Safetica Office 365 e-mail monitoring
Posted by Michael Skoupý, Last modified by Štěpán Horký on 11 June 2019 01:29 PM

Safetica Office 365 e-mail monitoring requires an existing and configured Safetica Azure application. Follow this article to set it up: Safetica Office 365 file monitoring


Office 365 e-mail monitoring - Safetica Azure application permissions

In order to monitor Exchange Online e-mail, the Safetica Azure application requires the following additional permissions:

Required application permission                         | Permission type | Purpose
--------------------------------------------------------+-----------------+---------------------------------------------------------------------
Microsoft Graph: Read mail in all mailboxes             | Application     | Required for monitoring Office 365 mail activity
Microsoft Graph: Access directory as the signed in user | Delegated       | Required for a one-time creation of the Safetica Azure service account

1. Log in to your organization’s Azure Active Directory admin center: https://aad.portal.azure.com/

2. Go to All services → App registrations and find your Safetica Azure application and open its details

3. Within the application's view go to Manage → API permissions → Add a permission and add the following permissions:

  • Microsoft Graph → Application permissions → Mail.Read (Read mail in all mailboxes)
  • Microsoft Graph → Delegated permissions → Directory.AccessAsUser.All (Access directory as the signed in user)

4. Confirm the new permissions by clicking on Grant admin consent for <your tenant name>

5. Applying your changes may take a while; bear this in mind before continuing with the next steps.
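As an added example (not Safetica's own code or procedure), the following PowerShell script checks that an exported app manifest requests the two permissions listed above. It assumes you have saved the manifest JSON from App registrations → your app → Manifest to a local file (the path below is a placeholder), and that the Microsoft Graph permission GUIDs in the script are correct: they are the published ids for Mail.Read (application) and Directory.AccessAsUser.All (delegated), quoted from memory, so confirm them against your own manifest. Keep in mind that Mail.Read as an application permission grants read access to every mailbox in the tenant, so the application's client secret or certificate must be protected like any other tenant-wide credential.

```powershell
# Added example (not Safetica's code): verify that an exported Azure app manifest
# requests the two Microsoft Graph permissions this article requires.
# Assumptions: $ManifestPath points at the JSON exported from
# App registrations -> <your app> -> Manifest (placeholder path below), and the
# permission GUIDs are the published Microsoft Graph ids (verify against your manifest).
param(
    [string]$ManifestPath = ".\safetica-app-manifest.json"   # placeholder path
)

$graphAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph resource app id

# Expected entries. In a manifest, type "Role" = Application permission,
# type "Scope" = Delegated permission.
$required = @(
    @{ Id = "810c84a8-4a9e-49e6-bf7d-12d183f40d01"; Name = "Mail.Read";                  Type = "Role"  },
    @{ Id = "0e263e50-5827-48a4-b97c-d940288653c7"; Name = "Directory.AccessAsUser.All"; Type = "Scope" }
)

$manifest = Get-Content -Raw -Path $ManifestPath | ConvertFrom-Json

# Collect every (id, type) pair the app requests on the Microsoft Graph resource.
$granted = @{}
foreach ($resource in $manifest.requiredResourceAccess) {
    if ($resource.resourceAppId -ne $graphAppId) { continue }
    foreach ($access in $resource.resourceAccess) {
        $granted["$($access.id)|$($access.type)"] = $true
    }
}

# Report each required permission as OK or MISSING.
$missing = @()
foreach ($perm in $required) {
    $key = "$($perm.Id)|$($perm.Type)"
    if ($granted.ContainsKey($key)) {
        Write-Host ("OK      {0} ({1})" -f $perm.Name, $perm.Type)
    } else {
        Write-Host ("MISSING {0} ({1})" -f $perm.Name, $perm.Type)
        $missing += $perm.Name
    }
}

# Non-zero exit code lets the script be used from a scheduled check.
if ($missing.Count -gt 0) { exit 1 } else { exit 0 }
```

The manifest only records what the application requests; whether admin consent has actually been granted is shown under API permissions in the portal, so treat this as a check of the registration, not of consent.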


Office 365 e-mail monitoring - Basic authentication

Safetica uses PowerShell commands to retrieve details about e-mail messages from the Microsoft Graph API. As of the release of Safetica 9.1, Office 365 does not support PowerShell authentication methods other than Basic: https://office365.uservoice.com/forums/264636-general/suggestions/20570782

From a security standpoint we are not happy about this either, and we definitely intend to change the authentication method as soon as Microsoft allows us to do so.

In the meantime, you can use one of the following commands to turn on Basic authentication for the WinRM client on your Safetica Management Server machine:

Command Prompt
winrm set winrm/config/client/auth @{Basic="true"}

PowerShell
winrm set winrm/config/client/auth '@{Basic="true"}'
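Enabling Basic on the WinRM client means the client may offer Basic authentication, which only base64-encodes the password rather than encrypting it, so the setting is acceptable only when the transport is HTTPS. As an added example (not Safetica's code), the following PowerShell snippet reads the relevant WinRM client settings through the built-in WSMan: provider and warns if Basic has been enabled together with AllowUnencrypted. It assumes it is run in an elevated PowerShell session on the Safetica Management Server.

```powershell
# Added example (not Safetica's code): audit the WinRM client settings after
# enabling Basic authentication. Assumes an elevated PowerShell session on the
# Safetica Management Server; uses the built-in WSMan: provider, no extra modules.
$basic       = (Get-Item WSMan:\localhost\Client\Auth\Basic).Value
$unencrypted = (Get-Item WSMan:\localhost\Client\AllowUnencrypted).Value
$trusted     = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

Write-Host "Client Basic auth : $basic"
Write-Host "AllowUnencrypted  : $unencrypted"
Write-Host "TrustedHosts      : '$trusted'"

# Basic auth carries the password base64-encoded, not encrypted. With
# AllowUnencrypted = false the client refuses to send it over plain HTTP and
# Basic is only ever used on an HTTPS transport, which is the intended state.
if ($basic -eq "true" -and $unencrypted -eq "true") {
    Write-Warning "Basic auth is enabled together with AllowUnencrypted; credentials could travel in clear text. Set AllowUnencrypted back to false:"
    Write-Host '  winrm set winrm/config/client ''@{AllowUnencrypted="false"}'''
} elseif ($basic -eq "true") {
    Write-Host "Basic auth is enabled and AllowUnencrypted is false: Basic will only be used over HTTPS."
} else {
    Write-Host "Basic auth is disabled on the WinRM client."
}
```

The same values can be read with `winrm get winrm/config/client` from a Command Prompt; the snippet above just makes the two settings that matter for this article easy to check together.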


Office 365 e-mail monitoring - Safetica Azure service account

The creation of the Safetica service account is automated and requires already configured Office 365 file monitoring and an already created Azure application with sufficient permissions - make sure the steps above have been followed properly.

1. Log in to your WebSafetica management console

2. Go to Management → General → Office 365 settings

3. The Service account status will show an Error. Click on Authenticate and a new tab will open

4. Log in with your Azure administrator account and follow the steps

5. Once finished, you will be redirected back to WebSafetica, where the Service account status will show OK

6. Exchange Online monitoring is managed the same way as endpoint e-mail monitoring - visit the desktop Safetica Management Console and turn e-mail audit on and off for selected users in the Auditor module.