If you using an existing web application
Using an existing web application
When you create or edit an Office 365 auditing template and you select to use an existing web application, it must be configured to support certificate authentication.
To ensure that you will be able to audit mailbox activity:
• Upload the certificate for the web application through the Azure Admin Center web portal using App Registration | All Applications | (web application) | Certificates & secrets | Certificate | Upload certificate. The format for the certificate (public key) must be binary x.509 (.cer).
• Add the web application to the Exchange Administrator role for the tenant in Azure.
1 In the Azure Admin Center web portal, select Roles and Administrators.
2 Locate and open the Exchange administrator role.
3 Select Add Assignments.
4 Select No members selected under Select Member(s).
5 Select the required Application (client) ID guid.
6 Save the new member with the Select button and then click Next.
7 Change the Assignment Type to Active, ensure the Permanently assigned option is selected and enter a Justification (required).
8 Click Assign to save the changes and verify that the web application name appears in the Members list for the Exchange Administrator role.
• Ensure the required permissions are applied.
https://support.quest.com/technical-documents/change-auditor/7.2/office-365-and-azure-active-directory-user-guide/4#TOPIC-1744695
If you chose to go with a new template and web application you can follow the guide below
https://support.quest.com/technical-documents/change-auditor/7.2/office-365-and-azure-active-directory-user-guide/5#TOPIC-1744698