Microsoft Azure Active Directory Reporting Add-on for Splunk: Can this app be updated to support multiple tenants?

asvoboda
Explorer

Hi there,

It looks like this TA hardcodes the use of a single tenant into the config. Would it be possible to update the TA such that it can support multiple accounts?

We're trying to pull from two distinct tenants in Azure AD. Other TAs, such as the Splunk TA for AWS and the Microsoft Cloud Services TA, let you define multiple accounts and tie inputs.conf to those accounts.

It looks like, in ta_ms_aad_settings.conf.spec, that the TA only accepts a single client secret/id. The FR here is to treat these as named accounts and do something like the following that the mscs ta does.

 $ cat local/accounts.conf
 [splunk_azure_foo]
 account_class_type = 1
 client_id = client_id1
 client_secret = client_secret1
 tenant_id = tenant_id1

 [splunk_azure_bar]
 account_class_type = 1
 client_id = client_id2
 client_secret = client_secret2
 tenant_id = tenant_id2

So that in our inputs.conf we can target different named accounts and drop them into different indexes and collect that data with different credentials.

Happy to expand on my use case/examples further.

0 Karma
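
A sketch of the named-account binding requested above, as an added example that is not part of the original post or the add-on's own code. The inputs.conf stanza names and the `account` key are assumptions; the account stanzas reuse the post's placeholder values.

```python
import configparser

# Constructed samples; the inputs.conf stanza names and "account" key are assumptions.
ACCOUNTS_CONF = """
[splunk_azure_foo]
client_id = client_id1
client_secret = client_secret1
tenant_id = tenant_id1
[splunk_azure_bar]
client_id = client_id2
client_secret = client_secret2
tenant_id = tenant_id2
"""
INPUTS_CONF = """
[aad_signins://foo]
account = splunk_azure_foo
index = aad_foo
[aad_signins://bar]
account = splunk_azure_bar
index = aad_bar
[aad_signins://orphan]
account = splunk_azure_baz
index = aad_baz
"""
REQUIRED = ("client_id", "client_secret", "tenant_id")

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def resolve_inputs(accounts_text, inputs_text):
    """Bind each input to exactly one named account; reject dangling references."""
    accounts, inputs = _parse(accounts_text), _parse(inputs_text)
    resolved, errors = {}, []
    for stanza in inputs.sections():
        name = inputs[stanza].get("account", "")
        acct = accounts[name] if accounts.has_section(name) else {}
        missing = [k for k in REQUIRED if not acct.get(k)]
        if missing:
            errors.append(f"{stanza}: account {name!r} lacks {missing}")
            continue
        # Secret is not copied into the result, so logging it cannot leak it.
        resolved[stanza] = {
            "index": inputs[stanza].get("index", "main"),
            "account": name,
            "tenant_id": acct["tenant_id"],
        }
    return resolved, errors
```

An input that names an undefined account is reported in `errors` instead of silently falling back to another tenant's credentials.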

jconger
Splunk Employee

The add-on was updated to move the client ID and client secret to the input instead of as a global parameter. Also, the back-end API was updated to use Microsoft Graph instead of Azure AD Graph. Microsoft Graph exposes more data for Azure AD events like conditional access policies applied to logons.

0 Karma

mstjohn_splunk
Splunk Employee

Hi @asvoboda

Thanks for posting. Could you give us some more context for your question? Maybe give us some more details about what you are trying to do with this app? You have a much better chance of getting your question answered if you provide more information about your issue. Plus, it will help guide future community users who are facing a similar problem.

0 Karma

asvoboda
Explorer

Sure thing.

We're trying to pull from two distinct tenants in Azure AD. Other TAs, such as the Splunk TA for AWS and the Microsoft Cloud Services TA, let you define multiple accounts and tie inputs.conf to those accounts.

It looks like, in ta_ms_aad_settings.conf.spec, that the TA only accepts a single client secret/id. The FR here is to treat these as named accounts and do something like the following that the mscs ta does.

$ cat local/accounts.conf
[splunk_azure_foo]
account_class_type = 1
client_id = client_id1
client_secret = client_secret1
tenant_id = tenant_id1

[splunk_azure_bar]
account_class_type = 1
client_id = client_id2
client_secret = client_secret2
tenant_id = tenant_id2

so that in our inputs.conf we can target different named accounts and drop them into different indexes and collect that data with different credentials.

Happy to expand on my use case/examples further.

0 Karma

mstjohn_splunk
Splunk Employee

Thanks @asvoboda,

I moved the extra info up to the question, so it is more visible. Good luck getting your question answered!

0 Karma