Prerequisites
Before you start, ensure you have:
• Azure Administrator privileges (or access to an admin who can grant required permissions).
• Access to the Azure portal (https://portal.azure.com).
Step 1: Create an App Registration in Microsoft Entra ID
1. Log in to the Azure portal: https://portal.azure.com
2. In the left sidebar, navigate to Microsoft Entra ID.
3. Click on App registrations.
4. Click New registration.
5. Enter a Name for your application (e.g., Logsign_Office365_SP).
6. Choose Supported account types → Select Accounts in this organizational directory only (Single tenant).
7. Leave Redirect URI blank (not required for this integration).
8. Click Register.
Note: After registering, note down the Application (client) ID and Directory (tenant) ID from the Overview page. You will need these later.
Step 2: Generate Client Credentials
1. In your App Registration, click Certificates & secrets in the left sidebar.
2. Click New client secret.
3. Enter a descriptive name (e.g., Logsign_Office365_Secret).
4. Set an expiration period (e.g., 1 year or 2 years).
5. Click Add.
6. Copy the generated Value and store it securely.
Note: You will not be able to view the secret value again once you leave the page.
Step 3: Configure API Permissions
Grant the required permissions for the Office 365 Exchange Online API.
1. In your App Registration, click API permissions in the left sidebar.
2. Remove any existing permissions by clicking ... → Remove permission.
3. Click Add a permission.
4. Select the APIs my organization uses tab.
5. Search for Office 365 Exchange Online and select it.
6. Select Application permissions.
7. Find and check ExchangeMessageTrace.Read.All.
8. Click Add permissions.
9. Click Grant admin consent and confirm.
Note: After granting admin consent, a green checkmark should appear next to the permission.
Step 4: Create Transport Data Platform Service Principal
The Microsoft Graph API message trace endpoint requires the Transport Data Platform service principal to exist in each tenant.
1. In Microsoft Entra ID, navigate to Enterprise applications.
2. In the All applications tab, paste the following App ID into the search box.
3. If Transport Data Platform appears in the list: select it and click Create.
4. If it does not appear: click New application → Create your own application. Enter Transport Data Platform as the name and use the App ID above.
Note: After creating this service principal, wait 2-3 hours before testing. The API may return an authentication error during this provisioning period.
Step 5: Assign Security Reader Role
Assign the Security Reader role to allow the application to read message trace logs.
1. In Microsoft Entra ID, click Roles and administrators in the left sidebar.
2. Search for Security Reader and select it.
3. Click Add assignments.
4. Search for the application you created in Step 1, select it, and click Save.
Note: You may need an Azure administrator to perform this step if you do not have sufficient privileges.
Step 6: Collect Required Information
You will need the following values when adding this source in Logsign USO:
• Client ID → App Registration > Overview > Application (client) ID
• Tenant ID → App Registration > Overview > Directory (tenant) ID
• Client Secret → The Value generated in Step 2
• OAuth Scope → https://graph.microsoft.com/.default
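The four values above can be checked with a client credentials token request before they are entered in Logsign USO. The following Python sketch is an added example, not part of the Logsign or Microsoft documentation; its function names are hypothetical, and it assumes the Microsoft identity platform v2.0 token endpoint and that the returned access token is a JWT.

```python
import base64, json, re, time
from urllib import parse, request

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
SCOPE = "https://graph.microsoft.com/.default"  # OAuth Scope from Step 6
GRAPH_AUD = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the OAuth 2.0 client credentials grant."""
    for name, value in (("tenant_id", tenant_id), ("client_id", client_id)):
        if not GUID.match(value):
            raise ValueError(f"{name} is not a GUID; copy it from the Overview page")
    if GUID.match(client_secret):  # the Secret ID is a GUID, the Value is not
        raise ValueError("client_secret looks like the Secret ID, not the Value")
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": SCOPE}
    return url, parse.urlencode(form).encode()

def fetch_token(tenant_id, client_id, client_secret):
    """Network call: POST the request and return the access token string."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with request.urlopen(request.Request(url, data=body), timeout=30) as resp:
        return json.loads(resp.read())["access_token"]

def token_claims(access_token):
    """Decode the JWT payload WITHOUT verifying it (diagnostics only)."""
    payload = access_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_claims(claims, tenant_id, now=None):
    """Return a list of problems found in the claims; empty means they look right."""
    now = time.time() if now is None else now
    problems = []
    if str(claims.get("tid", "")).lower() != tenant_id.lower():
        problems.append("token issued for a different tenant")
    if claims.get("aud") not in GRAPH_AUD:
        problems.append("token audience is not Microsoft Graph")
    if claims.get("exp", 0) <= now:
        problems.append("token already expired")
    return problems

if __name__ == "__main__":
    # Constructed placeholder values; replace with the ones collected in Step 6.
    tenant, client = "11111111-2222-3333-4444-555555555555", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    print(build_token_request(tenant, client, "constructed-secret-value")[0])
    sample = {"tid": tenant, "aud": "https://graph.microsoft.com", "exp": time.time() + 3600}
    print(check_claims(sample, tenant) or "claims OK")
```

With real values, pass the result of fetch_token through token_claims and check_claims; keep the client secret and the returned token out of shell history and logs.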