Azure & Office 365 Monitoring

Alex

Jan 15, 2026, 7:18:42 AM
to Wazuh | Mailing List

Hello,

I want to view Office 365 and Azure logs with Wazuh. What licenses do I need for this? What are the effects of the differences between the licenses on the logs? I would appreciate it if you could provide me with this information.

Best regards.

Nicolas Stefani

Jan 15, 2026, 8:28:39 AM
to Alex, Wazuh | Mailing List
Hi Alex,

I'm not an expert on the Azure side, but doing a quick search, I found that the license requirements are:

* Unified auditing must be active for any logs to be available.
* Standard Office 365 logs are available with most paid M365 plans if audit logging is turned on.
* Advanced audit categories and longer histories require Audit Premium / E5-level licensing.
* Azure AD sign-in logs via Graph API typically require Azure AD Premium P1/P2 to export.
* Azure Monitor logs require an Azure subscription but not special Microsoft 365 licenses.

From the Wazuh side, we have these guides to configure the integrations:


Regards,

--
Wazuh Nicolás Stefani
Software Engineer

Alex

Jan 15, 2026, 9:24:44 AM
to Wazuh | Mailing List

Hi,

I completed the steps in the link below. I also entered the settings below in the manager config section.

https://documentation.wazuh.com/current/cloud-security/office365/monitoring-office365-activity.html#setting-up-office-365-for-monitoring

  <office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>100M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
      <tenant_id>xxxxxxxxxxxxxx</tenant_id>
      <client_id> xxxxxxxxxxxxxx  </client_id>
      <client_secret> xxxxxxxxxxxxxx  </client_secret>
      <api_type>commercial</api_type>
    </api_auth>
    <subscriptions>
      <subscription>Audit.SharePoint</subscription>
      <subscription>Audit.AzureActiveDirectory</subscription>
      <subscription>Audit.Exchange</subscription>
      <subscription>Audit.SharePoint</subscription>
      <subscription>Audit.General</subscription>
      <subscription>DLP.All</subscription>
    </subscriptions>
  </office365>


However, I am receiving the errors below:

Rule.id: 91648
Office 365 module internal event, 3 request fail.

{"error":{"code":"StartSubscription [CorrId=xxxxxx][TenantId=xxx,ContentType=Audit.AzureActiveDirectory,ApplicationId=xxx,PublisherId=00000000-0000-0000-0000-000000000000][AppId","message":"xxxx] failed. Exception: Microsoft.Office.Compliance.Audit.DataServiceException: Tenant xxxxx does not exist.\r\n   at Microsoft.Office.Compliance.Audit.API.AzureManager.<GetSubscriptionAzureTableClientForTenantAsync>d__84.MoveNext() in C:\\__w\\1\\s\\sources\\dev\\AuditAPIService\\Common\\AzureManager.cs:line 3930\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at Microsoft.Office.Compliance.Audit.API.AzureManager.<GetAPISubscriptionV2Async>d__30.MoveNext() in C:\\__w\\1\\s\\sources\\dev\\AuditAPIService\\Common\\AzureManager.cs:line 959\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at Microsoft.Office.Compliance.Audit.API.StartController.<StartSubscription>d__4.MoveNext() in C:\\__w\\1\\s\\sources\\dev\\AuditAPIService\\APIFrontEndServiceRole\\Controllers\\StartController.cs:line 177"}}
On Thursday, January 15, 2026 at 16:28:39 UTC+3, Nicolas Stefani wrote:

Nicolas Stefani

Jan 16, 2026, 11:42:52 AM
to Alex, Wazuh | Mailing List
Where are you getting this error from? Is it from the Wazuh side?

At first glance, you have a problem with the tenant id:

Tenant xxxxx does not exist.

However, it seems unrelated to Wazuh; please clarify.
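
Added example, not part of any post in this thread and not Wazuh code: a Python helper that pulls the fields relevant for triage out of an Office 365 Management Activity API error body like the one quoted above. The sample input is constructed from that error with the stack trace cut to one frame; the function name `triage` and the returned keys are assumptions.

```python
import json
import re

# Constructed sample, shortened from the error body quoted in the thread
# (identifiers stay redacted as "xxx", stack trace cut to one frame).
SAMPLE = json.dumps({"error": {
    "code": "StartSubscription [CorrId=xxxxxx][TenantId=xxx,"
            "ContentType=Audit.AzureActiveDirectory,ApplicationId=xxx,"
            "PublisherId=00000000-0000-0000-0000-000000000000][AppId",
    "message": "xxxx] failed. Exception: "
               "Microsoft.Office.Compliance.Audit.DataServiceException: "
               "Tenant xxxxx does not exist.\r\n   at Microsoft.Office."
               "Compliance.Audit.API.StartController.<StartSubscription>"
               "d__4.MoveNext()",
}})


def triage(raw):
    """Return the fields worth reading from a StartSubscription failure."""
    err = json.loads(raw)["error"]
    # In the quoted body one sentence is split across "code" and
    # "message", so rejoin the two before matching anything.
    text = err["code"] + err["message"]
    # Everything after the first CRLF is the server-side stack trace.
    head, _, trace = text.partition("\r\n")
    # key=value pairs inside the [...] groups of the first line.
    fields = dict(re.findall(r"(\w+)=([^,\]\[]+)", head))
    exc = re.search(r"Exception: ([\w.]+): (.*)", head)
    return {
        "operation": head.split(" ", 1)[0],
        "tenant_id": fields.get("TenantId"),
        "content_type": fields.get("ContentType"),
        "application_id": fields.get("ApplicationId"),
        "exception": exc.group(1).rsplit(".", 1)[-1] if exc else None,
        "reason": exc.group(2).strip() if exc else None,
        "stack_frames": len(re.findall(r"^\s+at ", trace, re.M)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
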
