Hi Everyone,
Had a question, and apologies in advance if the topic has already been brought up. We are currently utilizing the Microsoft Office 365 Reporting Mail Add-on for Splunk to ingest message trace logs, but just recently we've been running into consistent 401 unauthorized errors. We've double-checked and triple-checked that the account used to query the API is not locked, and we are able to get results when we manually call the URI:
Invoke-RestMethod -Method GET -Uri "https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?" -Credential $cred
Has anyone run into this issue? If so, it would be very much appreciated if there were any feedback as to how it was resolved (or at least a pathway to remediation).
Thank you again
Have you opened a case with Microsoft by any chance as I believe the issue lies with them?
Went through a long trial and error period and we got it somewhat stable. For whatever reason, we had to increase our interval from 5 minutes to 10 minutes and lower the delay throttle from 24 hours to 12 hours. We are getting the logs consistently (at least within the 24-hour period). Weird the issue decided to start just recently, but at least we are getting logs 🙂
Thx for the update and for sharing your settings for the add-on / one would think Microsoft would have a better API for message trace logs knowing the importance of those logs
Glad you got it working and hope it stays that way!