Below is the log messages once in enable the inputs for TA-MS-AAD -
Microsoft Azure Active Directory Reporting Add-on for Splunk. The application id has the permissions
o Windows Azure Active Directory - Read directory data
o Microsoft Graph - Read all audit log data
03-04-2019 20:55:08.538 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_signins.py" ERROR401 Client Error: Unauthorized for url: https://graph.windows.net/mycompany.onmicrosoft.com/activities/signinEvents?api-version=beta&$filter...
Your Azure AD application registration will need the following API permissions:
Windows Azure Service Management API
Windows Azure Active Directory
The application will also need Reader access to your subscription(s).
View solution in original post