So we followed the instructions for the document to a T but when i do a search of the index, there's no data. We have an Azure AD Premium P1 and double checked the granted permissions and they're perfect.
https://splunkbase.splunk.com/app/3757/#/details
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-configure-prerequis...
Any tips on what to look for in terms of troubleshooting this? Or this because we haven't installed the add-on for the heavy forwarder?
Thanks