Microsoft/Office 365

This walk-through will help you get Microsoft 365 (formerly known as Office 365) integrated with Perch. Follow these steps and you’ll be ingesting logs like a pro.


  • You must enable Audit Logs in Microsoft 365.
  • You must have admin rights to your Microsoft 365 installation.

Getting started

During this walk-through, you’ll complete the following steps:

  1. Authorize Perch to access your Microsoft 365 logs.
  2. Test that Perch can ingest logs from Microsoft 365.
  3. Enable log ingestion.

Authorize Perch

In order for Perch to access your Microsoft 365 logs, you must explicitly grant access. This occurs in an OAuth flow…if you know what that means, you get a cookie. If it’s all Greek to you, no worries.

  1. Click Authorize from the Microsoft 365 settings panel.
  2. A new window will open with a Microsoft prompt to allow access. Click Accept.
  3. You will be redirected to Perch. You can now close the window.

Enable Office 365

Test ingestion

To start collecting logs from Microsoft 365, Perch needs to verify that the Microsoft 365 instance has logs and that we’re able to ingest them properly.

  1. Navigate to the Microsoft 365 settings in the Perch app, or click here.
  2. Click the Test button to verify ingestion.


It may take up to 24 hours for Microsoft to configure your tenant after authorization, during which verification may fail.

As per Microsoft, there is no guaranteed maximum latency for notification delivery (in other words, there’s no SLA). Microsoft Support’s experience has been that most notifications are sent within one hour of the event. Often, the latency is much shorter, but it can occasionally be longer as well. This varies somewhat from workload to workload, but a general rule is that most notifications will be delivered within 24 hours of the originating event.

If at any time after setup you feel the need to test that your Microsoft 365 integration is still working as expected, simply click the Test button again.

Enable log ingestion

Like all Perch integrations, you can enable or disable Microsoft 365 log ingestion at any time by toggling the switch from OFF (gray) to ON ( purple ), or the other way around, in the Perch app.

Enable Office 365

When disabling Microsoft 365 log ingestion, your configuration is preserved, so you won’t have to reauthorize Perch when you re-enable it.

What logs are collected?

Microsoft 365 subscribes to these feeds:

  • Audit AzureActiveDirectory
  • Audit Exchange
  • Audit SharePoint
  • Audit General
  • DLP All
  • Alerts
  • Risk Detections
  • Risky Users
  • Security Scores
  • Subscribed Skus
  • Users


Perch requests write permissions on applications, directory data, and devices to initiate the subscriptions for the logging data to be sent back to the Perch platform for SIEM ingestion.

After the initial authentication and successful data pull validation, a customer can remove those write permissions from the Perch Security Azure AD Enterprise Application as needed for compliance with their enterprise security policies around least privilege.

If the setup needs to be repeated for any reason, the customer will need to either add the original write permissions back to the Enterprise Application or delete the Enterprise Application from the Azure AD portal and allow Perch to programmatically recreate it.

Still having trouble? Reach out to one or our specialists at