Sounds like there is some more configuration you need to do on the Azure side for the API piece. You don't need the redirect URL internet facing from what I can tell from our setup. The app just needs to be able to reach out via 443 and have the open session. Possibly using the wrong ID string when you set up the Azure API piece for the app/Splunk configuration?
v2.1.0 in https://splunkbase.splunk.com/app/3110/ supports it supposedly. I updated the app... and in the MS app > inputs > edit your O365 API input > click on the data blank space field and Audit/General shows up to choose > click on it. Save. Wait. I'm keeping my fingers crossed...
I just figured this out for our configurations... basically the inputs were under a different app context. I went into each input we had set up and changed it back to the DB Connect app.
I had to have our Azure admin enter his creds while remoted into my PC when I was setting up the app's configs/API integrations, when it prompted to sign in after setting the API key etc. for the app to use.
I created essentially a shell named index within the GUI (Settings > Indexes) on the hvy fwdr box called mscloud within the "Splunk_TA_microsoft-cloudservices" app context so that within the mscloud setup pieces you can choose that index. With forwarding set up correctly, it doesn't go to the local index, but would auto-forward onto the index cluster under the mscloud index name.
Double check to see if your O365 tenant has DLP policies enabled for at least testing/monitor only, and the DLP policy items show up under:
sourcetype - ms:o365:management
user=DlpAgent
I had our O365 admin use his Admin acct to auth in an incognito window after hitting add. It then has the admin prompt for the access the API/app needs, hit OK... Splunk app then adds fine.
Once you configure the API items for the O365 piece, it prompts for the O365 admin to log in to grant the Splunk app the access it needs... it then auto-populates the tenant ID automatically after the token/authentication pieces go through.