Azure AD Add-on for MS Office 365 questions

I am in the process of trying to configure a Tenant in this add-on.  Some of the required values are available in the Azure AD integration application.  There are a number of others that I have not been able to find values for.

The first 3 items I have values for, the last 3 I do not.  Assistance with this would be appreciated.

  • Tenant ID is the Directory ID from Azure Active Directory.
  • Client ID is the Application ID from the registered application within the Azure Active Directory.
  • Client Secret is the registered application key for the corresponding application.
  • Cloud Application Security Token is the registered application key for the corresponding tenant.
  • Tenant Subdomain is the first component of the Cloud App Security Portal URL. For example, https://<tenant_subdomain>.<tenant_datacenter>
  • Tenant Data Center is the second component of the Cloud App Security Portal URL. For example, https://<tenant_subdomain>.<tenant_datacenter>

Splunk Employee

TL;DR = the last three parameters (Cloud App Security Token, Tenant Subdomain, and Tenant Data Center) are only used by the Cloud Application Security Input.  If you do not plan on using that input in the add-on, you can leave those fields blank.  If you do plan on using that input, here is a quick how-to about getting the needed values:

  • Log on to the Cloud App Security portal
  • Once logged in, go to Settings > Security extensions
  • Click the Add token button
  • Give the token a name and click Generate
  • The token will be displayed.  This is the only time the token will be displayed, by the way.
  • Copy the token, tenant subdomain (splunkpartner in my case), and data center (us3 in my case).

[Screenshots: image.png, image (1).png]


The first three parameters (Tenant ID, Client ID, and Client Secret) are used by the following inputs:

  • Management Activity
  • Service Status
  • Service Message
  • Graph API

The Microsoft 365 App has a good walkthrough about creating the Azure AD application registration and assigning the necessary permissions (it is in the Help > Setup Guide menu in the app).  If you are configuring additional Microsoft Cloud add-ons, here is a good reference for the necessary permissions needed along with sourcetypes and APIs used =>



Thx for posting @jconger, as I followed the instructions you laid out and was able to add a few Defender for Cloud App inputs - alerts and policies.



Hi @adamblock2 
Where can we see the "Cloud App Security Token"?


Splunk Employee

In the screenshot above, the API token is the value to use for the "Cloud App Security Token".


I am exactly in the same situation.

To get a token for value 4 we followed the following steps and used curl to get a token. Unfortunately, that token does not pass Splunk add-on validation but passed MS validation as a valid token.

We then tested the token with and it comes back as valid with proper roles.

For step 5 and 6 we used our assigned cloudapps url

like .


But still no luck. Since the app is Splunk built I hope they can help here.




We recently had a conversation with a MS support engineer who suggested that since we are just reading the logs, the Cloud Application Security Token, Tenant Subdomain,  and Tenant Data Center values may not be required.

I have not had an opportunity to test this yet, but I would suggest giving that a try.



I believe the last 3 are only needed in a multi tenant situation. Ran across this when ours expired and we had to update.

Submit a ticket to support asking them to update and clarify the documentation. That is the only way it will get changed. 



It's the same outcome with or without those URLs; it is the token validation part which seems either broken or needs something different.

I wish they had better documentation for this new requirement of a secret and cloud token.


Many customers will run into this once the secrets expire.
