After configuring the addon as specified in the document, the error logs are showing "log_error:309 | _Splunk_ Unable to obtain access token".
I have been unable to find what the root cause of this error might be.
The addon has been installed on the IDM.
Can anyone help me out with this issue?
Hey @jwalzerpitt, thanks so much for letting me know! I followed what you did and I'm now getting the exact same error as you (HTTPError: 403 Client Error: Forbidden for url). I'm trying to troubleshoot it now.
Were you able to fix it?
So far I have not been able to fix it. If I do, I will definitely post the fix.
I was able to fix the error.
Added the Directory.Read.All in the API permissions along with the other permissions mentioned in the addon document for the sign-in input.
Earlier I had configured the API permissions with the type "delegated" on the Azure Portal but after changing it to type "Application" I'm getting all the sign-in data.
Hope this helps.
Thx for the reply and info, but I actually opened a case with Microsoft about this and they said the issue was on their side and that they just fixed it.
I had all permissions and configs set correctly, but once they fixed their issue, sign in events/logs started to flow in.
I was also getting this error as well so I created a new client secret and double checked API permissions and I am now getting this error message:
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_signins.py", line 92, in collect_events
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_signins.py", line 86, in collect_events
    sign_in_response = azutils.get_items_batch(helper, access_token, url)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 55, in get_items_batch
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 49, in get_items_batch
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
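
An added example, not part of any post above and not the add-on's own code: one way to check the delegated-versus-Application point from the thread is to decode the access token the app registration receives and look at its `roles` claim, which is where application permissions appear. The function names are hypothetical, the tokens are constructed samples, and `AuditLog.Read.All` is an assumption standing in for "the other permissions mentioned in the addon document".

```python
import base64
import json

# Directory.Read.All is named in the thread. AuditLog.Read.All is an assumption
# for the remaining permissions listed in the add-on document.
REQUIRED_ROLES = {"AuditLog.Read.All", "Directory.Read.All"}


def token_claims(access_token):
    """Return the JWT payload. The signature is NOT verified: diagnostics only."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected three dot-separated segments)")
    payload = parts[1]
    # JWT segments are base64url without padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def diagnose(access_token, required=REQUIRED_ROLES):
    """Report which application permissions the token is missing."""
    claims = token_claims(access_token)
    has_roles = "roles" in claims
    # Application permissions are listed under "roles". Permissions granted
    # only as Delegated never show up in an app-only token, so the claim is absent.
    missing = sorted(set(required) - set(claims.get("roles", [])))
    if not missing:
        hint = "token carries every required application permission"
    elif not has_roles:
        hint = "no roles claim: permissions are likely Delegated or lack admin consent"
    else:
        hint = "add the missing permissions as type Application and grant consent"
    return {"ok": not missing, "missing": missing, "hint": hint}


def make_sample_token(payload):
    """Build an unsigned, constructed JWT so the demo runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), "sig"])


if __name__ == "__main__":
    # Constructed sample payloads, not real tokens.
    samples = {
        "delegated-only setup": {"aud": "https://graph.microsoft.com"},
        "partial": {"roles": ["AuditLog.Read.All"]},
        "complete": {"roles": ["AuditLog.Read.All", "Directory.Read.All"]},
    }
    for name, payload in samples.items():
        print(name, diagnose(make_sample_token(payload)))
```

A token that passes this check and still returns 403 points away from the app registration's permissions.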