Connect Incydr to Microsoft Office 365 email

Overview

To help protect you from data loss, you can use Incydr to investigate attachments sent through users' Microsoft Office 365 Outlook email accounts or mailboxes. 

When you add Microsoft Office 365 as a data connection, you must authorize Incydr as a registered client API using your administrator account. Once connected, Incydr monitors your organization's email environment from that point forward to collect information about all attachments emailed by monitored users. That attachment file information then becomes available in Forensic Search for investigation.   

This article explains how to add Microsoft Office 365 email as a data connection.

Considerations

Monitoring and alerting tools may report download activity
When ongoing file activity is detected, Incydr temporarily streams files from your cloud storage or email service to the Incydr cloud to calculate the file hash. (Hash values are not calculated during the initial inventory process.) 

This appears in your vendor logs as users downloading files. The requesting service's IP address may point to Microsoft Azure hosts. Consider adding these IP addresses to your allowlist to reduce false alerts in your vendor logs, keeping in mind that these addresses can change. 

File contents are never stored or written to disk during this process.
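
One way to apply the allowlist advice above when triaging download alerts, shown as an added example that is not part of the Incydr documentation: a download counts as expected only when its source address falls in an allowlisted range that was reviewed recently, because the addresses can change. The CIDR ranges (reserved documentation ranges), the event field names, and the 90-day review window are assumptions constructed for illustration.

```python
import ipaddress
from datetime import date

# Constructed allowlist: documentation-range CIDRs standing in for the Azure
# ranges you confirmed; "reviewed" is the date you last checked each entry.
ALLOWLIST = [
    {"cidr": "203.0.113.0/24", "reviewed": date(2024, 1, 10)},
    {"cidr": "198.51.100.0/25", "reviewed": date(2023, 3, 2)},
]

# Constructed download events; field names are hypothetical, not a real
# audit-log schema. Map your vendor log fields onto them.
EVENTS = [
    {"user": "alice@example.com", "client_ip": "203.0.113.40"},
    {"user": "bob@example.com", "client_ip": "192.0.2.77"},
    {"user": "carol@example.com", "client_ip": "198.51.100.20"},
    {"user": "dave@example.com", "client_ip": "not-an-ip"},
]


def triage(events, allowlist, today, max_age_days=90):
    """Split events into (expected, review); review items carry a reason."""
    nets = [(ipaddress.ip_network(e["cidr"]), e) for e in allowlist]
    expected, review = [], []
    for ev in events:
        try:
            ip = ipaddress.ip_address(ev["client_ip"])
        except ValueError:
            # Never suppress an alert whose source cannot be parsed.
            review.append((ev, "unparseable source address"))
            continue
        hit = next((entry for net, entry in nets if ip in net), None)
        if hit is None:
            review.append((ev, "source not in allowlist"))
        elif (today - hit["reviewed"]).days > max_age_days:
            # The range matched, but nobody has confirmed it recently.
            review.append((ev, "allowlist entry stale"))
        else:
            expected.append(ev)
    return expected, review


if __name__ == "__main__":
    ok, todo = triage(EVENTS, ALLOWLIST, today=date(2024, 2, 1))
    for ev, reason in todo:
        print(f"REVIEW {ev['user']} {ev['client_ip']}: {reason}")
    print(f"{len(ok)} event(s) matched a current allowlist entry")
```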

See also the considerations applicable to all email services.

Before you begin

Before you connect Incydr to Microsoft Office 365 email, complete these steps:

  1. Verify that the users you want to monitor are active users that have an Exchange email account or mailbox in your Microsoft environment.
  2. Plan user or group scoping to identify the users you want the Incydr connection to monitor.

Connect Incydr to Microsoft Office 365 email

  1. Sign in to the Incydr console.
  2. Select Administration > Integrations > Data Connections.
  3. Click Add data connection.
    The Add data connection panel opens.
  4. From Data connection, select Microsoft Office 365 under Email services.
  5. Enter a display name. This name must be unique.
  6. Select the scope of email users in your Microsoft Office 365 environment to monitor:
    • All: Monitors all email users with Office 365 mailboxes in your environment.
    • Specific users: Monitors only the Office 365 mailboxes for the email users you designate.
      1. Click Upload .CSV file.
      2. Select the scoping CSV file that contains a list of only those Office 365 email user accounts that you want to monitor.
    • Specific groups: Monitors only the mailboxes of the email users in the Office 365 groups you designate.
      1. Click Upload .CSV file.
      2. Select the scoping CSV file that contains a list of Office 365 groups whose user mailboxes you want to monitor.
  7. In Incydr federal (FedRAMP) environments, an additional question appears: Is this data connection for a GCC High environment?
    • Select Yes or No, based on your environment type. If you don't know your environment type, contact your Microsoft administrator before continuing. You must select the correct environment type to authorize the connection and complete the setup.
  8. Click Authorize.
    The Microsoft Office 365 sign-in screen appears.
  9. Enter your Microsoft Office 365 administrator credentials.
  10. Review the terms and agreements, including the requested Office 365 email permissions, and click Accept.
    Microsoft Office 365 is added to the Data Connections list as an email data connection.

    Permissions can be delayed in Microsoft Azure
    The permissions you accept during the authorization process can take up to 1 hour to flow through your Microsoft Azure environment. During this time, Incydr may report an error with the new connection in the Data Connections list. This error clears automatically as soon as Incydr is able to access the Microsoft audit log.

The next time that an attachment is emailed by a monitored user, information about that file is recorded as an event by Incydr. For details, see Attachment metadata below.

Next Steps

Now that you have added Microsoft Office 365 as a data connection, learn more about:

Attachments

When a monitored user emails an attachment, Incydr captures the attached file contents, plus extensive metadata about the file (including the email addresses of the sender and recipients). For a detailed list of all metadata, see the File event metadata reference.

The Date Observed for the event indicates the date and time the attachment was emailed through Microsoft Office 365, not when the file event appeared in Incydr. 

Troubleshooting

Issues in your Microsoft Office 365 email environment can cause errors with the Incydr connection. When such issues occur, the connection in the Data Connections table is highlighted in red and an error message is displayed at the top of the screen. When this occurs, click the connection in the Data Connections table. The detail panel opens and lists the specific error so that you can resolve it.

Refer to these articles to troubleshoot specific errors that can appear for the email connection in the Data Connections list:

External resources

Microsoft documentation: Compare Exchange Online plans
