Configure a Tenant in the Splunk Add-on for Microsoft Office 365
You must configure at least one Tenant in the Splunk Add-on for Microsoft Office 365.
Prerequisite: Before you create a Tenant, complete the previous step in the configuration process:
- Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365
- Make sure that port 443 is open to allow the Splunk Add-on for Microsoft Office 365 to communicate with the Microsoft Azure servers.
Set up the add-on using Splunk Web
- Go to the Splunk Web home screen.
- Click on Splunk Add-on for Microsoft Office 365 in the left navigation banner.
- Click on the Configuration tab.
- Under the “Tenant” section, click “Add” and fill in the fields. Use the parameters you configured for the application in Azure Active Directory (see Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365), where:
  - Tenant ID is the Directory ID from Microsoft Entra ID.
  - Client ID is the Application ID from the registered application within the Microsoft Entra ID.
  - Client Secret is the registered application key for the corresponding application.
  - (Optional) The following fields are only required for the Cloud Application Security input:
    - Cloud Application Security Token is the registered application key for the corresponding tenant.
    - Tenant Subdomain is the first component of the Cloud App Security Portal URL. For example, https://<tenant_subdomain>.<tenant_datacenter>.portal.cloudappsecurity.com.
    - Tenant Data Center is the second component of the Cloud App Security Portal URL. For example, https://<tenant_subdomain>.<tenant_datacenter>.portal.cloudappsecurity.com.
- Click Add to add the Tenant to your local configuration.
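
The following added example (not part of the add-on or of Splunk's documentation) checks values before they are typed into the Tenant form: it splits a Cloud App Security Portal URL into Tenant Subdomain and Tenant Data Center, rejecting non-HTTPS and lookalike hosts, and checks that a Tenant ID or Client ID has the GUID shape Microsoft Entra ID uses. The function names, the returned dictionary keys, and the sample URL are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Fixed suffix of the portal URL format given in the steps above.
PORTAL_SUFFIX = ".portal.cloudappsecurity.com"
# One DNS label: letters, digits, inner hyphens, at most 63 characters.
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")
# Directory ID and Application ID are GUIDs in Microsoft Entra ID.
GUID = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def split_portal_url(url):
    """Return the two Tenant form values encoded in a portal URL.

    Raises ValueError if the URL is not https or does not match
    https://<tenant_subdomain>.<tenant_datacenter>.portal.cloudappsecurity.com
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("portal URL must use https")
    host = (parts.hostname or "").lower()
    # Suffix match on the parsed hostname stops hosts such as
    # "x.y.portal.cloudappsecurity.com.example.net" from passing.
    if not host.endswith(PORTAL_SUFFIX):
        raise ValueError("host is not under portal.cloudappsecurity.com")
    labels = host[: -len(PORTAL_SUFFIX)].split(".")
    if len(labels) != 2 or not all(LABEL.match(label) for label in labels):
        raise ValueError("expected <tenant_subdomain>.<tenant_datacenter>")
    # Keys are hypothetical names, not the add-on's configuration keys.
    return {"tenant_subdomain": labels[0], "tenant_data_center": labels[1]}


def is_guid(value):
    """True if value looks like a Tenant ID or Client ID (a GUID)."""
    return bool(GUID.match(value.strip().lower()))


if __name__ == "__main__":
    # Constructed sample URL, not a real tenant.
    print(split_portal_url("https://contoso.us3.portal.cloudappsecurity.com/"))
```

A value that fails `is_guid` in the Tenant ID or Client ID field usually means the Client Secret or a display name was pasted into the wrong box.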