Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Azure AD Add-on for MS Office 365 questions

adamblock2
Path Finder
‎11-30-2021 02:02 PM

I am in the process of trying to configure a Tenant in this add-on.  Some of the required values are available in the Azure AD integration application.  There are a number of others that I have not been able to find values for.

The first 3 items I have values for, the last 3 I do not.  Assistance with this would be appreciated.

  • Tenant ID is the Directory ID from Azure Active Directory.
  • Client ID is the Application ID from the registered application within the Azure Active Directory.
  • Client Secret is the registered application key for the corresponding application.
  • Cloud Application Security Token is the registered application key for the corresponding tenant.
  • Tenant Subdomain is the first component of the Cloud App Security Portal URL. For example, https://<tenant_subdomain>.<tenant_datacenter>.portal.cloudappsecurity.com.
  • Tenant Data Center is the second component of the Cloud App Security Portal URL. For example, https://<tenant_subdomain>.<tenant_datacenter>.portal.cloudappsecurity.com.
     
     
Labels (2)
Labels
Tags (1)
Reply

jconger
Splunk Employee
Splunk Employee
‎01-26-2022 10:34 AM

TL;DR = the last three parameters (Cloud App Security Token, Tenant Subdomain, and Tenant Data Center) are only used by the Cloud Application Security Input.  If you do not plan on using that input in the add-on, you can leave those fields blank.  If you do plan on using that input, here is a quick how-to about getting the needed values:

  • Log on to the Cloud App Security portal https://portal.cloudappsecurity.com/
  • Once logged in, go to Settings > Security extensions
  • Click the Add token button
  • Give the token a name and click Generate
  • The token will be displayed.  This is the only time the token will be displayed by the way.
  • Copy the token, tenant subdomain (splunkpartner in my case), and data center (us3 in my case).

image.pngimage (1).png

 

The first three parameters (Tenant ID, Client ID, and Client Secret) are used by the following inputs:

  • Management Activity
  • Service Status
  • Service Message
  • Graph API

The Microsoft 365 App has a good walkthrough about creating the Azure AD application registration and assigning the necessary permissions (it is in the Help > Setup Guide menu in the app).  If you are configuring additional Microsoft Cloud add-ons, here is a good reference for the necessary permissions needed along with sourcetypes and APIs used => http://bit.ly/Splunk_Azure_Permissions

 

Reply

jwalzerpitt
Influencer
‎06-23-2022 07:24 AM

Thx for posting @jconger as followed the instructions you laid out and was able to add a few Defender for Cloud App inputs - alerts and policies

0 Karma
Reply

jadengoho
Builder
‎02-28-2022 07:04 PM

Hi @adamblock2 
Where can we see the "Cloud App Security Token"

0 Karma
Reply

jconger
Splunk Employee
Splunk Employee
‎03-01-2022 06:15 AM

In the screenshot above, the API token is the value to use for the "Cloud App Security Token".

Reply

marcluescher
Explorer
‎12-08-2021 02:38 PM

I am exactly in the same situation.

To get a token for value 4 we followed the following steps and used curl to get a token, unfortunately that token does not pass Splunk addon validation but passed ms validation as valid token .

https://docs.microsoft.com/en-us/defender-cloud-apps/api-authentication

We then tested the token with jwt.ms and it comes back as valid with proper roles.

For step 5 and 6 we used our assigned cloudapps url

like https://tenant.portal.cloudappsecurity.com .

 

But still no luck. Since the app is Splunk built I hope they can help here.

 

 

Tags (1)
0 Karma
Reply

adamblock2
Path Finder
‎12-08-2021 02:47 PM

We recently had a conversation with a MS support engineer who suggested that since we are just reading the logs, the Cloud Application Security Token, Tenant Subdomain,  and Tenant Data Center values may not be required.

I have not had an opportunity to test this yet, but I would suggest giving that a try.

0 Karma
Reply

aplackemeier
Explorer
‎12-22-2021 10:45 AM

I believe the last 3 are only needed in a multi tenant situation. Ran across this when ours expired and we had to update. 

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant

Submit a ticket to support asking them to update and clarify the documentation. That is the only way it will get changed. 

0 Karma
Reply

marcluescher
Explorer
‎12-08-2021 02:54 PM

its the same outcome with or without those URL's is the token validation part which seems either broken or needs something different.

I wish they had a better documentation for this new requirement of a secret and cloud token.

 

Many customers will run into this once the secrets expire.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...