https://community.splunk.com/t5/All-Apps-and-Add-ons/Microsoft-Azure-Add-on-for-Splunk-Problem-while-getting-AAD-User/m-p/536857#M64674 <P>A 403 error is typically a permissions issue with the Azure AD app registration.&nbsp; Check the permissions by going to <A href="https://portal.azure.com" target="_self">https://portal.azure.com</A>&nbsp; Go to Azure Active Directory &gt; App registrations &gt; find your app registration the add-on is using &gt; API permissions.&nbsp; To get user data, you will need to have Microsoft Graph User.Read.All.</P><P>For details on the various permissions needed for specific inputs, refer to this link -&gt;&nbsp;<A href="http://bit.ly/Splunk_Azure_Permissions" target="_blank">http://bit.ly/Splunk_Azure_Permissions</A></P> Fri, 22 Jan 2021 16:31:24 GMT jconger 2021-01-22T16:31:24Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Microsoft-Azure-Add-on-for-Splunk-Problem-while-getting-AAD-User/m-p/533786#M64490 <P>While configuring the AAD User log, I am getting this error. Is there anyone who can help me regrading this?</P><P>&nbsp;</P><P>----------------------------------------------------------------------------------------</P><P><SPAN class="t">2020-12-22</SPAN> <SPAN class="t">08:42:59</SPAN><SPAN>,</SPAN><SPAN class="t">793</SPAN> <SPAN class="t a"><SPAN class="t">ERROR</SPAN></SPAN> <SPAN class="t">pid=13688</SPAN> <SPAN class="t">tid=MainThread</SPAN> <SPAN class="t">file=base_modinput.py:log_<SPAN class="t a">error</SPAN>:309</SPAN><SPAN> | </SPAN><SPAN class="t">Get</SPAN> <SPAN class="t a"><SPAN class="t">error</SPAN></SPAN> <SPAN class="t">when</SPAN> <SPAN class="t">collecting</SPAN> <SPAN class="t">events.</SPAN></P><P><SPAN class="t">Traceback<SPAN> (</SPAN>most recent call last<SPAN>)</SPAN>:</SPAN></P><DIV class="raw-event normal wrap "><SPAN class="t">File</SPAN> "<SPAN class="t">C:\Program</SPAN> <SPAN class="t">Files\Splunk\etc\apps\TA-MS-AAD\bin\ta_ms_aad\aob_py3\modinput_wrapper\base_modinput.py</SPAN>", <SPAN class="t">line</SPAN> <SPAN class="t">128</SPAN>, <SPAN class="t">in</SPAN> <SPAN class="t">stream_events</SPAN> <SPAN class="t">self.collect_events</SPAN>(<SPAN class="t">ew</SPAN>)</DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap "><SPAN class="t">File</SPAN> "<SPAN class="t">C:\Program</SPAN> <SPAN class="t">Files\Splunk\etc\apps\TA-MS-AAD\bin\MS_AAD_user.py</SPAN>", <SPAN class="t">line</SPAN> <SPAN class="t">76</SPAN>, <SPAN class="t">in</SPAN> <SPAN class="t">collect_events</SPAN> <SPAN class="t">input_module.collect_events</SPAN>(<SPAN class="t">self</SPAN>, <SPAN class="t">ew</SPAN>)</DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap "><SPAN class="t">File</SPAN> "<SPAN class="t">C:\Program</SPAN> <SPAN class="t">Files\Splunk\etc\apps\TA-MS-AAD\bin\input_module_MS_AAD_user.py</SPAN>", <SPAN class="t">line</SPAN> <SPAN class="t">36</SPAN>, <SPAN class="t">in</SPAN> <SPAN class="t">collect_events</SPAN> <SPAN class="t">users_response</SPAN> <SPAN class="t">=</SPAN> <SPAN class="t">azutils.get_items_batch</SPAN>(<SPAN class="t">helper</SPAN>, <SPAN class="t">access_token</SPAN>, <SPAN class="t">url</SPAN>)</DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap "><SPAN class="t">File</SPAN> "<SPAN class="t">C:\Program</SPAN> <SPAN class="t">Files\Splunk\etc\apps\TA-MS-AAD\bin\ta_azure_utils\utils.py</SPAN>", <SPAN