The azure-native:securityinsights:OfficeDataConnector resource, part of the Pulumi Azure Native provider, configures data connectors that stream logs from Office 365 and threat intelligence sources into Azure Sentinel workspaces. This guide focuses on one capability: Office 365 audit log ingestion.
Data connectors attach to existing Sentinel workspaces and require appropriate permissions to access the configured data sources. The example is intentionally small. Combine it with your own workspace configuration and access policies.
Connect Office 365 audit logs to Sentinel
Security teams monitoring Microsoft 365 environments need visibility into Exchange, SharePoint, and Teams activity for threat detection and investigation.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Builds the per-service setting that turns audit-log collection on.
const enabledState = () => ({
    state: azure_native.securityinsights.DataTypeState.Enabled,
});

// Office 365 data connector attached to an existing Sentinel workspace.
// The GUIDs and resource names are the example's sample values; substitute your own.
// NOTE(review): the connector needs permissions on both the tenant and the
// workspace; confirm the deploying identity's roles before rollout.
const officeDataConnector = new azure_native.securityinsights.OfficeDataConnector("officeDataConnector", {
    kind: "Office365",
    dataConnectorId: "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
    tenantId: "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
    resourceGroupName: "myRg",
    workspaceName: "myWorkspace",
    // One entry per Office 365 service; only services marked Enabled are ingested.
    dataTypes: {
        exchange: enabledState(),
        sharePoint: enabledState(),
        teams: enabledState(),
    },
});
import pulumi
import pulumi_azure_native as azure_native
# Per-service audit-log settings: every listed Office 365 service is switched on.
_enabled = azure_native.securityinsights.DataTypeState.ENABLED
_audit_sources = {
    service: {"state": _enabled}
    for service in ("exchange", "share_point", "teams")
}

# Office 365 data connector attached to an existing Sentinel workspace.
# The GUIDs and resource names are the example's sample values; substitute your own.
# NOTE(review): the connector needs permissions on both the tenant and the
# workspace; confirm the deploying identity's roles before rollout.
office_data_connector = azure_native.securityinsights.OfficeDataConnector(
    "officeDataConnector",
    kind="Office365",
    data_connector_id="73e01a99-5cd7-4139-a149-9f2736ff2ab5",
    tenant_id="2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
    resource_group_name="myRg",
    workspace_name="myWorkspace",
    data_types=_audit_sources,
)
package main
import (
securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers a single Office 365 data connector on an existing Sentinel
// workspace and returns any registration error to the Pulumi runtime.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Shared "Enabled" value applied to every Office 365 service below.
		enabled := pulumi.String(securityinsights.DataTypeStateEnabled)

		// The GUIDs and resource names are the example's sample values; substitute your own.
		// NOTE(review): the connector needs permissions on both the tenant and the
		// workspace; confirm the deploying identity's roles before rollout.
		connectorArgs := &securityinsights.OfficeDataConnectorArgs{
			Kind:              pulumi.String("Office365"),
			DataConnectorId:   pulumi.String("73e01a99-5cd7-4139-a149-9f2736ff2ab5"),
			TenantId:          pulumi.String("2070ecc9-b4d5-4ae4-adaa-936fa1954fa8"),
			ResourceGroupName: pulumi.String("myRg"),
			WorkspaceName:     pulumi.String("myWorkspace"),
			// One entry per service; only services marked Enabled are ingested.
			DataTypes: &securityinsights.OfficeDataConnectorDataTypesArgs{
				Exchange:   &securityinsights.OfficeDataConnectorDataTypesExchangeArgs{State: enabled},
				SharePoint: &securityinsights.OfficeDataConnectorDataTypesSharePointArgs{State: enabled},
				Teams:      &securityinsights.OfficeDataConnectorDataTypesTeamsArgs{State: enabled},
			},
		}

		_, err := securityinsights.NewOfficeDataConnector(ctx, "officeDataConnector", connectorArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
// Declares one Office 365 data connector on an existing Sentinel workspace.
return await Deployment.RunAsync(() =>
{
    // Shared "Enabled" value applied to every Office 365 service below.
    var enabled = AzureNative.SecurityInsights.DataTypeState.Enabled;

    // One entry per service; only services marked Enabled are ingested.
    var auditSources = new AzureNative.SecurityInsights.Inputs.OfficeDataConnectorDataTypesArgs
    {
        Exchange = new AzureNative.SecurityInsights.Inputs.OfficeDataConnectorDataTypesExchangeArgs { State = enabled },
        SharePoint = new AzureNative.SecurityInsights.Inputs.OfficeDataConnectorDataTypesSharePointArgs { State = enabled },
        Teams = new AzureNative.SecurityInsights.Inputs.OfficeDataConnectorDataTypesTeamsArgs { State = enabled },
    };

