Configure a Tenant in the Splunk Add-on for Microsoft Office 365

You must configure at least one Tenant in the Splunk Add-on for Microsoft Office 365.

Prerequisite: Before you create a Tenant, complete the previous step in the configuration process:

• Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365
• Make sure that port 443 is open to allow the Splunk Add-on for Microsoft Office 365 to communicate with the Microsoft Azure servers.

Set up the add-on using Splunk Web

1. Go to the Splunk Web home screen.
2. Click on Splunk Add-on for Microsoft Office 365 in the left navigation banner.
3. Click on the Configuration tab.
4. Under the Tenant section, click Add and fill in the fields. Use the parameters you configured for the application in the Azure Active Directory, see Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365 where:

• Tenant ID is the Directory ID from Microsoft Entra ID.
• Client ID is the Application ID from the registered application within the Microsoft Entra ID.
• Authentication Type is the type of authentication to communicate with the Azure portal.
• The following fields are only required for Client Secret Based Authentication Authentication Type:
  • Client Secret is the registered application key for the corresponding application.
• The following fields are only required for Certificate Based Authentication Authentication Type:
  • Certificate Private Key is the private key of the certificate of the corresponding application. It must be in the PEM format.
  • Certificate Thumbprint is the thumbprint provided from Azure for the corresponding application after uploading a certificate.
  • Private Key Password is the password of a private key. This field is optional and it is only required if private key is encrypted.
• (Optional) The following fields are only required for the Cloud Application Security input:
  • Cloud Application Security Token is the registered application key for the corresponding tenant.
  • Tenant Subdomain is the first component of the Cloud App Security Portal URL. For example, https://<tenant_subdomain>.<tenant_datacenter>.portal.cloudappsecurity.com.
  • Tenant Data Center is the second component of the Cloud App Security Portal URL. For example, https://<tenant_subdomain>.<tenant_datacenter>.portal.cloudappsecurity.com.

5. Click Add to add the Tenant to your local configuration.