Splunk SOAR (f.k.a. Phantom)

Phantom MS Graph API for office 365


Hi there, we are trying to configure MS Graph API for Office 365 to process emails from mailboxes. Created an Azure Enterprise Application and gave required api access to the application. Administrator has done the consent in the Azure portal. However when we try to connect to the app, it’s still asking to do the ‘test connection’ and asked admin consent. Is this a bug? And is there a way to use the phantom app without this consent being done via app (instead to be done in Azure portal)? thanks 

Labels (1)


Is there any update about this behaviour?
We have had an application generated, given adequate permissions in Azure Portal and had an admin give their consent. No matter what, the app doesn't connect.

We oberved that, the Azure application was granted "Application" type permissions by the admin (as required for our needs) but, during the test connectivity process, the SOAR's Graph app asks for "Delegated" type permissions. There is no place in the asset settings to define the permission type the app is asking for and, in our context, "Delegated" isn't acceptable.

Also, even while the admin has already given consent to the Azure app, the consent is asked once again throught the login portal.  @lluebeck_splunk The token is written into the asset internal state file, but these files get frequently corrupted in many apps, so constant connectivity tests are needed.
@enfinality57 We are getting this error on a daily basis: "Error occurred while loading the state file due to its unexpected format. Resetting the state file with the default format." and token information gets lost.

From what I see in the source code this state file corruption happens in several connectors.

These kind of errors should rise some kind of alert or appear somewhere in the system health given their impact on functionality, or at least be documented so external monitoring can be setup to take care of them.

0 Karma

Splunk Employee
Splunk Employee

To answer your question: No this is the intended way to get this connection verified and established. By doing so a token will be generated and some information will be written to a phantom internal state file.

0 Karma


So if this is the intended method of the MS Graph API, does this have to be done once a day? once a week? Or every time you want to use the app within phantom? What if you have a playbook using this APP daily automatically? 

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...