I am attempting to configure the TA-MS_O365_Reporting app but can't seem to get the permissions correct. I've configured a user account in Azure AD called "splunk" and from the Exchange Admin console assigned it to a custom role with the four required permissions:
But when I enable the input and then check Splunk's internal logs I see the following error:
401 Client Error: Unauthorized for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%2...
Is there something I am missing with regards to setting up the permissions?
Thank you.