# Set Up Microsoft 365/Cloud Monitor

GuardWare INSIGHT integrates directly with Microsoft 365 cloud services, specifically Exchange Online and SharePoint Online, to monitor and analyse cloud-based activities. To enable this integration, several configurations must be completed in the Azure portal. Because the registration process relies on your organisation’s Azure configuration and credentials, it must be performed using the company’s Azure portal account by an authorised administrator.

The configurations involve registering an application in Azure, creating a certificate, and granting the required permissions and roles, which are explained below. These steps allow GuardWare INSIGHT to securely access monitoring data from Exchange and SharePoint. Once the configuration is complete, the generated information, such as application ID, certificates, and domain details, must be sent to GuardWare Support to complete the setup. See [Information to Be Sent to GuardWare](#information-to-be-sent-to-guardware) for the full list.

<table data-header-hidden><thead><tr><th width="262"></th><th></th></tr></thead><tbody><tr><td><strong>Requirement</strong></td><td><strong>Description</strong></td></tr><tr><td><strong>Application (Client) ID</strong></td><td>Identifies the GuardWare M365 Monitor Azure application. This ID is generated automatically when registering the application in Azure.</td></tr><tr><td><strong>Directory (Tenant) ID</strong></td><td>Identifies your organisation in Azure for email monitoring. This ID is also generated during Azure application registration.</td></tr><tr><td><strong>Organisation Primary Domain</strong></td><td>Identifies your organisation for SharePoint monitoring. This is your organisation’s primary <strong>.onmicrosoft.com</strong> domain.</td></tr><tr><td><strong>Application Permissions</strong></td><td><p>The following permissions are required in Azure for GuardWare Cloud Monitor to access Microsoft 365 data:</p><ul><li><code>Group.Read.All</code></li><li><code>GroupMember.Read.All</code></li><li><code>User.Read.All</code></li><li><code>Mail.Read</code></li><li><code>Mail.ReadBasic.All</code></li><li><code>Exchange.ManageAsApp</code></li><li><code>ActivityFeed.Read</code></li><li><code>ServiceHealth.Read</code></li></ul></td></tr><tr><td><strong>M365 Security Group</strong></td><td>Created in the Microsoft 365 Admin Center, this group defines the users whose emails are to be monitored.</td></tr><tr><td><strong>On-Premises Domain Name</strong></td><td>Maps GuardWare INSIGHT endpoint users to their corresponding Microsoft 365 email addresses within the GuardWare Server.</td></tr><tr><td><strong>Certificate and Password</strong></td><td>Used for secure communication between Microsoft 365 and GuardWare Cloud Monitor. The certificate is generated locally using Microsoft PowerShell.</td></tr></tbody></table>

### Register an Application on Azure Portal

To enable GuardWare INSIGHT to access and monitor Microsoft 365 data, you must first register a new application in the Azure portal. This application acts as a secure bridge between Microsoft 365 and GuardWare, allowing authorised access through assigned permissions and roles.

To register an application on the Azure Portal:

1. Go to the [Azure Portal](https://portal.azure.com/auth/login/) and sign in with your Microsoft 365 administrator account.
2. Navigate to **Microsoft Entra ID**.

   <div align="left"><img src="/files/770c010469725eb7f55250efdffa7c0a236472e2" alt="" width="563"></div>
3. Click **+Add**, and select **App registration**.

<div align="left"><img src="/files/dfc11d3db14de54e8e4ed5bb66d2badbc9264f6a" alt="" width="563"></div>

4. Configure:
   1. **Name:** Enter a user-facing descriptive display name (e.g., `GuardWare M365 Monitor`).
   2. **Supported account types:** Select **Accounts in this organizational directory only (Single tenant)**.
   3. **Redirect URI:** Leave empty for service-to-service authentication.

      <div align="left"><img src="/files/62f2fb8ae1a8e2b2eebe037e03636289540ed37d" alt="" width="563"></div>
5. Click **Register**.

After registration is complete, the **Application (client) ID** and **Directory (tenant) ID** are shown on the Overview page. Copy and store them in a secure place. You’ll need them later to complete the setup.

![](/files/cf8972d478a1f9fe2e8074b0fc3e25a24df69acb)

### Create a Self-Signed Certificate

You can create a self-signed certificate using Windows PowerShell with the following script to establish a secure connection between GuardWare INSIGHT and Microsoft 365. The certificate remains valid for three years.

Before running the script:

* Replace `<companydomain>` and `<password>` with your own values.
* The company domain is used as a descriptor and does not need to be accurate.
* Copy and store the password securely. You’ll need it later to complete the setup.
* The script generates two files:
  * A **.cer file**: Used to register the certificate with the Azure application.
  * A **.pfx file**: Used by `GWCloudMonitor.exe` to identify itself to Azure.
* Both `.cer` and `.pfx` are saved in `C:\Temp` (you can change the path as needed).

**PowerShell Script**

{% code overflow="wrap" %}

```powershell
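# Output folder for both files (change the path as needed)
$outDir = "C:\Temp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Create the certificate (valid for three years) in the current user's certificate store
$mycert = New-SelfSignedCertificate -DnsName "<companydomain>" -CertStoreLocation "cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(3) -KeySpec KeyExchange

# Export the certificate with its private key to a password-protected .pfx file
$mycert | Export-PfxCertificate -FilePath (Join-Path $outDir "mycert.pfx") -Password (ConvertTo-SecureString -String "<password>" -AsPlainText -Force)

# Export the public certificate only to a .cer file
$mycert | Export-Certificate -FilePath (Join-Path $outDir "mycert.cer")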
```

{% endcode %}

### Register the Self-Signed Certificate

The next step is to upload the certificate to the Azure application.

1. In the left navigation menu of the GuardWare M365 Monitor application page, click **Certificates & secrets**.

<div align="left"><img src="/files/aa113c34a8984486627d61e689fe4c9caacd037a" alt="" width="563"></div>

2. Under **Certificates**, click **Upload certificate**.

<div align="left"><img src="/files/51e2fc88f4a88a396ebc1b5079f687a8cd2adf6c" alt="" width="563"></div>

3. Select the `mycert.cer` file to upload and enter a description.
4. Click **Add**.

   <div align="left"><img src="/files/1aa758ca1ae21636d69110916bc4fa665e68d3c4" alt="" width="375"></div>

Once successfully uploaded, the certificate will appear in the list of certificates associated with the application.
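
The two exported files can be checked against each other with the PowerShell function below, which confirms that `mycert.cer` and `mycert.pfx` carry the same certificate, that only the `.pfx` holds the private key, and reports the thumbprint and expiry. It is an added example, not part of the GuardWare documentation or product; the function name `Test-MonitorCertPair` and the default `C:\Temp` paths are assumptions.

```powershell
# Added example: consistency check for the exported certificate files.
# Function name and default paths are assumptions; adjust them to your export folder.
function Test-MonitorCertPair {
    param(
        [string]$CerPath = 'C:\Temp\mycert.cer',
        [string]$PfxPath = 'C:\Temp\mycert.pfx',
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    $type = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    $cer = $null
    $pfx = $null
    try {
        $cer = $type::new($CerPath)                  # public certificate only
        $pfx = $type::new($PfxPath, $PfxPassword)    # throws if the password is wrong

        [pscustomobject]@{
            Thumbprint       = $cer.Thumbprint
            ThumbprintsMatch = $cer.Thumbprint -eq $pfx.Thumbprint
            PfxHasPrivateKey = $pfx.HasPrivateKey
            CerIsPublicOnly  = -not $cer.HasPrivateKey
            NotAfter         = $cer.NotAfter
            DaysUntilExpiry  = [int]($cer.NotAfter - (Get-Date)).TotalDays
        }
    }
    finally {
        # Release the loaded certificates and any temporary key material
        if ($cer) { $cer.Dispose() }
        if ($pfx) { $pfx.Dispose() }
    }
}

# Prompt for the .pfx password instead of typing it on the command line
Test-MonitorCertPair -PfxPassword (Read-Host -Prompt 'PFX password' -AsSecureString)
```

The `Thumbprint` value should equal the thumbprint listed for the uploaded certificate under **Certificates & secrets**.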

### Grant Permissions to the Application

Microsoft Graph API permissions and Exchange Online API permissions are needed for GuardWare INSIGHT to access user, group, and mailbox information for monitoring and analysis.

#### Grant Microsoft Graph API Permissions

To grant Microsoft Graph API Permissions:

1. In the left navigation menu of the **GuardWare M365 Monitor** page, click **API Permissions**.

<div align="left"><img src="/files/f57e98e26c9e266846736a2fe086fd46261b8a0e" alt="" width="188"></div>

2. Click **+ Add a permission**. The *Request API permissions* panel opens on the right-hand side.

<div align="left"><img src="/files/13bf51a708b1850a66094295b5a7131830e0a659" alt="" width="563"></div>

3. Under the **Microsoft APIs** tab, click **Microsoft Graph**.

<div align="left"><img src="/files/1c0e38ce95a8b4d1583963e7d984029a23e2b7ae" alt="" width="375"></div>

4. Click **Application permissions**.

<div align="left"><img src="/files/57a2a78ffc5cbda6f13d3107e2ebef47db12d4e5" alt="" width="375"></div>

5. From the list of permissions, expand the categories or search and select the following permissions:
   1. `Group.Read.All`
   2. `GroupMember.Read.All`
   3. `User.Read.All`
   4. `Mail.Read`
   5. `Mail.ReadBasic.All`
6. Click **Add permissions**.
7. Once added, click **Grant admin consent for \<your organisation>** to approve the permissions. You must be signed in to the Azure Portal using an administrator account to grant admin consent.

<div align="left"><img src="/files/a42dfadc662043fcdb61e77f2b36815962500b98" alt="" width="563"></div>

#### Grant Exchange Online API Permission

To grant Exchange Online API permission:

1. In the **API Permissions** page, click **+ Add a permission**. The *Request API permissions* panel opens on the right-hand side.

<div align="left"><figure><img src="/files/LjRRcjduJ40ObwQbjrRY" alt="" width="563"><figcaption></figcaption></figure></div>

2. In the *Request API permissions* panel, select the **APIs my organisation uses** tab.
3. Search for **Office 365 Exchange Online**.
4. Click **Office 365 Exchange Online** from the search results to view its available permissions.

<div align="left"><img src="/files/847ef0708152b621c6b8c396b01f0331aa5a25d4" alt="" width="563"></div>

5. Under **Exchange**, select the `Exchange.ManageAsApp` permission.

<div align="left"><img src="/files/021520e181e768142d01c126fd8884ef7a26ce0d" alt="" width="563"></div>

6. Click **Add permissions** to complete the process.

#### Grant Office 365 Management API Permissions (Required for SharePoint)

SharePoint log collection requires permissions from the **Office 365 Management APIs**.

To grant these permissions:

1. In the left navigation menu of the **GuardWare M365 Monitor** page, click **API Permissions**.
2. Click **+ Add a permission**. The *Request API permissions* panel opens on the right-hand side.

<div align="left"><figure><img src="/files/r5e3Ol1XjQhUg52WbtRW" alt="" width="563"><figcaption></figcaption></figure></div>

3. Under the **Microsoft APIs** tab, click **Office 365 Management APIs**.

<div align="left"><figure><img src="/files/TWaO2TBlilEV3vyU4ax4" alt="" width="375"><figcaption></figcaption></figure></div>

4. In *Request API permissions*, click **Application permissions**.

<div align="left"><figure><img src="/files/npDufZECdUnFWdYjb5hB" alt="" width="328"><figcaption></figcaption></figure></div>

5. From the list of available permissions, select the following:
   1. `ActivityFeed.Read`
   2. `ServiceHealth.Read`
6. Click **Add permissions**.

<div align="left"><figure><img src="/files/g8JfdCYp73S2AUg9hbBz" alt="" width="480"><figcaption></figcaption></figure></div>

7. Once added, click **Grant admin consent for \<your organisation>** to approve the permissions. You must be signed in to the Azure Portal using an administrator account to grant admin consent.

<div align="left"><figure><img src="/files/SPyiwHUQBWtqkCeqjoWJ" alt="" width="563"><figcaption></figcaption></figure></div>

### Assign Role to the Application

After configuring permissions, assign the necessary **Microsoft Entra roles** to the GuardWare M365 Monitor application. To ensure GuardWare INSIGHT can access the required Microsoft 365 data, specific administrative roles must be assigned to the registered application.

To assign roles to the application:

1. In the **Azure portal**, navigate to **Microsoft Entra ID** and click **Roles and administrators**, or use the search bar to find and select **Microsoft Entra Roles and Administrators**.
2. To assign the Exchange Administrator Role:
   1. On the **All roles** page, search for **Exchange Administrator** and click the role name.\
      **Do not select the checkbox** next to the role. If the role is selected, you will not be able to add assignments.

      <div align="left"><img src="/files/JqLuKoay8FeO2NwUpd83" alt=""></div>
   2. Click **Add assignments**.
   3. In the search field, enter the name of the application created earlier (for example, *GuardWare M365 Monitor*).
   4. Select the application and click **Add** to assign the role.
3. To assign the Compliance Administrator Role:
   1. Return to the **All Roles** page. Search and click **Compliance Administrator**.\
      **Do not select the checkbox** next to the role. If the role is selected, you will not be able to add assignments.
   2. Click **Add assignments**.
   3. Search for the same application name (for example, *GuardWare M365 Monitor*).
   4. Select the application and click **Add** to complete the role assignment.

### Create a Security Group of Emails to Be Monitored

A dedicated security group helps define which user mailboxes will be monitored by GuardWare INSIGHT.

To create a security group that includes the email accounts to be monitored:

1. Log in to the [Microsoft 365 admin center](https://admin.microsoft.com/) as an administrator.
2. Navigate to **Teams & Groups > Active Teams & Groups**, and select the **Security groups** tab.
3. Click **+ Add a security group**.

![](/files/56f36bf35d9a23df775285add17ac583a471000a)

4. Enter the **Name** and **Description** for the security group and click **Next**.
5. Click **Create group**, and once the group is created, click **Close**. The new security group may take a few seconds to appear in the list.
6. Click the newly created security group to open it.
7. Click **Members > View all and manage members > Add members**.
8. Add the users (email accounts) you want to include in the monitored group.

### Getting the Organisation’s Primary Domain

The organisation’s primary domain is required for integration with GuardWare INSIGHT.

To find your organisation’s primary domain in Azure:

1. Log in to the [**Azure Portal**](https://portal.azure.com/).
2. Search for **Domain names**, and select **Domain Names** from the results.

<div align="left"><img src="/files/87f4af680f08aeb0872fa0d6aa1c985a1d765899" alt="" width="563"></div>

3. Locate the domain that ends with `.onmicrosoft.com`.

<div align="left"><img src="/files/775085ccec277a5a6bf9bfaf0ab332e6fdb9de56" alt="" width="563"></div>

4. Copy the domain name; this is your organisation’s **primary domain**.

### Information to Be Sent to GuardWare

After completing all configuration steps, send the following details to **GuardWare Support** to complete the Microsoft 365 setup:

1. **Application (Client) ID**
2. **Directory (Tenant) ID**
3. **On-Premises Domain Name**
4. **Certificate (.pfx file)** and its **Password**
5. **Monitored Security Group**
6. **Organisation Primary Domain**

{% hint style="info" %}
Ensure that the certificate password is shared securely and only with authorised GuardWare representatives.
{% endhint %}


