Looking to ingest logs from O365 using the Microsoft Cloud Services app and having trouble with linking the O365 Account. Does the Redirect URL need to be accessible from the Internet? I wasn't able to find a straight answer within the documentation. I'm getting error after I type in credentials to authenticate with O365:
AADSTS70001: Application with identifier 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx' was not found in the directory xxxxxx.com
The redirect URL does not need to be accessible from the Internet. The error you are experiencing sounds like a misconfiguration of the Application ID (a.k.a. Client ID).
BUT, I would highly recommend using the Splunk Add-on for Microsoft Office 365 instead. The consent framework steps (all that redirect stuff) have been removed in that add-on and some improvements have been made as well for O365 data ingestion.
The challenge to using the Splunk Add-on for Microsoft Office 365, is that the Microsoft Office 365 App for Splunk depends on the Splunk Add-on for Microsoft Cloud Services. The Splunk Add-on for Microsoft Office 365 does not pull back all the same sourcetypes and extractions as the Splunk Add-on for Microsoft Cloud Services does. So the App panels are no longer populating. This just means we have to update all the code, but just so you know.
Sounds like there is some more configuration you need to do on the Azure side for the API piece. You don't need the redirect URL internet facing from what I can tell from our setup. The app just needs to be able to reach out via 443 and have the open session. Possibly using the wrong ID string when you setup the Azure API piece for the app/splunk configuration?