We've set up the Microsoft Teams add-on and have it working for one client. We were wondering whether the same webhook can be used to connect to multiple tenants, or if we'll need to create a new webhook per tenant?
Okay, I got this up and running for our test tenancy first with no problems: generic webhook, plus subscription and call record inputs, and an account unique to that tenancy and its Azure AD app.
I then created a new Azure AD app in the live tenancy, followed by a subscription and call record input on Splunk with the live tenancy's tenantID, and a new account with the live tenancy's clientID and secret. The subscription and call record inputs both point at the previous generic webhook.
Call records are being ingested successfully from both tenancies into the same index, and are identifiable using the 'source' field in the records as I gave them uniquely identifiable names relating to the tenancy name.
All good so far, but the wrinkle seems to be that every call record header that gets pushed to the webhook is passed on to *both* call record inputs to be requested from graph.microsoft.com. One always fails, as the call either took place on live or on testing, but not both, and returns a 404.
It seems that the intelligence isn't there for the webhook to extract a tenantID from the call record header and pass it on to the relevant call record input. Disabling the call record input for the testing tenancy (where there are very few calls going on) bears this out.
This works for my needs, I can turn the logging on and off for the testing tenancy as and when I need it, but if you're hoping to capture logs for multiple live tenancies I'd be inclined to set up a unique webhook for each one.
Well, out of curiosity I went back and set up a separate webhook on a different port and it's still not working properly, I'm getting 404 errors for nonexistent call records.
Whenever I (re)start the subscription for the second tenancy I can see the *wrong* webhook being restarted (they're running on different ports). I'm not convinced that, even with an additional webhook configured, the Graph API is being told the correct webhook to use.
Sadly I think there's something missing in the code for this to allow multiple tenancies to run on one node. FWIW, I'm running this on a heavy forwarder with separate indexer and search nodes.
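The missing piece described in the posts above is a dispatch step between the webhook and the per-tenant call record inputs. The block below is an added illustration, not code from the Splunk add-on or from Microsoft: it takes a Microsoft Graph change-notification body (Graph delivers these as a JSON object with a "value" array, each element carrying "resource", "tenantId" and the "clientState" echoed back from subscription creation), routes each notification only to the input configured for its tenantId, and rejects notifications for unknown tenants or with a clientState that does not match, so no fetch is attempted that would 404. The tenant IDs, input names, clientState values and the webhook body are all constructed placeholders; `fanout_all` reproduces the every-input-gets-every-notification behaviour the thread reports, for comparison.

```python
"""Route Graph change notifications by tenantId instead of fanning every
notification out to every configured tenant input.

Added example; not code from the Splunk add-on. All identifiers below are
constructed placeholders.
"""
import hmac
import json
from collections import defaultdict

# Constructed per-tenant configuration (hypothetical names): keyed by Azure AD
# tenant ID, with the clientState supplied when that tenant's subscription
# was created.
TENANT_INPUTS = {
    "11111111-1111-1111-1111-111111111111": {
        "input_name": "teams_callrecords_live",
        "client_state": "live-secret-state",
    },
    "22222222-2222-2222-2222-222222222222": {
        "input_name": "teams_callrecords_test",
        "client_state": "test-secret-state",
    },
}

# Constructed webhook body in the shape Graph uses for change notifications.
SAMPLE_WEBHOOK_BODY = json.dumps({
    "value": [
        {"subscriptionId": "sub-live", "clientState": "live-secret-state",
         "changeType": "created",
         "resource": "communications/callRecords/aaaa-1",
         "tenantId": "11111111-1111-1111-1111-111111111111"},
        {"subscriptionId": "sub-test", "clientState": "test-secret-state",
         "changeType": "created",
         "resource": "communications/callRecords/bbbb-2",
         "tenantId": "22222222-2222-2222-2222-222222222222"},
        # Tenant nobody configured an input for: must not trigger a fetch.
        {"subscriptionId": "sub-unknown", "clientState": "live-secret-state",
         "changeType": "created",
         "resource": "communications/callRecords/cccc-3",
         "tenantId": "33333333-3333-3333-3333-333333333333"},
        # Known tenant but wrong clientState: treat as untrusted, drop it.
        {"subscriptionId": "sub-forged", "clientState": "wrong-state",
         "changeType": "created",
         "resource": "communications/callRecords/dddd-4",
         "tenantId": "11111111-1111-1111-1111-111111111111"},
    ]
})


def route_notifications(body, tenant_inputs=TENANT_INPUTS):
    """Return (routed, rejected).

    routed:   {input_name: [resource, ...]}; each resource goes to exactly one
              input, the one configured for the notification's tenantId.
    rejected: [(resource, reason), ...]; unknown tenant or clientState mismatch.
    """
    routed = defaultdict(list)
    rejected = []
    for note in json.loads(body).get("value", []):
        tenant = note.get("tenantId")
        resource = note.get("resource")
        cfg = tenant_inputs.get(tenant)
        if cfg is None:
            rejected.append((resource, "unknown tenantId %s" % tenant))
            continue
        # clientState is the shared secret Graph echoes back; compare in
        # constant time and drop anything that does not match this tenant's.
        presented = str(note.get("clientState") or "")
        if not hmac.compare_digest(presented, cfg["client_state"]):
            rejected.append((resource, "clientState mismatch"))
            continue
        routed[cfg["input_name"]].append(resource)
    return dict(routed), rejected


def fanout_all(body, tenant_inputs=TENANT_INPUTS):
    """The behaviour reported in the thread: every input receives every
    notification, so each resource is fetched once per tenant and every
    attempt but one 404s."""
    resources = [n["resource"] for n in json.loads(body).get("value", [])]
    return {cfg["input_name"]: list(resources) for cfg in tenant_inputs.values()}


if __name__ == "__main__":
    routed, rejected = route_notifications(SAMPLE_WEBHOOK_BODY)
    print("routed:", json.dumps(routed, indent=2))
    print("rejected:", rejected)
    print("fan-out (old behaviour):", json.dumps(fanout_all(SAMPLE_WEBHOOK_BODY), indent=2))
```

With this dispatch each input receives only its own tenant's call record IDs, so the cross-tenant 404s disappear, and the clientState check also gives the webhook a way to drop notifications that did not originate from a subscription it created.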
I was wondering the same thing, as I'm about to set this up for our testing tenancy and then our live one. It would be handy to have all the data in one index via one add-on, as we can obviously differentiate between tenancies using tenantID in the data.
I'll give it a try and report back if no one else replies before me.