In order for RocketCyber to monitor Office 365, the Microsoft admin account you use to link RocketCyber to Microsoft must have the following licenses/privileges:
1. The account must have global admin rights.
2. The account must have the Azure Security Reader Role (see the following URL for configuring the Security Reader Role: https://support.rocketcyber.com/hc/en-us/articles/360018051418-How-To-Add-Security-Reader-Role-in-Azure-Portal)
3. The account must have an Azure P1 or P2 License Assigned (see details below):
You can check if the account has an Azure P1 or P2 License assigned by logging into your Microsoft Admin Portal, Navigating to Users (and selecting the user) and looking at the Licenses and App tab as shown below:
If you do not own an Azure P1 or P2 license, the following link walks you through how to acquire the license from Microsoft:
NOTE: An Azure P2 License is preferred for the Risk Detection app. If you apply a P1 license the following fields will be presented as "hidden" in the Risk Detection data: