Splunk SOAR

Phantom MS Graph API for office 365

aiyede
Engager

Hi there, we are trying to configure MS Graph API for Office 365 to process emails from mailboxes. We created an Azure Enterprise Application and gave the required API access to the application. The administrator has done the consent in the Azure portal. However, when we try to connect to the app, it's still asking to do the 'test connection' and asks for admin consent. Is this a bug? And is there a way to use the Phantom app without this consent being done via the app (instead being done in the Azure portal)? Thanks


Iñigo
Explorer

Is there any update about this behaviour?
We have had an application generated, given adequate permissions in Azure Portal and had an admin give their consent. No matter what, the app doesn't connect.

We observed that the Azure application was granted "Application" type permissions by the admin (as required for our needs) but, during the test connectivity process, the SOAR's Graph app asks for "Delegated" type permissions. There is no place in the asset settings to define the permission type the app is asking for and, in our context, "Delegated" isn't acceptable.

Also, even while the admin has already given consent to the Azure app, the consent is asked once again through the login portal.

@lluebeck_splunk The token is written into the asset internal state file, but these files get frequently corrupted in many apps, so constant connectivity tests are needed.
@enfinality57 We are getting this error on a daily basis: "Error occurred while loading the state file due to its unexpected format. Resetting the state file with the default format." and token information gets lost.

From what I see in the source code this state file corruption happens in several connectors.

These kinds of errors should raise some kind of alert or appear somewhere in the system health given their impact on functionality, or at least be documented so external monitoring can be set up to take care of them.

0 Karma
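The Application versus Delegated distinction raised in the comment above can be checked on an issued token: Microsoft identity platform access tokens carry application permissions in the `roles` claim and delegated permissions in the `scp` claim. This is an added example, not part of the thread or of the SOAR connector's code; the function names are hypothetical and the sample tokens are constructed and unsigned.

```python
import base64
import json
import time


def decode_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))  # ValueError if malformed
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def permission_type(claims, now=None):
    """Classify a token by the claim that carries its permissions."""
    scopes = (claims.get("scp") or "").split()   # delegated: space-separated string
    roles = list(claims.get("roles") or [])      # application: list of app roles
    # scp is checked first: a delegated token may also carry roles for the user.
    kind = "delegated" if scopes else "application" if roles else "none"
    now = time.time() if now is None else now
    return {
        "kind": kind,
        "permissions": scopes or roles,
        "audience": claims.get("aud"),
        "expired": claims.get("exp", 0) <= now,
    }


def make_sample(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "constructed"])


# Constructed sample tokens (not real credentials).
APP_ONLY_TOKEN = make_sample(
    {"aud": "https://graph.microsoft.com", "roles": ["Mail.Read"], "exp": 2000000000})
DELEGATED_TOKEN = make_sample(
    {"aud": "https://graph.microsoft.com", "scp": "Mail.Read User.Read", "exp": 2000000000})

if __name__ == "__main__":
    for name, tok in [("app-only", APP_ONLY_TOKEN), ("delegated", DELEGATED_TOKEN)]:
        print(name, permission_type(decode_claims(tok)))
```

A result of `delegated` on a token obtained through the interactive consent flow would match the behaviour reported above, while a client-credentials token for the same Azure application would be expected to report `application`.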

lluebeck_splunk
Splunk Employee

To answer your question: No, this is the intended way to get this connection verified and established. By doing so a token will be generated and some information will be written to a Phantom internal state file.

0 Karma

enfinality57
Engager

So if this is the intended method of the MS Graph API, does this have to be done once a day? Once a week? Or every time you want to use the app within Phantom? What if you have a playbook using this app daily automatically?
