
Microsoft Azure Addon for Splunk throwing error "log_error:309 | _Splunk_ Unable to obtain access token"

akriti
Explorer

After configuring the addon as specified in the document, the error logs are showing "log_error:309 | _Splunk_ Unable to obtain access token". 

I have been unable to find what the root cause of this error might be. 

The addon has been installed on the IDM. 

Can anyone help me out with this issue?

0 Karma

akriti
Explorer

Hey @jwalzerpitt, thanks so much for letting me know! I followed what you did and I'm now getting the exact same error as you (HTTPError: 403 Client Error: Forbidden for url). I'm trying to troubleshoot it now.

Were you able to fix it?

0 Karma

jwalzerpitt
Influencer

So far I have not been able to fix it. If I do, I will definitely post the fix.

Thx

0 Karma

akriti
Explorer

Hey @jwalzerpitt 

I was able to fix the error. 

Added the Directory.Read.All in the API permissions along with the other permissions mentioned in the addon document for the sign-in input.

Earlier I had configured the API permissions with the type "delegated" on the Azure Portal but after changing it to type "Application" I'm getting all the sign-in data.

Hope this helps.
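
The fix described in the post above (Application rather than Delegated permissions) can be checked from the access token itself. The following Python sketch is an added example, not part of the thread or the add-on's code: it decodes a token's claims and lists which required application permissions are absent from the roles claim. It assumes the add-on authenticates with a client secret (client-credentials flow); REQUIRED_ROLES, diagnose and the sample tokens are constructed for illustration.

```python
import base64
import json

# Directory.Read.All is the permission named in the thread. AuditLog.Read.All is
# an assumption: the Graph permission that covers reading sign-in logs.
REQUIRED_ROLES = ("AuditLog.Read.All", "Directory.Read.All")


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims):
    """Build a constructed, unsigned JWT so the example runs offline."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.constructed"


def jwt_claims(token):
    """Decode the payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, required=REQUIRED_ROLES):
    """Report which required application permissions the token lacks."""
    claims = jwt_claims(token)
    roles = set(claims.get("roles", []))
    missing = sorted(set(required) - roles)
    if not missing:
        verdict = "ok"
    elif not roles:
        # App-only tokens carry Application permissions in "roles"; Delegated
        # grants never appear in a token obtained with a client secret.
        verdict = "no-application-permissions"
    else:
        verdict = "missing-roles"
    return {"verdict": verdict, "missing": missing, "roles": sorted(roles)}


if __name__ == "__main__":
    graph = "https://graph.microsoft.com"
    for claims in ({"aud": graph},
                   {"aud": graph, "roles": ["AuditLog.Read.All"]},
                   {"aud": graph, "roles": list(REQUIRED_ROLES)}):
        print(diagnose(make_sample_token(claims)))
```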

jwalzerpitt
Influencer

Thx for the reply and info, but I actually opened a case with Microsoft about this and they said the issue was on their side and that they just fixed it. 

I had all permissions and configs set correctly, but once they fixed their issue, sign in events/logs started to flow in.

 

Thx

0 Karma

jwalzerpitt
Influencer

I was also getting this error as well so I created a new client secret and double checked API permissions and I am now getting this error message:

 

Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_signins.py", line 92, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_signins.py", line 86, in collect_events
    sign_in_response = azutils.get_items_batch(helper, access_token, url)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 55, in get_items_batch
    raise e
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 49, in get_items_batch
    r.raise_for_status()
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
