So I recently built a solution for streaming logs from Office 365 using the Management API. After testing for a few days I realized that in certain cases the client gets blocked due to throttling, and rather than requiring users to ask Microsoft to increase their throttle limit, I'd prefer to find a better solution. So looking through the FAQs, I noticed this (under "Aren't webhook notifications more immediate? After all, aren't they event-driven?"):
… the Management Activity API shouldn’t be thought of as a real-time security alert system. Microsoft has other products for that.
But there is no mention of what those products are… I mean sure I can guarantee that one of them is going to be Sentinel, but I don't want to pay extortionate amounts of money for a single log event stream…
I found one question from 2018 about the issue with delays in Office 365 Audit events, with no answers. Are Microsoft really forcing their users to purchase Sentinel just to get real-time Office 365 events? I know that Azure Event Hub can facilitate real-time logs, but I can't find any help on how to publish Office 365 Audit events to Azure Event Hub. Has anyone done anything like this in the past with any success? Any documentation or further reading that might help? I can't seem to find any conclusive evidence of how this can be achieved.