# Connecting Splunk to Office 365 – Part 2: Microsoft Office 365 Reporting Add-On for Splunk

•
•
•
•
•
•

In Part 1 of this blog series, I went through the setup of the Splunk Add-On for Microsoft Cloud Services, which you can use to extract, query, and analyze data provided by the Office 365 Management Activity API.  In this particular post, we’re going to explore the Microsoft Office 365 Reporting Add-On for Splunk, which you can use to review message trace data from Office 365.

Obviously, you’ll need Splunk installed and configured, so if you haven’t done that already, you’ll want to get on that.

# Prepare Office 365

In order to retrieve the logging data necessary, you need to grant a user object the ability to read the message tracking logs.  By default, Exchange Online doesn’t have a role with only that as its permission (or anything really close), so we’re going to:

• Create a user account
• Create a role group
• Add some roles to it (Message Tracking, View-Only Audit Logs, View-Only Configuration, View-Only Recipients)
• Add the newly created user to it

Note: Only the ViewOnlyRecipients role is needed for the add-on to work, as that is what the reporting services API requires.  I’ve found it’s useful, though, to have the others so you can check the message trace, message tracking, transport configuration, and message audit data with one account.  If you are going for a least-privilege configuration, remove the MessageTracking, ViewOnlyAuditLogs, and ViewOnlyConfiguration lines.

To do this, connect to Office 365 with PowerShell as a global administrator, and run the following commands:

$TenantDomain = (Get-MsolAccountSku).AccountSkuId[0].Split(":")[0] + ".onmicrosoft.com"$UserName = "splunkreporting@"+$tenantdomain New-MsolUser -UserPrincipalName$UserName -DisplayName "Splunk Reporting" -PasswordNeverExpires $True -UsageLocation US$MessageTrackingRoles = @()
$MessageTrackingRoles += (Get-ManagementRole -RoleType "MessageTracking").Guid.ToString()$MessageTrackingRoles += (Get-ManagementRole -RoleType "ViewOnlyAuditLogs").Guid.ToString()
$MessageTrackingRoles += (Get-ManagementRole -RoleType "ViewOnlyConfiguration").Guid.ToString()$MessageTrackingRoles += (Get-ManagementRole -RoleType "ViewOnlyRecipients").Guid.ToString()

# Looking for data in all the right places

1. From the dashboard, click Search.
2. Under What to Search, click the Data Summary button.
3. Select the Sourcetypes tab.  You should see a source type for ms:o365:reporting:messagetrace, which will contain message trace data.
4. Click on the ms:o365:reporting:messagetrace link to view collected data.

Until next time, keep on Splunking.

Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.

1. shailajasarangi says:

Hi ,

I see there is always 24 hrs delay for source type “ms:o365:reporting:messagetrace” . See here the recentTime and lastTime. Deifference s 24hrs . Why so ? Please acknowledge .

firstTime lastTime recentTime sourcetype
1589553571 06/27/2020 18:16:43 06/28/2020 18:17:15 ms:o365:reporting:messagetrace

2. seriousguy says:

Hi Aaron

How will this work when MS will disable basic auth in October 2020?
The reporting web service will then become obsolete.

Any ideas what to do then?
Thx

This site uses Akismet to reduce spam. Learn how your comment data is processed.