Microsoft Azure Active Directory Reporting Add-on for Splunk: Can this app be updated to support multiple tenants?

asvoboda
Explorer

Hi there,

It looks like this TA hardcodes the use of a single tenant into the config. Would it be possible to update the TA such that it can support multiple accounts?

We're trying to pull from two distinct tenants in Azure AD. Other TAs, such as the Splunk TA for AWS and the Microsoft Cloud Services TA, let you define multiple accounts and tie inputs.conf to those accounts.

It looks like, in ta_ms_aad_settings.conf.spec, that the TA only accepts a single client secret/id. The FR here is to treat these as named accounts and do something like the following that the mscs ta does.

    $ cat local/accounts.conf
    [splunk_azure_foo]
    account_class_type = 1
    client_id = client_id1
    client_secret = client_secret1
    tenant_id = tenant_id1

    [splunk_azure_bar]
    account_class_type = 1
    client_id = client_id2
    client_secret = client_secret2
    tenant_id = tenant_id2

So that in our inputs.conf we can target different named accounts and drop them into different indexes and collect that data with different credentials.

Happy to expand on my use case/examples further.

0 Karma
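
The named-account layout requested above, as an added example that is not part of the original post or the add-on's own code: it resolves each input stanza to a named account and refuses inputs that reference an undefined or incomplete account. The inputs.conf stanza names and the `account` key are assumptions made for illustration; the accounts.conf sample is the one from the post.

```python
import configparser

# Constructed sample: the accounts.conf stanzas from the post above.
ACCOUNTS_CONF = """
[splunk_azure_foo]
account_class_type = 1
client_id = client_id1
client_secret = client_secret1
tenant_id = tenant_id1

[splunk_azure_bar]
account_class_type = 1
client_id = client_id2
client_secret = client_secret2
tenant_id = tenant_id2
"""

# Hypothetical inputs.conf: stanza names and the "account" key are assumptions.
INPUTS_CONF = """
[aad_signins://foo_signins]
account = splunk_azure_foo
index = aad_foo

[aad_signins://bar_signins]
account = splunk_azure_bar
index = aad_bar
"""

REQUIRED = ("client_id", "client_secret", "tenant_id")

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cp.read_string(text)
    return cp

def resolve_inputs(accounts_text, inputs_text):
    """Map each input to its account; the secret is never copied into the plan."""
    accounts, inputs = _parse(accounts_text), _parse(inputs_text)
    plan = {}
    for stanza in inputs.sections():
        name = inputs.get(stanza, "account", fallback=None)
        if name is None or not accounts.has_section(name):
            raise ValueError(f"{stanza}: unknown account {name!r}")
        missing = [k for k in REQUIRED if not accounts.get(name, k, fallback="").strip()]
        if missing:
            raise ValueError(f"account {name}: missing {missing}")
        plan[stanza] = {"account": name, "index": inputs.get(stanza, "index", fallback="main"),
                        "tenant_id": accounts.get(name, "tenant_id")}
    return plan
```

Each input ends up bound to exactly one tenant and one index, so data collected with different credentials stays separated.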

jconger
Splunk Employee

The add-on was updated to move the client ID and client secret to the input instead of as a global parameter. Also, the back-end API was updated to use Microsoft Graph instead of Azure AD Graph. Microsoft Graph exposes more data for Azure AD events like conditional access policies applied to logons.

0 Karma

mstjohn_splunk
Splunk Employee

Hi @asvoboda,

Thanks for posting. Could you give us some more context for your question? Maybe give us some more details about what you are trying to do with this app? You have a much better chance of getting your question answered if you provide more information about your issue. Plus, it will help guide future community users who are facing a similar problem.

0 Karma

asvoboda
Explorer

Sure thing.

We're trying to pull from two distinct tenants in Azure AD. Other TAs, such as the Splunk TA for AWS and the Microsoft Cloud Services TA, let you define multiple accounts and tie inputs.conf to those accounts.

It looks like, in ta_ms_aad_settings.conf.spec, that the TA only accepts a single client secret/id. The FR here is to treat these as named accounts and do something like the following that the mscs ta does.

    $ cat local/accounts.conf
    [splunk_azure_foo]
    account_class_type = 1
    client_id = client_id1
    client_secret = client_secret1
    tenant_id = tenant_id1

    [splunk_azure_bar]
    account_class_type = 1
    client_id = client_id2
    client_secret = client_secret2
    tenant_id = tenant_id2

so that in our inputs.conf we can target different named accounts and drop them into different indexes and collect that data with different credentials.

Happy to expand on my use case/examples further.

0 Karma

mstjohn_splunk
Splunk Employee

Thanks @asvoboda,

I moved the extra info up to the question, so it is more visible. Good luck getting your question answered!

0 Karma