In some cases, when connecting a customer Microsoft tenant and requesting log events the response we get from Microsoft is "tenant does not exist".
It turns out this error is related to permissions and the status of the Microsoft audit log and auditing not being enabled.
Steps to resolve quick view:
1. Check Permissions
Kindly head over to your customer's Active Directory portal, select Enterprise Applications and select SaaS Alerts.
Once on this page, we're looking in the Microsoft Graph table for "Read audit log data" permission.
Confirm the "Read audit log data" permission appears as shown in the attached screenshot. If the permission is not present, enable this permission for the admin user employed for the SaaS Alerts tenant integration.
2. Enable auditing
The other reason this error may be occurring is that auditing is not enabled.
The following instructions are provided by Microsoft in this article:
Go to https://compliance.microsoft.com and sign in.
Please be sure you are logging into the correct M365 Tenant as using the above link in a browser with an actively signed-in M365 session will access the incorrect Tenant.
In the left navigation pane of the Microsoft 365 compliance center, click Audit.
If auditing is not turned on for your organization, a banner is displayed prompting you to start recording user and admin activity.
Click the Start recording user and admin activity banner. It may take from 60 minutes up to 24 hours for the change to take effect.
Once auditing is available it is suggested to test if it is working by generating an audit search and confirming it generates results.
After the 60 minutes access the customer that auditing has been enabled for, click the pencil icon, then the Play button to reconnect the customer. If it fails try again after 24 hours.
Additional options for turning auditing are presented in the Microsoft article.
3. Remove and then Reconnect the Microsoft connection
The last step is to create a new connection between your Microsoft tenant and SaaS Alerts. This is the "Turn it off and on again" step and is very important as it refreshes the connection and will allow the API connection to acknowledge the new Auditing status.
Since in the previous step Microsoft stated it could take from 60 minutes up to 24 hours for the changes to take effect it makes sense to wait at least an hour.
In SaaS Alerts, delete the existing connection.
Add a new connection to your customer's Microsoft tenant.
Checking if the new connection is working
To verify the connection is working as intended In SaaS Alerts/Customers verify the following:- Customer status is active- Active user count > 0
Next, go to the Analysis page where you should be able to filter for your newly re-added customer and view their events.
If Auditing Fails to Enable
Should Auditing fail to enable
If unable to turn on auditing (pop-up message stating enabling auditing failed), please wait for 12-24 hrs, and try again.
2. Once connected use the command
3. Then the command to enable auditing
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Here is the Microsoft guide as well for reference:
Confirming M365 Tenant being Accessed
Signing into M365 when using multiple browsers can cause some confusing access issues. In most cases you may already be accessing an M365 tenant in your current browser session.
To confirm if you are already signed in open a new browser tab and go to URL https://admin.microsoft.com/
You will then be shown either the Microsoft 365 admin center screen or a login screen.
Microsoft 365 admin center
Here you can confirm the account you are logged in as by clicking the user icon at the top right of the screen
Login Screen will be a login page that will display available user accounts (if previously signed in) or prompt for credentials
If you are currently logged in with an admin account
Option 1: Sign out of Microsoft and close all browser tabs and windows. Open a new session and sign in with the global admin for the M365 tenant you are trying to enable auditing for.
Option 2: Use a different browser (or browser mode such as incognito, etc) and test https://admin.microsoft.com/ to ensure no accounts are signed in, and then sign in with the M365 global admin for the tenant you are attempting to enable (confirm) auditing is enabled on.
If you are not logged in with an admin account
Log in as the global admin for the M365 tenant you are working on to enable or confirm auditing on and navigate to https://compliance.microsoft.com and click on the Audit option which will load the Audit page and give you the option to enable or search depending on the status of the service.
Should Auditing fail to enable or not become functional after these steps we suggest contacting Microsoft support to have them review your tenant. Another option is Microsoft: Auditing Fails to Enable or Appears Active but is Not Functional