I have the same issue, followed the recommended permissions but I receive a 403. 2022-08-09 09:14:20,818 ERROR pid=656295 tid=MainThread file=base_modinput.py:log_error:316 | Get error when collecting events. Traceback (most recent call last): File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/lib/splunktaucclib/modinput_wrapper/base_modinput.py", line 140, in stream_events self.collect_events(ew) File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 355, in collect_events get_events_continuous(helper, ew) File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 96, in get_events_continuous message_response = get_messages(helper, microsoft_trace_url) File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 74, in get_messages raise e File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace_oauth.py", line 66, in get_messages r.raise_for_status() File "/opt/splunk/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status raise HTTPError(http_error_msg, response=self) requests.exceptions.HTTPError: 403 Client Error: for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-08-07T10:01:10Z'%20and%20EndDate%20eq%20datetime'2022-08-07T11:01:10Z' ... View more

I have MFA & Modern Auth enabled, and cannot use this add-on anymore. Role permissions are not the issue because I tested w/ Global Admin. I receive a 401 when visiting this site as others have mentioned: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace ... View more

Upvoting, I took the app and made changes necessary for Splunk Cloud approval but would prefer to leverage Splunkbase version. ... View more