
Microsoft Azure Addon for Splunk throwing error "log_error:309 | _Splunk_ Unable to obtain access token"

akriti
Explorer

After configuring the addon as specified in the document, the error logs are showing "log_error:309 | _Splunk_ Unable to obtain access token". 

I have been unable to find what the root cause of this error might be. 

The addon has been installed on the IDM. 

Can anyone help me out with this issue?


akriti
Explorer

Hey @jwalzerpitt, thanks so much for letting me know! I followed what you did and I'm now getting the exact same error as you (HTTPError: 403 Client Error: Forbidden for url). I'm trying to troubleshoot it now.

Were you able to fix it?


jwalzerpitt
Influencer

So far I have not been able to fix it. If I do, I will definitely post the fix.

Thx


akriti
Explorer

Hey @jwalzerpitt 

I was able to fix the error. 

I added Directory.Read.All to the API permissions, along with the other permissions mentioned in the addon document for the sign-in input.

Earlier I had configured the API permissions with the type "Delegated" on the Azure Portal, but after changing it to type "Application" I'm getting all the sign-in data.

Hope this helps.
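
The Delegated versus Application difference described in the post above can be checked by decoding the access token issued to the app registration: application permissions appear in its roles claim, delegated ones do not. This is an added example, not part of the original posts or the add-on's code; the function names and sample token are constructed, and the required list defaults to the one permission named in this thread.

```python
import base64
import json


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, required=("Directory.Read.All",)):
    """Return (status, missing) for an app-only Microsoft Graph token.

    Application permissions appear in the 'roles' claim; delegated
    permissions appear in 'scp' and only in tokens issued for a signed-in user.
    """
    claims = jwt_claims(token)
    roles = set(claims.get("roles", []))
    missing = sorted(set(required) - roles)
    if not missing:
        return "ok", []
    if not roles:
        # Typical when permissions were added only as type "Delegated".
        return "no-application-roles", missing
    return "missing-roles", missing


def make_sample_token(claims):
    """Build an unsigned, constructed token for offline testing (not a real token)."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none", "typ": "JWT"}), b64(claims), "sig"])


if __name__ == "__main__":
    # Constructed token with no 'roles' claim, as in the delegated-only case.
    sample = make_sample_token({"aud": "https://graph.microsoft.com"})
    print(diagnose(sample))
```

An access token is a bearer credential, so decode it locally as here rather than pasting it into an online decoder or writing it to logs. Pass the full permission list from the add-on documentation as `required` to check every input's permissions at once.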

jwalzerpitt
Influencer

Thx for the reply and info, but I actually opened a case with Microsoft about this and they said the issue was on their side and that they just fixed it. 

I had all permissions and configs set correctly, but once they fixed their issue, sign in events/logs started to flow in.

 

Thx


jwalzerpitt
Influencer

I was also getting this error as well so I created a new client secret and double checked API permissions and I am now getting this error message:

 

Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_signins.py", line 92, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_signins.py", line 86, in collect_events
sign_in_response = azutils.get_items_batch(helper, access_token, url)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 55, in get_items_batch
raise e
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 49, in get_items_batch
r.raise_for_status()
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/requests/models.py", line 940, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
