Microsoft O365 Email Add-on for Splunk


Has anyone installed and configured Microsoft O365 Email Add-on for Splunk?

I have a few concerns such as using a transport rule to bcc every single message sent through our tenant to a single account.  During the day that is about 100k messages an hour. It's a lot all going to one account. We will almost certainly brush up against the 1.4 million daily limit mentioned in the app's description.

Just curious to see how this add-on has worked for others and any issues they've had/seen.




I've tried to get this app working for a small tenant but have been unsuccessful. I'm getting secret errors in the log files. Can anyone help?


2021-04-25 23:26:01,469 ERROR pid=5900 tid=MainThread | Get error when collecting events.
Traceback (most recent call last):
File "F:\Splunk\etc\apps\TA_microsoft_o365_email_add_on_for_splunk\bin\ta_microsoft_o365_email_add_on_for_splunk\aob_py3\modinput_wrapper\", line 128, in stream_events
File "F:\Splunk\etc\apps\TA_microsoft_o365_email_add_on_for_splunk\bin\", line 132, in collect_events
input_module.collect_events(self, ew)
File "F:\Splunk\etc\apps\TA_microsoft_o365_email_add_on_for_splunk\bin\", line 185, in collect_events
access_token = _get_access_token(helper)
File "F:\Splunk\etc\apps\TA_microsoft_o365_email_add_on_for_splunk\bin\", line 64, in _get_access_token
KeyError: 'access_token'




I've been messing around with this app for a few days and just got it working after seeing the same errors as you.

You'll want to make sure your API permissions are set correctly and admin consent is granted in Azure, then double check your configuration and input settings in the app.

When adding the account under configuration in the app, make sure you're using the Application (Client) ID found in the Overview section in Azure rather than the Client Secrets ID; this ended up being my issue.

Also check that your traffic isn't getting blocked somewhere in your network. I found another thread where someone mentioned that was their issue. I can't find it again but they said something about their firewall not liking the endpoint input option set to worldwide and they were able to get it to work by setting that to USGovGCCHigh so that may be worth trying.
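Added example (not the add-on's own code): a small Python check for the token step the traceback above fails in, which reports the OAuth2 error body instead of raising KeyError. The token URL and scope are assumptions, and the sample responses are constructed.

```python
"""Added example: surface the OAuth2 error hidden behind KeyError: 'access_token'.

The add-on's _get_access_token indexes the token reply by 'access_token'.  When
Azure AD rejects the client-credentials request (e.g. the add-on was given the
client secret's ID instead of the Application (Client) ID), the reply carries
'error'/'error_description' and no 'access_token', so the lookup raises a
KeyError that hides the cause.  All sample bodies below are constructed.
"""
import json

# Assumption: worldwide endpoint; a GCC High tenant uses a different login host.
TOKEN_URL_TEMPLATE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_token_request(tenant_id, client_id, client_secret):
    """Form fields for the client_credentials grant.  client_id must be the
    Application (Client) ID from the registration's Overview page, not the ID
    shown beside the client secret.  The scope is an assumption for illustration."""
    return {
        "url": TOKEN_URL_TEMPLATE.format(tenant=tenant_id),
        "data": {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default",
        },
    }


def classify_token_response(raw_body):
    """Return {'ok': bool, 'token': str | None, 'reason': str} for a token reply."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return {"ok": False, "token": None, "reason": "response body is not JSON"}
    if "error" in body:  # OAuth2 error reply: report it rather than KeyError
        reason = f"{body['error']}: {body.get('error_description', '')}".strip(": ")
        return {"ok": False, "token": None, "reason": reason}
    if "access_token" not in body:
        return {"ok": False, "token": None, "reason": f"no access_token; keys={sorted(body)}"}
    return {"ok": True, "token": body["access_token"], "reason": ""}


# Constructed samples: one success, one rejection
GOOD_BODY = '{"token_type":"Bearer","expires_in":3599,"access_token":"eyJ0.constructed"}'
BAD_BODY = '{"error":"invalid_client","error_description":"constructed: app not found"}'

if __name__ == "__main__":
    for sample in (GOOD_BODY, BAD_BODY):
        print(classify_token_response(sample))
```

Running the add-on's token request through a check like this turns the bare KeyError in the log into the error and description Azure actually returned.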
