I have installed the Splunk Add-on for Microsoft Office 365 Reporting Web Service 2.0.0
I m getting
requests.exceptions.HTTPError: 403 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%2...
we are using Modern Authentication (OAuth)
as per the doc we have Office 365 Exchange Online ->ReportingWebService.Read.All
is Exchange Administrator mandatory ?
Working with the Exchange administrator, it isn't clear even with the documentation how to assign the Exchange Admin role for Oauth since there isn't a clear username to assign that role. Any one figure this one out?
The above referenced procedure was accurate to add Exchange Online. Note, by default, it queries one week back and only grabs one hour at a time every query interval, meaning it takes a while to catch up to current mail messages.
Go to AZDS "roles and administrator"
Find Exchange administrator
enter full name of your app registration example: Splunk_siem
add to role.
This fix error 403, but i did not get any mail log through this method. There is message no mail log returned
Yes. If you look into the app details in splunkbase when using OAuth you need either Global Admin (Not recommended) or Exchange Admin roles assigned.
Here is a list of requirements for all azure and O365 splunk add-ons: