.

  • Enter the application ID, directory ID, and application secret in the Barracuda XDR Dashboard.

Enable Audit Logging For All Mailboxes in Microsoft 365

To enable audit logging for all mailboxes in Microsoft 365, do one of the following procedures:

  • To enable audit logging through Admin Center (recommended)

  • To enable audit logging via PowerShell

To enable audit logging through Admin Center

You can use the Security & Compliance Center to turn on audit log search in Microsoft 365. It may take several hours after you turn on audit log search before you can return results when you search the audit log. You must be assigned the Audit Logs role in Exchange Online to turn on audit log search.

  1. Go to portal.office.com, then open the Admin center on the left side.

  2. On the left side, click Show All.

  3. Click the Compliance tab to open Microsoft Purview.

  4. In Microsoft Purview, select Audit.
    A banner is displayed saying that auditing must be turned on to record user and admin activity.

  5. Click Turn on auditing.
    The banner is updated to say the audit log is being prepared and may take a few hours to take full effect. (This could result in this integration not working right away.)

If you don't see the Turn on auditing banner at the top, that means auditing is already enabled. 


To enable audit logging via PowerShell

If you run into any issues using the above instructions, you can also use Exchange Online PowerShell to enable auditing for your tenant.

  1. Connect to Exchange Online PowerShell.

  2. Run the following PowerShell command to turn on auditing.
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true 

  3. A message displays, saying that it may take up to 60 minutes for the changes to take effect.

You can find additional PowerShell commands here.
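The PowerShell procedure above, extended into a check-then-enable script (an added example, not part of Barracuda's documentation). It assumes the ExchangeOnlineManagement module is installed; the function name `Enable-TenantAuditing` is hypothetical. It also reports the organization-wide mailbox auditing flag and any accounts with an audit bypass, since both affect what reaches the audit log.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed and the
# signed-in account holds the Audit Logs role in Exchange Online.
function Enable-TenantAuditing {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Read the flag from Exchange Online PowerShell: in Security & Compliance
    # PowerShell this property always reads False.
    $before = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

    if (-not $before -and
        $PSCmdlet.ShouldProcess('tenant', 'Enable unified audit log ingestion')) {
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    }

    # Mailbox auditing is on by default when AuditDisabled is False.
    $org = Get-OrganizationConfig

    # Accounts whose mailbox actions are excluded from auditing.
    $bypass = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
        Where-Object { $_.AuditBypassEnabled }

    [pscustomobject]@{
        IngestionEnabledBefore = $before
        # May still read False for a while: the change takes time to apply.
        IngestionEnabledNow    = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
        MailboxAuditDisabled   = $org.AuditDisabled
        AuditBypassAccounts    = @($bypass | ForEach-Object { $_.Name })
    }
}

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false   # interactive sign-in
Enable-TenantAuditing | Format-List
Disconnect-ExchangeOnline -Confirm:$false
```

Run it with `-WhatIf` on the function call to see the current state without changing the tenant setting.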

Configuring Microsoft 365

ALL steps require Microsoft 365/Azure Administrative privileges.

  1. Log on to https://portal.office.com/adminportal

  2. On the left side, click Show All and go to Admin Center > Entra ID.

  3. Under Favorites, click Entra ID, and under Manage Column, navigate to App Registrations.


  4. Click New Registration.

  5. Fill in the Application Information:

    • In Name, enter SKOUTCYBERSECURITY.

    • Enable the Accounts in this organizational directory only (domain - Single Tenant) checkbox.

    • Redirect URL can be left blank.

  6. You are redirected to another page. Copy the Application ID and Directory (tenant) ID, so you can input them into the Security dashboard once completed, or paste them in now without saving.

  7. Under Manage on the left, click API Permissions > Add a permission.

  8. From the list, select Microsoft 365 Management APIs and open Application permissions.

  9. From the list of Application Permissions, check all the options with Read privileges (those ending in .Read), then click Add Permissions.
    NOTE The picture below may be different in your case, and will most likely have fewer permissions showing.


  10. Optionally, if you want to support remediation actions (disable user logins), add one more permission by doing the following.

    1. Click Add a permission again.

    2. Click Microsoft Graph.

    3. Select Application permissions (not delegated).

    4. Select User.ReadWrite.All.

    5. Click Add permissions to save the change.

    6. If this is an update to a previously-configured app, make sure to click Grant admin consent after adding the new permission.


  11. You should now be back on the API permissions Overview page. Select Grant admin consent for Domain.


  12. Click Certificates & Secrets.

  13. Click New Client Secret.


  14. In Description, type Barracuda XDR.

  15. In Expires, select 24 months, then click Add.

  16. Save the value to your notes. You'll need to paste it into the Barracuda XDR Dashboard setup screen.

To verify connection and permissions

  1. In Barracuda XDR Dashboard, click Administration > Integrations.

  2. On the Microsoft 365 card, click Setup.


    NOTE If you have already set up the integration, click Update.

  3. Paste the application ID, directory ID, and secret value that you saved from the above steps.

  4. Click the Test button to verify connection & permissions.

  5. Click Save.
    NOTE It may take some time for Microsoft's changes to take effect. If the test function says there's no data yet, try saving the settings anyway.
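An independent way to confirm what the registered app can actually do, separate from the dashboard's Test button (an added example, not Barracuda's own code). It requests client-credentials tokens for the Office 365 Management API and Microsoft Graph, reads the granted roles from each token, and lists the tenant's audit-content subscriptions; the tenant and client ID values are placeholders and the helper name `Get-AppRoles` is hypothetical.

```powershell
# Added example. $TenantId and $ClientId are placeholders for the Directory
# (tenant) ID and Application (client) ID noted in step 6.
$TenantId = '<directory-tenant-id>'
$ClientId = '<application-client-id>'
$secure   = Read-Host -Prompt 'Client secret value' -AsSecureString
$secret   = [System.Net.NetworkCredential]::new('', $secure).Password

function Get-AppRoles {
    param([Parameter(Mandatory)][string]$Resource)
    # OAuth 2.0 client-credentials request against the tenant's token endpoint.
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -Body @{
            grant_type    = 'client_credentials'
            client_id     = $ClientId
            client_secret = $secret
            scope         = "$Resource/.default"
        }
    # The granted application permissions appear in the token's "roles" claim;
    # decode the base64url JWT payload to read them.
    $p = $resp.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($p.Length % 4) { 2 { $p += '==' } 3 { $p += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)) |
        ConvertFrom-Json
    [pscustomobject]@{
        Token = $resp.access_token
        Roles = @($claims.roles | Where-Object { $_ })
    }
}

$mgmt  = Get-AppRoles -Resource 'https://manage.office.com'
$graph = Get-AppRoles -Resource 'https://graph.microsoft.com'

# Steps 9-10 grant only Read roles on the Management API, plus
# User.ReadWrite.All on Graph when remediation is wanted. Flag anything else.
$unexpected = @($mgmt.Roles  | Where-Object { $_ -notmatch '\.Read(?!Write)' }) +
              @($graph.Roles | Where-Object { $_ -ne 'User.ReadWrite.All' })

# Audit-content subscriptions currently active for this tenant (may be empty
# until the integration has been saved and auditing has finished preparing).
$subs = Invoke-RestMethod -Headers @{ Authorization = "Bearer $($mgmt.Token)" } `
    -Uri "https://manage.office.com/api/v1.0/$TenantId/activity/feed/subscriptions/list"
[pscustomobject]@{
    ManagementApiRoles = $mgmt.Roles -join ', '
    GraphRoles         = $graph.Roles -join ', '
    UnexpectedRoles    = $unexpected -join ', '
    Subscriptions      = @($subs | Where-Object { $_ } | ForEach-Object { "$($_.contentType)=$($_.status)" }) -join ', '
} | Format-List
Remove-Variable secret, secure
```

An empty `UnexpectedRoles` line means the app holds no permissions beyond those the steps above describe; if `GraphRoles` shows `User.ReadWrite.All` and remediation is not in use, remove that permission from the app registration.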