I installed version 3.0.1 of the Microsoft Azure Add-on for Splunk on one of our Heavy Forwarders. I was able to configure and get all the inputs working except "Microsoft Azure Active Directory Sign-ins", "Microsoft Azure Active Directory Users", and "Microsoft Azure Active Directory Audit" (I'm trying to avoid using the EventHub because of the necessary firewall rules, etc.). All of our Splunk servers are Linux and we have version 8.0.5 installed.
The error I'm seeing is:
2020-08-10 16:25:11,467 ERROR pid=23994 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_signins.py", line 88, in collect_events
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_signins.py", line 85, in collect_events
sign_in_response = azutils.get_items_batch(helper, access_token, url)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 55, in get_items_batch
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 49, in get_items_batch
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/requests/models.py", line 940, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+gt+2020-08-09T16:25:10.822417Z+and+createdDateTime+le+2020-08-10T21:18:11.232754Z
I assume this means the necessary permissions are not in place in Azure. Our Azure admin followed the "Setup an Azure AD Application Registration" documentation built-in to the app ( which is really nice btw ). He doublechecked and he did everything in the instructions. Any ideas on what we might be missing? I looked at the troubleshooting search and didn't come across anything that seemed to spell out what the problem was (beyond what the error above indicates).