Skip to content
KYRA MDR KYRA MDR Docs

Microsoft 365 Integration

Overview

This integration collects Azure AD sign-in events, Exchange mail flow rules, SharePoint file access, OneDrive activity, and Microsoft Defender alerts via the Office 365 Management Activity API and Microsoft Graph API.

Supported services: Exchange Online, SharePoint, OneDrive, Teams, Azure AD

Prerequisites

  • A KYRA MDR Collector installed and running (Installation Guide)
  • Microsoft 365 Business Basic plan or higher
  • Azure AD admin access to register an application and grant API permissions

Configuration

Step 1: Register an Azure AD Application

  1. Log in to the Azure Portal
  2. Navigate to Azure Active Directory > App registrations > New registration
  3. Register the application and note the Application (client) ID and Tenant ID
  4. Create a client secret under Certificates & secrets

Step 2: Grant API Permissions

Grant the following permissions to the registered application:

  • ActivityFeed.Read (Office 365 Management APIs)
  • AuditLog.Read.All (Microsoft Graph)
  • SecurityEvents.Read.All (Microsoft Graph)

Step 3: Enable Activity Feed Subscriptions

POST https://manage.office.com/api/v1.0/{tenant_id}/activity/feed/subscriptions/start
Content-Type: application/json
{ "contentType": "Audit.AzureActiveDirectory" }

Repeat for: Audit.Exchange, Audit.SharePoint, Audit.General, DLP.All

Step 4: Provide Credentials to KYRA MDR

Enter the Tenant ID, Client ID, and Client Secret in the KYRA MDR integration settings.

Collected Log Types

Log TypeSecurity UsePriority
Azure AD sign-insAccount takeover, brute force detectionCritical
MFA eventsMFA fatigue attack detectionHigh
Exchange forwarding rulesBusiness email compromise (BEC)Critical
SharePoint external sharingData exfiltration detectionHigh
OneDrive bulk downloadPre-resignation data theftHigh
Teams guest additionsUnauthorized external accessMedium
Defender alertsMalware detectionCritical
Admin role changesPrivilege escalation detectionCritical
DLP eventsSensitive data leak preventionHigh

Troubleshooting

No Events Received

  1. Verify the Azure AD app has the correct permissions and admin consent
  2. Confirm the activity feed subscriptions are active
  3. Check that the Client Secret has not expired

Partial Logs

  • Ensure all content types (Audit.Exchange, Audit.SharePoint, etc.) have active subscriptions
  • Some log types require Microsoft 365 E5 or Defender for Office 365 licenses

For additional help, contact kyra@seekerslab.com.