The setup script is the quickest way to register the Microsoft app the connector needs. If you’d rather not run PowerShell — or your environment is change-controlled — you can do the exact same registration by hand in the Microsoft Entra admin center, or with the Azure CLI.
All paths produce the same thing: a single-tenant, app-only application with the
permissions ActivityFeed.Read (Office 365 Management APIs) + AuditLog.Read.All and
Directory.Read.All (Microsoft Graph), admin consent granted, and a client
secret. You’ll come away with three values — TENANT_ID, CLIENT_ID,
CLIENT_SECRET — to put in the connector’s .env.
You need to be a Global Administrator (or Privileged Role Administrator + Cloud Application Administrator) to grant admin consent.
In Microsoft Purview → Audit, choose Start recording user and admin activity if it isn’t already on. The Management Activity API depends on it, and it can take up to ~12 hours to begin producing data after you enable it.
In the Microsoft Entra admin center, register a new single-tenant application (for example, named Secure60 M365 Connector, matching the CLI path below). On the app's Overview page, note the Application (client) ID and Directory (tenant) ID: these are your CLIENT_ID and TENANT_ID.

On the app, go to API permissions → Add a permission, and add the following as Application permissions (not delegated):
| API | Where to find it | Permission |
|---|---|---|
| Office 365 Management APIs | APIs my organization uses → search “Office 365 Management APIs” | ActivityFeed.Read (add ActivityFeed.ReadDlp for DLP) |
| Microsoft Graph | Microsoft Graph → Application permissions | AuditLog.Read.All |
| Microsoft Graph | Microsoft Graph → Application permissions | Directory.Read.All |
On Entra ID P2 tenants, also add Graph IdentityRiskEvent.Read.All and
IdentityRiskyUser.Read.All if you want Identity Protection data.
“Office 365 Management APIs” doesn’t appear under APIs my organization uses? Its service principal isn’t provisioned in your tenant yet. Add and consent the Microsoft Graph permissions first; the Office 365 Management APIs entry typically becomes selectable afterwards. (The script and CLI paths create it automatically.)
On the API permissions page, click Grant admin consent for <your tenant> and confirm. Each permission’s Status should turn to a green Granted.
Go to Certificates & secrets → Client secrets → New client secret. Give it
a description and an expiry (24 months max), then Add. Copy the secret Value
immediately — it cannot be retrieved later. This is your CLIENT_SECRET. Set a
reminder to rotate it before it expires (an expired secret silently stops collection).
The same registration with the Azure CLI (run from a shell with the az CLI installed and signed in):

```bash
az login   # add --use-device-code on a headless host
TENANT=$(az account show --query tenantId -o tsv)
APPID=$(az ad app create --display-name "Secure60 M365 Connector" \
  --sign-in-audience AzureADMyOrg --query appId -o tsv)
az ad sp create --id "$APPID"

# Microsoft Graph application permissions
#   AuditLog.Read.All   b0afded3-3588-46d8-8b3d-9842eff778da
#   Directory.Read.All  7ab1d382-f21e-4acd-a863-ba3e13f7da61
az ad app permission add --id "$APPID" --api 00000003-0000-0000-c000-000000000000 \
  --api-permissions b0afded3-3588-46d8-8b3d-9842eff778da=Role 7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role

# Office 365 Management APIs -> ActivityFeed.Read 594c1fb6-4f81-4475-ae41-0c394909246c
az ad sp create --id c5393580-f805-4401-95e8-94b7a6ef2fc2 2>/dev/null || true   # ensure the resource SP exists
az ad app permission add --id "$APPID" --api c5393580-f805-4401-95e8-94b7a6ef2fc2 \
  --api-permissions 594c1fb6-4f81-4475-ae41-0c394909246c=Role

az ad app permission admin-consent --id "$APPID"   # requires Global Admin
SECRET=$(az ad app credential reset --id "$APPID" --years 2 --query password -o tsv)
echo "TENANT_ID=$TENANT"; echo "CLIENT_ID=$APPID"; echo "CLIENT_SECRET=$SECRET"
```
Put the three values into the connector's .env and continue from Step 2: Configure the connector.

```ini
TENANT_ID=...
CLIENT_ID=...
CLIENT_SECRET=...
# then add your Secure60 destination (PROJECT_ID + TOKEN, or S60_COLLECTOR_BASE)
```
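Before starting the connector, it is worth confirming that the three values actually yield a token carrying the consented application permissions, since a missing admin consent or an expired secret otherwise only shows up as silent collection failure. The following is an added example, not part of the connector or this page; it uses only the Python standard library, fetches an app-only token with the client-credentials flow (network), and checks the token's roles claim offline against the permissions listed above. The `constructed_token` helper and the sample tokens are constructed test data.

```python
import base64
import json
import urllib.parse
import urllib.request

# Application permissions the connector needs, keyed by resource (from the setup steps above).
REQUIRED = {
    "https://manage.office.com": {"ActivityFeed.Read"},
    "https://graph.microsoft.com": {"AuditLog.Read.All", "Directory.Read.All"},
}


def fetch_token(tenant_id, client_id, client_secret, resource):
    """Client-credentials flow against the tenant's v2.0 token endpoint (needs network)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": resource + "/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def decode_claims(token):
    """Decode the JWT payload without verifying the signature: we are inspecting our own token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding that JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token, resource):
    """Required application permissions absent from the token's roles claim.

    No roles claim at all usually means admin consent was never granted."""
    return REQUIRED[resource] - set(decode_claims(token).get("roles", []))


def constructed_token(roles, aud="https://graph.microsoft.com"):
    """Unsigned sample token for offline testing (constructed data, not a real Entra token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"aud": aud, "roles": roles}), "sig"])


if __name__ == "__main__":
    # Swap the constructed token for fetch_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET, resource).
    for roles in (["AuditLog.Read.All", "Directory.Read.All"], ["AuditLog.Read.All"], []):
        tok = constructed_token(roles)
        print(roles, "->", missing_roles(tok, "https://graph.microsoft.com") or "all granted")
```

Run the same check against the Office 365 Management APIs resource to confirm ActivityFeed.Read; an empty result for both resources means consent is in place and the secret is valid.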
Need a hand? Contact the integrations team at integrations@secure60.io.