OMS Office 365 management solution now in public preview

Summary: Announcing the public preview of the Microsoft Operations Management Suite solution for Office 365.

Good morning everyone, Cigdem Kontaci from the OMS team here, and today I am happy to announce the Public Preview of Office 365 solution in OMS. We have been working on getting Office 365 data in OMS for some time, and, finally, we can share the result of this effort with all of you!

With the Office 365 solution, you can perform the following types of management activities:

  • Monitor user activities on your Office 365 accounts to analyze usage patterns as well as identify behavioral trends. For example, you can extract specific usage scenarios, such as files that are shared outside your organization or the most popular SharePoint sites.
  • Monitor admin activities to track configuration changes or high privilege operations.
  • Detect and investigate unwanted user behavior, which can be customized for your organizational needs.
  • Demonstrate audit and compliance. For example, you can monitor file access operations on confidential files, which can help you with the audit and compliance process.
  • Perform operational troubleshooting by using OMS Search on top of Office 365 activity data of your organization.

Overview of the solution

Office 365 solution gives you full visibility into your Office 365 user activities.

Screenshot of a graph of Office 365 activities. Screenshot of an overview page in Microsoft Operations Management Suite, which shows data for different activities within workloads.

Data that is collected for Office 365 is all based on the current functionality of the Office 365 Management Activity API. Today, this API includes management activities for Exchange, SharePoint, and Azure Active Directory.

The OPERATIONS section provides information about the active users from your all monitored Office 365 subscriptions. You will also be able to see the number of activities that happen over time.

The EXCHANGE section shows the breakdown of Exchange Server activities such as Add-Mailbox Permission, or Set-Mailbox.

The SHAREPOINT section shows the top activities that users perform on SharePoint documents. When you drill down from this tile, the search page shows the details of these activities, such as the target document and the location of this activity. For example, for a File Accessed event, you will be able to see the document that’s being accessed, its associated account name, and IP address.

The AZURE ACTIVE DIRECTORY section includes top user activities, such as Reset User Password and Login Attempts. When you drill down, you will be able to see the details of these activities like the Result Status. This is mostly helpful if you want to monitor suspicious activities on your Azure Active Directory.

Alerting and customization with Office 365 solution

Office 365 solution in OMS will enable you to search Office 365 user activities quickly and efficiently. Although you can utilize search capabilities provided by OMS, you have detailed information for your Office 365 activities with more than 50 fields for different Office workloads. You can find some use cases in the Example Queries section.

With custom search queries that are fine-tuned for your organization’s needs, you can create alerts on these queries that will show up in the Alert Management solution in your Overview page. This will help you to monitor Office 365 alerts along with your other alerts in OMS.

Screenshot of and Add Alert Rule page where you create alerts for queries.

You can pin your favorite Office 365 search queries on your Dashboard for a customized view.

Screenshot of an Office 365 query that’s pinned to the Dashboard.

Correlate Office 365 data with other data types

You can extend your search capability on Office 365 data by correlating it with other data types in OMS. All Office 365 user activities include a ClientIP field that shows the IP address that’s used to perform the operation. Whenever you want to investigate an issue, you can use the ClientIP field to correlate with other data types in OMS that include IP addresses.

Apart from the IP information, some Office activities, such as Exchange Mailbox operations, have client machine information under ClientInfoString or ClientMachineName fields. With these fields, you can identify when an issue in Office 365 originates from a particular client. After you can identify the clients that causes the problem, you can further investigate the issue on the client end.

Get started

  1. Go to Solutions Gallery, and add Office 365 solution.

Screenshot of Office 365 solution in Solution Gallery.

Adding the solution from the Solutions Gallery should add an Office 365 solution tile in your Overview page.

  1. Go to your Overview page to see the Office 365 solution tile.

Screenshot of Office 365 solution tile.

  1. In order to see the Office 365 data that flows in, click the solution tile to configure the solution. It will direct you to the Connected Resources tab on the Settings page.
  2. Scroll right to see the Office 365 column.

Screenshot of the Connect Office 365 button.

  1. Click the Connect Office 365 button. The sign-in page that opens is a popup screen, so please disable popup blockers momentarily for this step.
  2. On the popup screen, enter you Global Administrator Credentials for your preferred subscription. (Right now, we support Office 365 accounts for organizations.)
  3. After the popup screen closes, you should be able to see the linked subscription.

Screenshot of a linked subscription.

  1. You’re Done!

After you’ve successfully added the Office 365 solution and connected your OMS workspace to your Office 365 account, you should expect to see the initial data flow in 3–4 hours. After the initial data flow, activity data will be available within a few minutes of publishing from Office 365.

Search query examples:

Here are some example queries that will utilize your monitoring capabilities over your Office 365 account.

  • Count of all the operations on your Office 365 subscription:

“Type = OfficeActivity | measure count() by Operation”

 Screenshot that shows all the operations in an Office 365 subscription.

This is an overall view that includes all Office workloads. If you want to get details about a specific Office workload like SharePoint, you can filter out by the OfficeWorkload field.

  • Usage of SharePoint sites:

“Type=OfficeActivity OfficeWorkload=sharepoint | measure count() as Count by SiteUrl | sort Count asc”

You can identify the idle SharePoint sites as well as the most popular ones.

  • File access operations by user type:

“Type=OfficeActivity OfficeWorkload=sharepoint Operation=FileAccessed | measure count() by UserType”

This will help you to track when a sensitive file is access by an unwanted user group.

  • Search with a specific keyword:

“Type=OfficeActivity OfficeWorkload=azureactivedirectory "CigdemTest"”

You might want to query your Office 365 data with a keyword. For example, I have created a group called “CigdemTest” on Azure Active Directory. I can go ahead and search with the previous query to get details about all activities that are related with my group.

Screenshot that shows all activities that are related to the CigdemTest group.

  • Monitor external actions on Exchange:

“Type=OfficeActivity OfficeWorkload=exchange ExternalAccess = true”

This search query returns operations that are performed by actors outside your organization, such as datacenter personnel, datacenter service accounts, or delegated administrators.

Notes and tips

You have to be a global admin of the Office 365 account to be able to connect the account to OMS.

You can connect only your organizational Office 365 accounts to OMS. If the Office 365 admin account that you’re planning to use is a Microsoft account (email addresses that end in @Hotmail.com, @msn.com,  @outlook.com,  @live.com), you will not be able to complete the onboarding for this solution. As a workaround, get an Office 365 admin account that is also an organizational account, for example, JohnDoe@contoso.onmicrosoft.com).

Multiple office subscriptions can be connected to an OMS workspace. However, an office subscription can only be connected to one OMS workspace.

If you are using a third-party single sign-on service, please note that you might face some authentication problems.

That is all I have for you today. I would like to hear any feedback you have. Please feel free to send me an e-mail at cigkoc@microsoft.com with questions, comments, and suggestions.

You can get a free Microsoft Operations Management Suite (#MSOMS) subscription so that you can test the new alerting features. You can also get a free subscription for Microsoft Azure.

I invite you to follow me on Twitter and the Microsoft OMS Facebook site. If you want to learn more about Windows PowerShell, visit the Hey, Scripting Guy Blog. If you have any questions, send email to me at scripter@microsoft.com. I wish you a wonderful day, and I’ll see you tomorrow.

Cigdem Kontaci
Microsoft Operations Management Team