office365 monitoring errors

Article ID: 197620

Updated On:

Products

  • DX Unified Infrastructure Management (Nimsoft / UIM)
  • CA Unified Infrastructure Management On-Premise (Nimsoft / UIM)
  • CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

We have set up office365 monitoring and run into issues.

Getting error:

office365 probe is unable to connect to the Microsoft servers.
Office365Monitoringapp is not responding (reason: Connection and/or inventory update failure) {Could not retrieve OAuth access token for client with details <client details>

Various errors:

Caused by: javax.naming.ServiceUnavailableException: Could not retrieve OAuth access token for client with details <client_details>@xxxxxxxx[scope=user_impersonation,grantType=authorization_code,clientId=?????,clientSecret=?????@?????.onmicrosoft.com ????,accessToken=<null>,refreshToken=<null>,username=,authorityUrl=https://login.microsoftonline.com/??/xxxxxxxx/,resourceServer=<url>,resourcePath=/api/v1.0/??/ServiceComms/CurrentStatus?$select=Id%2CStatus%2CIncidentIds,expiresAfter=0] 
 ...
 at com.nimsoft.probe.framework.genprobe.GenInventory.update(GenInventory.java:127) 
 ... 14 more 

The machine where the probe is deployed has internet access, and the Admin Console shows the profile in a pending state.

Environment

  • Release: 9.0.2 or higher
  • Component: UIM - OFFICE365
  • office365 v1.03

Cause

  • permissions

Resolution

First, review the probe configuration in the Admin Console as per the help doc:

office365 AC Configuration

Then follow these instructions:

office365 (Office 365 Monitoring) Release Notes

Prerequisites

Check the Supported platforms and then start at Prerequisites...

office365 prerequisites

Run through the entire process including:

  1. Verify the Global Administrator Rights of the Office 365 User
  2. Register Office365 Application in the Azure Active Directory
  3. How to register an app with the v2.0 endpoint
  4. Integrating Application with Azure Active Directory
  5. Register your application with your Azure Active Directory tenant

Office 365 User Account requires Global Administrator Rights

As far as information transfer is concerned, the office365 probe calls the Microsoft URLs listed below over HTTPS to get the required data:

  https://login.microsoftonline.com/

  https://manage.office.com/

  https://graph.windows.net

Also, make sure that the robot machine where the probe has been deployed can connect to each host on port 443, using the telnet commands below:

  telnet login.microsoftonline.com 443

  telnet manage.office.com 443

  telnet graph.windows.net 443

 

During connection validation, the probe uses a URL and tries to log in.

When it uses the URL, it tries to collect the monitoring information and fails with 401 Unauthorized.

So it seems that, in this case, the user does not have the proper permission on this resource.

Verify the permission, and also try the URL with PowerShell.

Office 365 Management Activity API FAQs and troubleshooting 

If you get a 401 Unauthorized exception in PowerShell, e.g., "This tenant doesn't have permission to access this resource.", then this needs to be checked by the Office 365 admin/support team.

Below is the raw command, just as an example:

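# Placeholder values: replace with your app registration and tenant details
$ClientID = "xxxxx"
$ClientSecret = "xxxxx"
$loginURL = "https://login.microsoftonline.com/"
$tenantdomain = "xxxxx.onmicrosoft.com"
$TenantGUID = "xxxxx"
$resource = "https://manage.office.com/"
# Request an app-only token with the client credentials grant
$body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
# TrimEnd('/') avoids a double slash when the base URLs end in "/"
$oauth = Invoke-RestMethod -Method Post -Uri "$($loginURL.TrimEnd('/'))/$tenantdomain/oauth2/token?api-version=1.0" -Body $body
$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
# Call the ServiceComms endpoint the probe uses; the backtick keeps $select literal inside the quoted string
Invoke-WebRequest -Headers $headerParams -Uri "$($resource.TrimEnd('/'))/api/v1.0/$TenantGUID/ServiceComms/CurrentStatus?`$select=Id%2CStatus%2CIncidentIds"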
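
When the token request above succeeds but the API call still returns 401 or 403, the claims inside the token show what was actually granted. The following is an added example, not part of the original article or the probe: it decodes an Azure AD app-only access token offline and flags an audience or tenant mismatch, a missing "roles" claim (no application permissions consented), or expiry. The function names and the sample token are constructed for illustration; pass $oauth.access_token in place of $sample.

```powershell
# Added example: offline inspection of an Azure AD app-only access token.
# Function names are hypothetical; the sample token is constructed and unsigned.
function ConvertFrom-Base64Url([string]$Text) {
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    $b64 += '=' * ((4 - $b64.Length % 4) % 4)   # restore stripped padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-JwtClaims([string]$Token) {
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-TokenClaims {
    param([string]$Token, [string]$Resource, [string]$TenantGuid)
    $c = Get-JwtClaims $Token
    $findings = @()
    if ("$($c.aud)".TrimEnd('/') -ne $Resource.TrimEnd('/')) {
        $findings += "aud '$($c.aud)' does not match resource '$Resource'"
    }
    if ("$($c.tid)" -ne $TenantGuid) {
        $findings += "tid '$($c.tid)' does not match the tenant GUID in the request URL"
    }
    if (-not $c.roles) {
        $findings += "no 'roles' claim: no application permissions granted or consented"
    }
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$c.exp)
    if ($expires -lt [DateTimeOffset]::UtcNow) { $findings += "token expired at $expires" }
    [pscustomobject]@{ Audience = $c.aud; Tenant = $c.tid; Roles = @($c.roles); Findings = $findings }
}

# Constructed sample standing in for $oauth.access_token (placeholder tenant, no roles).
function New-SampleToken([hashtable]$Claims) {
    $enc = {
        param($o)
        $json = $o | ConvertTo-Json -Compress
        [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    "$(& $enc @{ alg = 'none'; typ = 'JWT' }).$(& $enc $Claims).constructed-sample"
}

$tenant = '00000000-0000-0000-0000-000000000000'
$sample = New-SampleToken @{ aud = 'https://manage.office.com'; tid = $tenant; exp = 4102444800 }
Test-TokenClaims -Token $sample -Resource 'https://manage.office.com/' -TenantGuid $tenant | Format-List
```

An access token is a bearer credential, so decode it locally as shown here and keep it out of tickets, chat and online decoders.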

 

In the office365 log, you may see an error such as:

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"5fe53a7f-d456-4e85-9a04-58557a88207b","date":"2020-08-17T15:54:55"}}

Caused by: org.apache.http.client.HttpResponseException: Failed : HTTP error code : HTTP/1.1 403 Forbidden

 

The Office 365 administrator should be able to check on this permissions error. You may find this URL helpful:

Getting Message "Insufficient privileges to complete the operation" for all operations on users #4

To monitor Office365, global administrator permissions are required as per Microsoft documentation. User service accounts with limited permissions may not work.

 

If you see an error such as:

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"869d87ef-11a5-4e0b-9706-f759bd1518a1","date":"2020-08-18T06:11:31"}} while accessing the resource "https://graph.windows.net".

 

Please provide the permission for resource https://graph.windows.net

 

Finally, enable:

a) read application permission for graph API,

AND

b) delegate permission

Additional Information

office365 probe fails with "connection abort" or "connection reset"

Here is the list of supported metrics for the office365 probe.

office365 Metrics

Probe documentation:

office365 AC Configuration

Only the above metrics can be monitored.

You will need to enable the metrics & alarms as per your requirements.