I saw that a new version of this add-on was released to support OAuth.
The instructions for setting up the Client ID are truncated: "The Reporting Web Service should now appear in the list of applications that your app requires permissions for <blank"
I added ReportingWebService.Read.All to the Client ID I already use for other O365 logs, and configured the new TA, but this still gives me a 401 error. Are there additional permissions required?
I had the same issue. It turned out that we needed to add the Exchange Administrator role to the Enterprise Application associated with the OAuth token. A bit of overkill of privileges, but it is what it takes to make things work.
Permission cheat-sheet:
https://docs.google.com/spreadsheets/d/1YJAqNmcXZU-7O9CxVKupOkR6q2S8TXriMeLAUMYmMs4/edit#gid=0
Have you tried it with Global Reader role? My Exchange admin doesn't want to give Exchange Administrator privileges and I am not able to get past this error 403 with Global Reader. I am wondering if anyone has had any luck in getting this to work?
From Splunk Employee on another related post:
"jconger Splunk Employee
Update: the originally required permissions were either Global Administrator or Exchange Administrator. However, Microsoft has changed that to now allow the Global Reader role."
Sorry... Never closed the loop on this. Yes, adding the AppID to Global Reader role (in addition to the API mentioned above) resolved the issue.
Thanks,
Gord T.
Thanks for validating the solution. Do you have the steps to add the AppID to the Global Reader role? I have tried to add the AppID using the Role Assignment, but the only options available are users or groups, with no option for adding an AppID. I'd appreciate any guidance.
Go to the Global Reader role and click "Add Assignments". Search for the Azure application created for Splunk, select it, and also select "Service Principal" as the type. This should fix the issue.
@splunklabs Any feedback on this? Has anyone managed to get this working? I've played around with various settings, like providing Organization.Read.All, etc, with no luck.
BTW, the confusion around error code is because _auth.log returns 403, but the other log returns 401 (see below).
From ta_ms_o365_reporting_ms_o365_message_trace_oauth.log
2022-08-18 19:10:06,228 INFO pid=1745907 tid=MainThread file=setup_util.py:log_info:142 | Log level is not set, use default INFO
2022-08-18 19:10:06,229 INFO pid=1745907 tid=MainThread file=splunk_rest_client.py:_request_handler:99 | Use HTTP connection pooling
2022-08-18 19:10:06,241 INFO pid=1745907 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled!
2022-08-18 19:10:06,443 INFO pid=1745907 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled!
2022-08-18 19:10:07,546 ERROR pid=1745907 tid=MainThread file=base_modinput.py:log_error:316 | _Splunk_ HTTP Request error: 403 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-13T19:10:06.241464Z'%20and%20EndDate%20eq%20datetime'2022-08-13T20:10:06.241464Z'
2022-08-18 19:10:07,547 ERROR pid=1745907 tid=MainThread file=base_modinput.py:log_error:316 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/lib/splunktaucclib/modinput_wrapper/base_modinput.py", line 140, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 355, in collect_events
get_events_continuous(helper, ew)
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 96, in get_events_continuous
message_response = get_messages(helper, microsoft_trace_url)
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 74, in get_messages
raise e
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 66, in get_messages
r.raise_for_status()
File "/opt/splunk/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-13T19:10:06.241464Z'%20and%20EndDate%20eq%20datetime'2022-08-13T20:10:06.241464Z'
From ta_ms_o365_reporting_ms_o365_message_trace.log
2022-08-18 19:06:22,623 INFO pid=1743945 tid=MainThread file=setup_util.py:log_info:142 | Log level is not set, use default INFO
2022-08-18 19:06:22,623 INFO pid=1743945 tid=MainThread file=splunk_rest_client.py:_request_handler:99 | Use HTTP connection pooling
2022-08-18 19:06:22,692 INFO pid=1743945 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled!
2022-08-18 19:06:27,816 ERROR pid=1743945 tid=MainThread file=base_modinput.py:log_error:316 | _Splunk_ HTTP Request error: 401 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-03T01:59:37.734559Z'%20and%20EndDate%20eq%20datetime'2022-08-03T02:59:37.734559Z'
2022-08-18 19:06:27,817 ERROR pid=1743945 tid=MainThread file=base_modinput.py:log_error:316 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/lib/splunktaucclib/modinput_wrapper/base_modinput.py", line 140, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py", line 357, in collect_events
get_events_continuous(helper, ew)
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py", line 99, in get_events_continuous
message_response = get_messages(helper, microsoft_trace_url, global_microsoft_office_365_username, global_microsoft_office_365_password)
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py", line 74, in get_messages
raise e
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py", line 68, in get_messages
r.raise_for_status()
File "/opt/splunk/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-03T01:59:37.734559Z'%20and%20EndDate%20eq%20datetime'2022-08-03T02:59:37.734559Z'
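The post above shows why the thread keeps mixing up 401 and 403: the two inputs write to different log files and fail for different reasons. The following is an added example, not code from the thread or from the TA itself, that parses TA log lines of this shape, separates the two status codes, pulls the StartDate/EndDate window out of the request URL, and reports how far behind the collection window has fallen. The sample lines are constructed to match the format quoted above, and the cause text for each status is the thread's own conclusion (Global Reader or Exchange Administrator on the service principal, plus ReportingWebService.Read.All); the function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines, modelled on the TA log format quoted in the thread.
SAMPLE_LOG = """\
2022-08-18 19:10:06,241 INFO pid=1745907 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled!
2022-08-18 19:10:07,546 ERROR pid=1745907 tid=MainThread file=base_modinput.py:log_error:316 | _Splunk_ HTTP Request error: 403 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-13T19:10:06.241464Z'%20and%20EndDate%20eq%20datetime'2022-08-13T20:10:06.241464Z'
2022-08-18 19:06:27,816 ERROR pid=1743945 tid=MainThread file=base_modinput.py:log_error:316 | _Splunk_ HTTP Request error: 401 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-03T01:59:37.734559Z'%20and%20EndDate%20eq%20datetime'2022-08-03T02:59:37.734559Z'
"""

ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) ERROR pid=(?P<pid>\d+) "
    r".*?HTTP Request error: (?P<status>\d{3}) Client Error: for url: (?P<url>\S+)$"
)
DATETIME_RE = re.compile(r"datetime'([^']+)'")

# What each status means for this endpoint, and the fix the thread arrived at.
CAUSES: Dict[int, str] = {
    401: "authentication failed: the credential or token itself was rejected "
         "(check token acquisition and the client secret, and make sure the "
         "legacy username/password input is not the one running)",
    403: "authenticated but not authorized: the app's service principal lacks a "
         "tenant role (assign Global Reader, or Exchange Administrator, in addition "
         "to the ReportingWebService.Read.All API permission)",
}


def parse_odata_datetime(stamp: str) -> datetime:
    """Parse the OData datetime literal, with or without fractional seconds."""
    stamp = stamp.rstrip("Z")
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(stamp, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised datetime literal: %r" % stamp)


@dataclass
class AuthFailure:
    logged_at: datetime
    pid: int
    status: int
    host: str
    window_start: Optional[datetime]
    window_end: Optional[datetime]

    @property
    def likely_cause(self) -> str:
        return CAUSES.get(self.status, "unclassified HTTP %d" % self.status)

    @property
    def backlog_days(self) -> Optional[int]:
        # Distance between the log time and the end of the requested window:
        # a large value means the input has been failing (checkpoint stuck) that long.
        if self.window_end is None:
            return None
        return (self.logged_at - self.window_end).days


def _parse_window(url: str) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Pull StartDate/EndDate out of the $filter OData query parameter."""
    query = parse_qs(urlsplit(url).query)
    stamps = DATETIME_RE.findall(query.get("$filter", [""])[0])
    if len(stamps) != 2:
        return None, None
    return parse_odata_datetime(stamps[0]), parse_odata_datetime(stamps[1])


def parse_errors(log_text: str) -> List[AuthFailure]:
    """Extract every HTTP client-error line from TA log text."""
    failures = []
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if not m:
            continue
        start, end = _parse_window(m["url"])
        failures.append(AuthFailure(
            logged_at=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"),
            pid=int(m["pid"]),
            status=int(m["status"]),
            host=urlsplit(m["url"]).hostname or "",
            window_start=start,
            window_end=end,
        ))
    return failures


def summarize(log_text: str) -> Dict[int, int]:
    """Count failures per status code, so 401s and 403s are never lumped together."""
    counts: Dict[int, int] = {}
    for f in parse_errors(log_text):
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    for f in parse_errors(SAMPLE_LOG):
        print(f"{f.logged_at} pid={f.pid} HTTP {f.status} host={f.host} "
              f"backlog={f.backlog_days}d -> {f.likely_cause}")
```

Run against the real files under `$SPLUNK_HOME/var/log/splunk/` (paths assumed to match the file names quoted in the thread) the backlog figure is the useful signal: in the sample above the 401 input is 15 days behind, which is what a collector looks like when nobody noticed it had stopped.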
I have the same issue, followed the recommended permissions but I receive a 403.
2022-08-09 09:14:20,818 ERROR pid=656295 tid=MainThread file=base_modinput.py:log_error:316 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/lib/splunktaucclib/modinput_wrapper/base_modinput.py", line 140, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 355, in collect_events
get_events_continuous(helper, ew)
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 96, in get_events_continuous
message_response = get_messages(helper, microsoft_trace_url)
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 74, in get_messages
raise e
File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 66, in get_messages
r.raise_for_status()
File "/opt/splunk/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-07T10:01:10Z'%20and%20EndDate%20eq%20datetime'2022-08-07T11:01:10Z'