Solved: Splunk Add-on for Microsoft Cloud Services: No per...

kmanson · ‎07-07-2016

No permission to fetch Azure AD Audit data. There might be some delay after changing the application permissions.
No permission to fetch Sharepoint Online Audit data. There might be some delay after changing the application permissions.
No permission to fetch Exchange Online Audit data. There might be some delay after changing the application permissions.

And yes, we have verified that the permissions below exist. Service Status and Operational Messages work, just not the rest. Any ideas?

http://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/ConfigureappinAzureAD#Create_an...

kmanson · ‎08-11-2016

Going to answer my own question since we got it working. I think it was because the permissions were granted after adding the account to Splunk.
Fixed by:
Removed Inputs config
Removed account config
Added account config
Added inputs config
Kept the certificate configuration as-is.

View solution in original post

kmanson · ‎08-11-2016

Going to answer my own question since we got it working. I think it was because the permissions were granted after adding the account to Splunk.
Fixed by:
Removed Inputs config
Removed account config
Added account config
Added inputs config
Kept the certificate configuration as-is.

andrewgarvin · ‎11-30-2016

Thank you!!! Removing and re-adding the account resolved this for me.

suarezry · ‎11-16-2016

This answer didn't work for me initially. After giving up in frustration I tried it again the next day for kicks and giggles...and it worked!!!

Splunk Add-on for Microsoft Cloud Services: No permission to fetch Azure AD Audit data.

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases