office365 monitoring errors

Article ID: 197620

Products

NIMSOFT PROBES DX Infrastructure Management

Issue/Introduction

We have set up office365 monitoring and run into issues. Getting error: office365 probe is unable to connect to the Microsoft servers.
Office365Monitoringapp is not responding (reason: Connection and/or inventory update failure) {Could not retrieve OAuth access token for client with details [email protected].

The machine where the probe is deployed has internet access, and the profile state in the Admin Console shows the profile in a pending state.

Cause

- permissions

Environment

Release : 9.0.2

Component : UIM - OFFICE365

office365 v1.03

Resolution

Various errors:

Caused by: javax.naming.ServiceUnavailableException: Could not retrieve OAuth access token for client with details [email protected][scope=user_impersonation,grantType=authorization_code,clientId=0bbfa4c6-6385-406a-aa77-176802ec86f2,[email protected] L7BF3m}yG}fxH?M7,accessToken=<null>,refreshToken=<null>,username=,authorityUrl=https://login.microsoftonline.com/021af73b-7bf8-4014-aa49-bcf0xxxxx9b1/oauth2/token/,resourceServer=https://manage.office.com,resourcePath=/api/v1.0/021af73b-7bf8-4014-aa49-bcf05c8e29b1/ServiceComms/CurrentStatus?$select=Id%2CStatus%2CIncidentIds,expiresAfter=0] 
 at com.ca.ce.auth.oauth2.common.OAuthUtils.updateAccessToken(OAuthUtils.java:93) 
 at com.ca.ce.auth.oauth2.ReadProfileInfo.oAuthCredentialLogin(ReadProfileInfo.java:30) 
 at com.nimsoft.probe.application.office365.impl.Office365StatusService.getResponseFromAPI(Office365StatusService.java:65) 
 at com.nimsoft.probe.application.office365.impl.Office365StatusService.<init>(Office365StatusService.java:50) 
 at com.nimsoft.probe.application.office365.Office365Probe.getUpdatedInventory(Office365Probe.java:484) 
 at com.nimsoft.probe.framework.genprobe.GenInventory.update(GenInventory.java:127) 
 ... 14 more 

First, review the probe configuration in the Admin Console as per the help doc:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/ca-unified-infrastructure-management-probes/GA/alphabetical-probe-articles/office365-office-365-monitoring/office365-ac-configuration.html

Then follow these instructions:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/ca-unified-infrastructure-management-probes/GA/alphabetical-probe-articles/office365-office-365-monitoring/office365-office-365-monitoring-release-notes.html

Prerequisites

Check the Supported platforms and then start at Prerequisites...

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/ca-unified-infrastructure-management-probes/GA/alphabetical-probe-articles/office365-office-365-monitoring/office365-office-365-monitoring-release-notes.html#concept.dita_f9838e3abf1efcda543d7734cbeff5387137b273_Prerequisites

Run through the entire process including:

- Verify the Global Administrator Rights of the Office 365 User
- Register Office365 Application in the Azure Active Directory
- How to register an app with the v2.0 endpoint
- Integrating Application with Azure Active Directory
- Register your application with your Azure Active Directory tenant

https://knowledge.broadcom.com/external/article/129444/office-365-user-account-requires-global.html

For data collection, the office365 probe calls the Microsoft URLs listed below over HTTPS to get the required data:

  https://login.microsoftonline.com/

  https://manage.office.com/

  https://graph.windows.net

Also make sure that the robot machine where the probe is deployed can connect to each of these hosts on port 443 with telnet, using the commands below:

  telnet login.microsoftonline.com 443

  telnet manage.office.com 443

  telnet graph.windows.net 443

 

During connection validation, the probe calls the URL below:

https://login.microsoftonline.com/021af73b-7bf8-4014-aa49-bcf05c8e29b1/oauth2/token/,resourceServer=https://manage.office.com,resourcePath=/api/v1.0/021af73b-7bf8-4014-aa49-bcf05c8e29b1/ServiceComms/CurrentStatus?$select=Id

In this case, during the inventory update, the probe uses the URL below to collect the monitoring information and fails with 401 Unauthorized, so it appears that the user does not have the proper permission on this resource:

authorityUrl=https://login.microsoftonline.com/021af73b-7bf8-4014-aa49-bcf05xxxxxxx/oauth2/token/,resourceServer=https://manage.office.com,resourcePath=/api/v1.0/021af73b-7bf8-4014-aa49-bcf05c8e29b1/ServiceComms/CurrentStatus?$select=Id%2CStatus%2CIncidentIds

Verify the permission, and also try the above URL with PowerShell:

https://docs.microsoft.com/en-us/office/office-365-management-api/troubleshooting-the-office-365-management-activity-api 

If you get a 401 Unauthorized exception in PowerShell, e.g., This tenant doesn't have permission to access this resource https://manage.office.com/api/v1.0/021af73b-7bf8-4014-aa49-bcf05c8e29b1/ServiceComms/CurrentStatus?select=Id%2CStatus%2CIncidentIds, then this needs to be checked by the Office 365 admin/support team.

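Below is the raw command, just as an example:

# The ID, secret and tenant values below are partially masked; substitute those of your own app registration.
$ClientID = "0bbfa4c6-6385-406a-aa77-xxxxxxec86f2"
$ClientSecret = "uzwS9_-8hQE0Ixxxxxxxxxx_HrmPp72_Zq"
$loginURL = "https://login.microsoftonline.com/"
$tenantdomain = "CNMC.onmicrosoft.com"
$TenantGUID = "021af73b-7bf8-xxx4-xxxx-bcf05c8e29b1"
$resource = "https://manage.office.com/"
# Request an access token for the Office 365 Management API using the client_credentials grant.
$body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
# $loginURL already ends in "/", so no extra separator is placed before the tenant domain.
$oauth = Invoke-RestMethod -Method Post -Uri "$($loginURL)$tenantdomain/oauth2/token?api-version=1.0" -Body $body
$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
# Call the resource path the probe uses; the backtick stops PowerShell from expanding $select as a variable.
Invoke-WebRequest -Headers $headerParams -Uri "$($resource)api/v1.0/$TenantGUID/ServiceComms/CurrentStatus?`$select=Id%2CStatus%2CIncidentIds"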
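
To see which permissions a token actually carries before handing a 401 or 403 to the Office 365 administrator, its claims can be decoded locally. This is an added example, not part of the original article or the probe: the function names are hypothetical, the sample token is constructed, and ServiceHealth.Read (the Office 365 Management APIs permission for service health) is not named in the article.

```powershell
# Added example: decode an Azure AD access token (JWT) offline to inspect its claims.
# The signature is NOT verified; this only reads claims while troubleshooting.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # base64url -> base64: restore the standard alphabet and the stripped '=' padding
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-TokenClaims {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$AccessToken)
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected header.payload.signature' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $epoch = [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    [pscustomobject]@{
        Audience   = $claims.aud      # must match the resource being called
        Tenant     = $claims.tid
        Roles      = $claims.roles    # application permissions (client_credentials grant)
        Scopes     = $claims.scp      # delegated permissions (authorization_code grant)
        ExpiresUtc = $epoch.AddSeconds([double]$claims.exp)
    }
}

# Constructed sample token so the example runs offline (all values are made up).
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = '{"aud":"https://manage.office.com","tid":"00000000-0000-0000-0000-000000000000",' +
           '"roles":["ServiceHealth.Read"],"exp":1597679695}'
$sample = @((ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'), (ConvertTo-Base64Url $payload), 'constructed') -join '.'

# With a real token, pass $oauth.access_token instead of $sample.
$result = Get-TokenClaims $sample
$result | Format-List
if ($result.Roles -notcontains 'ServiceHealth.Read') {
    Write-Warning 'No ServiceHealth.Read application permission in this token.'
}
```

An empty Roles and Scopes pair, or an Audience other than the resource being called, points to the app registration rather than to the network path.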

 

In the office365 log, you may see an error such as:

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"5fe53a7f-d456-4e85-9a04-58557a88207b","date":"2020-08-17T15:54:55"}}

Caused by: org.apache.http.client.HttpResponseException: Failed : HTTP error code : HTTP/1.1 403 Forbidden

 

The Office 365 administrator should be able to check on this permissions error. You may find this URL helpful:

https://github.com/Azure-Samples/active-directory-java-graphapi-web/issues/4

To monitor Office365, global administrator permissions are required as per Microsoft documentation. User service accounts with limited permissions may not work.

 

If you see an error such as:

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"869d87ef-11a5-4e0b-9706-f759bd1518a1","date":"2020-08-18T06:11:31"}} while accessing the resource "https://graph.windows.net".

 

In that case, grant the permission for the resource https://graph.windows.net

 

Finally, enable:

a) read application permission for the Graph API,

AND

b) delegated permission

Additional Information

https://knowledge.broadcom.com/external/article/145537/office365-probe-fails-with-connection-ab.html

Here is the list of supported metrics for the office365 probe.

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/ca-unified-infrastructure-management-probes/GA/alphabetical-probe-articles/office365-office-365-monitoring/office365-metrics.html

Probe documentation:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/ca-unified-infrastructure-management-probes/GA/alphabetical-probe-articles/office365-office-365-monitoring/office365-ac-configuration.html

Only the above metrics can be monitored.

You will need to enable the metrics & alarms as per your requirements.