topic Re: OAuth permissions for Splunk Add-on for Microsoft Office 365 Reporting Web Service- Why am I getting a 401 Error? in All Apps and Add-ons

OAuth permissions for Splunk Add-on for Microsoft Office 365 Reporting Web Service- Why am I getting a 401 Error?

gordo32 — Thu, 04 Aug 2022 21:51:40 GMT

I saw that a new version of this add-on was released to support OAuth.

The instructions for setting up the Client ID is truncated: "The Reporting Web Service should now appear in the list of applications that your app requires permissions for <blank"

I added ReportingWebService.Read.All to the Client ID I already use for other O365 logs, and configured the new TA but this still gives me a 401 error. Are there additional premissions required?

Re: OAuth permissions for Splunk Add-on for Microsoft Office 365 Reporting Web Service- Why am I getting a 401 Error?

gsddrake — Tue, 09 Aug 2022 13:15:42 GMT

I have the same issue, followed the recommended permissions but I receive a 403.

2022-08-09 09:14:20,818 ERROR pid=656295 tid=MainThread file=base_modinput.py:log_error:316 | Get error when collecting events. Traceback (most recent call last): File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/lib/splunktaucclib/modinput_wrapper/base_modinput.py", line 140, in stream_events self.collect_events(ew) File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 355, in collect_events get_events_continuous(helper, ew) File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 96, in get_events_continuous message_response = get_messages(helper, microsoft_trace_url) File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 74, in get_messages raise e File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 66, in get_messages r.raise_for_status() File "/opt/splunk/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status raise HTTPError(http_error_msg, response=self) requests.exceptions.HTTPError: 403 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-07T10:01:10Z'%20and%20EndDate%20eq%20datetime'2022-08-07T11:01:10Z'

Re: OAuth permissions for Splunk Add-on for Microsoft Office 365 Reporting Web Service- Why am I getting a 401 Error?

gordo32 — Thu, 18 Aug 2022 19:17:30 GMT

@splunklabs Any feedback on this? Has anyone managed to get this working? I've played around with various settings, like providing Organization.Read.All, etc, with no luck.

BTW, the confusion around error code is because _auth.log returns 403, but the other log returns 401 (see below).

From ta_ms_o365_reporting_ms_o365_message_trace_oauth.log

2022-08-18 19:10:06,228 INFO pid=1745907 tid=MainThread file=setup_util.py:log_info:142 | Log level is not set, use default INFO 2022-08-18 19:10:06,229 INFO pid=1745907 tid=MainThread file=splunk_rest_client.py:_request_handler:99 | Use HTTP connection pooling 2022-08-18 19:10:06,241 INFO pid=1745907 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled! 2022-08-18 19:10:06,443 INFO pid=1745907 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled! 2022-08-18 19:10:07,546 ERROR pid=1745907 tid=MainThread file=base_modinput.py:log_error:316 | _Splunk_ HTTP Request error: 403 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-13T19:10:06.241464Z'%20and%20EndDate%20eq%20datetime'2022-08-13T20:10:06.241464Z' 2022-08-18 19:10:07,547 ERROR pid=1745907 tid=MainThread file=base_modinput.py:log_error:316 | Get error when collecting events. Traceback (most recent call last): File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/lib/splunktaucclib/modinput_wrapper/base_modinput.py", line 140, in stream_events self.collect_events(ew) File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 355, in collect_events get_events_continuous(helper, ew) File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 96, in get_events_continuous message_response = get_messages(helper, microsoft_trace_url) File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 74, in get_messages raise e File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 66, in get_messages r.raise_for_status() File "/opt/splunk/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status raise HTTPError(http_error_msg, response=self) requests.exceptions.HTTPError: 403 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-13T19:10:06.241464Z'%20and%20EndDate%20eq%20datetime'2022-08-13T20:10:06.241464Z'

