I am also curious, as it seems this issue isn't getting fixed. The short answer my Splunk team got from their Splunk rep was that the account that is forwarding to the Exchange app indexes needs to be in the same domain with the organizational management role in Exchange XD. I'm sorry, but the expectation that an Exchange team using this app would give full open-ended access to a service account just to forward admin audit logs is insane.