Connect to Microsoft Office 365 to start ingesting and processing your Office 365 audit logs.

Step 1: Turn on auditing for your organization

Make sure audit logging is turned on for your organization by following the steps in Turn auditing on or off.

Step 2: Give Red Canary Office 365 permissions

Red Canary needs permission from a global administrator to ingest audit logs from your Microsoft 365 account.

1. Go to this URL, and then log in to your global administrator account.
2. Approve the permissions requested by Red Canary + Office365.

Step 3: Connect Red Canary to Office 365

1. In Red Canary, click your profile icon.
2. Under Integrations, click Microsoft Office 365.
   
3. Click Configure a new service.
4. Ensure that you’ve completed all the steps above, and then check the box indicating that auditing is turned on and Red Canary has access to your Office 365 account.
5. Paste your tenant ID in the box labeled Microsoft Office 365 Tenant ID. To find your ID, follow the steps in How to find your Azure Active Directory tenant ID.
6. Click Create external service.

How do I know Red Canary is connected to Office 365?

It can take some time before Red Canary starts ingesting your audit logs. Confirmed threats from Office 365 will appear alongside endpoint activity in your threat timeline.

Check the status of the integration:

1. In Red Canary, click your profile icon.
2. Under Integrations, click Microsoft Office 365. If the integration was successful, you’ll see Audit.Exchange enabled in the Office 365 Subscriptions table.
   If you don’t see any subscriptions, wait a few minutes, and then refresh the page.