Integrate Microsoft Office 365 with Red Canary


Note: In addition to setting up this Microsoft Office 365 integration, please also configure the Entra ID integration and Microsoft Graph integration to ensure you have the most complete and accurate login data.

Prerequisites

Before you start the Microsoft Office 365 integration, please make sure the following requirements are met:

  • You’re a Global Admin user

  • You have an active Microsoft subscription that includes a Defender for Office 365 workload. To check if your subscription plan includes Defender for Office 365, refer to Microsoft's Subscription Matrix.

Step 1: Turn on auditing for your organization

Make sure audit logging is turned on for your organization by following the steps in Turn auditing on or off.

Note: We recommend that you have the following operations turned on in your mailbox audit log section in Office 365 in addition to the operations enabled by default.

  • Move

  • SearchQueryInitiated

For more information, see Manage mailbox auditing.
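The following Exchange Online PowerShell script is an added example and is not part of the Red Canary documentation. It verifies the settings Step 1 and the note above call for: that Unified Audit Log ingestion is on, that mailbox auditing is not disabled tenant-wide, and that the Move and SearchQueryInitiated actions are audited for owner and delegate access on every user mailbox. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account is permitted to read and change audit configuration.

```powershell
# Added example (not from the Red Canary documentation): check the audit
# settings Step 1 requires, using Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account may read and change audit configuration.
Connect-ExchangeOnline

# Organization level: the Unified Audit Log must be ingesting events.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Host "Unified Audit Log ingestion is off; turning it on."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Organization level: mailbox auditing must not be disabled tenant-wide.
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Host "Mailbox auditing is disabled tenant-wide; enabling it."
    Set-OrganizationConfig -AuditDisabled $false
}

# Mailbox level: Move and SearchQueryInitiated are not in the default action
# set, so add them for owner and delegate access on every user mailbox.
# (SearchQueryInitiated is only valid for the owner and delegate scopes.)
$recommended = @('Move', 'SearchQueryInitiated')
$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($scope in 'AuditOwner', 'AuditDelegate') {
        $missing = @($recommended | Where-Object { $mbx.$scope -notcontains $_ })
        if ($missing.Count -gt 0) {
            $params = @{ Identity = $mbx.Identity }
            $params[$scope] = @{ Add = $missing }   # appends; existing actions stay
            Set-Mailbox @params
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Scope   = $scope
                Added   = ($missing -join ', ')
            }
        }
    }
}
$report | Format-Table -AutoSize
```

The script adds the two actions with `@{ Add = ... }` rather than replacing the list, so the default audited actions remain in place. Run it once after enabling auditing and again after onboarding new mailboxes, since mailboxes created later start with the default action set only.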

Step 2: Give Red Canary Office 365 permissions

Red Canary needs permission from a global administrator to ingest audit logs from your Microsoft 365 account.

  1. Navigate to this URL, and then log in to your global administrator account.

  2. Approve the permissions requested by Red Canary + Office365.

    Note: Only Global Administrators can approve admin consent requests.

Step 3: Connect Red Canary to Office 365

  1. From your Red Canary homepage, click Integrations.

  2. From the Integrations section, select Microsoft Office 365.

  3. Click Configure.

  4. Check the box indicating that auditing is turned on and Red Canary has access to your Office 365 account.

  5. Paste your tenant ID in the box labeled Microsoft Office 365 Tenant ID. To find your ID, follow the steps in How to find your Azure Active Directory tenant ID.

  6. Optional: Click Advanced Configuration to exclude selected Entra ID identity groups from being counted as monitored identities. Note that excluded groups and identities may still be included in investigations and threats, but will not be included in the MDR Identities count on the License Usage page.

  7. Click Save.

FAQ

How do I know Red Canary is connected to Office 365?

It can take some time before Red Canary starts ingesting your audit logs. Confirmed threats from Office 365 will appear alongside endpoint activity in your threat timeline.

Check the status of the integration:

  1. In Red Canary, click your profile icon.

  2. Under Integrations, click Microsoft Office 365. If the integration was successful, you’ll see Audit.Exchange enabled in the Office 365 Subscriptions table.


If you don’t see any subscriptions, wait a few minutes, and then refresh the page.

How is this integration different from the Microsoft Graph for Microsoft Entra ID Protection?

The Microsoft Entra ID Identity Protection alert source and the Microsoft Entra ID and Microsoft Azure integrations are loosely related.

The alert source is focused on ingesting the alerts generated by the Identity Protection service. Red Canary then analyzes the alerts to determine if a threat has occurred.

The Entra and Azure integrations ingest logs and telemetry, which flows through the Red Canary detection engine and generates threats when merited.

The Microsoft Entra ID Identity Protection Alert Source and the Microsoft Entra ID and Microsoft Azure integrations work together. Suppose Red Canary receives a Microsoft Entra ID log and publishes a threat for it, and we also receive an MS Graph Identity Protection alert, or vice versa. In that case, we can correlate the alert and the threat and offer extended coverage.

Why would the Entra ID integration stop receiving data after configuring the Azure integration?

This is expected behavior when both integrations export data from the same Log Analytics Workspace; it prevents the same data set from being exported twice.

When Entra ID is the only integration configured, a data export is created in Log Analytics Workspace to send data to Red Canary. This data is received under the Entra ID integration.

If an Azure integration is also configured using the same Log Analytics Workspace, a data export is created for this service and the data export for Entra ID is deleted. The data is then received by Red Canary under the Azure integration, and the telemetry volume reported under Entra ID will drop to zero.

Because the telemetry Red Canary collects from Entra ID overlaps with what it collects from Azure in the same Log Analytics Workspace, a single data export is used to avoid Microsoft egress charges for redundant data.

Why is my MDR Identities license count higher than my MDR Email and Productivity Suites count?

This is due to object counting differences. MDR Identities (Entra ID) counts both User and Application objects, while MDR Email and Productivity Suites (Office 365) counts only User objects.

Ingest Details

Red Canary monitors your Office 365 environment by integrating with the Office 365 Management API, which sources data from the Microsoft Unified Audit Log. The Unified Audit Log (UAL) is an aggregation of audited activities that occur within your Microsoft 365 environment. By connecting your Unified Audit Log to Red Canary as an external service, you enable Red Canary to analyze and detect threats related to email events, user sign-ins, and more, and to supplement the investigation of your Microsoft email- and identity-based alerts. Supporting artifacts from the Unified Audit Log will appear alongside endpoint activity in your threat timeline where applicable.

Red Canary collects and stores all event types from the Unified Audit Log for investigations and hunting, and we pay special attention to the following logs for detection purposes:

  • EmailRuleModification

  • MailboxSettingsModification

  • LogonAttempt

  • MailboxAccessDelegated

  • MailboxFolderPermissions
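The following Exchange Online PowerShell script is an added example, not part of the Red Canary documentation. It checks that the Unified Audit Log actually contains records of the kinds listed above, so that an integration that shows Audit.Exchange enabled but receives no useful events can be spotted on your side. The Operation names are Exchange Online and Entra ID audit operations; grouping them under the Red Canary detection categories above is this example's own assumption, not a documented mapping. It assumes the ExchangeOnlineManagement module is installed and the signed-in account can run Search-UnifiedAuditLog.

```powershell
# Added example (not from the Red Canary documentation): confirm the Unified
# Audit Log holds the kinds of records Red Canary watches, per category.
# The category-to-operation grouping below is an assumption of this example.
Connect-ExchangeOnline

$end   = Get-Date
$start = $end.AddDays(-7)

$checks = [ordered]@{
    'EmailRuleModification'       = @('New-InboxRule', 'Set-InboxRule', 'Remove-InboxRule', 'UpdateInboxRules')
    'MailboxSettingsModification' = @('Set-Mailbox')                       # e.g. forwarding changes
    'LogonAttempt'                = @('UserLoggedIn', 'UserLoginFailed')   # Entra ID sign-in records
    'MailboxAccessDelegated'      = @('Add-MailboxPermission', 'Add-RecipientPermission')
    'MailboxFolderPermissions'    = @('AddFolderPermissions', 'ModifyFolderPermissions', 'RemoveFolderPermissions')
}

foreach ($category in $checks.Keys) {
    # ResultSize 5000 is the per-call maximum; enough to show whether records exist.
    $records = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                   -Operations $checks[$category] -ResultSize 5000)
    '{0,-28} {1,5} record(s) in the last 7 days' -f $category, $records.Count
}

# Inspect one record in full. AuditData is a JSON string that carries the
# actor, client IP address and the parameters of the operation.
$sample = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
              -Operations 'New-InboxRule' -ResultSize 1
if ($sample) { $sample.AuditData | ConvertFrom-Json | Format-List }
```

A count of zero for a category over a week means either that no such activity occurred or that the records are not being generated; in the second case, revisit the audit settings from Step 1 before assuming the integration is at fault. The UAL can lag the underlying activity by some time, so query a window that ends well before the present.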