All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Microsoft Azure Add-On 3.0.0 - KeyError: Access_Token

jcleary47
Path Finder
‎04-08-2021 09:03 AM

We have had Microsoft Azure Add-On 3.0.0 installed and running successfully.

This was resolved, and a new Secret was generated in the Azure AD Portal, and configured into the Azure Add-On in Splunk. But we are getting an error, seems to be token related. Have tried deleting and recreating the input, but doesn't seem to matter. The only thing changed was creating the new secret in the portal and then configuring the app to use it. It was previously working OK until the old secret expired.

2021-04-08 10:59:07,307 ERROR pid=3520 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py", line 84, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_audit.py", line 61, in collect_events
access_token = azauth.get_graph_access_token(client_id, client_secret, tenant_id, helper)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/auth.py", line 18, in get_graph_access_token
raise e
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/auth.py", line 16, in get_graph_access_token
return _get_access_token(endpoint, helper, payload)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/auth.py", line 39, in _get_access_token
raise e
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/auth.py", line 37, in _get_access_token
return response['access_token']
KeyError: 'access_token'

Labels (1)
Labels
0 Karma
Reply

jcleary47
Path Finder
‎04-09-2021 08:30 AM

It looks like we were missing some permissions (needed both Directory.Read.All and AuditLog.Read.All) but that only resolved not getting the audit logs. Sign-in logs are still a no-show, but looks like the error is now due to API query limits being hit:

HTTPError: 429 Client Error: Too Many Requests for url: https://graph.microsoft.com/beta/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activit...

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...