Microsoft Azure Addon for Splunk throwing error "log_error:309 | _Splunk_ Unable to obtain access token"

akriti
Explorer

After configuring the addon as specified in the document, the error logs are showing "log_error:309 | _Splunk_ Unable to obtain access token". 

I have been unable to find what the root cause of this error might be. 

The addon has been installed on the IDM. 

Can anyone help me out with this issue?

akriti
Explorer

Hey @jwalzerpitt, thanks so much for letting me know! I followed what you did and I'm now getting the exact same error as you (HTTPError: 403 Client Error: Forbidden for url). I'm trying to troubleshoot it now.

Were you able to fix it?

jwalzerpitt
Motivator

So far I have not been able to fix it. If I do, I will definitely post the fix.

Thx

akriti
Explorer

Hey @jwalzerpitt 

I was able to fix the error. 

Added the Directory.Read.All in the API permissions along with the other permissions mentioned in the addon document for the sign-in input.

Earlier I had configured the API permissions with the type "delegated" on the Azure Portal, but after changing it to type "Application", I'm getting all the sign-in data.

Hope this helps.
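
An added example, not part of the original thread or the add-on's own code: a small Python check that decodes a Microsoft Graph access token's payload and reports whether the needed application permissions appear in its `roles` claim (delegated permissions appear in `scp` instead). `AuditLog.Read.All` as the sign-in log permission, the function names, and the unsigned sample tokens are assumptions constructed for illustration.

```python
import base64
import json

# Directory.Read.All is named in the thread; AuditLog.Read.All is assumed
# here as the permission covering the sign-in log endpoint.
REQUIRED_ROLES = {"AuditLog.Read.All", "Directory.Read.All"}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only (signature is NOT verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, required=REQUIRED_ROLES) -> dict:
    """Report which required application permissions the token lacks."""
    claims = jwt_claims(token)
    roles = set(claims.get("roles", []))         # application permissions
    scopes = set(claims.get("scp", "").split())  # delegated permissions
    missing = set(required) - roles
    return {
        "app_only": bool(roles) and not scopes,
        "missing_roles": sorted(missing),
        "granted_only_as_delegated": sorted(missing & scopes),
    }


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed test data, not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    samples = {
        "no roles claim": {"aud": "https://graph.microsoft.com"},
        "delegated": {"scp": "AuditLog.Read.All Directory.Read.All"},
        "application": {"roles": ["AuditLog.Read.All", "Directory.Read.All"]},
    }
    for name, claims in samples.items():
        print(name, diagnose(constructed_token(claims)))
```

A token obtained with a client secret that shows no `roles` claim means no application permission has been granted admin consent for the app registration. Treat real tokens as secrets and do not paste them into logs or third-party decoders.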

jwalzerpitt
Motivator

Thx for the reply and info, but I actually opened a case with Microsoft about this and they said the issue was on their side and that they just fixed it. 

I had all permissions and configs set correctly, but once they fixed their issue, sign in events/logs started to flow in.

Thx

jwalzerpitt
Motivator

I was also getting this error as well, so I created a new client secret and double-checked API permissions, and I am now getting this error message:

Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_signins.py", line 92, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_signins.py", line 86, in collect_events
    sign_in_response = azutils.get_items_batch(helper, access_token, url)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 55, in get_items_batch
    raise e
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 49, in get_items_batch
    r.raise_for_status()
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
