1. Home
  2. Training Library
  3. Microsoft Azure
  4. Courses
  5. Monitoring Microsoft 365 Security with Azure Sentinel

DEMO: Connect Office 365 Logs to Azure Sentinel


Course Introduction
Course Conclusion
Start course

This course looks at how to monitor Microsoft 365 security with Azure Sentinel. We'll start by looking at what Azure Sentinel is and at what it offers, as well as how to onboard Azure Sentinel. We’ll then take a look at the process required for connecting Azure Sentinel to Microsoft 365 and you'll watch a live demo showing you how to do this.

After covering the onboarding of Azure Sentinel and the connection of Sentinel to Microsoft 365, we’ll look at how you can visualize data using Azure Sentinel, before wrapping things up by covering workbooks.

Learning Objectives

By the time you finish this course, you should have an understanding of how to onboard Azure Sentinel and how to connect it to Microsoft 365 and Office 365.

Intended Audience

This course is intended for anyone who wishes to learn what Azure Sentinel is and how to use it to monitor Microsoft 365.


To get the most out of this course, you should have a basic understanding of Microsoft 365.


Hello, and welcome back. What we're gonna do in this demonstration here is connect Azure Sentinel to our Office 365 logs. Now on the screen here, I'm logged in to my Azure portal. I'm at the Azure Sentinel overview page for the Sentinel that we deployed earlier. And what we're gonna do here is connect it to Office 365.

Now to do that, we simply browse down to data connectors here under Configuration in the left-hand pane. And then from here, this data connectors page shows us all of the different data connectors we have at our disposal. Now, one of these data connectors, if we scroll down here, is going to be Office 365. So what we'll do here is we'll select Office 365 from the list. And then if we scroll down further, we have an option here to open the connector page, which is what we'll do here.

Now on this instructions pane, we have really two separate pieces. We have the prerequisites pane and the configuration pane. Prerequisites here tell us what we need in terms of a workspace and in terms of tenant permissions. The green check marks here tell us we're good. And then under Configuration here, this is where we can tell Azure Sentinel what we're interested in. Essentially we can select what record types we want to collect from Office 365. For this demonstration here, we'll just select Exchange logs, and then we'll apply the changes.

Now we don't have any previously connected tenants here, so we don't have to do anything here. If we click Next steps here, we can see the recommended workbooks and query samples along with analytics rule templates that come with the Office 365 log connector. We can use these to get insight into our environment.

If we select Exchange Online, we'll go ahead and select it. The green check mark here tells us we do have the required data types for this particular template. If we scroll down, we can view the template. And then from here we gonna notice that the query can't run because we haven't set any parameters. So we do this in activities here. So we'll select the dropdown for activities. And we'll select all.

Now, since the Berks Batteries tenant here, this subscription is just a lab environment, I haven't been using Exchange. So I wouldn't expect to see any activities here. And that's what's happening here. If we scroll down, we could also see user activities, admin activities, any kind of external access activities, access activities by activity. And these are all listed under suspicious. We can see hard delete activities.

So everything that happens within our Exchange environment would be shown through Azure Sentinel through this workbook. But like I said, since I'm not doing anything with Exchange in this particular lab, I really have nothing to show here. But that's how you connect a data source to Azure Sentinel using the Azure portal.

About the Author
Thomas Mitchell
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.