Microsoft Azure Addon for Splunk throwing error "log_error:309 | _Splunk_ Unable to obtain access token"

akriti
Explorer

After configuring the addon as specified in the document, the error logs are showing "log_error:309 | _Splunk_ Unable to obtain access token". 

I have been unable to find what the root cause of this error might be. 

The addon has been installed on the IDM. 

Can anyone help me out with this issue?


akriti
Explorer

Hey @jwalzerpitt, thanks so much for letting me know! I followed what you did and I'm now getting the exact same error as you (HTTPError: 403 Client Error: Forbidden for url). I'm trying to troubleshoot it now.

Were you able to fix it?


jwalzerpitt
Influencer

So far I have not been able to fix it. If I do, I will definitely post the fix.

Thx


akriti
Explorer

Hey @jwalzerpitt 

I was able to fix the error. 

I added Directory.Read.All to the API permissions, along with the other permissions mentioned in the addon document for the sign-in input.

Earlier I had configured the API permissions with the type "delegated" on the Azure Portal, but after changing it to type "Application" I'm getting all the sign-in data.

Hope this helps.
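
An added example (not part of the thread, and not the add-on's own code): a local check of the claims inside a Microsoft Graph access token, showing whether application permissions actually reached the token after the change described above. It assumes the add-on authenticates with the client-credentials flow and that the sign-in input needs AuditLog.Read.All (per Microsoft Graph documentation) besides the Directory.Read.All named in the post; the sample tokens are constructed.

```python
import base64
import json

# Assumption: Directory.Read.All is named in the thread; AuditLog.Read.All is
# what Microsoft Graph documents for reading auditLogs/signIns.
REQUIRED_ROLES = {"AuditLog.Read.All", "Directory.Read.All"}


def decode_claims(token):
    """Return the JWT payload as a dict. No signature check: local triage only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, required=REQUIRED_ROLES):
    """Classify the token and list required application roles it lacks."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))    # application permissions land here
    scopes = claims.get("scp", "").split()  # delegated permissions land here
    if roles:
        kind = "application"
    elif scopes:
        kind = "delegated"
    else:
        kind = "no-permissions"  # app-only token, only delegated grants exist
    missing = sorted(set(required) - roles)
    return {"kind": kind, "missing_roles": missing, "ok": not missing}


def make_sample_token(claims):
    """Build an unsigned token for the demo (constructed, not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


# Constructed samples: before and after switching the grants to "Application".
BEFORE = make_sample_token({"aud": "https://graph.microsoft.com"})
AFTER = make_sample_token({"aud": "https://graph.microsoft.com",
                           "roles": ["AuditLog.Read.All", "Directory.Read.All"]})

if __name__ == "__main__":
    for name, tok in (("before", BEFORE), ("after", AFTER)):
        print(name, diagnose(tok))
```

Decode tokens on the host that obtained them rather than pasting a live token into an online decoder, since a bearer token is usable by anyone who holds it until it expires.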

jwalzerpitt
Influencer

Thx for the reply and info, but I actually opened a case with Microsoft about this and they said the issue was on their side and that they just fixed it. 

I had all permissions and configs set correctly, but once they fixed their issue, sign in events/logs started to flow in.

Thx

jwalzerpitt
Influencer

I was also getting this error as well, so I created a new client secret and double-checked API permissions, and I am now getting this error message:

Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_signins.py", line 92, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_signins.py", line 86, in collect_events
    sign_in_response = azutils.get_items_batch(helper, access_token, url)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 55, in get_items_batch
    raise e
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 49, in get_items_batch
    r.raise_for_status()
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
