I have installed the Splunk Add-on for Microsoft Office 365 Reporting Web Service 2.0.0
I m getting
requests.exceptions.HTTPError: 403 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%2...
we are using Modern Authentication (OAuth)
as per the doc we have Office 365 Exchange Online ->ReportingWebService.Read.All
is Exchange Administrator mandatory ?
Working with the Exchange administrator, it isn't clear even with the documentation how to assign the Exchange Admin role for Oauth since there isn't a clear username to assign that role. Any one figure this one out?
The above referenced procedure was accurate to add Exchange Online. Note, by default, it queries one week back and only grabs one hour at a time every query interval, meaning it takes a while to catch up to current mail messages.
Go to AZDS "roles and administrator"
Find Exchange administrator
enter full name of your app registration example: Splunk_siem
add to role.
This fix error 403, but i did not get any mail log through this method. There is message no mail log returned
after adding also Global reader as mention @diogofgm and complete reinstall of addon, logs started to flow. Lets see how stable will be input
Yes. If you look into the app details in splunkbase when using OAuth you need either Global Admin (Not recommended) or Exchange Admin roles assigned.
Here is a list of requirements for all azure and O365 splunk add-ons:
https://docs.google.com/spreadsheets/d/1YJAqNmcXZU-7O9CxVKupOkR6q2S8TXriMeLAUMYmMs4/edit#gid=0