No permission to fetch Azure AD Audit data. There might be some delay after changing the application permissions.
No permission to fetch Sharepoint Online Audit data. There might be some delay after changing the application permissions.
No permission to fetch Exchange Online Audit data. There might be some delay after changing the application permissions.
And yes, we have verified that the permissions below exist. Service Status and Operational Messages work, just not the rest. Any ideas?
Going to answer my own question since we got it working. I think it was because the permissions were granted after adding the account to Splunk.
Fixed by:
Removed Inputs config
Removed account config
Added account config
Added inputs config
Kept the certificate configuration as-is.
Going to answer my own question since we got it working. I think it was because the permissions were granted after adding the account to Splunk.
Fixed by:
Removed Inputs config
Removed account config
Added account config
Added inputs config
Kept the certificate configuration as-is.
Thank you!!! Removing and re-adding the account resolved this for me.
This answer didn't work for me initially. After giving up in frustration I tried it again the next day for kicks and giggles...and it worked!!!