    // The GUIDs and resource names are the example's sample values; substitute your own.
    // NOTE(review): the connector needs permissions on both the tenant and the
    // workspace; confirm the deploying identity's roles before rollout.
    var officeDataConnector = new AzureNative.SecurityInsights.OfficeDataConnector(
        "officeDataConnector",
        new AzureNative.SecurityInsights.OfficeDataConnectorArgs
        {
            Kind = "Office365",
            DataConnectorId = "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
            TenantId = "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
            ResourceGroupName = "myRg",
            WorkspaceName = "myWorkspace",
            DataTypes = auditSources,
        });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.OfficeDataConnector;
import com.pulumi.azurenative.securityinsights.OfficeDataConnectorArgs;
import com.pulumi.azurenative.securityinsights.inputs.OfficeDataConnectorDataTypesArgs;
import com.pulumi.azurenative.securityinsights.inputs.OfficeDataConnectorDataTypesExchangeArgs;
import com.pulumi.azurenative.securityinsights.inputs.OfficeDataConnectorDataTypesSharePointArgs;
import com.pulumi.azurenative.securityinsights.inputs.OfficeDataConnectorDataTypesTeamsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that declares one Office 365 data connector on an existing
 * Sentinel workspace.
 */
public class App {
    /** Hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the connector with Exchange, SharePoint and Teams collection enabled.
     *
     * <p>The GUIDs and resource names are the example's sample values; substitute your own.
     * NOTE(review): the connector needs permissions on both the tenant and the workspace;
     * confirm the deploying identity's roles before rollout.
     *
     * @param ctx the Pulumi context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        // One entry per service; only services marked Enabled are ingested.
        final OfficeDataConnectorDataTypesArgs auditSources = OfficeDataConnectorDataTypesArgs.builder()
            .exchange(OfficeDataConnectorDataTypesExchangeArgs.builder().state("Enabled").build())
            .sharePoint(OfficeDataConnectorDataTypesSharePointArgs.builder().state("Enabled").build())
            .teams(OfficeDataConnectorDataTypesTeamsArgs.builder().state("Enabled").build())
            .build();

        final OfficeDataConnectorArgs connectorArgs = OfficeDataConnectorArgs.builder()
            .kind("Office365")
            .dataConnectorId("73e01a99-5cd7-4139-a149-9f2736ff2ab5")
            .tenantId("2070ecc9-b4d5-4ae4-adaa-936fa1954fa8")
            .resourceGroupName("myRg")
            .workspaceName("myWorkspace")
            .dataTypes(auditSources)
            .build();

        // Constructing the resource is what registers it with the Pulumi engine.
        new OfficeDataConnector("officeDataConnector", connectorArgs);
    }
}
# Office 365 data connector attached to an existing Sentinel workspace.
# The GUIDs and resource names are the example's sample values; substitute your own.
resources:
  officeDataConnector:
    type: azure-native:securityinsights:OfficeDataConnector
    properties:
      kind: Office365
      dataConnectorId: 73e01a99-5cd7-4139-a149-9f2736ff2ab5
      tenantId: 2070ecc9-b4d5-4ae4-adaa-936fa1954fa8
      resourceGroupName: myRg
      workspaceName: myWorkspace
      # One entry per service; only services marked Enabled are ingested.
      dataTypes:
        exchange: { state: Enabled }
        sharePoint: { state: Enabled }
        teams: { state: Enabled }
The dataTypes property controls which Office 365 services stream audit logs into Sentinel. Each service (exchange, sharePoint, teams) has a state property set to Enabled or Disabled. The tenantId specifies which Microsoft 365 tenant to monitor, and the kind property must be set to “Office365” to indicate this connector type. Once configured, Sentinel ingests audit events from the enabled services for analysis and alerting; a service left Disabled contributes no events, so detections that rely on that service have nothing to evaluate.
Beyond these examples
This snippet focuses on Office 365 audit log ingestion. It’s intentionally minimal rather than a full security monitoring solution.
The example references pre-existing infrastructure such as an Azure Sentinel workspace, a resource group, and an Office 365 tenant with audit logging enabled. It focuses on configuring the data connector rather than provisioning the surrounding infrastructure.
To keep things focused, common data connector patterns are omitted, including:
- Data connector state management (enabling/disabling individual data types)
- Connector health monitoring and diagnostics
- Custom filtering or transformation of ingested logs
- Integration with other Sentinel data connectors
These omissions are intentional: the goal is to illustrate how the Office 365 data connector is wired, not provide a drop-in security monitoring module. See the OfficeDataConnector resource reference for all available configuration options.
Frequently Asked Questions
Configuration & Setup
- The kind property is required and must be set to Office365.
- dataConnectorId, resourceGroupName, and workspaceName. The kind property defaults to Office365.
- tenantId is optional. Use it to specify which tenant to connect to and collect data from.
Data Collection
- dataTypes property with exchange, sharePoint, and teams sub-properties. Set each to state: Enabled to collect that service’s data.
- dataTypes to enable only the services you want. You can enable any combination of Exchange, SharePoint, and Teams.
Resource Management
- dataConnectorId, resourceGroupName, and workspaceName. Changing these requires recreating the resource.
- OfficeDataConnector resources regardless of the title. Focus on the resource type, not the example title.