Hi there,
It looks like this TA hardcodes the use of a single tenant into the config. Would it be possible to update the TA such that it can support multiple accounts?
We're trying to pull from two distinct tenants in Azure AD. Other TAs, such as the Splunk TA for AWS and the Microsoft Cloud Services TA, let you define multiple accounts, and tie inputs.conf to those accounts.
It looks like, in ta_ms_aad_settings.conf.spec, that the TA only accepts a single client secret/id. The FR here is to treat these as named accounts and do something like the following that the MSCS TA does.
$ cat local/accounts.conf
[splunk_azure_foo]
account_class_type = 1
client_id = client_id1
client_secret = client_secret1
tenant_id = tenant_id1
[splunk_azure_bar]
account_class_type = 1
client_id = client_id2
client_secret = client_secret2
tenant_id = tenant_id2
So that in our inputs.conf we can target different named accounts and drop them into different indexes and collect that data with different credentials.
Happy to expand on my use case/examples further.
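A sketch of how the named-account layout requested above could be resolved and sanity-checked, as an added example that is not code from the add-on or from the original poster. The inputs.conf stanza names, the `aad://` scheme, the `account` key and the function names are assumptions made for illustration.

```python
import configparser
# Constructed sample: the accounts.conf layout from the question.
ACCOUNTS_CONF = """
[splunk_azure_foo]
account_class_type = 1
client_id = client_id1
client_secret = client_secret1
tenant_id = tenant_id1
[splunk_azure_bar]
account_class_type = 1
client_id = client_id2
client_secret = client_secret2
tenant_id = tenant_id2
"""
# Hypothetical inputs.conf: the scheme, stanza names and "account" key are assumptions.
INPUTS_CONF = """
[aad://foo_signins]
account = splunk_azure_foo
index = azure_foo
[aad://bar_signins]
account = splunk_azure_bar
index = azure_foo
[aad://orphan]
account = splunk_azure_baz
index = azure_baz
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cp.read_string(text)
    return cp

def resolve_inputs(accounts_text, inputs_text):
    """Map each input to its named account; the client secret is left out of the result."""
    accounts, inputs = _parse(accounts_text), _parse(inputs_text)
    resolved, problems, index_tenant = {}, [], {}
    for name in inputs.sections():
        acct = inputs[name].get("account")
        index = inputs[name].get("index", "main")
        if acct not in accounts:
            problems.append(f"{name}: unknown account {acct!r}")
            continue
        tenant = accounts[acct]["tenant_id"]
        # Flag data from two different tenants landing in the same index.
        prev = index_tenant.setdefault(index, tenant)
        if prev != tenant:
            problems.append(f"{name}: index {index!r} already holds tenant {prev!r}")
        resolved[name] = {"tenant_id": tenant, "client_id": accounts[acct]["client_id"], "index": index}
    return resolved, problems
```

Running `resolve_inputs(ACCOUNTS_CONF, INPUTS_CONF)` on the constructed sample reports the input that points at an undefined account and the one that mixes two tenants in a single index.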
The add-on was updated to move the client ID and client secret to the input instead of as a global parameter. Also, the back-end API was updated to use Microsoft Graph instead of Azure AD Graph. Microsoft Graph exposes more data for Azure AD events like conditional access policies applied to logons.
Hi @asvoboda
Thanks for posting. Could you give us some more context for your question? Maybe give us some more details about what you are trying to do with this app? You have a much better chance of getting your question answered if you provide more information about your issue. Plus, it will help guide future community users who are facing a similar problem.
Sure thing.
We're trying to pull from two distinct tenants in Azure AD. Other TAs, such as the Splunk TA for AWS and the Microsoft Cloud Services TA, let you define multiple accounts, and tie inputs.conf to those accounts.
It looks like, in ta_ms_aad_settings.conf.spec, that the TA only accepts a single client secret/id. The FR here is to treat these as named accounts and do something like the following that the MSCS TA does.
$ cat local/accounts.conf
[splunk_azure_foo]
account_class_type = 1
client_id = client_id1
client_secret = client_secret1
tenant_id = tenant_id1
[splunk_azure_bar]
account_class_type = 1
client_id = client_id2
client_secret = client_secret2
tenant_id = tenant_id2
so that in our inputs.conf we can target different named accounts and drop them into different indexes and collect that data with different credentials.
Happy to expand on my use case/examples further.
Thanks @asvoboda,
I moved the extra info up to the question, so it is more visible. Good luck getting your question answered!