All Apps and Add-ons

Why Receiving 401 error when attempting to connect to Reporting URL?

adalbor
Builder

Hey All,

Just recently installed the Microsoft Office 365 Reporting Add-on for Splunk on one of our Heavy Forwarders.
I was able to successfully setup the input but am receiving an error when attempting to connect to the reporting URL

HTTP Request error: 401 Client Error: Unauthorized for url

I can login to the Exchange Admin center using the exact same user and run a message trace report with no issues but cant figure out why the Splunk Add-on is having issues.

Any help would be greatly appreciated!

Thanks!

Labels (1)
0 Karma

Joelthemole
Engager

I have managed to resolve this on my OAUTH setup.

 

Error 401 is permissions error, this is from the official add on trouble shooting: The Splunk Add-on for Microsoft Office 365 requires ReportingWebService.Read.All. Verify this permission is selected, saved, and then granted within the Office 365 Management Activity API configuration on Azure Active Directory.

 

So in order to fix:

  1. In the Azure Portal, go to App registrations > All applications
  2. Select your application
  3. Select API Permissions
  4. Click Add a permission to display the Request API permission flyout page
  5. On the APIs my organization uses tab, select Office 365 Exchange Online
  6. On the flyout page, select Application permissions, and then click Add permissions
  7. The Reporting Web Service should now appear in the list of applications that your app requires permissions for
  8. Select Grant admin consent for "YourTenant" to consent to the permissions given to your app
Tags (1)

jwalzerpitt
Influencer

Had the same issue until I put @xxx.yyy at the end of our O365 username and was able to start pulling message trace logs

0 Karma

itrimble1
Path Finder

Is your company using Legacy auth ?

gsddrake
Engager

I have MFA & Modern Auth enabled, and cannot use this add-on anymore. Role permissions are not the issue because I tested w/ Global Admin. I receive a 401 when visiting this site as others have mentioned: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace

0 Karma

adalbor
Builder

Yeah its not a role issue, has to do with the fact that if you are using anything other than basic (insecure) auth it doesn't work.

0 Karma

jconger
Splunk Employee
Splunk Employee

The Microsoft Office 365 Reporting Add-on uses basic authentication (meaning username and password). This isn’t ideal, but it’s the way the MSFT API behind-the-scenes works and we’re limited to that. An easy troubleshooting step is to try hitting this URL -> https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace You’ll get prompted for a username and password. Use the same username and password configured on the add-on. If you see data, you should be good to go. If not, then some adjustments need to be made on either the account or any access policies applied to the account.

Priyankakumari1
Explorer

@jconger  thanks, I am able to see the data on browser, however on splunkd logs its same 401 error.

Has anyone solved this?

0 Karma

ChadLangUAB
Path Finder

I'm able to connect successfully (http 200) to https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace via Postman and also via browser with the add-on account and view data, however in splunkd.log you can observe the error:

HTTP Request error: 401 Client Error: Unauthorized for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%2...'

Any ideas? We're stumped with no support options.

0 Karma

adalbor
Builder

Thanks for the info jconger but the issue resides with the fact that if you use conditional access policies or any other proper security controls, you are unable to access your message tracking logs via this add-on.

There needs to be a better way to access this while still being able to secure your environment.

0 Karma

centrafraserk
Path Finder

I am having the same issue where we are receiving 401 as well after double checking that the user does in fact have the ability to run message trace history. Is this related to MFA? If you figured out a solution I would be very interested, let me know please.

0 Karma

adalbor
Builder

Does anyone know if there is a way to use something besides Basic Auth with this add-on?
Our conditional access policy does not allow Basic Auth

0 Karma

adalbor
Builder

There are no contact email addresses for this app and no official splunk support.
Anyone out there have any recommendations?

0 Karma

centrafraserk
Path Finder

Did you have any luck solving this? I am having the same issue.

0 Karma

adalbor
Builder

Nope never been able to solve it. As of right now we are without message tracking logs in Exchange Online. Its not related to MFA for us as the acct I use to connect is a service account with MFA not enabled.

I tried emailing one of the developers of the add-on but no response and the forum is quiet.

0 Karma

centrafraserk
Path Finder

That's too bad. We are a modern auth only shop as well so it would make sense to me that it could be causing issues. I tried modifying this addon's python script from the HTTPBasicAuth request to use the HTTPDigestAuth but unfortunately something so simple was not the answer. Our team even made an exception to my account to allow for legacy auth and that doesn't seem to solve the issue either. I'll keep checking this thread to see if any other users are experiencing this to see if we can at least pin down the source of the cause.

0 Karma

ChadLangUAB
Path Finder

Has anyone made any progress with this Add-on? It would be much preferable to the PS conflagration we have in place.

I'm getting the 401 error in the splunkd.log as well but the user is able to access the URL and view data.

0 Karma

adalbor
Builder

Nope still no luck. We are currently exploring other options, have our Azure admin looking into it. We might end up using Event Hub to get these events but not 100% sure on the specifics. Thanks for the update on trying the .py script.

Will update when I find a solution

0 Karma

adalbor
Builder

Doesn't look like Event Hub can pull these logs either.

So far the only option I can see right now is use Powershell to pull the logs down and use a UF with the Powershell output in the inputs of the UF.

Im not a fan of this idea so not sure we will end up using or testing this.

0 Karma

pruthvikrishnap
Contributor

HI Ada,
Initial check, try to fetch the Trace Report from the Office 365 Admin Center?
Some docs on this:
https://technet.microsoft.com/en-us/library/jj200712(v=exchg.150).aspx

credentials generally should work when used with add-on.
Try configuring it from Postman just to test.

0 Karma

adalbor
Builder

We are able to fetch the trace report from the admin center with the same credentials as I stated above.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...