Enabling Microsoft O365 Streaming with on-premise or private cloud DDR deployments
This guide outlines how to configure Microsoft O365 Streaming in environments where Getvisibility’s Data Detection and Response (DDR) platform is deployed on-premise or in a private cloud. The integration enables DDR to receive and act upon real-time Microsoft 365 activity notifications.
Prerequisites
Ensure the following prerequisites are in place before starting the integration:
- A deployed and operational DDR instance.
- A public DNS record pointing to the DDR listener endpoint.
- A valid SSL/TLS certificate from a trusted Certificate Authority.
- An internet-accessible port 443 (HTTPS) endpoint.
- Firewall rules allowing inbound traffic from Microsoft Graph servers.
Make sure the DDR webhook endpoint is:
- Publicly accessible via a fully qualified domain name (FQDN).
- Protected with a valid SSL/TLS certificate.
- Accessible on port 443 (HTTPS).
Step 2: Configure Firewall for Microsoft Graph
Note: You can use a reverse proxy (e.g., NGROK, NGINX) to securely expose internal services if needed.
Microsoft recommends restricting webhook traffic to only allow inbound requests from Microsoft Graph servers. This reduces the attack surface and prevents spoofed webhook messages.
Allowlist Required Endpoints:
More info at Graph Change Notification Delivery – Firewall Configuration
⚠️ Action Required: Your firewall or reverse proxy must allow inbound HTTPS traffic from all IP addresses Microsoft uses to deliver change notifications. Regularly update your rules using Microsoft’s published IP ranges.
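As an added illustration (not Getvisibility's or Microsoft's code), the script below turns a published IP-ranges document into an nginx allowlist for the DDR listener and checks whether a sender address falls inside it. The JSON layout (service tags with `addressPrefixes`) is an assumption, and the tag name and every prefix are constructed placeholders; the real ranges come from the Microsoft page referenced above.

```python
"""Build a webhook allowlist for the DDR listener from a published IP-ranges document.

Added example, not Getvisibility's code. Assumes the ranges arrive in a
service-tag JSON layout ({"values": [{"name": ..., "properties":
{"addressPrefixes": [...]}}]}); the tag name and prefixes below are
constructed placeholders, not Microsoft's real ranges.
"""
import ipaddress
import json

# Constructed sample document in the assumed layout (placeholder prefixes only).
SAMPLE_RANGES_JSON = json.dumps({
    "changeNumber": 1,
    "values": [
        {"name": "ExampleGraphNotifications", "properties": {
            "addressPrefixes": ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:1::/48"]}},
        {"name": "UnrelatedService", "properties": {
            "addressPrefixes": ["192.0.2.0/24"]}},
    ]
})


def load_prefixes(doc_json, tag_name):
    """Return the IPv4/IPv6 networks published under one service tag."""
    doc = json.loads(doc_json)
    for entry in doc["values"]:
        if entry["name"] == tag_name:
            return [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(f"service tag {tag_name!r} not found in ranges document")


def render_nginx_allowlist(prefixes):
    """Emit nginx access rules: allow each published range, deny everyone else."""
    lines = [f"allow {net.with_prefixlen};" for net in prefixes]
    lines.append("deny all;")
    return "\n".join(lines)


def is_allowed(source_ip, prefixes):
    """True if a notification sender's address lies inside a published range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in prefixes if net.version == addr.version)


if __name__ == "__main__":
    nets = load_prefixes(SAMPLE_RANGES_JSON, "ExampleGraphNotifications")
    print(render_nginx_allowlist(nets))
    for ip in ("203.0.113.7", "192.0.2.9"):
        print(ip, "allowed" if is_allowed(ip, nets) else "DENIED")
```

Re-run the script whenever Microsoft updates the ranges and reload the proxy with the regenerated rules, so the allowlist never drifts behind the published list.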