I created an Azure Audit input. I have no logs when I open the 'Search' tab and search for logs by index (specified when creating the Audit input).
The user which I use in 'Azure App Account' is a Global Administrator in Azure.
I had to have our Azure admin enter his creds while remoted into my PC when I was setting up the app's configs/API integrations, when it prompted to sign in after setting the API key etc. for the app to use.
I basically have the same issue, but I do know it's a permissions issue. My Splunk logs show this error:
APIError: "status=403, error_code=AuthorizationFailed, error_msg=The client 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx1133' with object id ''xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx1133' does not have authorization to perform action 'microsoft.insights/eventtypes/values/read' over scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx12f4'."
I thought I configured everything correctly, but it's not pulling it. I use the same Active Directory Application in Azure AD for pulling Office 365 Management API Inputs and that works fine.