I am in the process of trying to configure a Tenant in this add-on. Some of the required values are available in the Azure AD integration application. There are a number of others that I have not been able to find values for.
The first 3 items I have values for, the last 3 I do not. Assistance with this would be appreciated.
TL;DR = the last three parameters (Cloud App Security Token, Tenant Subdomain, and Tenant Data Center) are only used by the Cloud Application Security Input. If you do not plan on using that input in the add-on, you can leave those fields blank. If you do plan on using that input, here is a quick how-to about getting the needed values:
The first three parameters (Tenant ID, Client ID, and Client Secret) are used by the following inputs:
The Microsoft 365 App has a good walkthrough about creating the Azure AD application registration and assigning the necessary permissions (it is in the Help > Setup Guide menu in the app). If you are configuring additional Microsoft Cloud add-ons, here is a good reference for the necessary permissions needed along with sourcetypes and APIs used => http://bit.ly/Splunk_Azure_Permissions
I am exactly in the same situation.
To get a token for value 4 we followed the following steps and used curl to get a token, unfortunately that token does not pass Splunk addon validation but passed ms validation as valid token .
We then tested the token with jwt.ms and it comes back as valid with proper roles.
For step 5 and 6 we used our assigned cloudapps url
But still no luck. Since the app is Splunk built I hope they can help here.
We recently had a conversation with a MS support engineer who suggested that since we are just reading the logs, the Cloud Application Security Token, Tenant Subdomain, and Tenant Data Center values may not be required.
I have not had an opportunity to test this yet, but I would suggest giving that a try.
I believe the last 3 are only needed in a multi tenant situation. Ran across this when ours expired and we had to update.
Submit a ticket to support asking them to update and clarify the documentation. That is the only way it will get changed.
its the same outcome with or without those URL's is the token validation part which seems either broken or needs something different.
I wish they had a better documentation for this new requirement of a secret and cloud token.
Many customers will run into this once the secrets expire.