Reporting

o365 Configuration

mailmetoramu
Explorer

Hello All,

Issue 1:

Looking at my configuration for O365 and we have everything enabled that we possibly can. I then checked the internal logs, and there is a message we are seeing pop up quite often which I will paste below. This indicates there may be a permissions issue in O365 that is not allowing us to pull certain events. The only documentation I can find on how to set that up is available here: https://docs.splunk.com/Documentation/AddOns/released/MSO365/ConfigureappinAzureAD

O365PortalError: 401:{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}

Issue 2 :

Also we are supposed to get an alert on "MaliciousEmailSubmission"when a user submitted phishing or malware email, even we are not getting that alert too.

Please let me know what may be issue here.

Thanks,

Ramu.R

Labels (1)
Tags (1)
0 Karma

ehowardl3
Path Finder

Check your Azure Active Directory licensing level. Microsoft's Azure Active Directory licensing requires either a Premium P1 or Premium P2 license to be able to pull event information through the Office 365 Management API. Microsoft does not grant permission to use the API to enable subscriptions for Free or Basic licensing options. Further information about Azure Active Directory licensing is available at: https://azure.microsoft.com/en-us/pricing/details/active-directory/

0 Karma

robinettdonWY
Path Finder

I saw this post... https://answers.splunk.com/answers/712405/splunk-add-on-for-o365.html

That states the

O365PortalError: 401:{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}

message is given if the optional DLP permissions are not granted.

I'm getting the same error and seeing no data. Right now I'm just trying to pull SharePoint Online audit data and have granted the following permissions.

Office 365 Management APIs (4)

ActivityFeed.Read  | Delegated |Read activity data for your organization | Yes |Granted for XXXX
ActivityReports.Read | Delegated | Read activity reports for your organization | Yes | Granted for XXXX 
ActivityReports.Read | Delegated | Read activity reports for your organization | Yes | Granted for XXXX
ServiceHealth.Read | Delegated | Read service health information for your organization | Yes | Granted for XXX

EDIT:
We fixed this and have data now; we missed applying the API permissions to the "Application Permissions" for the registered app and had only granted "Delegated Permissions"

mailmetoramu
Explorer

We currently have MS O365 EMS E3 License which includes Azure AD P1 licensing and enabled to all E3 licenses users.

0 Karma

robinettdonWY
Path Finder

I'm also seeing this issue. Since you use a Azure AD Registered App to grant access to the API and and P1 and P2 licenses are user account based; how would give a P1 license to a registered app?

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...