⚠️ Microsoft 365 Audit.DLP

⚠️ Unpublished: This item is from a solution that is not yet published on Azure Marketplace or not installed in Content Hub.


| Attribute | Value |
|---|---|
| Connector ID | M365AuditDLPCCPDefinition |
| Publisher | Marko Lauren |
| Used in Solutions | Microsoft 365 Audit General and DLP |
| Collection Method | CCF |
| Connector Definition Files | M365AuditDLP_ConnectorDefinition.json |
| DCR Definition Files | M365Audit_DCR.json |
| CCF Configuration | M365AuditDLP_PollerConfig.json |
| CCF Capabilities | OAuth2, Paging, Nested |

The Microsoft 365 Audit.DLP connector ingests DLP events for all workloads from the Office 365 Management Activity API.

Data is ingested into the same M365AuditGeneral_CL table, which has 321 columns including dedicated DLP schema fields.

Prerequisites: an Entra ID app with Office 365 Management API permissions and a DLP.All subscription.

Tables Ingested

This connector ingests data into the following tables:

Table Transformations Ingestion API Lake-Only
M365AuditGeneral_CL ? ?

💡 Tip: Tables with Ingestion API support allow data ingestion via the Azure Monitor Data Collector API, which also enables custom transformations during ingestion.

Permissions

Resource Provider Permissions:

Custom Permissions:

Setup Instructions

⚠️ Note: These instructions were automatically generated from the connector's user interface definition file using AI and may not be fully accurate. Please verify all configuration steps in the Microsoft Sentinel portal.

**1. Register an Entra ID Application**

⚠️ If you already have an app from the Audit.General connector, you can reuse the same app. Otherwise:

  1. Go to Microsoft Entra ID > App registrations > New registration
  2. Name: Sentinel-M365Audit (or your preferred name)
  3. Supported account types: Accounts in this organizational directory only
  4. Click Register
  5. Note the Application (client) ID - you'll need this later
  6. Go to Certificates & secrets > New client secret
  7. Add a description, set expiration, click Add
  8. Copy the secret Value immediately - it won't be shown again

**2. Configure API Permissions**

⚠️ Audit.DLP requires ActivityFeed.ReadDlp permission (different from Audit.General which needs ActivityFeed.Read).

  1. In your app registration, go to API permissions > Add a permission
  2. Select Office 365 Management APIs
  3. Choose Application permissions
  4. Select ActivityFeed.ReadDlp
  5. Click Add permissions
  6. Click Grant admin consent for your tenant
  7. Verify the permission shows as Granted

Note: If sharing the same app with Audit.General connector, add both ActivityFeed.Read and ActivityFeed.ReadDlp permissions.

**3. Subscribe to DLP.All Content**

Run this PowerShell script to subscribe to the DLP.All content type (required before data flows):

```powershell
# Replace with your values
$tenantId = 'YOUR_TENANT_ID'
$clientId = 'YOUR_CLIENT_ID'
$clientSecret = 'YOUR_CLIENT_SECRET'
$publisherId = $tenantId  # Publisher identifier is your tenant ID

# The connector definition takes the login endpoint from environment().authentication.loginEndpoint.
# https://login.microsoftonline.com/ is the Azure public cloud value; change it for other clouds.
$loginEndpoint = 'https://login.microsoftonline.com/'

# Get OAuth token
$body = @{
    grant_type    = 'client_credentials'
    client_id     = $clientId
    client_secret = $clientSecret
    resource      = 'https://manage.office.com'
}
$tokenResponse = Invoke-RestMethod -Method Post -Uri "${loginEndpoint}${tenantId}/oauth2/token" -Body $body
$token = $tokenResponse.access_token

# Start subscription
$headers = @{Authorization = "Bearer $token"}
$subscribeUri = "https://manage.office.com/api/v1.0/$tenantId/activity/feed/subscriptions/start?contentType=DLP.All&PublisherIdentifier=$publisherId"
Invoke-RestMethod -Method Post -Uri $subscribeUri -Headers $headers
```
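
To confirm that steps 2 and 3 took effect before connecting, the following added example (not part of the connector's own files or instructions) decodes the token's `roles` claim and lists the tenant's subscriptions through the Management Activity API `subscriptions/list` operation. It assumes `$tenantId`, `$publisherId` and `$token` are still set from the script above; `Get-JwtRoles` is a hypothetical helper name.

```powershell
# Added diagnostic example: check the app permission and the DLP.All subscription state.
# Assumes $tenantId, $publisherId and $token are still set from the subscription script.

function Get-JwtRoles {  # hypothetical helper, not part of the connector
    param([Parameter(Mandatory)][string]$Jwt)
    # A JWT is header.payload.signature; the payload is base64url-encoded JSON.
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    # Restore the base64 padding that base64url strips.
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    # App-only tokens list the granted application permissions in the "roles" claim.
    @(($json | ConvertFrom-Json).roles)
}

# 1. The token must carry ActivityFeed.ReadDlp, otherwise admin consent is missing.
$roles = Get-JwtRoles -Jwt $token
if ($roles -notcontains 'ActivityFeed.ReadDlp') {
    throw "Token lacks ActivityFeed.ReadDlp (roles: $($roles -join ', ')). Re-check admin consent."
}

# 2. List the tenant's current subscriptions and pick out DLP.All.
$headers = @{ Authorization = "Bearer $token" }
$listUri = "https://manage.office.com/api/v1.0/$tenantId/activity/feed/subscriptions/list?PublisherIdentifier=$publisherId"
# Assign first, then pipe: Windows PowerShell 5.1 does not enumerate a JSON array
# when Invoke-RestMethod is piped directly.
$subs = Invoke-RestMethod -Method Get -Uri $listUri -Headers $headers
$dlp  = $subs | Where-Object { $_.contentType -eq 'DLP.All' }

if (-not $dlp) {
    throw 'No DLP.All subscription found. Run the subscriptions/start call first.'
}
if ($dlp.status -ne 'enabled') {
    throw "DLP.All subscription status is '$($dlp.status)', expected 'enabled'."
}
"DLP.All subscription is enabled; token roles: $($roles -join ', ')"
```

If the app is shared with the Audit.General connector, the reported roles should include both ActivityFeed.Read and ActivityFeed.ReadDlp.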

**4. Connect the Data Connector**

Provide your Entra ID application credentials below. You can use the **same app credentials** as the Audit.General connector. The connector will automatically use your subscription's tenant ID for authentication and API calls.
- **OAuth Configuration**:
  - Application (Client) ID
  - Client Secret Value
  - Click 'Connect' to authenticate
