/
Integrating Microsoft GCC High

Integrating Microsoft GCC High

Microsoft GCC / GCC High Environment Disclaimer
Barracuda Managed XDR supports monitoring of Microsoft GCC and GCC High environments with the following conditions:

  • Barracuda is not FedRAMP authorized.

  • Only Barracuda supported integrations will be monitored.

  • Solutions data may be accessed from outside the United States by Barracuda personnel, affiliates, or third party providers.

  • Customer is responsible for ensuring Controlled Unclassified Information (CUI) is not transmitted to Barracuda. If CUI is detected, data ingestion may be suspended immediately.

  • Customer is responsible for notifying Barracuda if consent to monitor the GCC environment is withdrawn.

Prerequisites

  • Ensure you have enabled Audit Log Search. (Microsoft docs)

  • Register an application in Entra ID. (Microsoft docs)

  • Once application is registered, take note of the Application (client) ID and the Directory (tenant) ID.

  • Configure app authentication in the Certificates & Secrets screen.

  • Add API permissions and grant admin consent.

  • Enter the application id, directory id, and application secret in Barracuda XDR Dashboard.

Enable Audit Logging For All Mailboxes in Microsoft GCC High

To enable audit logging for all mailboxes in Microsoft GCC High, do one of the following procedures:

  • To enable audit logging through Admin Center (recommended)

  • To enable audit logging via Powershell

To enable audit logging through Admin Center

You can use the Security & Compliance Center to turn on audit log search in Microsoft GCC High. It may take several hours after you turn on audit log search before you can return results when you search the audit log. You must be assigned the Audit Logs role in Exchange Online to turn on audit log search.

  1. Navigate to Portal.office.com, and navigate to the Admin center on the left side.

  2. On the left side, click Show All.

  3. Click Compliance tab to open Microsoft Purview.

  4. In Microsoft Purview, click Get started to access the new Purview Center. Once you are logged into the new Purview center, select Audit.

    Purview.png

  5. Click Turn on auditing.
    The banner is updated to say the audit log is being prepared and may take a few hours, before taking full effect. (This could result in this integration not working right away.)

If you don't see the Turn on auditing banner at the top, that means auditing is already enabled. 

 

To enable audit logging via Powershell

If you find any issues using the above instructions, you can also use Exchange Powershell to enable auditing for your tenant, .

  1. Connect to Exchange Online Powershell.

  2. Run the following Powershell command to turn on auditing.
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true 

  3. A message displays, saying that it may take up to 60 minutes for the changes to take effect.

You can find additional Powershell commands here .

Configuring Microsoft GCC High

ALL steps require Microsoft 365/Azure Administrative privileges.

  1. Log on to https://portal.office.com/adminportal

  2. On the left side, click Admin Centers.

  3. Click Show All.

    Show all.png

  4. Click Identity.

    Identity.png

  5. Under Manage Column, click App Registrations.

  6. Click New Registration.

  7. Fill in the Application Information::

    • In Name, enter  SKOUTCYBERSECURITY.

    • Enable the  Accounts in this organizational directory only (domain - Single Tenant) checkbox.

    • Redirect URL can be left blank.

  8. You are redirected to another page. Copy the Application ID and Directory (tenant) ID, so you can input them into the Security dashboard once completed, or paste them in now without saving.

    Step6.png

  9. Under Manage on the left, click API Permissions > Add a permission.

  10. From the list, select Microsoft 365 Management API’s and open Application permissions.

  11. From the list of Application Permissions, check all the options with Read privileges (those ending in .Read), then click Add Permissions.
    NOTE The picture below may be different in your case, and will most likely have fewer permissions showing.

     

     

  12. Optionally, if you want to support remediation actions (disable user logins), add one more permission by doing the following.

    1. Click Add a permission again.

    2. Click Microsoft Graph.

    3. Select Application permissions (not delegated).

    4. Select the following:

      • User.ReadWrite.All

      • User.EnableDisableAccount.All

    5. Click Add permissions to save the change.

    6. If this is an update to a previously-configured app, make sure to click Grant admin consent after adding the new permission.

       

      Request API permissions.png

  13. You should now be back on the API permissions Overview page. Select Grant admin consent for Domain.

    APIstep11.png

  14. Click Certificates & Secrets.

  15. Click New Client Secret.

     

  16. In Description, type Barracuda XDR .

  17. In Expires, select 24 months, then click Add.

    step15.png

     

    step15.2.png

  18. Save the value to your notes. You'll need to paste it into the Barracuda XDR Dashboard setup screen.

To verify connection and permissions

  1. In Barracuda XDR Dashboard, click Administration > Integrations.

  2. On the Microsoft GCC High card, click Setup.

    GCCCard.png

    NOTE If you have already set up the integration, click Update.

  3. Paste the application ID, directory ID, and secret value that you saved from the above steps.

    Integration.png

  4. Click the Test button to verify connection & permissions.

  5. Click Save.
    NOTE It may take some time for Microsoft's changes to take effect. If the test function says there's no data yet, try saving the settings anyway.

We value your feedback.
If you have questions, suggestions, or feedback on our documentation, contact the Campus Product Documentation team.
For general product inquiries or technical support, please contact the global Barracuda Support team.