From ta_ms_o365_reporting_ms_o365_message_trace.log

2022-08-18 19:06:22,623 INFO pid=1743945 tid=MainThread file=setup_util.py:log_info:142 | Log level is not set, use default INFO 2022-08-18 19:06:22,623 INFO pid=1743945 tid=MainThread file=splunk_rest_client.py:_request_handler:99 | Use HTTP connection pooling 2022-08-18 19:06:22,692 INFO pid=1743945 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled! 2022-08-18 19:06:27,816 ERROR pid=1743945 tid=MainThread file=base_modinput.py:log_error:316 | _Splunk_ HTTP Request error: 401 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-03T01:59:37.734559Z'%20and%20EndDate%20eq%20datetime'2022-08-03T02:59:37.734559Z' 2022-08-18 19:06:27,817 ERROR pid=1743945 tid=MainThread file=base_modinput.py:log_error:316 | Get error when collecting events. Traceback (most recent call last): File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/lib/splunktaucclib/modinput_wrapper/base_modinput.py", line 140, in stream_events self.collect_events(ew) File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py", line 357, in collect_events get_events_continuous(helper, ew) File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py", line 99, in get_events_continuous message_response = get_messages(helper, microsoft_trace_url, global_microsoft_office_365_username, global_microsoft_office_365_password) File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py", line 74, in get_messages raise e File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py", line 68, in get_messages r.raise_for_status() File "/opt/splunk/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status raise HTTPError(http_error_msg, response=self) requests.exceptions.HTTPError: 401 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-03T01:59:37.734559Z'%20and%20EndDate%20eq%20datetime'2022-08-03T02:59:37.734559Z'

Re: OAuth permissions for Splunk Add-on for Microsoft Office 365 Reporting Web Service- Why am I getting a 401 Error?

MaverickT — Fri, 26 Aug 2022 08:15:40 GMT

I had a same issue. It turned out that we needed to add Exchange Administrator role to the Enterprise Application associated with OAuth token. A bit of overkill of privileges, but it is what it takes to make thing working.

Permission cheat-sheet:

https://docs.google.com/spreadsheets/d/1YJAqNmcXZU-7O9CxVKupOkR6q2S8TXriMeLAUMYmMs4/edit#gid=0

Re: OAuth permissions for Splunk Add-on for Microsoft Office 365 Reporting Web Service- Why am I getting a 401 Error?

RyanB — Wed, 28 Sep 2022 16:16:40 GMT

Have you tried it with Global Reader role? My Exchange admin doesn't want to give Exchange Administrator privileges and I am not able to get past this error 403 with Global Reader. I am wondering if anyone has had any luck in getting this to work?

From Splunk Employee on another related post:

"jconger Splunk Employee

a month ago

Update: the originally required permissions were either Global Administrator or Exchange Administrator. However, Microsoft has changed that to now allow the Global Reader role."

Re: OAuth permissions for Splunk Add-on for Microsoft Office 365 Reporting Web Service- Why am I getting a 401 Error?

gordo32 — Wed, 28 Sep 2022 16:40:22 GMT

Sorry... Never closed the loop on this. Yes, adding the AppID to Global Reader role (in addition to the API mentioned above) resolved the issue.

Thanks,

Gord T.

Re: OAuth permissions for Splunk Add-on for Microsoft Office 365 Reporting Web Service- Why am I getting a 401 Error?

Abdulm1 — Sun, 09 Oct 2022 22:12:03 GMT

Thanks for validating the solution. Do you have the steps to add the AppID to Global Reader Role? I have tried to add the appid using the Role Assignment but the option available is just user or groups, with no option for adding appid. appreciate any guidance.

Re: OAuth permissions for Splunk Add-on for Microsoft Office 365 Reporting Web Service- Why am I getting a 401 Error?

bala_tse — Fri, 25 Nov 2022 13:21:20 GMT

Go to Global Reader role and click "Add Assignments". Search for your azure application created for splunk and select it and also select type as "Service Principal". This should fix the issue.