Reporting

o365 Configuration

mailmetoramu
Explorer

Hello All,

Issue 1:

Looking at my configuration for O365, we have everything enabled that we possibly can. I then checked the internal logs, and there is a message we are seeing pop up quite often, which I will paste below. This indicates there may be a permissions issue in O365 that is not allowing us to pull certain events. The only documentation I can find on how to set that up is available here: https://docs.splunk.com/Documentation/AddOns/released/MSO365/ConfigureappinAzureAD

O365PortalError: 401:{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}

Issue 2:

Also, we are supposed to get an alert on "MaliciousEmailSubmission" when a user submits a phishing or malware email, but we are not getting that alert either.

Please let me know what the issue may be here.

Thanks,

Ramu.R


ehowardl3
Path Finder

Check your Azure Active Directory licensing level. Microsoft's Azure Active Directory licensing requires either a Premium P1 or Premium P2 license to be able to pull event information through the Office 365 Management API. Microsoft does not grant permission to use the API to enable subscriptions for Free or Basic licensing options. Further information about Azure Active Directory licensing is available at: https://azure.microsoft.com/en-us/pricing/details/active-directory/


robinettdonWY
Path Finder

I saw this post: https://answers.splunk.com/answers/712405/splunk-add-on-for-o365.html

It states that the

O365PortalError: 401:{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}

message is given if the optional DLP permissions are not granted.

I'm getting the same error and seeing no data. Right now I'm just trying to pull SharePoint Online audit data and have granted the following permissions.

Office 365 Management APIs (4)

| Permission           | Type      | Description                                            | Admin consent required | Status           |
| -------------------- | --------- | ------------------------------------------------------ | ---------------------- | ---------------- |
| ActivityFeed.Read    | Delegated | Read activity data for your organization               | Yes                    | Granted for XXXX |
| ActivityReports.Read | Delegated | Read activity reports for your organization            | Yes                    | Granted for XXXX |
| ActivityReports.Read | Delegated | Read activity reports for your organization            | Yes                    | Granted for XXXX |
| ServiceHealth.Read   | Delegated | Read service health information for your organization  | Yes                    | Granted for XXX  |

EDIT:
We fixed this and have data now; we missed applying the API permissions to the "Application Permissions" for the registered app and had only granted "Delegated Permissions".
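A small check for the misconfiguration this answer describes, added here as an example and not part of the original thread or of the Splunk add-on: it parses the quoted O365PortalError log line into its HTTP status, error code and message, and audits a list of permission grants (constructed to mirror the table above) to report whether each required permission is held as a Delegated grant only, as an Application grant still awaiting admin consent, as a consented Application grant, or not at all. The Grant record shape, the REQUIRED list and the sample grants are assumptions made for this example, not the add-on's own data format or documented requirements.

```python
"""Audit Azure AD app-registration grants for the Office 365 Management API.

Added example, not code from the forum thread or the Splunk add-on. The grant
records and the REQUIRED list below are constructed for illustration.
"""
import json
import re
from dataclasses import dataclass

# Matches add-on log lines of the form "O365PortalError: <status>:<json body>".
ERROR_RE = re.compile(r"O365PortalError:\s*(\d{3}):(\{.*\})\s*$")


def parse_portal_error(line):
    """Return {"status", "code", "message"} for a matching log line, else None."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    try:
        body = json.loads(m.group(2))
    except json.JSONDecodeError:
        return None
    err = body.get("error", {})
    return {"status": int(m.group(1)), "code": err.get("code"), "message": err.get("message")}


@dataclass(frozen=True)
class Grant:
    """One row of the app registration's API permissions list (assumed shape)."""
    api: str            # resource API, e.g. "Office 365 Management APIs"
    permission: str     # e.g. "ActivityFeed.Read"
    kind: str           # "Delegated" or "Application"
    admin_consent: bool # whether admin consent has been granted


def audit_grants(grants, required, api="Office 365 Management APIs"):
    """Classify each required permission by how the app currently holds it.

    The poster's fix shows the add-on needs Application permissions: the app
    authenticates as itself rather than on behalf of a signed-in user, so a
    Delegated grant alone does not satisfy the requirement.
    """
    result = {"ok": [], "consent_pending": [], "delegated_only": [], "missing": []}
    for perm in required:
        matches = [g for g in grants if g.api == api and g.permission == perm]
        app = [g for g in matches if g.kind == "Application"]
        if any(g.admin_consent for g in app):
            result["ok"].append(perm)
        elif app:
            result["consent_pending"].append(perm)
        elif matches:
            result["delegated_only"].append(perm)
        else:
            result["missing"].append(perm)
    return result


API = "Office 365 Management APIs"

# Constructed sample: the Delegated-only state described in the post above.
BEFORE = [
    Grant(API, "ActivityFeed.Read", "Delegated", True),
    Grant(API, "ActivityReports.Read", "Delegated", True),
    Grant(API, "ServiceHealth.Read", "Delegated", True),
]

# Constructed sample: the same app after adding Application grants with consent.
AFTER = BEFORE + [
    Grant(API, "ActivityFeed.Read", "Application", True),
    Grant(API, "ServiceHealth.Read", "Application", True),
]

# Assumption for this example: the permissions the add-on must hold as
# Application grants. Check the add-on documentation for the real list.
REQUIRED = ["ActivityFeed.Read", "ServiceHealth.Read"]

# The log line quoted in the thread.
LOG_LINE = ('O365PortalError: 401:{"error":{"code":"AF10001","message":"The permission '
            'set () sent in the request does not include the expected permission."}}')

if __name__ == "__main__":
    print("parsed error:", parse_portal_error(LOG_LINE))
    print("before fix:  ", audit_grants(BEFORE, REQUIRED))
    print("after fix:   ", audit_grants(AFTER, REQUIRED))
```

Run against the BEFORE sample the audit lists both required permissions under delegated_only, which is exactly the state the AF10001 error was reported in; against AFTER both move to ok. The consent_pending bucket catches the other common case, where the Application permission has been added but an administrator has not yet granted consent.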

mailmetoramu
Explorer

We currently have the MS O365 EMS E3 license, which includes Azure AD P1 licensing, and it is enabled for all E3-licensed users.

robinettdonWY
Path Finder

I'm also seeing this issue. Since you use an Azure AD registered app to grant access to the API, and P1 and P2 licenses are user-account based, how would you give a P1 license to a registered app?