What SOCturnal achieves with your M365 environment

SOCturnal connects to your Microsoft 365 tenants via the Graph API and surfaces security-relevant data from the products your customers already use — no extra licences, no extra agents, no extra complexity.


Microsoft Entra ID

Formerly Azure Active Directory — identity, authentication, and access management

What SOCturnal reads

  • Sign-in logs — every authentication event for the past 30 days, including timestamp, user UPN, IP address, physical location, device details, application accessed, and the outcome (success or failure)
  • Failure reason codes — distinguishing between wrong password, MFA denied, conditional access block, account locked, and dozens of other failure types
  • Risk classification — Microsoft's own risk engine signals: low, medium, or high risk per sign-in event
  • User accounts — display names, UPNs, account enabled state, and assigned M365 licence SKUs

What you can do in SOCturnal

  • Monitor all authentication events across multiple tenants from a single screen — filter by user, customer, status, location, or risk level
  • Detect impossible travel — a user signing in from Cape Town, then 20 minutes later from Eastern Europe
  • Spot credential stuffing — a spike in failures across multiple accounts from the same IP
  • Identify accounts signing in from high-risk countries your organisation has no presence in
  • Set alert rules that trigger Slack, Telegram, or email notifications the moment a threshold is exceeded
  • Build a complete sign-in history for any user for incident response and compliance reporting
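
The impossible-travel and credential-stuffing checks described above can be expressed over sign-in records as follows. This is an added example, not SOCturnal's own code; the flattened record layout, the thresholds (900 km/h, three accounts within ten minutes) and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample: (timestamp, UPN, IP, lat, lon, error_code); 0 = success, 50126 = bad password.
SIGN_INS = [
    ("2024-05-01T08:00:00", "amy@example.com", "198.51.100.7", -33.92, 18.42, 0),  # Cape Town
    ("2024-05-01T08:20:00", "amy@example.com", "203.0.113.9", 50.45, 30.52, 0),    # Kyiv
    ("2024-05-01T07:00:00", "carol@example.com", "198.51.100.20", 51.51, -0.13, 0),
    ("2024-05-01T10:00:00", "carol@example.com", "198.51.100.20", 51.51, -0.13, 0),
    ("2024-05-01T09:00:00", "bob@example.com", "192.0.2.44", 52.37, 4.90, 50126),
    ("2024-05-01T09:01:00", "carol@example.com", "192.0.2.44", 52.37, 4.90, 50126),
    ("2024-05-01T09:03:00", "dave@example.com", "192.0.2.44", 52.37, 4.90, 50126),
]

def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2, dl = radians(lat1), radians(lat2), radians(lon2 - lon1)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900):
    """Successive successful sign-ins per user implying speed above max_kmh (assumed limit)."""
    hits, last = [], {}
    for ts, upn, _ip, lat, lon, code in sorted(events):
        when = datetime.fromisoformat(ts)
        if code == 0 and upn in last:
            prev, plat, plon = last[upn]
            hours = (when - prev).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            if hours > 0 and km / hours > max_kmh:
                hits.append((upn, prev.isoformat(), ts, round(km)))
        if code == 0:
            last[upn] = (when, lat, lon)
    return hits

def credential_stuffing(events, min_accounts=3, window=timedelta(minutes=10)):
    """IPs with failures against min_accounts or more users inside one window (assumed limits)."""
    by_ip = defaultdict(list)
    for ts, upn, ip, _lat, _lon, code in sorted(events):
        if code != 0:
            by_ip[ip].append((datetime.fromisoformat(ts), upn))
    flagged = {}
    for ip, fails in by_ip.items():
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged
```

Failed sign-ins are ignored by the travel check, so a stuffing attempt from a distant IP does not by itself produce an impossible-travel hit for the targeted user.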
🔑
Licence Requirement

Sign-in log access via the Graph API requires Azure AD Premium P1 or higher. This is included in Microsoft 365 Business Premium, Microsoft 365 E3, and Microsoft 365 E5. Tenants on Microsoft 365 Basic, Business Standard, or Business Basic do not have access to sign-in logs. User account sync (without sign-in logs) works on any M365 plan.

AuditLog.Read.All, Directory.Read.All, User.Read.All

Microsoft Intune

Endpoint management and device compliance

What SOCturnal reads

  • All managed devices enrolled in Intune — including Windows, macOS, iOS, and Android endpoints
  • Compliance state per device: compliant, non-compliant, or unknown
  • Operating system name and version — identify outdated or unpatched endpoints
  • Manufacturer and model — useful for inventory and hardware lifecycle planning
  • Last check-in timestamp — surface devices that haven't communicated with Intune recently
  • Device ownership: corporate-owned versus personal (BYOD)

What you can do in SOCturnal

  • View a cross-tenant device compliance dashboard — identify which customers have non-compliant endpoints at a glance
  • Drill into any customer to see a per-device compliance breakdown with failure reason
  • Track devices that have stopped checking in — a common indicator of a decommissioned or lost device still holding corporate data
  • Alert your team the moment a device's compliance state changes to non-compliant
  • Report on OS version distribution across your managed estate for patch visibility and audit purposes
💻
Licence Requirement

Device compliance data requires a Microsoft Intune licence per managed device. Intune is included in Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5, Enterprise Mobility + Security E3/E5, and is also available as a standalone licence. Without Intune, devices cannot be enrolled or evaluated for compliance.

DeviceManagementManagedDevices.Read.All, Directory.Read.All

Microsoft Partner Center

CSP subscription management and customer tenant discovery

What SOCturnal reads

  • All CSP subscriptions per customer tenant — product name, SKU, quantity, status, and commitment end date
  • Customer tenant list — discover all tenants under your CSP relationship automatically
  • Subscription status: active, suspended, or deleted
  • Seat counts — how many licences are allocated per subscription
  • Renewal and commitment end dates — know which subscriptions are expiring before customers notice

What you can do in SOCturnal

  • View all subscriptions across every CSP customer from a single screen
  • Identify suspended or cancelled subscriptions that may affect user access
  • Track expiring commitments — proactively contact customers ahead of renewal
  • Map subscription data to customers for a complete licence and security picture in one portal
  • Support multiple MSP credentials — each reseller sees only their own customers' subscription data
🏢
Requirement

Partner Center access requires a CSP indirect or direct partner relationship with Microsoft. You will need to register an application in the Partner Center portal and grant it the appropriate Partner Center API permissions. There is no additional per-seat licence — access is gated by your partner agreement with Microsoft.

Partner Center REST API, PartnerCenter user_impersonation

Exchange Online

Modern authenticated email delivery for alerts and reports

What SOCturnal uses it for

  • Sending security alert emails from a Microsoft 365 mailbox using OAuth 2.0 modern authentication — no SMTP password required
  • Delivering scheduled reports and notification digests to customers and internal teams
  • Routing alerts to specific mailboxes based on customer or notification rule configuration
  • Fallback alongside SMTP servers — choose between OAuth M365 delivery or traditional SMTP per outbound server

Why modern authentication matters

  • Legacy SMTP authentication (Basic Auth) has been disabled by Microsoft for most M365 tenants — OAuth 2.0 is the supported replacement
  • No shared SMTP passwords stored in the portal — authentication uses an Entra ID app registration with encrypted credentials
  • Works with conditional access policies that block legacy authentication
  • Fully auditable — email sends are traceable through Entra ID sign-in logs and the SOCturnal audit trail
✉️
Licence Requirement

OAuth 2.0 mail delivery requires any Microsoft 365 plan that includes Exchange Online — this covers every M365 Business and Enterprise plan from Basic upward. You will need to register an Entra ID app with Mail.Send permission granted for the sending mailbox. No additional licences are required beyond an active Exchange Online mailbox.

Mail.Send, SMTP AUTH (OAuth 2.0)

Licence requirements at a glance

Use this table to check which SOCturnal features are available for each of your customers based on their existing Microsoft 365 subscriptions.

SOCturnal Feature M365 Basic / Std / Prem M365 E3 M365 E5 Standalone
User account sync All plans Any M365
Sign-in log monitoring Business Premium only Azure AD P1 or P2
Risk-level sign-in signals P1 included P2 included Azure AD P1 / P2
Device compliance (Intune) Business Premium only Intune standalone
Partner Center subscriptions CSP partner relationship required (any plan) CSP only
Exchange OAuth 2.0 email All plans Exchange Online

Connect your M365 tenants.
Start monitoring from day one.

SOCturnal handles all Graph API connectivity. All you need is an Entra ID app registration with the right permissions — we walk you through the setup when you're provisioned.

1. Request access
2. Register Entra ID app
3. Add credentials in portal
4. Data syncs automatically