Hey All,
Just recently installed the Microsoft Office 365 Reporting Add-on for Splunk on one of our Heavy Forwarders.
I was able to successfully set up the input but am receiving an error when attempting to connect to the reporting URL:
HTTP Request error: 401 Client Error: Unauthorized for url
I can log in to the Exchange Admin center using the exact same user and run a message trace report with no issues but can't figure out why the Splunk Add-on is having issues.
Any help would be greatly appreciated!
Thanks!
I have managed to resolve this on my OAUTH setup.
Error 401 is a permissions error; this is from the official add-on troubleshooting: The Splunk Add-on for Microsoft Office 365 requires ReportingWebService.Read.All. Verify this permission is selected, saved, and then granted within the Office 365 Management Activity API configuration on Azure Active Directory.
So in order to fix:
Had the same issue until I put @xxx.yyy at the end of our O365 username and was able to start pulling message trace logs
Is your company using Legacy auth?
I have MFA & Modern Auth enabled, and cannot use this add-on anymore. Role permissions are not the issue because I tested w/ Global Admin. I receive a 401 when visiting this site as others have mentioned: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace
Yeah, it's not a role issue; it has to do with the fact that if you are using anything other than basic (insecure) auth it doesn't work.
The Microsoft Office 365 Reporting Add-on uses basic authentication (meaning username and password). This isn’t ideal, but it’s the way the MSFT API behind-the-scenes works and we’re limited to that. An easy troubleshooting step is to try hitting this URL -> https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace You’ll get prompted for a username and password. Use the same username and password configured on the add-on. If you see data, you should be good to go. If not, then some adjustments need to be made on either the account or any access policies applied to the account.
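The check described in the post above, scripted so it can be run from the heavy forwarder itself rather than a workstation browser. This is an added example, not part of the original thread or the add-on's code; the function names are hypothetical, and it uses only the URL quoted in the thread and Python's standard library.

```python
import base64
import getpass
import urllib.error
import urllib.request

# Endpoint quoted in the thread.
MESSAGE_TRACE_URL = ("https://reports.office365.com/ecp/reportingwebservice/"
                     "reporting.svc/MessageTrace")


def build_request(username, password, url=MESSAGE_TRACE_URL):
    """Build a GET carrying an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(url, headers={"Authorization": "Basic " + token})


def username_warning(username):
    """One poster only got data after appending the @domain part to the username."""
    return "" if "@" in username else "username has no @domain suffix"


def interpret(status):
    """Map the status code to the outcomes discussed in the thread."""
    if status == 200:
        return "Basic authentication accepted from this host"
    if status == 401:
        return ("Basic authentication rejected from this host: review the "
                "account and any access policies applied to it")
    return "unexpected status, not the 401 discussed in the thread"


def check(username, password, opener=urllib.request.urlopen):
    """Send the request; return (status, WWW-Authenticate header, reading)."""
    request = build_request(username, password)
    try:
        with opener(request, timeout=30) as response:
            status, challenge = response.status, ""
    except urllib.error.HTTPError as err:
        status, challenge = err.code, err.headers.get("WWW-Authenticate", "")
    return status, challenge, interpret(status)


if __name__ == "__main__":
    user = input("Add-on account username: ")
    if username_warning(user):
        print("note:", username_warning(user))
    print(check(user, getpass.getpass("Password: ")))
```

The password is read with `getpass` so it does not end up in shell history on the forwarder.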
@jconger thanks, I am able to see the data in the browser; however, in the splunkd logs it's the same 401 error.
Has anyone solved this?
I'm able to connect successfully (http 200) to https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace via Postman and also via browser with the add-on account and view data, however in splunkd.log you can observe the error:
HTTP Request error: 401 Client Error: Unauthorized for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%2...'
Any ideas? We're stumped with no support options.
Thanks for the info jconger but the issue resides with the fact that if you use conditional access policies or any other proper security controls, you are unable to access your message tracking logs via this add-on.
There needs to be a better way to access this while still being able to secure your environment.
I am having the same issue where we are receiving 401 as well after double checking that the user does in fact have the ability to run message trace history. Is this related to MFA? If you figured out a solution I would be very interested, let me know please.
Does anyone know if there is a way to use something besides Basic Auth with this add-on?
Our conditional access policy does not allow Basic Auth.
There are no contact email addresses for this app and no official Splunk support.
Anyone out there have any recommendations?
Did you have any luck solving this? I am having the same issue.
Nope, never been able to solve it. As of right now we are without message tracking logs in Exchange Online. It's not related to MFA for us as the acct I use to connect is a service account with MFA not enabled.
I tried emailing one of the developers of the add-on but no response and the forum is quiet.
That's too bad. We are a modern auth only shop as well so it would make sense to me that it could be causing issues. I tried modifying this addon's python script from the HTTPBasicAuth request to use the HTTPDigestAuth but unfortunately something so simple was not the answer. Our team even made an exception to my account to allow for legacy auth and that doesn't seem to solve the issue either. I'll keep checking this thread to see if any other users are experiencing this to see if we can at least pin down the source of the cause.
Has anyone made any progress with this Add-on? It would be much preferable to the PS conflagration we have in place.
I'm getting the 401 error in the splunkd.log as well but the user is able to access the URL and view data.
Nope, still no luck. We are currently exploring other options, have our Azure admin looking into it. We might end up using Event Hub to get these events but not 100% sure on the specifics. Thanks for the update on trying the .py script.
Will update when I find a solution.
Doesn't look like Event Hub can pull these logs either.
So far the only option I can see right now is to use PowerShell to pull the logs down and use a UF with the PowerShell output in the inputs of the UF.
I'm not a fan of this idea so not sure we will end up using or testing this.
Hi Ada,
As an initial check, try to fetch the Trace Report from the Office 365 Admin Center.
Some docs on this:
https://technet.microsoft.com/en-us/library/jj200712(v=exchg.150).aspx
Credentials generally should work when used with the add-on.
Try configuring it from Postman just to test.
We are able to fetch the trace report from the admin center with the same credentials as I stated above.