Hi,
Just setting up the Microsoft Office 365 Reporting Add-on for Splunk. I'm a global admin in O365 but can't authenticate against the URL below (have tried manually in the browser):
2018-02-20 14:35:09,114 ERROR pid=2418 tid=MainThread file=base_modinput.py:log_error:307 | HTTP Request error: 401 Client Error: Unauthorized for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$format=json&orderb...
359Z'
I guess this is a new restriction on the Microsoft side? Is anyone else using this method successfully?
There is an alternative (long-winded) method detailed in the doc below, which uses an Azure playbook and a Splunk HTTP Endpoint Collector:
https://www.splunk.com/blog/2017/10/05/splunking-microsoft-cloud-data-part-3.html
In order to retrieve the logging data necessary, you need to grant a user object the ability to read the message tracking logs. By default, Exchange Online doesn’t have a role with only that as its permission (or anything really close), so we’re going to:
Create a user account
Create a role group
Add some roles to it (Message Tracking, View-Only Audit Logs, View-Only Configuration, View-Only Recipients)
Add the newly created user to it
Note: Only the ViewOnlyRecipients role is needed for the add-on to work, as that is what the reporting services API requires. I’ve found it’s useful, though, to have the others so you can check the message trace, message tracking, transport configuration, and message audit data with one account. If you are going for a least-privilege configuration, remove the MessageTracking, ViewOnlyAuditLogs, and ViewOnlyConfiguration lines.
Regards : sevenmentor.com/office-365-admin-training-in-pune.php
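The role-group setup described in the answer above, written out as an added PowerShell example (not part of the original post). It assumes the ExchangeOnlineManagement module is installed and the service account already exists; the group name and account below are placeholders. By default it grants only View-Only Recipients, and on an existing group it reports any roles beyond the intended set.

```powershell
# Added example: least-privilege role group for the reporting add-on account.
# Assumptions: ExchangeOnlineManagement module installed; account already exists.
param(
    [string]$GroupName   = 'Splunk-Reporting-ReadOnly',          # hypothetical name
    [string]$ServiceUser = 'svc-splunk@example.onmicrosoft.com', # placeholder account
    [switch]$IncludeTroubleshootingRoles
)

# The one role the post says the reporting services API requires.
$roles = @('View-Only Recipients')
if ($IncludeTroubleshootingRoles) {
    # Optional extras from the post, for checking traces and config by hand.
    $roles += 'Message Tracking', 'View-Only Audit Logs', 'View-Only Configuration'
}

Connect-ExchangeOnline   # interactive sign-in with an Exchange admin account

$group = Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue
if (-not $group) {
    # Create the group with exactly the intended roles and the one member.
    New-RoleGroup -Name $GroupName -Roles $roles -Members $ServiceUser `
        -Description 'Read-only access for the Splunk reporting add-on' | Out-Null
    Write-Output "Created role group '$GroupName' with roles: $($roles -join ', ')"
}
else {
    # Group already exists: compare what it grants with what was intended.
    $assigned = @(Get-ManagementRoleAssignment -RoleAssignee $GroupName |
                  ForEach-Object { [string]$_.Role })
    $extra   = @($assigned | Where-Object { $_ -notin $roles })
    $missing = @($roles    | Where-Object { $_ -notin $assigned })

    if ($extra)   { Write-Warning "Roles beyond the intended set: $($extra -join ', ')" }
    if ($missing) { Write-Warning "Intended roles not assigned: $($missing -join ', ')" }
    if (-not $extra -and -not $missing) { Write-Output 'Role assignments match.' }

    # List current members so unexpected accounts are easy to spot.
    Get-RoleGroupMember -Identity $GroupName | Select-Object Name, RecipientType
}
```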
Are you able to run a Message Trace Report from the Office 365 Admin Center? https://technet.microsoft.com/en-us/library/jj200712(v=exchg.150).aspx
Whatever credentials you use there will work with the add-on. Also, you can use cURL or Postman outside of Splunk for testing. See this answer for more detail about using Postman -> https://answers.splunk.com/answers/637059/why-am-i-getting-an-error-instead-of-data-with-mso.html