Hello All,

I am trying to integrate O365 and Intune using the documentation from:

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Integrating-Entra-ID-and-Office-365-Using/ba-p/775343

https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/microsoft-intune

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Integrating-Entra-ID-and-Office-365-Using/ba-p/775297

https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-microsoft365

Unfortunately Intune is showing me this: 

[HTTP 403] The auth account provided in feed configuration lacks required permissions.

Here are the permissions. I really don't understand why it won't integrate properly:

The log type is Third Party API - Intune although I get the same error for Graph API. 

Secondly, with all O365 log types I get the following error:

 

Error: HTTP_400 [HTTP 400] The feed failed because of invalid request. What you can do? Check the feed configuration. Learn more about setting up feeds. If the problem continues, contact Chronicle Support.

 

Again, I've followed the steps from John Stoner in the articles above and done everything here. Is there something I'm missing? Permissions below:

I would add that we don't have E5 licenses although surely we would still be able to see Intune/DLP activity? 

Thank you 

Hi,
Some of the links you provided refer to SOAR integration rather than SIEM.
I’d suggest the following steps:
1. Verify the configuration values:
OAuth client ID (SecOps): Use the Application (client) ID from Azure.
OAuth client secret (SecOps): Under Certificates & secrets in Azure, make sure to use the Value, not the Secret ID.
Tenant ID (SecOps): Use the Directory (tenant) ID from Azure.

2. Microsoft 365 Logs:
I believe you’ll need a Microsoft 365 Enterprise E5 subscription with the Microsoft Security and Compliance Center feature.

Alternatively, you can collect Microsoft Entra Logs using this guide:
https://cloud.google.com/chronicle/docs/ingestion/default-parsers/azure-ad

3. Intune Logs:
You can refer to the following documentation:
https://cloud.google.com/chronicle/docs/ingestion/default-parsers/microsoft-intune
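
The value checks from step 1 above, plus a look at the `roles` claim of an app-only access token, as an added example that is not part of the original thread or of the vendors' documentation. It assumes an access token for the app registration has already been obtained by other means; the function names and sample GUIDs are constructed, and the GUID test on the secret is a heuristic (the Secret ID is a GUID, the Value is not).

```python
import base64
import json
import re

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def check_feed_values(client_id, client_secret, tenant_id):
    """Return a list of problems with the three values entered in the feed."""
    problems = []
    if not GUID.match(client_id):
        problems.append("client ID is not a GUID; use the Application (client) ID")
    if not GUID.match(tenant_id):
        problems.append("tenant ID is not a GUID; use the Directory (tenant) ID")
    if GUID.match(client_secret):  # heuristic: the Secret ID is a GUID, the Value is not
        problems.append("client secret looks like the Secret ID; use the Value")
    return problems

def jwt_claims(token):
    """Decode a JWT payload without verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token, client_id, tenant_id):
    """Compare an app-only token with the feed values; return (problems, roles)."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("tid", "").lower() != tenant_id.lower():
        problems.append("token was issued by a different tenant")
    app = claims.get("appid") or claims.get("azp", "")  # v1 tokens: appid, v2: azp
    if app.lower() != client_id.lower():
        problems.append("token was issued to a different application")
    if not claims.get("roles"):  # consented application permissions appear here
        problems.append("no 'roles' claim: no application permission was consented")
    return problems, claims.get("roles", [])

def sample_token(claims):
    """Build an unsigned, constructed token for the demo (not a real one)."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return "e30." + body + ".sig"

if __name__ == "__main__":
    TENANT = "11111111-1111-1111-1111-111111111111"  # constructed sample value
    APP = "22222222-2222-2222-2222-222222222222"     # constructed sample value
    print(check_feed_values(APP, "33333333-3333-3333-3333-333333333333", TENANT))
    print(check_token(sample_token({"tid": TENANT, "appid": APP}), APP, TENANT))
```

The returned roles list is what to compare against the permissions the feed documentation asks for.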


Thanks Eoved, I believe the M365 issue would be related to the E5 subscription as I suspected; however, this should still permit Intune to work.

I have already done the steps you listed above for this. It clearly can access the API; it's just a question of the permissions which I shared in the screenshot not working. Are there additional permissions we need to provide?


In the Intune scenario, it seems in the link  that logs need to be collected from a storage account using Azure Storage credentials.
Therefore, I assume that the appropriate permissions are required for this scenario — not the ones you mentioned above.
Perhaps someone here can point you to the specific permissions needed.



Hey Eoved, 

These instructions still skip the steps on how to get the client_id and client_secret. If it's through app creation, what permissions are needed?

