The azure-native:securityinsights:OfficeDataConnector resource, part of the Pulumi Azure Native provider, connects Microsoft Sentinel to Office 365 audit logs, enabling ingestion of Exchange, SharePoint, and Teams activity data. This guide focuses on one capability: enabling Office 365 audit log collection.
The connector requires an existing Microsoft Sentinel workspace and appropriate permissions to access Office 365 audit logs for the specified tenant. The example is intentionally small. Combine it with your own Sentinel workspace, analytics rules, and incident response workflows.
Enable Office 365 audit logs for Exchange, SharePoint, and Teams
Security teams monitoring Microsoft 365 environments need visibility into user activity across Exchange, SharePoint, and Teams for threat detection and compliance investigations.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const officeDataConnector = new azure_native.securityinsights.OfficeDataConnector("officeDataConnector", {
dataConnectorId: "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
dataTypes: {
exchange: {
state: azure_native.securityinsights.DataTypeState.Enabled,
},
sharePoint: {
state: azure_native.securityinsights.DataTypeState.Enabled,
},
teams: {
state: azure_native.securityinsights.DataTypeState.Enabled,
},
},
kind: "Office365",
resourceGroupName: "myRg",
tenantId: "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
workspaceName: "myWorkspace",
});
import pulumi
import pulumi_azure_native as azure_native
office_data_connector = azure_native.securityinsights.OfficeDataConnector("officeDataConnector",
data_connector_id="73e01a99-5cd7-4139-a149-9f2736ff2ab5",
data_types={
"exchange": {
"state": azure_native.securityinsights.DataTypeState.ENABLED,
},
"share_point": {
"state": azure_native.securityinsights.DataTypeState.ENABLED,
},
"teams": {
"state": azure_native.securityinsights.DataTypeState.ENABLED,
},
},
kind="Office365",
resource_group_name="myRg",
tenant_id="2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
workspace_name="myWorkspace")
package main
import (
securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := securityinsights.NewOfficeDataConnector(ctx, "officeDataConnector", &securityinsights.OfficeDataConnectorArgs{
DataConnectorId: pulumi.String("73e01a99-5cd7-4139-a149-9f2736ff2ab5"),
DataTypes: &securityinsights.OfficeDataConnectorDataTypesArgs{
Exchange: &securityinsights.OfficeDataConnectorDataTypesExchangeArgs{
State: pulumi.String(securityinsights.DataTypeStateEnabled),
},
SharePoint: &securityinsights.OfficeDataConnectorDataTypesSharePointArgs{
State: pulumi.String(securityinsights.DataTypeStateEnabled),
},
Teams: &securityinsights.OfficeDataConnectorDataTypesTeamsArgs{
State: pulumi.String(securityinsights.DataTypeStateEnabled),
},
},
Kind: pulumi.String("Office365"),
ResourceGroupName: pulumi.String("myRg"),
TenantId: pulumi.String("2070ecc9-b4d5-4ae4-adaa-936fa1954fa8"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var officeDataConnector = new AzureNative.SecurityInsights.OfficeDataConnector("officeDataConnector", new()
{
DataConnectorId = "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
DataTypes = new AzureNative.SecurityInsights.Inputs.OfficeDataConnectorDataTypesArgs
{
Exchange = new AzureNative.SecurityInsights.Inputs.OfficeDataConnectorDataTypesExchangeArgs
{
State = AzureNative.SecurityInsights.DataTypeState.Enabled,
},
SharePoint = new AzureNative.SecurityInsights.Inputs.OfficeDataConnectorDataTypesSharePointArgs
{
State = AzureNative.SecurityInsights.DataTypeState.Enabled,
},
Teams = new AzureNative.SecurityInsights.Inputs.OfficeDataConnectorDataTypesTeamsArgs
{
State = AzureNative.SecurityInsights.DataTypeState.Enabled,
},
},
Kind = "Office365",
ResourceGroupName = "myRg",
TenantId = "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
WorkspaceName = "myWorkspace",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.OfficeDataConnector;
import com.pulumi.azurenative.securityinsights.OfficeDataConnectorArgs;
import com.pulumi.azurenative.securityinsights.inputs.OfficeDataConnectorDataTypesArgs;
import com.pulumi.azurenative.securityinsights.inputs.OfficeDataConnectorDataTypesExchangeArgs;
import com.pulumi.azurenative.securityinsights.inputs.OfficeDataConnectorDataTypesSharePointArgs;
import com.pulumi.azurenative.securityinsights.inputs.OfficeDataConnectorDataTypesTeamsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var officeDataConnector = new OfficeDataConnector("officeDataConnector", OfficeDataConnectorArgs.builder()
.dataConnectorId("73e01a99-5cd7-4139-a149-9f2736ff2ab5")
.dataTypes(OfficeDataConnectorDataTypesArgs.builder()
.exchange(OfficeDataConnectorDataTypesExchangeArgs.builder()
.state("Enabled")
.build())
.sharePoint(OfficeDataConnectorDataTypesSharePointArgs.builder()
.state("Enabled")
.build())
.teams(OfficeDataConnectorDataTypesTeamsArgs.builder()
.state("Enabled")
.build())
.build())
.kind("Office365")
.resourceGroupName("myRg")
.tenantId("2070ecc9-b4d5-4ae4-adaa-936fa1954fa8")
.workspaceName("myWorkspace")
.build());
}
}
resources:
officeDataConnector:
type: azure-native:securityinsights:OfficeDataConnector
properties:
dataConnectorId: 73e01a99-5cd7-4139-a149-9f2736ff2ab5
dataTypes:
exchange:
state: Enabled
sharePoint:
state: Enabled
teams:
state: Enabled
kind: Office365
resourceGroupName: myRg
tenantId: 2070ecc9-b4d5-4ae4-adaa-936fa1954fa8
workspaceName: myWorkspace
The dataTypes property controls which Office 365 services stream audit logs into Sentinel. Each service (exchange, sharePoint, teams) has a state property set to Enabled or Disabled. The tenantId identifies your Microsoft 365 tenant, and the kind property must be set to “Office365” to specify this connector type. Once enabled, audit logs flow continuously into your Sentinel workspace for analysis.
Beyond these examples
This snippet focuses on Office 365 audit log ingestion and selective data type enablement. It’s intentionally minimal rather than a full security monitoring solution.
The example references pre-existing infrastructure such as a Microsoft Sentinel workspace, Azure resource group, and Office 365 tenant with audit logging enabled. It focuses on configuring the connector rather than provisioning the surrounding infrastructure.
To keep things focused, common connector patterns are omitted, including:
- Data connector state management (enabling/disabling after creation)
- Connector health monitoring and diagnostics
- Custom filtering or transformation of ingested logs
- Integration with other Sentinel features (analytics rules, workbooks)
These omissions are intentional: the goal is to illustrate how the Office 365 connector is wired, not provide a drop-in security monitoring module. See the OfficeDataConnector resource reference for all available configuration options.
Let's configure Azure Office Data Connectors
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Data Types
dataTypes property with exchange, sharePoint, and teams sub-properties, setting each to state: Enabled.tenantId is required and specifies the Azure AD tenant to connect to and collect data from.kind to "Office365" for this connector type.Resource Properties & Lifecycle
dataConnectorId, resourceGroupName, and workspaceName. Changing these requires recreating the resource.OfficeDataConnector resource type. The actual connector behavior is determined by the kind property and configuration, not the example title.