Throwing my 2 cents in here. We've been using the OAuth route since the beginning of the year without issue. We didn't start seeing the 401 error until 4/7. After the errors started on 4/7, it looked like the error was intermittent and ingestion continued until 4/10, at which point the errors became very persistent. Disabling the input and re-enabling seemed to have temporarily brought some relief, but the issue persists. Sometimes, based on the log, you can see the skiptoken successfully incrementing until it randomly hits the 401. Debug logs show successful retrieval of the access token and Azure AD logs confirm that the app isn't getting any auth failures. Ideally the consistency of the Microsoft endpoint improves, but maybe the Splunk Add-On for Microsoft Office 365 needs a better method to catch this error and retry instead of starting the collection again at the first message after every failure.