
pmatthews05/O365AuditWebHook

Introduction

This is the main README.md file for the O365AuditWebHook project. It shows you how to set up your environment so that it is ready to use this code.

The purpose of this project is to show how you can set up a webhook connected to the Office 365 Audit logs.

Related blog post URL:

Disclaimer

This code is to be used as an example, and should never be used directly within a Production environment.

Prerequisite knowledge required

  • PowerShell
  • Azure Functions V1
  • Azure Storage
  • SharePoint Tenant
  • Creating an App Token

Getting Started

Create Environment Settings file

Create a local.settings.json file in the AuditWebHook folder that holds all the settings needed for the environment.

{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "<Location to your Azure Function Storage>",
    "AzureWebJobsDashboard": "<Location to your Azure Function Storage>",
    "Tenant": "<TenantName>",
    "ClientId": "<ClientID>",
    "Secret": "<AppSecret>",
    "FUNCTIONS_EXTENSION_VERSION": "~1",
    "AzureServicesAuthConnectionString": "RunAs=Developer;DeveloperTool=AzureCli"
  }
}

Steps to Set up

  • Create Azure Resource Group
    • Add Azure Functions V1
    • Add Storage
      • Take a copy of the Access Keys Connection String for Key 1
    • Add Application Insights
  • Create an App Registration
    • Take a copy of the Application (Client) ID
    • Create a Secret and take a copy of the Application secret
    • Take a copy of the Directory (tenant) ID
    • Add API Permission - Office 365 Management APIs -> Application permissions -> ActivityFeed.Read
  • Put the values you copied in the previous steps into the local.settings.json file
    • Keep the Directory (tenant) ID for PowerShell later
    • The Tenant name is just the name before .onmicrosoft.com (no need to include .onmicrosoft.com)
  • Publish the Solution to the Azure Function
    • Ensure the settings are in the Configuration settings
    • Take a copy of your Azure Function URL

Add an O365 Audit log to your Webhook

There are 5 different logs that can connect to the webhook.

  • Audit.AzureActiveDirectory
  • Audit.Exchange
  • Audit.SharePoint
  • Audit.General
  • DLP.All

Call the following PowerShell to register the Audit.SharePoint log with the webhook.

.\Set-AuditLogs.ps1 -ClientID:<CLIENTID> -ClientSecret:<APPSECRET> -TenantDomain:<TENANT>.onmicrosoft.com -TenantGUID:<TENANTGUID> -WebHookUrl:https://<AzurefunctionURL>/API/AuditWebHook -ContentType:Audit.SharePoint
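
One way to confirm that the registration took effect, as an added example that is not part of this project's scripts: it requests a client-credentials token for the app registration created above and calls the Office 365 Management Activity API subscriptions/list endpoint, then reports the webhook state for one content type. The parameter names are hypothetical, and the secret is read from a prompt rather than passed on the command line.

```powershell
# Added example (not from the O365AuditWebHook repository). Lists the tenant's
# Management Activity API subscriptions and reports the webhook state for one
# content type. Parameter names are hypothetical.
param(
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $TenantGuid,
    [Parameter(Mandatory)] [string] $WebHookUrl,
    [ValidateSet('Audit.AzureActiveDirectory', 'Audit.Exchange', 'Audit.SharePoint',
                 'Audit.General', 'DLP.All')]
    [string] $ContentType = 'Audit.SharePoint'
)

# Prompt for the secret so it does not land in shell history or process listings.
$secure = Read-Host -Prompt 'App secret' -AsSecureString
$secret = [System.Net.NetworkCredential]::new('', $secure).Password

# Client-credentials token for the Office 365 Management APIs resource.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantGuid/oauth2/token" `
    -Body @{
        grant_type    = 'client_credentials'
        resource      = 'https://manage.office.com'
        client_id     = $ClientId
        client_secret = $secret
    }

# Retrieve every subscription registered for this tenant and application.
$headers = @{ Authorization = "Bearer $($token.access_token)" }
$subs = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "https://manage.office.com/api/v1.0/$TenantGuid/activity/feed/subscriptions/list"

$sub = $subs | Where-Object { $_.contentType -eq $ContentType }
if (-not $sub) {
    Write-Warning "No subscription found for $ContentType."
    exit 1
}

# AddressMatches is False when the subscription points at a different endpoint
# than the Azure Function URL you expected.
[pscustomobject]@{
    ContentType        = $sub.contentType
    SubscriptionStatus = $sub.status
    WebhookStatus      = $sub.webhook.status
    WebhookAddress     = $sub.webhook.address
    AddressMatches     = ($sub.webhook.address -eq $WebHookUrl)
}
```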

Remove an O365 Audit log from your Webhook

Call the following PowerShell to de-register the Audit.SharePoint log from the webhook.

.\Remove-AuditLogs.ps1 -ClientID:<CLIENTID> -ClientSecret:<APPSECRET> -TenantDomain:<TENANT>.onmicrosoft.com -TenantGUID:<TENANTGUID> -WebHookUrl:https://<AzurefunctionURL>/API/AuditWebHook -ContentType:Audit.SharePoint