We have had Microsoft Azure Add-On 3.0.0 installed and running successfully.
This was resolved, and a new Secret was generated in the Azure AD Portal, and configured into the Azure Add-On in Splunk. But we are getting an error, seems to be token related. Have tried deleting and recreating the input, but doesn't seem to matter. The only thing changed was creating the new secret in the portal and then configuring the app to use it. It was previously working OK until the old secret expired.
2021-04-08 10:59:07,307 ERROR pid=3520 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events. Traceback (most recent call last): File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events self.collect_events(ew) File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py", line 84, in collect_events input_module.collect_events(self, ew) File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_audit.py", line 61, in collect_events access_token = azauth.get_graph_access_token(client_id, client_secret, tenant_id, helper) File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/auth.py", line 18, in get_graph_access_token raise e File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/auth.py", line 16, in get_graph_access_token return _get_access_token(endpoint, helper, payload) File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/auth.py", line 39, in _get_access_token raise e File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/auth.py", line 37, in _get_access_token return response['access_token'] KeyError: 'access_token'
It looks like we were missing some permissions (needed both Directory.Read.All and AuditLog.Read.All) but that only resolved not getting the audit logs. Sign-in logs are still a no-show, but looks like the error is now due to API query limits being hit: