Splunk Add-on for Microsoft Office 365 Reporting Web Service 2.0.0 404 ERROR- How to resolve?

Lia
Engager

We've upgraded this add-on to version 2.2.0 and are using Modern Authentication (OAuth). When configured on the HF, the internal log shows a 404 error as below:

127.0.0.1 - splunk-system-user [14/Aug/2022:20:08:03.558 -0700] "GET /servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Reporting_checkpointer/MDSLAB_obj_checkpoint_oauth HTTP/1.1" 404 140 "-" "curl" - 1ms

Does anybody know the cause of this error? Any solutions? Thanks.

jconger
Splunk Employee

That 404 error indicates a KV store issue.  Try cloning your input and then disabling or deleting the existing input.

0 Karma

kissmyuzi123
Engager

Having the same issue, keen to hear any solutions.

0 Karma

ljramv
Explorer

Hello, has anyone been able to configure the add-on with modern auth? I'm getting this same error along with 401 Client Error: Unauthorized for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc

I followed all the steps; the official MS doc also suggests adding the Security Reader role for the App Registration. Shouldn't there, in theory, be an option to specify the tenant along with the client ID and secret? Maybe @jconger might know this one.

Thanks for anyone's reply.

0 Karma

jconger
Splunk Employee

Setting up the permissions for this add-on is a two-step process:

  1. For the Azure AD app registration, add the ReportingWebService.Read.All API permission.
    • This can be found by going to APIs my organization uses => Office 365 Exchange Online. See the attached screenshot.
  2. The Azure AD app registration needs to be assigned a directory role.

message_trace_api_permissions.jpg

ljramv
Explorer

Thanks for your reply @jconger. I did try to recreate the input and restart splunkd on the forwarder. I've also given it the ReportingWebService.Read.All under Applications permissions as stated here https://docs.google.com/spreadsheets/d/1YJAqNmcXZU-7O9CxVKupOkR6q2S8TXriMeLAUMYmMs4/ as well as Exchange Administrator and Global Reader role.

Screenshot 2022-09-09 at 17.18.34.png

0 Karma

jconger
Splunk Employee

Was the API permission granted?

message_trace_api_granted.jpg

Also, was the role added at the directory level?

mesage_trace_roles.jpg

The input recreation suggestion was for the OP since they were getting a 404 on the KV store.

A question about the tenant was mentioned in the thread above.  The tenant is specified at the input level.  Are you setting up a "Microsoft Office 365 Message Trace (OAuth)" input?  That input requires the tenant ID; whereas, the "Microsoft Office 365 Message Trace (Basic Auth)" input does not.
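
A way to check the two conditions raised in the replies above (the ReportingWebService.Read.All permission actually being granted, and the tenant ID matching the one set on the input), as an added example that is not part of the thread or of the add-on's code. It assumes the access token issued for the app registration is an Azure AD JWT carrying the standard `roles` and `tid` claims; `check_token` and `make_sample_token` are hypothetical helper names, and the tenant ID and tokens are constructed.

```python
import base64
import json

REQUIRED_ROLE = "ReportingWebService.Read.All"  # API permission named in the thread


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified:
    this is a local diagnostic, not an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def check_token(token, expected_tenant_id):
    """List the configuration problems visible in the token's claims."""
    claims = decode_claims(token)
    problems = []
    # Assumption: app-only tokens list consented application permissions in "roles".
    if REQUIRED_ROLE not in (claims.get("roles") or []):
        problems.append("missing_role")
    # "tid" is the issuing tenant; compare it with the tenant ID set on the input.
    if str(claims.get("tid", "")).lower() != expected_tenant_id.lower():
        problems.append("tenant_mismatch")
    return problems


def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


TENANT = "00000000-0000-0000-0000-000000000001"  # constructed tenant ID
if __name__ == "__main__":
    ok = make_sample_token({"tid": TENANT, "roles": [REQUIRED_ROLE]})
    no_grant = make_sample_token({"tid": TENANT})
    print(check_token(ok, TENANT), check_token(no_grant, TENANT))
```

The directory role assignment from step 2 is not covered by this check; it only looks at the permission and tenant claims.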

ljramv
Explorer

Ah, there's the problem then, thank you. I did not create a new input but rather copied an existing one that was set up with basic auth. It makes more sense for the tenant field to be specified on the account along with the client and secret. Thanks anyway.

0 Karma