I have no Microsoft Office 365 logs.

hi  kinomakino​ If the Microsoft 365 connector in Sentinel is connected but no logs are flowing, check these points:

1. Audit Log Retention – Verify Unified Audit Logging is enabled in the tenant (Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled). Even if you see logs in Purview, ingestion to Sentinel requires this setting.
2. Permissions – The account used for the connector needs the correct roles (Security Reader and Global Reader or equivalent in Azure AD / M365 Compliance).
3. Connector Configuration – Ensure you selected the right log types (Exchange, SharePoint, Teams, etc.) in the Sentinel connector blade.
4. Region Latency – M365 → Sentinel ingestion can take up to 24 hours initially. Since it’s been a month, this is not normal.
5. Check Diagnostics – In Sentinel, open the Office 365 (Preview) connector health in the Logs (KQL) pane and run:

OfficeActivity

| take 10

If it’s empty, ingestion isn’t working.

6.Connector Reset – Fully remove the connector (including its underlying Office 365 Management API subscription), then re-add it. Sometimes the subscription gets stuck.

7.Microsoft Known Issues – Check the Service Health Dashboard in M365 Admin Center for connector ingestion issues.

 If audit logs are visible in Purview but not Sentinel, the most common culprits are:

• Unified Audit Log ingestion disabled in the backend.
• Stale or broken API subscription between Sentinel and Office 365.