Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Microsoft Office 365 Reporting Add-on for Splunk: ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Microsoft Office 365 Reporting Add-on for Splunk: Why do I get the following error"HTTP Request error: 401 Client Error: Unauthorized" even though I am the global admin?
Hi,
Just setting up the Microsoft Office 365 Reporting Add-on for Splunk, im a global admin in o365 but cant authenticate against the below URL (have tried manually in the browser)
2018-02-20 14:35:09,114 ERROR pid=2418 tid=MainThread file=base_modinput.py:log_error:307 | HTTP Request error: 401 Client Error: Unauthorized for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$format=json&orderb...359Z'
I guess this is a new restriction on the Microsoft side? is anyone else using this method successfully?
There is an alternative (long winded) method detailed in the below doc which uses an Azure playbook and a Splunk HTTP Endpoint Collector:
https://www.splunk.com/blog/2017/10/05/splunking-microsoft-cloud-data-part-3.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In order to retrieve the logging data necessary, you need to grant a user object the ability to read the message tracking logs. By default, Exchange Online doesn’t have a role with only that as its permission (or anything really close), so we’re going to:
Create a user account
Create a role group
Add some roles to it (Message Tracking, View-Only Audit Logs, View-Only Configuration, View-Only Recipients)
Add the newly created user to it
Note: Only the ViewOnlyRecipients role is needed for the add-on to work, as that is what the reporting services API requires. I’ve found it’s useful, though, to have the others so you can check the message trace, message tracking, transport configuration, and message audit data with one account. If you are going for a least-privilege configuration, remove the MessageTracking, ViewOnlyAuditLogs, and ViewOnlyConfiguration lines.
Regards : sevenmentor.com/office-365-admin-training-in-pune.php
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In order to retrieve the logging data necessary, you need to grant a user object the ability to read the message tracking logs. By default, Exchange Online doesn’t have a role with only that as its permission (or anything really close), so we’re going to:
Create a user account
Create a role group
Add some roles to it (Message Tracking, View-Only Audit Logs, View-Only Configuration, View-Only Recipients)
Add the newly created user to it
Note: Only the ViewOnlyRecipients role is needed for the add-on to work, as that is what the reporting services API requires. I’ve found it’s useful, though, to have the others so you can check the message trace, message tracking, transport configuration, and message audit data with one account. If you are going for a least-privilege configuration, remove the MessageTracking, ViewOnlyAuditLogs, and ViewOnlyConfiguration lines.
Regards : office 365 admin training in pune
,In order to retrieve the logging data necessary, you need to grant a user object the ability to read the message tracking logs. By default, Exchange Online doesn’t have a role with only that as its permission (or anything really close), so we’re going to:
Create a user account
Create a role group
Add some roles to it (Message Tracking, View-Only Audit Logs, View-Only Configuration, View-Only Recipients)
Add the newly created user to it
Note: Only the ViewOnlyRecipients role is needed for the add-on to work, as that is what the reporting services API requires. I’ve found it’s useful, though, to have the others so you can check the message trace, message tracking, transport configuration, and message audit data with one account. If you are going for a least-privilege configuration, remove the MessageTracking, ViewOnlyAuditLogs, and ViewOnlyConfiguration lines.
Regards : office 365 admin training in pune
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you able to run a Message Trace Report from the Office 365 Admin Center? https://technet.microsoft.com/en-us/library/jj200712(v=exchg.150).aspx
Whatever credentials you use there will work with the add-on. Also, you can use cURL or Postman outside of Splunk for testing. See this answer for more detail about using Postman -> https://answers.splunk.com/answers/637059/why-am-i-getting-an-error-instead-of-data-with-mso.html
Observe and Secure All Apps with Splunk
Splunk Decoded: Business Transactions vs Business IQ
Fastest way to demo Observability
