We have set up office365 monitoring and run into issues. Getting error: office365 probe is unable to connect to the Microsoft servers.
Office365Monitoringapp is not responding (reason: Connection and/or inventory update failure) {Could not retrieve OAuth access token for client with details [email protected].
The machine where the probe is deployed has internet access, and the profile state in the Admin Console shows the profile in a pending state.
- permissions
Release : 9.0.2
Component : UIM - OFFICE365
office365 v1.03
Various errors:
Caused by: javax.naming.ServiceUnavailableException: Could not retrieve OAuth access token for client with details [email protected][scope=user_impersonation,grantType=authorization_code,clientId=0bbfa4c6-6385-406a-aa77-176802ec86f2,[email protected] L7BF3m}yG}fxH?M7,accessToken=<null>,refreshToken=<null>,username=,authorityUrl=https://login.microsoftonline.com/021af73b-7bf8-4014-aa49-bcf0xxxxx9b1/oauth2/token/,resourceServer=https://manage.office.com,resourcePath=/api/v1.0/021af73b-7bf8-4014-aa49-bcf05c8e29b1/ServiceComms/CurrentStatus?$select=Id%2CStatus%2CIncidentIds,expiresAfter=0]
at com.ca.ce.auth.oauth2.common.OAuthUtils.updateAccessToken(OAuthUtils.java:93)
at com.ca.ce.auth.oauth2.ReadProfileInfo.oAuthCredentialLogin(ReadProfileInfo.java:30)
at com.nimsoft.probe.application.office365.impl.Office365StatusService.getResponseFromAPI(Office365StatusService.java:65)
at com.nimsoft.probe.application.office365.impl.Office365StatusService.<init>(Office365StatusService.java:50)
at com.nimsoft.probe.application.office365.Office365Probe.getUpdatedInventory(Office365Probe.java:484)
at com.nimsoft.probe.framework.genprobe.GenInventory.update(GenInventory.java:127)
... 14 more
First review the probe configuration in the Admin Console as per the help doc
Then follow these instructions:
Prerequisites
Check the Supported platforms and then start at Prerequisites...
Run through the entire process including:
- Verify the Global Administrator Rights of the Office 365 User
- Register Office365 Application in the Azure Active Directory
- How to register an app with the v2.0 endpoint
- Integrating Application with Azure Active Directory
- Register your application with your Azure Active Directory tenant
https://knowledge.broadcom.com/external/article/129444/office-365-user-account-requires-global.html
As far as information transfer is concerned, the office365 probe contacts the Microsoft URLs listed below over HTTPS to get the required data:
https://login.microsoftonline.com/
https://manage.office.com/
https://graph.windows.net
Also, please do make sure that the robot machine where the probe has been deployed is able to execute a telnet using the commands below:
telnet login.microsoftonline.com 443
telnet manage.office.com 443
telnet graph.windows.net 443
During connection validation, the probe runs the URL below.
In this case, however, during the inventory update the probe uses the URL below to collect the monitoring information and fails with 401 Unauthorized.
So it seems that in this case the user does not have the proper permission on this resource.
authorityUrl=https://login.microsoftonline.com/021af73b-7bf8-4014-aa49-bcf05xxxxxxx/oauth2/token/,resourceServer=https://manage.office.com,resourcePath=/api/v1.0/021af73b-7bf8-4014-aa49-bcf05c8e29b1/ServiceComms/CurrentStatus?$select=Id%2CStatus%2CIncidentIds
You must verify the permission, and also try the above URL with PowerShell.
If you get a 401 Unauthorized exception in PowerShell, e.g., This tenant doesn't have permission to access this resource https://manage.office.com/api/v1.0/021af73b-7bf8-4014-aa49-bcf05c8e29b1/ServiceComms/CurrentStatus?select=Id%2CStatus%2CIncidentIds
then this needs to be checked by the Office 365 admin/support team.
Below is the raw command, just as an example:
# Values of the application registered in Azure Active Directory
$ClientID = "0bbfa4c6-6385-406a-aa77-xxxxxxec86f2"
$ClientSecret = "uzwS9_-8hQE0Ixxxxxxxxxx_HrmPp72_Zq"
$loginURL = "https://login.microsoftonline.com/"
$tenantdomain = "CNMC.onmicrosoft.com"
$TenantGUID = "021af73b-7bf8-xxx4-xxxx-bcf05c8e29b1"
$resource = "https://manage.office.com/"
# Request an access token for the resource with the client credentials grant
$body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$oauth = Invoke-RestMethod -Method Post -Uri "$loginURL/$tenantdomain/oauth2/token?api-version=1.0" -Body $body
# Call the same ServiceComms URL the probe uses, presenting the token in the Authorization header
$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
Invoke-WebRequest -Headers $headerParams -Uri "$resource/api/v1.0/$tenantGUID/ServiceComms/CurrentStatus?select=Id%2CStatus%2CIncidentIds"
In the office365 log, you may see an error such as:
{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"5fe53a7f-d456-4e85-9a04-58557a88207b","date":"2020-08-17T15:54:55"}}
…
…
Caused by: org.apache.http.client.HttpResponseException: Failed : HTTP error code : HTTP/1.1 403 Forbidden
The Office 365 administrator should be able to check on this permissions error. You may find this URL helpful:
https://github.com/Azure-Samples/active-directory-java-graphapi-web/issues/4
To monitor Office365, global administrator permissions are required as per Microsoft documentation. User service accounts with limited permissions may not work.
If you see an error such as:
{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"869d87ef-11a5-4e0b-9706-f759bd1518a1","date":"2020-08-18T06:11:31"}} while accessing the resource "https://graph.windows.net".
Please provide the permission for the resource https://graph.windows.net
Finally, enable:
a) read application permission for the Graph API,
AND
b) delegated permission
https://knowledge.broadcom.com/external/article/145537/office365-probe-fails-with-connection-ab.html
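To see which permissions a token actually carries before handing a 401/403 to the Office 365 administrator, the following added example (not part of the original article or of the probe) decodes the token payload locally and reports the roles (application permission) and scp (delegated permission) claims. The function names and the constructed, unsigned sample token with placeholder GUIDs are assumptions for illustration.

```powershell
# Added example: inspect the permission claims of an Azure AD access token offline.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {               # restore the padding base64url strips
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid base64url segment length.' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-TokenPermission {
    param([Parameter(Mandatory)][string]$AccessToken)
    $segments = $AccessToken.Split('.')
    if ($segments.Count -ne 3) { throw 'Not a JWT: expected three dot-separated segments.' }
    $claims = ConvertFrom-Base64Url $segments[1] | ConvertFrom-Json
    $roles  = @($claims.roles | Where-Object { $_ })   # empty array when the claim is absent
    [pscustomobject]@{
        Audience   = $claims.aud        # should be the resource the probe calls
        TenantId   = $claims.tid
        AppId      = $claims.appid
        Roles      = $roles             # application permissions (client_credentials)
        Scopes     = $claims.scp        # delegated permissions (authorization_code)
        ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
        HasAppRole = ($roles.Count -gt 0)
    }
}

# Constructed sample token: placeholder GUIDs, no signature, and no "roles" claim.
function ConvertTo-Base64Url([string]$Text) {
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = '{"aud":"https://manage.office.com","tid":"00000000-0000-0000-0000-000000000000",' +
           '"appid":"11111111-1111-1111-1111-111111111111","exp":1893456000}'
$sample  = @((ConvertTo-Base64Url '{"alg":"none"}'), (ConvertTo-Base64Url $payload), 'constructed') -join '.'

$result = Get-TokenPermission -AccessToken $sample
$result | Format-List
if (-not $result.HasAppRole) {
    Write-Warning 'Token has no application roles: the app registration lacks a granted application permission for this resource.'
}
```

After running the raw command shown earlier, pass the real token with Get-TokenPermission -AccessToken $oauth.access_token and compare Audience, TenantId and Roles with what the app registration is expected to have.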
Here is the list of supported metrics for the office365 probe.
Probe documentation:
Only the above metrics can be monitored.
You will need to enable the metrics & alarms as per your requirements.