Office 365 Azure configuration

[diogofgm]

I'm trying to setup an input for OAuth2 to connect to an Office 365 email account without success.

I'm using the user and password for the account and in the input I'm using the right tenant in the OAuth2 authority.

Errors I'm getting from splunk:

2023-02-10 17:22:13,325 ERROR pid=21961 tid=MainThread file=base_modinput.py:log_error:309 | get_dmarc_messages: No access token found for client ID: dmarc.report.failures@REDACTED.XXX - result {'error': 'unauthorized_client', 'error_description': "AADSTS700016: Application with identifier 'dmarc.report.failures' was not found in the directory 'REDACTED'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: xxxxxxxx-xxxx-xxxx-xxxx-7c5069335800\r\nCorrelation ID: xxxxxxxx-xxxx-xxxx-xxxx-ae9665091ecd\r\nTimestamp: 2023-02-10 17:22:13Z", 'error_codes': [700016], 'timestamp': '2023-02-10 17:22:13Z', 'trace_id': 'xxxxxxxx-xxxx-xxxx-xxxx-7c5069335800', 'correlation_id': 'xxxxxxxx-xxxx-xxxx-xxxx-ae9665091ecd', 'error_uri': 'https://login.microsoftonline.com/error?code=700016'}

Followed by:

2023-02-10 17:22:13,328 ERROR pid=21961 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-dmarc/bin/ta_dmarc/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-dmarc/bin/dmarc_imap_oauth2.py", line 104, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-dmarc/bin/input_module_dmarc_imap_oauth2.py", line 93, in collect_events
filelist = i2d.process_incoming()
File "/opt/splunk/etc/apps/TA-dmarc/bin/dmarc/imap2dir.py", line 344, in process_incoming
messages = self.get_dmarc_messages()
File "/opt/splunk/etc/apps/TA-dmarc/bin/dmarc/imap2dir.py", line 161, in get_dmarc_messages
info = self.server.select_folder(self.opt_imap_mailbox)
File "/opt/splunk/etc/apps/TA-dmarc/bin/imapclient/imapclient.py", line 763, in select_folder
self._command_and_check('select', self._normalise_folder(folder), readonly)
File "/opt/splunk/etc/apps/TA-dmarc/bin/imapclient/imapclient.py", line 1666, in _command_and_check
typ, data = meth(*args)
File "/opt/splunk/lib/python3.7/imaplib.py", line 745, in select
typ, dat = self._simple_command(name, mailbox)
File "/opt/splunk/lib/python3.7/imaplib.py", line 1196, in _simple_command
return self._command_complete(name, self._command(name, *args))
File "/opt/splunk/lib/python3.7/imaplib.py", line 944, in _command
', '.join(Commands[name])))
imaplib.IMAP4.error: command SELECT illegal in state NONAUTH, only allowed in states AUTH, SELECTED

What configurations do I need to do on the azure side to properly setup this up?

[hkelley]

The OAuth2 input uses client ID and secret (from an Azure service principal), not username and password.

[diogofgm]

Yes, I've used a client id and secret in the account configuration but I get a login failed message in the splunk logs. There is probably something missing in the azure app configuration. I'll update if I get some progress with this.

[hkelley]

I'd start by checking the Azure AD sign-in logs for your service principal. There were definitely a few setup steps when I set mine up. If memory serves, this was the page that helped me.

https://www.limilabs.com/blog/oauth2-client-credential-flow-office365-exchange-imap-pop3-smtp