Azure AD Streaming Configuration

This guide walks you through enabling real-time data streaming for an Azure AD connection and monitoring live streaming events within the Forcepoint DSPM platform.

Configuring permissions for an Azure App

  1. Log in to the Azure Portal.
  2. If there are multiple tenants to choose from, use the Settings icon in the top menu and, from the Directories + subscriptions menu, switch to the tenant in which the application needs to be registered.

  3. Browse to App registrations and select the application that was created for scanning.
  4. Navigate to Manage > API permissions in the left menu, and select Add a permission.

  5. Select Microsoft APIs > Office 365 Management API.

  6. Select Application permissions.

  7. Select the ActivityFeed.Read permission.

  8. Permissions required:
    • Office 365 Management API > Application permissions > ActivityFeed.Read
    • Microsoft Graph > Application permissions > AuditLog > AuditLog.Read.All
    • Microsoft Graph > Application permissions > Directory > Directory.Read.All
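The permission list above, turned into a check you can run against an app registration's manifest to catch a missing permission, a surplus one, or the common mistake of adding a delegated permission where an application permission is required. This is an added example, not Forcepoint's or Microsoft's code; the resource service principals, their role ids and the sample manifest are constructed placeholders, and the only Graph facts it relies on are the field names of requiredResourceAccess, appRoles and oauth2PermissionScopes.

```python
# Added example (not Forcepoint's or Microsoft's code): check an app registration's
# requested permissions against the set this guide requires, using the field shapes
# Graph returns for application.requiredResourceAccess and servicePrincipal.appRoles.

# Application permissions the guide requires, keyed by resource display name.
REQUIRED = {
    "Office 365 Management APIs": {"ActivityFeed.Read"},
    "Microsoft Graph": {"AuditLog.Read.All", "Directory.Read.All"},
}

# Constructed stand-ins for the resource service principals. Real appId, appRole and
# scope ids are GUIDs read from Graph; these placeholders only match the sample below.
RESOURCE_SPS = [
    {"appId": "res-o365-mgmt", "displayName": "Office 365 Management APIs",
     "appRoles": [{"id": "role-activityfeed", "value": "ActivityFeed.Read"}]},
    {"appId": "res-graph", "displayName": "Microsoft Graph",
     "appRoles": [{"id": "role-auditlog", "value": "AuditLog.Read.All"},
                  {"id": "role-dirread", "value": "Directory.Read.All"},
                  {"id": "role-dirwrite", "value": "Directory.ReadWrite.All"}],
     "oauth2PermissionScopes": [{"id": "scope-dirread", "value": "Directory.Read.All"}]},
]

# Constructed sample manifest: Directory.Read.All was added as delegated ("Scope")
# instead of application ("Role"), and Directory.ReadWrite.All was never required.
SAMPLE_APP_ACCESS = [
    {"resourceAppId": "res-o365-mgmt",
     "resourceAccess": [{"id": "role-activityfeed", "type": "Role"}]},
    {"resourceAppId": "res-graph",
     "resourceAccess": [{"id": "role-auditlog", "type": "Role"},
                        {"id": "scope-dirread", "type": "Scope"},
                        {"id": "role-dirwrite", "type": "Role"}]},
]

def audit_permissions(app_access, resource_sps=RESOURCE_SPS, required=REQUIRED):
    """Return "missing", "extra" and "delegated" sets of "Resource:Permission" names.
    Only type "Role" (application permission) satisfies a requirement: the streaming
    subscription runs as the app with no signed-in user, so a delegated "Scope" of
    the same name does not help and is reported separately."""
    by_app = {sp["appId"]: sp for sp in resource_sps}
    need = {f"{res}:{perm}" for res, perms in required.items() for perm in perms}
    granted, delegated = set(), set()
    for entry in app_access:
        sp = by_app.get(entry["resourceAppId"])
        if sp is None:
            continue  # a resource this guide does not cover
        names = {x["id"]: x["value"]
                 for x in sp.get("appRoles", []) + sp.get("oauth2PermissionScopes", [])}
        for access in entry["resourceAccess"]:
            label = f'{sp["displayName"]}:{names.get(access["id"], access["id"])}'
            (granted if access["type"] == "Role" else delegated).add(label)
    return {"missing": need - granted, "extra": granted - need, "delegated": delegated}
```

In a real tenant, feed it the application's requiredResourceAccess and the appRoles / oauth2PermissionScopes of the two resource service principals as returned by Graph; an empty "extra" set is the least-privilege check.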

Enabling Auditing

  • Sign in to the Microsoft Purview portal using the Microsoft Edge browser.
  • Select the Audit solution card. If the Audit solution card is not displayed, select View all solutions and then select Audit from the Core section.

  • If auditing is not turned on for your organization, a banner is displayed prompting you to start recording user and admin activity. Select the Start recording user and admin activity banner.

  • In certain cases, recording cannot be enabled immediately and requires additional configuration. If this applies, you will be prompted to enable the customization setting. Select OK, and a new banner will appear informing you that the process may take 24 to 48 hours to complete. After this waiting period, repeat the previous step to enable recording.

Steps to Enable Data Streaming for Azure AD

Create a New Scan Configuration

  1. From the Data Sources page, select Azure AD from the list of available data sources.

    In the Scan Configurations list, select New Configuration.

  2. Make sure the connection has a Name, that Credentials are set, and that Data streaming is enabled.

  3. Clock icon: while data streaming is being activated, a clock icon appears, indicating that the subscription is being processed. Once the subscription is active, the icon changes to a green magnifying glass.
  4. After enabling Data streaming, the system automatically handles the subscription to Azure AD's real-time events. There is no need to configure Webhooks manually.

Monitoring Real-Time Events

Once streaming is enabled, events can be monitored across multiple sections of the platform, providing comprehensive visibility into user and group activities. The Streaming tab offers an overview of essential operations, such as user and group creation, updates, and deletions.

For deeper insights, Extended Streaming Events leverage Azure AD's audit logging functionality along with the ActivityFeed.Read permission. This enables the system to capture a broader range of event types beyond standard data streaming, including administrative actions, role changes, and authentication events.

  1. Navigate to the Live Events section under Administration and then to the Streaming tab to view a detailed audit log of streaming events.

  2. Navigate to the Live Events section under Administration and then to the Extended Streaming tab to view a detailed audit log of extended streaming events.

  3. In both tabs, you can filter events and view event details.