Introduction
This article shows you how to integrate Microsoft 365 (M365) in the Field Effect MDR Portal for the first time.
If you want to enable Active Response for a cloud service that has already been added in the MDR Portal, see Configuring Active Response.
Optionally, you can request that this integration be limited to a specific subset of your M365 users by Group. This is useful if you have licensing limitations that can't cover the full user count. Please reach out at support@fieldeffect.com to make these specifications.
This article covers the following:
Requirements
To enroll M365 for cloud monitoring, you will need the following:
- Administrator credentials for M365.
- Audit logging enabled within your M365 tenant.
Licensing
It's important for clients to review their Microsoft 365 licensing to ensure they meet the necessary requirements, are leveraging the appropriate features, and remain compliant with Microsoft’s Terms and Services.
Some features of this integration require the Enterprise ID Plan 1 or 2 (Entra P1 or P2) licenses:
| License | Graph API | Active Response (Standard Only) | Conditional Access Policy (CA) | Account MFA Reporting (Accounts Page) | Default Log Retention |
|---|---|---|---|---|---|
| No Entra P1 or P2 | Yes | Yes | No | No | 30 days, raw logs 90 days, security events |
| Entra P1 or P2 | Yes | Yes | Yes | Yes | 30 days, raw logs 90 days, security events |
See the chart below to determine if your license includes Entra P1 or P2. To view the full Microsoft licensing matrix, visit Microsoft Feature Matrix.
| License | Feature | Entra ID Plan 1 or 2 |
| Office 365 | E1 | No |
| E3 | No | |
| E5 | No | |
| M365 Business | Basic | No |
| Standard | No | |
| Premium | Yes | |
| M365 Frontline | F1 | Yes |
| F3 | Yes | |
| F5 Security | Yes | |
| F5 Compliance | No | |
| F5 Sec+Comp | Yes | |
| M365 Enterprise | E3 | Yes |
| E5 Security | Yes | |
| E5 Compliance | No | |
| E5 | Yes | |
| M365 Education | A1 (Legacy) | No |
| A1 for Devices | No | |
| A3 | Yes | |
| A5 Security | Yes | |
| A5 Compliance | No | |
| A5 | Yes |
Setting up M365 Monitoring
Partners: This procedure is performed on a per-client basis. Ensure that the Organization Selector is set to the appropriate client before continuing.
From the Integrations page's (Administration section) Cloud Monitoring tab, click Add in the Microsoft 365 (with Azure AD) card.
The Microsoft 365 window will open. The first page asks if you would like to enable Active Response for the account.
If your organization has an Active Response policy in place, selecting Standard will apply it to this cloud service. Visit Active Response for Cloud Service to learn more.
You’ll be taken to a Microsoft page listing the accounts you’re currently logged into. Select your Microsoft 365 admin account.
After logging in, you will be asked to grant Field Effect MDR permission to access the metrics listed in the image below. If you approve of this, click Accept.
The example above shows the permissions required for the Standard integration. If you are selecting the Limited integration, you will see fewer permissions listed.
You'll be taken back to the integrations page, and the integration card will show that the integration is connected and promoted to the top, alongside any other connected integrations.
Due to the time it takes for configuration changes to propagate through Microsoft’s servers, it may take up to 4 hours for audit logging to start collecting logs.
Troubleshooting
"Need admin approval"
If you try enabling integrating this service with an account that does not have admin privileges, you’ll receive the following "Need admin approval" error:
Have an admin in your organization follow the steps above to resolve this. Alternatively, if you have an admin account, click Have an admin account? Sign in with that account and continue the process.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article