Microsoft 365 Dataset - Import User Account Data and Activity

Overview

This is a dataset template to extract and store user account information from Microsoft 365 for faster and more comprehensive reporting.

In addition to usage by templates published within Voleer, you can also connect Power BI directly to this dataset for visualization and reporting.

How it works

This template imports the following information from Microsoft 365 and supporting 3rd party data into the dataset:

  • Failed and successful logins
  • User account information, roles assignments and authentication policy changes
  • Mailbox permissions, external forwarding rules and updates
  • Added and deleted devices
  • Emails sent activity
  • Compromised account information

Requirements

Tenant Prerequisites

The Microsoft 365 tenant needs to be subscribed to a SKU or license pack that contains Azure Active Directory Premium (P1 or P2).

To find out which SKU also includes Azure Active Directory P1 or P2, search for Azure Active Directory Premium within Microsoft article Product names and service plan identifiers for licensing - Azure AD | Microsoft Docs

Data Access Requirements

This template requires audit logging enabled in Microsoft 365 to capture changes in data. Read documentation from Microsoft to learn more about audit log search and how to enable it.

Permission Requirements

To run this, you will require an Azure account with the rights to

  • Create an application registration
  • Assign admin-consent application permissions

The inbuilt Global Administrator role has these rights enabled

Getting started

  1. Sign in to your Voleer account or sign up for a new account
  2. On the Library page, select template Microsoft 365 Dataset - Import User Account Data and Activity
  3. Read the Requirements and configure your account and tenant as stated
  4. Once configured, along the right hand side, select a Workspace, then click on Create
    image
  5. Provide a Dataset name and Description (Optional), then click on Continue.
    TIP - For easy reference, putting in the tenant domain name as the dataset name will help with managing your dataset
  6. Authorize Access to Microsoft Graph by 1) Copying the code, 2) Visiting the link https://microsoft.com/devicecode and completing the authentication process, and then 3) Clicking on the Validate button
  7. Repeat the same steps as 6 for any other authorization and authentication forms.
  8. Choose to enable the Simple Replay Option, then click on **Submit
  9. Configure the dataset template by filling out sections 1) Retention Period and 2) User Filter. Note - by using the defaults, it will have a retention period of 1 year and include all users within the dataset.
    Once sections 1 and 2 are completed, click on Validate Template Configuration.
  10. Provide the email addresses of recipients who should receive notifications on the changes to the dataset. These notifications include information such as the number of new and deleted records and links to useful information.
    Click on Validate Template Configuration
  11. Review the configuration on the Summary page, then click on Acknowledge and Create Dataset.
    Congratulations, the Microsoft 365 User Account Data and Activity Dataset is now being provisioned!
    Depending on the size of your tenant, it may take some time to populate the dataset for the first time. But note that subsequent refreshes will be a fraction of the time!
  12. By default, the dataset is configured to be refreshed on a daily basis at 12:00 AM UTC. If you rather update the refresh to occur during non-business hours, click on Change Schedule and update the timezone and time value.
    image
    TIP - Keep the Repeat at daily to ensure data doesn’t get stale within your dataset

Sign in or sign up to use this template