o365 Configuration

mailmetoramu
Explorer

Hello All,

Issue 1:

Looking at my configuration for O365, we have everything enabled that we possibly can. I then checked the internal logs, and there is a message we are seeing pop up quite often, which I will paste below. This indicates there may be a permissions issue in O365 that is not allowing us to pull certain events. The only documentation I can find on how to set that up is available here: https://docs.splunk.com/Documentation/AddOns/released/MSO365/ConfigureappinAzureAD

O365PortalError: 401:{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}

Issue 2:

Also, we are supposed to get an alert on "MaliciousEmailSubmission" when a user submits a phishing or malware email, but we are not getting that alert either.

Please let me know what the issue may be here.

Thanks,

Ramu.R


ehowardl3
Path Finder

Check your Azure Active Directory licensing level. Microsoft's Azure Active Directory licensing requires either a Premium P1 or Premium P2 license to be able to pull event information through the Office 365 Management API. Microsoft does not grant permission to use the API to enable subscriptions for Free or Basic licensing options. Further information about Azure Active Directory licensing is available at: https://azure.microsoft.com/en-us/pricing/details/active-directory/


robinettdonWY
Path Finder

I saw this post... https://answers.splunk.com/answers/712405/splunk-add-on-for-o365.html

That states the

O365PortalError: 401:{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}

message is given if the optional DLP permissions are not granted.

I'm getting the same error and seeing no data. Right now I'm just trying to pull SharePoint Online audit data and have granted the following permissions.

Office 365 Management APIs (4)

Permission | Type | Description | Admin consent required | Status
ActivityFeed.Read | Delegated | Read activity data for your organization | Yes | Granted for XXXX
ActivityReports.Read | Delegated | Read activity reports for your organization | Yes | Granted for XXXX
ActivityReports.Read | Delegated | Read activity reports for your organization | Yes | Granted for XXXX
ServiceHealth.Read | Delegated | Read service health information for your organization | Yes | Granted for XXX

EDIT:
We fixed this and have data now; we missed applying the API permissions under "Application Permissions" for the registered app and had only granted "Delegated Permissions".
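One way to check for exactly the mix-up described in the edit above (permissions added only under Delegated rather than Application), written here as an added example and not taken from the thread or from the add-on: parse the app registration's manifest (for instance the `requiredResourceAccess` block returned by `az ad app show --id <app-id>`) and report which of the permissions the add-on needs are requested as application roles. The resource id, permission GUIDs and GUID-to-name table below are constructed placeholders, not Microsoft's real values.

```python
# Constructed sample values (placeholders, not Microsoft's real GUIDs): the
# resource appId of the Office 365 Management APIs as it appears in the manifest,
# and a GUID->name table as exported from that resource's service principal.
O365_MGMT_RESOURCE_ID = "aaaaaaaa-0000-0000-0000-000000000001"
PERMISSION_NAMES = {
    "11111111-0000-0000-0000-000000000001": "ActivityFeed.Read",
    "11111111-0000-0000-0000-000000000002": "ActivityReports.Read",
    "11111111-0000-0000-0000-000000000003": "ServiceHealth.Read",
}
# The permissions the thread shows being granted for the add-on.
REQUIRED = {"ActivityFeed.Read", "ActivityReports.Read", "ServiceHealth.Read"}


def audit_permissions(manifest, resource_id=O365_MGMT_RESOURCE_ID,
                      names=PERMISSION_NAMES, required=REQUIRED):
    """Classify each required permission on the resource by how the app
    requests it: as an application permission ("Role"), only as a delegated
    permission ("Scope"), or not at all."""
    as_role, as_scope = set(), set()
    for res in manifest.get("requiredResourceAccess", []):
        if res.get("resourceAppId") != resource_id:
            continue  # permissions on other APIs (e.g. Graph) are irrelevant here
        for access in res.get("resourceAccess", []):
            name = names.get(access["id"], access["id"])
            if access["type"] == "Role":
                as_role.add(name)
            elif access["type"] == "Scope":
                as_scope.add(name)
    return {
        "application": sorted(required & as_role),
        "delegated_only": sorted((required & as_scope) - as_role),
        "missing": sorted(required - as_role - as_scope),
    }


def manifest_with(perm_type):
    """Build a constructed manifest requesting every known permission as perm_type."""
    return {"requiredResourceAccess": [{
        "resourceAppId": O365_MGMT_RESOURCE_ID,
        "resourceAccess": [{"id": guid, "type": perm_type} for guid in PERMISSION_NAMES],
    }]}


# The misconfiguration from the thread: everything granted as Delegated only.
BROKEN = manifest_with("Scope")
# The fix: the same permissions requested as Application permissions.
FIXED = manifest_with("Role")

if __name__ == "__main__":
    for label, m in (("delegated only", BROKEN), ("application", FIXED)):
        print(label, audit_permissions(m))
```

The manifest records only what the app requests; whether admin consent was actually granted has to be read from the service principal's role assignments, so treat an "application" result as necessary, not sufficient.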

mailmetoramu
Explorer

We currently have the MS O365 EMS E3 license, which includes Azure AD P1 licensing and is enabled for all E3 licensed users.


robinettdonWY
Path Finder

I'm also seeing this issue. Since you use an Azure AD registered app to grant access to the API, and P1 and P2 licenses are user-account based, how would you give a P1 license to a registered app?
