IBM Support

QRadar: "Unable to obtain a valid access token" error for Office 365 log source

Troubleshooting


Problem

In some cases, the Microsoft Office 365 log source goes into an error state with the error message: "Unable to obtain a valid access token. An attempt will be made again at the next retry interval."
This article provides information and commands to test the log source configuration.

Cause

The error Unable to obtain a valid access token means that QRadar is unable to pull the authentication token to access and collect events. When this error occurs, the issue is typically invalid credentials or permissions.

Resolving The Problem

The following sections contain commands to test the log source configuration.

1. How to retrieve the access token

This section contains the steps to test the credentials (client secret, client ID, and tenant ID) by requesting the access token.
  1. SSH to the QRadar console.
  2. Optional. If the Target Event Collector is a different host than the QRadar console, SSH to that QRadar host.
  3. Run the following command to pull the access token.
    • Replace <client secret>, <client ID>, and <tenant ID> with the corresponding information. The URL is quoted so that the shell does not interpret the angle brackets or the question mark.
    • If the client secret contains characters such as & or %, URL-encode it before placing it in the request body.
    • In some cases, the URLs login.microsoftonline.com and manage.office.com are different. Confirm the URL with your Microsoft Office admin.
    curl -d "client_secret=<client secret>&resource=https://manage.office.com&client_id=<client ID>&grant_type=client_credentials" -X POST "https://login.windows.net/<tenant ID>/oauth2/token"
    Output example for correct credentials:
    {"token_type":"Bearer","expires_in":"3599","ext_expires_in":"3599","expires_on":"1591045524",
    "not_before":"1591041624","resource":"https://manage.office.com","access_token":"eyJ0exxxx"}
    Note: The access token displayed in this example, eyJ0exxxx, is shortened.
  4. If you get the error code 7000215:
    {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. 
    Ensure the secret being sent in the request is the client secret value, not the client secret 
    ID, for a secret added to app 'xxxx'.\r\nTrace ID: xxx\r\nCorrelation ID: 1324567890\r\n
    Timestamp: 2022-09-22 13:44:16Z","error_codes":[7000215],"timestamp":"2022-09-22 13:44:16Z",
    "trace_id":"xxx","correlation_id":"xxx","error_uri":"https://login.microsoftonline.com/error?code=7000215"}
    
    This error is usually displayed when the administrator requests the access token with wrong credentials (client ID or client secret). Confirm that the correct client ID is used and that the client secret value, not the client secret ID, is sent in the command.

    Result
    If the credentials are correct, the token is displayed in the output.

2. How to stop and start a subscription

After the token is retrieved, it can be used to stop and start the subscription.
Start a subscription
This option is used to begin receiving notifications and retrieving activity data for a tenant.
Run the following command and replace <access token> with the access token and <tenant ID> with the tenant ID:
curl -d "" -H "Authorization: Bearer <access token>" -X POST "https://manage.office.com/api/v1.0/<tenant ID>/activity/feed/subscriptions/start?contentType=Audit.AzureActiveDirectory"
Stop a subscription
This option is used to stop retrieving data for a tenant.
Run the following command and replace <access token> with the access token and <tenant ID> with the tenant ID:
curl -d "" -H "Authorization: Bearer <access token>" -X POST "https://manage.office.com/api/v1.0/<tenant ID>/activity/feed/subscriptions/stop?contentType=Audit.AzureActiveDirectory"

If you get the error Authorization has been denied:

{"Message":"Authorization has been denied for this request."}

This error is displayed when the administrator tries to start or stop the subscription with a token that the API does not accept. Ensure that the URLs used to pull the token (the login URL and the resource URL https://manage.office.com) are correct.


Result
The administrator is able to start or stop a subscription by using the access token.

3. How to retrieve events from the server

To retrieve events from Microsoft Office 365 by using the token, run the following command. Replace <access token> with the access token and <tenant ID> with the tenant ID:

curl -H "Authorization: Bearer <access token>" -X GET "https://manage.office.com/api/v1.0/<tenant ID>/activity/feed/subscriptions/content?contentType=Audit.AzureActiveDirectory"
Notes:
The administrator can change the content type based on the events configured in Microsoft Office 365:
  • Exchange: contentType=Audit.Exchange
  • SharePoint: contentType=Audit.SharePoint
  • DLP: contentType=DLP.All

If you get the error code AF10001:

{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}

This error occurs when events are retrieved and means that the API permissions granted to the application are not set correctly. For QRadar to pull events, the following permissions are required:

  • Activity Feed
    • ActivityFeed.Read
    • ActivityFeed.ReadDlp
  • ServiceHealth
    • ServiceHealth.Read


Result
The administrator is able to pull events from Microsoft Office 365 by using the token. For more information, see Office 365 Management Activity API reference.
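The three checks above combined into one script, as an added example that is not IBM's or Microsoft's code: it sends the same requests as the curl commands and maps the responses shown in this article (token JSON, AADSTS7000215, "Authorization has been denied", AF10001) to the cause each section gives. The tenant ID, client ID and client secret are values you supply.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
# Added example, not IBM's or Microsoft's code. tenant_id, client_id and client_secret
# are values you supply; the URLs are the ones used by the curl commands in this article.
RESOURCE = "https://manage.office.com"

def request_json(url, method, body=None, token=None):
    """HTTP call returning the parsed JSON body for both 2xx and HTTP error responses."""
    headers = {"Authorization": "Bearer " + token} if token else {}
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)  # AADSTS and AF10001 errors arrive as JSON bodies

def get_token(tenant_id, client_id, client_secret):
    """Section 1: the client_credentials POST that the curl command sends."""
    body = urllib.parse.urlencode({"client_secret": client_secret, "resource": RESOURCE,
                                   "client_id": client_id, "grant_type": "client_credentials"})
    return request_json(f"https://login.windows.net/{tenant_id}/oauth2/token", "POST", body.encode())

def feed_call(tenant_id, token, action, content_type="Audit.AzureActiveDirectory"):
    """Sections 2 and 3: action is 'start' or 'stop' (POST) or 'content' (GET)."""
    url = (f"{RESOURCE}/api/v1.0/{tenant_id}/activity/feed/subscriptions/{action}"
           f"?contentType={content_type}")
    method = "GET" if action == "content" else "POST"
    return request_json(url, method, b"" if method == "POST" else None, token)

def diagnose(step, response):
    """Map a response from step 'token', 'subscription' or 'content' to the cause this article gives."""
    if step == "token":
        if "access_token" in response:
            return "ok: credentials are valid"
        if 7000215 in response.get("error_codes", []):
            return "invalid client ID or secret (use the secret value, not the secret ID)"
        return "token error: " + str(response.get("error_description", response))
    if step == "subscription":
        if str(response.get("Message", "")).startswith("Authorization has been denied"):
            return "token not accepted: check the login and resource URLs used to get it"
        return "ok: subscription " + str(response.get("status", "updated"))
    if step == "content":
        if isinstance(response, dict) and "error" in response:
            if response["error"].get("code") == "AF10001":
                return "missing permissions: ActivityFeed.Read, ActivityFeed.ReadDlp, ServiceHealth.Read"
            return "content error: " + str(response["error"].get("message", response))
        return "ok: %d content blobs available" % len(response)
    raise ValueError("unknown step: " + step)
```

Run the checks in order from the QRadar console or the target event collector: `diagnose("token", get_token(...))`, then `diagnose("subscription", feed_call(..., "start"))`, then `diagnose("content", feed_call(..., "content"))`.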


Document Information

Modified date:
29 June 2023

UID

ibm17000051