Migrate from legacy Microsoft add-ons

Use this guide when you are migrating data collection from older Microsoft add-ons that can overlap with the Splunk Add-on for Microsoft Office 365, including the Splunk Add-on for Microsoft Azure and the Microsoft Graph Security API Add-On for Splunk.

Use the following recommended migration path:

  • Migrate Microsoft Entra ID metadata inputs such as Users, Groups, Applications, and Devices to the Splunk Add-on for Microsoft Office 365.
  • Migrate high-volume Microsoft Entra ID sign-in, audit, risk detection, and Microsoft Defender for Cloud logs to Azure Event Hub ingestion with the Splunk Add-on for Microsoft Cloud Services, or Splunk Data Manager for Splunk Cloud Platform deployments.
  • Migrate the legacy Microsoft Graph Security API input to the Splunk Add-on for Microsoft Security by using the Microsoft Defender for Endpoint Alerts input.

If you need the Microsoft Cloud Services side of this migration flow, see the migration matrix for legacy Microsoft add-ons.

Inputs and destinations

| Legacy feature/input | Recommended destination | Reference link |
|---|---|---|
| Microsoft Entra ID Users | Splunk Add-on for Microsoft Office 365 | Details |
| Microsoft Entra ID Groups | Splunk Add-on for Microsoft Office 365 | Details |
| Microsoft Entra ID Applications | Splunk Add-on for Microsoft Office 365 | Details |
| Microsoft Entra ID Devices | Splunk Add-on for Microsoft Office 365 | Details |
| Microsoft Entra ID Interactive Sign-ins | Azure Event Hub + Splunk Add-on for Microsoft Cloud Services/Data Manager | Details |
| Microsoft Entra ID Audit | Azure Event Hub + Splunk Add-on for Microsoft Cloud Services/Data Manager | Details |
| Microsoft Entra ID Risk Detection | Azure Event Hub + Splunk Add-on for Microsoft Cloud Services/Data Manager | Details |
| Microsoft Graph Security API | Splunk Add-on for Microsoft Security (Defender for Endpoint Alerts) | Details |

Migration details

Microsoft Entra ID Users

Migrate this legacy input to the Microsoft Entra ID Metadata input in the Splunk Add-on for Microsoft Office 365. This is the recommended destination for Microsoft Entra ID metadata collection.

  1. Disable the existing input in the legacy add-on.
  2. In the Splunk Add-on for Microsoft Office 365, select Create New Input and then select Microsoft Entra ID Metadata.
  3. Select the Users option in the Microsoft Entra ID Type parameter.
  4. Save the input.

For configuration details, see Configure Microsoft Entra ID Metadata inputs for the Splunk Add-on for Microsoft Office 365.

Microsoft Entra ID Groups

Migrate this legacy input to the Microsoft Entra ID Metadata input in the Splunk Add-on for Microsoft Office 365. This is the recommended destination for Microsoft Entra ID metadata collection.

  1. Disable the existing input in the legacy add-on.
  2. In the Splunk Add-on for Microsoft Office 365, select Create New Input and then select Microsoft Entra ID Metadata.
  3. Select the Groups option in the Microsoft Entra ID Type parameter.
  4. Save the input.

For configuration details, see Configure Microsoft Entra ID Metadata inputs for the Splunk Add-on for Microsoft Office 365.

Microsoft Entra ID Applications

Migrate this legacy input to the Microsoft Entra ID Metadata input in the Splunk Add-on for Microsoft Office 365. This is the recommended destination for Microsoft Entra ID metadata collection.

  1. Disable the existing input in the legacy add-on.
  2. In the Splunk Add-on for Microsoft Office 365, select Create New Input and then select Microsoft Entra ID Metadata.
  3. Select the Applications option in the Microsoft Entra ID Type parameter.
  4. Save the input.

For configuration details, see Configure Microsoft Entra ID Metadata inputs for the Splunk Add-on for Microsoft Office 365.

Microsoft Entra ID Devices

Migrate this legacy input to the Microsoft Entra ID Metadata input in the Splunk Add-on for Microsoft Office 365. This is the recommended destination for Microsoft Entra ID metadata collection.

  1. Disable the existing input in the legacy add-on.
  2. In the Splunk Add-on for Microsoft Office 365, select Create New Input and then select Microsoft Entra ID Metadata.
  3. Select the Devices option in the Microsoft Entra ID Type parameter.
  4. Save the input.

For configuration details, see Configure Microsoft Entra ID Metadata inputs for the Splunk Add-on for Microsoft Office 365.

Microsoft Entra ID Interactive Sign-ins

If you are migrating sign-in collection from a legacy add-on, the recommended migration path is Azure Event Hub ingestion with the Splunk Add-on for Microsoft Cloud Services, or Splunk Data Manager for Splunk Cloud Platform deployments. This avoids the throttling limits of the legacy direct collection path.

For configuration details, see the Microsoft Cloud Services migration guide.

Microsoft Entra ID Audit

If you are migrating Microsoft Entra ID audit collection from a legacy add-on, the recommended migration path is Azure Event Hub ingestion with the Splunk Add-on for Microsoft Cloud Services, or Splunk Data Manager for Splunk Cloud Platform deployments. This avoids the throttling limits of the legacy direct collection path.

For configuration details, see the Microsoft Cloud Services migration guide.

Microsoft Entra ID Risk Detection

If you are migrating Risk Detection collection from a legacy add-on, the recommended migration path is Azure Event Hub ingestion with the Splunk Add-on for Microsoft Cloud Services, or Splunk Data Manager for Splunk Cloud Platform deployments.

For configuration details, see the Microsoft Cloud Services migration guide.

Microsoft Graph Security API

If you are migrating the legacy Microsoft Graph Security API input, the recommended migration path is the Microsoft Defender for Endpoint Alerts input in the Splunk Add-on for Microsoft Security.

For configuration details, see Configure.