
Microsoft 365

Collect Microsoft 365 audit and activity logs from the Office 365 Management Activity API, including events from Exchange, SharePoint, OneDrive, Azure Active Directory, and more.

RunReveal polls the Microsoft 365 Management Activity API every 5 minutes to retrieve your organization’s audit logs. Logs are available in workload-specific views for easier querying.

Microsoft 365 Source Setup

Prerequisites

Before connecting Microsoft 365 to RunReveal, you need to:

  1. Ensure audit logging is enabled for your Microsoft 365 tenant via the Microsoft Purview compliance portal.
  2. Have access to the Azure Entra admin center with sufficient permissions to register applications and grant admin consent.

Step 1: Register an Application in Azure Entra

  1. Sign in to the Azure Entra admin center and navigate to Entra ID > App registrations.
  2. Click New registration.
  3. Enter a name for the application (e.g., RunReveal 365).
  4. Under Supported account types, select Accounts in this organizational directory only.
  5. Click Register.

Register a new application in Azure Entra

Step 2: Create a Client Secret

  1. In your new app registration, click Certificates & secrets in the left sidebar.
  2. Click New client secret.
  3. Enter a description (e.g., RunReveal integration) and set an expiration period.
  4. Click Add.
  5. Copy the secret Value immediately — it will be hidden after you navigate away from this page. This is your Client Secret.

Step 3: Add API Permissions

  1. In the left sidebar, click API permissions > Add a permission.
  2. Select Office 365 Management APIs.
  3. Add the following Delegated permissions:
    • ActivityFeed.Read
    • ActivityFeed.ReadDlp
    • ServiceHealth.Read
  4. Add the following Application permissions:
    • ActivityFeed.Read
    • ActivityFeed.ReadDlp
    • ServiceHealth.Read
  5. Click Grant admin consent to approve the permissions for your organization.

Office 365 Management API permissions

Step 4: Copy Your Application and Tenant IDs

  1. In the left sidebar, click Overview.
  2. Copy the Application (client) ID — this is your Client ID.
  3. Copy the Directory (tenant) ID — this is your Tenant ID.

Application and Tenant IDs on the Overview page

Step 5: Connect to RunReveal

  1. In RunReveal, navigate to Sources > Add Source.
  2. Search for and select Microsoft 365.
  3. Fill in the following fields:
     Field           Description
     Source Name     A descriptive name for this source
     Tenant ID       Your Azure AD Directory (tenant) ID
     Client ID       Your Azure AD Application (client) ID
     Client Secret   The client secret value you copied in Step 2
  4. Click Save.

RunReveal will automatically subscribe to all available Microsoft 365 activity feeds for your tenant. Logs should begin appearing within a few minutes.

Note: After the first connection, it can take up to 12 hours for Microsoft to make logs available via the API for the first time.

Verify It’s Working

Once added, the source logs should begin flowing within a few minutes.

You can validate that RunReveal is receiving your logs by running the following SQL query:

SELECT * FROM runreveal.microsoft365_logs LIMIT 1

Use dot notation on the rawJSON column to access any Microsoft 365-specific field without needing to know the exact JSONExtractString path:

SELECT
    eventTime,
    eventName,
    rawJSON.UserId,
    rawJSON.Workload,
    rawJSON.Operation,
    rawJSON.ResultStatus,
    rawJSON.ClientIP
FROM runreveal.microsoft365_logs
WHERE rawJSON.Workload = 'AzureActiveDirectory'
LIMIT 50
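Building on the dot-notation query above, here is an added example (not from the RunReveal docs) of a detection-style query over the same view: it finds accounts that accumulated many failed Entra ID sign-ins from one source IP in the last 24 hours and checks whether that IP then produced a successful sign-in for the same account. The operation names UserLoginFailed and UserLoggedIn are the Entra sign-in operations exposed by the Management Activity API, and the 24-hour window and threshold of 10 failures are assumptions to tune for your tenant.

```sql
-- Added example, not part of the RunReveal documentation or product.
-- Assumptions: Operation values 'UserLoginFailed' / 'UserLoggedIn' for Entra
-- sign-in events; a 24 hour window and a threshold of 10 failures.
WITH
failures AS (
    -- Failed sign-ins bucketed per account and source IP.
    SELECT
        toString(rawJSON.UserId) AS userId,
        srcIP,
        count()                  AS failedAttempts,
        max(eventTime)           AS lastFailure
    FROM runreveal.microsoft365_logs
    WHERE eventTime >= now() - INTERVAL 24 HOUR
      AND rawJSON.Workload  = 'AzureActiveDirectory'
      AND rawJSON.Operation = 'UserLoginFailed'
    GROUP BY userId, srcIP
    HAVING failedAttempts >= 10          -- assumed threshold
),
successes AS (
    -- Successful sign-ins in the same window, keyed the same way.
    SELECT
        toString(rawJSON.UserId) AS userId,
        srcIP,
        eventTime                AS successTime
    FROM runreveal.microsoft365_logs
    WHERE eventTime >= now() - INTERVAL 24 HOUR
      AND rawJSON.Workload  = 'AzureActiveDirectory'
      AND rawJSON.Operation = 'UserLoggedIn'
)
SELECT
    f.userId,
    f.srcIP,
    f.failedAttempts,
    f.lastFailure,
    -- Successes from the same IP after the failure burst: the rows to triage first.
    countIf(s.successTime > f.lastFailure) AS successesAfterFailures
FROM failures AS f
LEFT JOIN successes AS s
    ON s.userId = f.userId AND s.srcIP = f.srcIP
GROUP BY f.userId, f.srcIP, f.failedAttempts, f.lastFailure
ORDER BY successesAfterFailures DESC, failedAttempts DESC
LIMIT 50
```

Rows with successesAfterFailures greater than zero are the ones worth reviewing immediately; the rest are noise candidates (expired passwords, misconfigured clients) to tune out with the threshold.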

Schema

The microsoft365_logs view exposes all standard RunReveal normalized fields plus a rawJSON column typed as ClickHouse’s native JSON type. This lets you access any field from the raw Microsoft 365 audit event using dot notation, regardless of workload.

Table: microsoft365_logs
Column               Type
workspaceID          String
sourceID             String
sourceType           LowCardinality(String)
sourceTTL            UInt32
receivedAt           DateTime
id                   String
eventTime            DateTime
eventName            String
eventID              String
srcIP                String
srcASCountryCode     String
srcASNumber          UInt32
srcASOrganization    String
srcCity              String
srcConnectionType    String
srcISP               String
srcLatitude          Float64
srcLongitude         Float64
srcUserType          String
dstIP                String
dstASCountryCode     String
dstASNumber          UInt32
dstASOrganization    String
dstCity              String
dstConnectionType    String
dstISP               String
dstLatitude          Float64
dstLongitude         Float64
dstUserType          String
actor                Map(String, String)
tags                 Map(String, String)
resources            Array(String)
serviceName          String
enrichments          Array(Tuple(…))
readOnly             Bool
rawLog               String
rawJSON              JSON