class="t">line</SPAN> <SPAN class="t">55</SPAN>, <SPAN class="t">in</SPAN> <SPAN class="t">get_items_batch</SPAN> <SPAN class="t">raise</SPAN> <SPAN class="t">e</SPAN></DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap "><SPAN class="t">File</SPAN> "<SPAN class="t">C:\Program</SPAN> <SPAN class="t">Files\Splunk\etc\apps\TA-MS-AAD\bin\ta_azure_utils\utils.py</SPAN>", <SPAN class="t">line</SPAN> <SPAN class="t">49</SPAN>, <SPAN class="t">in</SPAN> <SPAN class="t">get_items_batch</SPAN> <SPAN class="t">r.raise_for_status</SPAN>()</DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap "><SPAN class="t">File</SPAN> "<SPAN class="t">C:\Program</SPAN> <SPAN class="t">Files\Splunk\etc\apps\TA-MS-AAD\bin\ta_ms_aad\aob_py3\requests\models.py</SPAN>", <SPAN class="t">line</SPAN> <SPAN class="t">940</SPAN>, <SPAN class="t">in</SPAN> <SPAN class="t">raise_for_status</SPAN></DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap "><SPAN class="t">raise</SPAN> <SPAN class="t">HTTPError</SPAN>(<SPAN class="t">http_<SPAN class="t a">error</SPAN>_msg</SPAN>, <SPAN class="t">response=self</SPAN>)</DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap "><SPAN class="t">requests.exceptions.HTTPError:</SPAN> <SPAN class="t">403</SPAN> <SPAN class="t">Client</SPAN> <SPAN class="t"><SPAN class="t a">Error</SPAN>:</SPAN> <SPAN class="t">Forbidden</SPAN> <SPAN class="t">for</SPAN> <SPAN class="t">url:</SPAN> <SPAN class="t"><A href="https://graph.microsoft.com/beta/users/" target="_blank" rel="noopener">https://graph.microsoft.com/beta/users/</A></SPAN></DIV><DIV class="raw-event normal wrap "><SPAN class="t">-------------------------------------------------------------------------------------------------------------------</SPAN></DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap "><SPAN class="t">Thanks in advance ....</SPAN></DIV><P><SPAN class="t"><A href="http://localhost:8000/en-GB/app/TA-MS-AAD/search?q=search%20index%3D_internal%20sourcetype%3Dta%3Ams%3Aaad%3Alog%20ERROR&amp;display.page.search.mode=smart&amp;dispatch.sample_ratio=1&amp;workload_pool=&amp;earliest=-24h%40h&amp;latest=now&amp;sid=1608606815.2336#" target="_blank" rel="noopener">Collapse</A></SPAN></P> Tue, 22 Dec 2020 03:23:24 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Microsoft-Azure-Add-on-for-Splunk-Problem-while-getting-AAD-User/m-p/533786#M64490 admin12345678 2020-12-22T03:23:24Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Microsoft-Azure-Add-on-for-Splunk-Problem-while-getting-AAD-User/m-p/536857#M64674 <P>A 403 error is typically a permissions issue with the Azure AD app registration.&nbsp; Check the permissions by going to <A href="https://portal.azure.com" target="_self">https://portal.azure.com</A>&nbsp; Go to Azure Active Directory &gt; App registrations &gt; find your app registration the add-on is using &gt; API permissions.&nbsp; To get user data, you will need to have Microsoft Graph User.Read.All.</P><P>For details on the various permissions needed for specific inputs, refer to this link -&gt;&nbsp;<A href="http://bit.ly/Splunk_Azure_Permissions" target="_blank">http://bit.ly/Splunk_Azure_Permissions</A></P> Fri, 22 Jan 2021 16:31:24 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Microsoft-Azure-Add-on-for-Splunk-Problem-while-getting-AAD-User/m-p/536857#M64674 jconger 2021-01-22T16:31:24Z