All Apps and Add-ons

OAuth permissions for Splunk Add-on for Microsoft Office 365 Reporting Web Service- Why am I getting a 401 Error?

gordo32
Communicator

I saw that a new version of this add-on was released to support OAuth.

The instructions for setting up the Client ID is truncated: "The Reporting Web Service should now appear in the list of applications that your app requires permissions for <blank"

I added ReportingWebService.Read.All to the Client ID I already use for other O365 logs, and configured the new TA, but this still gives me a 401 error. Are there additional permissions required?


MaverickT
Communicator

I had the same issue. It turned out that we needed to add the Exchange Administrator role to the Enterprise Application associated with the OAuth token. A bit of an overkill of privileges, but it is what it takes to make things work.

Permission cheat-sheet:

https://docs.google.com/spreadsheets/d/1YJAqNmcXZU-7O9CxVKupOkR6q2S8TXriMeLAUMYmMs4/edit#gid=0


RyanB
New Member

Have you tried it with Global Reader role? My Exchange admin doesn't want to give Exchange Administrator privileges and I am not able to get past this error 403 with Global Reader. I am wondering if anyone has had any luck in getting this to work?


From Splunk Employee on another related post:

"jconger Splunk Employee

a month ago

Update: the originally required permissions were either Global Administrator or Exchange Administrator.  However, Microsoft has changed that to now allow the Global Reader role."


gordo32
Communicator

Sorry... Never closed the loop on this. Yes, adding the AppID to Global Reader role (in addition to the API mentioned above) resolved the issue.

Thanks,

Gord T.


Abdulm1
Explorer

Thanks for validating the solution. Do you have the steps to add the AppID to the Global Reader role? I have tried to add the AppID using Role Assignment, but the only options available are user or groups, with no option for adding an AppID. I'd appreciate any guidance.


bala_tse
Engager

Go to the Global Reader role and click "Add Assignments". Search for the Azure application you created for Splunk, select it, and also select the type "Service Principal". This should fix the issue.

gordo32
Communicator

@splunklabs Any feedback on this? Has anyone managed to get this working? I've played around with various settings, like providing Organization.Read.All, etc, with no luck.

BTW, the confusion around the error code is because the _oauth.log returns 403, but the other log returns 401 (see below).

From ta_ms_o365_reporting_ms_o365_message_trace_oauth.log

2022-08-18 19:10:06,228 INFO pid=1745907 tid=MainThread file=setup_util.py:log_info:142 | Log level is not set, use default INFO
2022-08-18 19:10:06,229 INFO pid=1745907 tid=MainThread file=splunk_rest_client.py:_request_handler:99 | Use HTTP connection pooling
2022-08-18 19:10:06,241 INFO pid=1745907 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled!
2022-08-18 19:10:06,443 INFO pid=1745907 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled!
2022-08-18 19:10:07,546 ERROR pid=1745907 tid=MainThread file=base_modinput.py:log_error:316 | _Splunk_ HTTP Request error: 403 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-13T19:10:06.241464Z'%20and%20EndDate%20eq%20datetime'2022-08-13T20:10:06.241464Z'
2022-08-18 19:10:07,547 ERROR pid=1745907 tid=MainThread file=base_modinput.py:log_error:316 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/lib/splunktaucclib/modinput_wrapper/base_modinput.py", line 140, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 355, in collect_events
    get_events_continuous(helper, ew)
  File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 96, in get_events_continuous
    message_response = get_messages(helper, microsoft_trace_url)
  File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 74, in get_messages
    raise e
  File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 66, in get_messages
    r.raise_for_status()
  File "/opt/splunk/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-13T19:10:06.241464Z'%20and%20EndDate%20eq%20datetime'2022-08-13T20:10:06.241464Z'


From ta_ms_o365_reporting_ms_o365_message_trace.log

2022-08-18 19:06:22,623 INFO pid=1743945 tid=MainThread file=setup_util.py:log_info:142 | Log level is not set, use default INFO
2022-08-18 19:06:22,623 INFO pid=1743945 tid=MainThread file=splunk_rest_client.py:_request_handler:99 | Use HTTP connection pooling
2022-08-18 19:06:22,692 INFO pid=1743945 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled!
2022-08-18 19:06:27,816 ERROR pid=1743945 tid=MainThread file=base_modinput.py:log_error:316 | _Splunk_ HTTP Request error: 401 Client Error:  for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-03T01:59:37.734559Z'%20and%20EndDate%20eq%20datetime'2022-08-03T02:59:37.734559Z'
2022-08-18 19:06:27,817 ERROR pid=1743945 tid=MainThread file=base_modinput.py:log_error:316 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/lib/splunktaucclib/modinput_wrapper/base_modinput.py", line 140, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py", line 357, in collect_events
    get_events_continuous(helper, ew)
  File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py", line 99, in get_events_continuous
    message_response = get_messages(helper, microsoft_trace_url, global_microsoft_office_365_username, global_microsoft_office_365_password)
  File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py", line 74, in get_messages
    raise e
  File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py", line 68, in get_messages
    r.raise_for_status()
  File "/opt/splunk/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error:  for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-03T01:59:37.734559Z'%20and%20EndDate%20eq%20datetime'2022-08-03T02:59:37.734559Z'


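An added triage helper (my own example, not part of this thread or of the Splunk add-on) that reads log text in the shape of the two files quoted above, pulls the HTTP status, the input script and the requested date window out of each `HTTP Request error` line, and attaches the fix the thread converged on: 401 points at authentication, 403 at a token that was accepted but lacks the Global Reader role. The sample log is constructed to match the line format above, not copied from a real deployment.

```python
import re

# Constructed sample in the TA's log format (error line, then the traceback's bin/ frame).
SAMPLE_LOG = """\
2022-08-18 19:10:07,546 ERROR pid=1745907 tid=MainThread file=base_modinput.py:log_error:316 | _Splunk_ HTTP Request error: 403 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-13T19:10:06Z'%20and%20EndDate%20eq%20datetime'2022-08-13T20:10:06Z'
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 355, in collect_events
2022-08-18 19:06:27,816 ERROR pid=1743945 tid=MainThread file=base_modinput.py:log_error:316 | _Splunk_ HTTP Request error: 401 Client Error:  for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-03T01:59:37Z'%20and%20EndDate%20eq%20datetime'2022-08-03T02:59:37Z'
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py", line 357, in collect_events
2022-08-18 19:06:22,623 INFO pid=1743945 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled!
"""

ERROR_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ERROR .*HTTP Request error: (?P<status>\d{3}) Client Error:\s*for url: (?P<url>\S+)$"
)
WINDOW_RE = re.compile(r"StartDate%20eq%20datetime'([^']+)'%20and%20EndDate%20eq%20datetime'([^']+)'")
SCRIPT_RE = re.compile(r'^\s*File ".*/bin/([^/"]+\.py)"')

# Triage hints distilled from the thread: 401 means the request was never authenticated
# (credentials or token not accepted); 403 means the token was accepted but the principal
# lacks a directory role the Reporting Web Service checks (Global Reader per the thread).
HINTS = {
    "401": "not authenticated: check client id/secret and tenant (OAuth input) or the account "
           "credentials (basic-auth input), and that ReportingWebService.Read.All is granted",
    "403": "authenticated but not authorised: assign the app's service principal the Global Reader role",
}

def triage(log_text):
    """Return one finding per HTTP error line, tagged with the input script that raised it."""
    findings = []
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            w = WINDOW_RE.search(m.group("url"))
            findings.append({
                "ts": m.group("ts"),
                "status": m.group("status"),
                "window": (w.group(1), w.group(2)) if w else None,
                "input": None,  # filled from the first bin/ frame of the following traceback
                "hint": HINTS.get(m.group("status"), "unexpected status; inspect the full response"),
            })
            continue
        s = SCRIPT_RE.match(line)
        if s and findings and findings[-1]["input"] is None:
            findings[-1]["input"] = s.group(1)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["status"], f["input"], f["window"], "->", f["hint"])
```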

gsddrake
Engager

I have the same issue, followed the recommended permissions but I receive a 403.

2022-08-09 09:14:20,818 ERROR pid=656295 tid=MainThread file=base_modinput.py:log_error:316 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/lib/splunktaucclib/modinput_wrapper/base_modinput.py", line 140, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 355, in collect_events
    get_events_continuous(helper, ew)
  File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 96, in get_events_continuous
    message_response = get_messages(helper, microsoft_trace_url)
  File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 74, in get_messages
    raise e
  File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 66, in get_messages
    r.raise_for_status()
  File "/opt/splunk/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error:  for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-07T10:01:10Z'%20and%20EndDate%20eq%20datetime'2022-08-07T11:01:10Z'