Office365 Integration not working with Multiple Tenants #26956

Open
@bile0026

Description

| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.9.0 and 4.9.2-1 | server | manager | Packages/Sources | Ubuntu 22.04 |

I have configured tenants in the o365 integration, but I'm only receiving data for one. They are all set up with their own "registered app" in each individual tenant on the Azure/Entra side. Only 1 of the 3 configured tenants is returning data, and not even the first one listed: it's the 2nd one that is working.

Relevant Config

<office365>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <curl_max_size>20M</curl_max_size>
    <only_future_events>no</only_future_events>
    <api_auth>
      <tenant_id>5224efa5-29d9-4c4f-ae00-</tenant_id>
      <client_id>651435a6-eb27-4000-a75e-</client_id>
      <client_secret>AKj8Q~PRZSAxWvKoUAZo3HU</client_secret>
      <api_type>commercial</api_type>
    </api_auth>
    <api_auth>
      <tenant_id>fe26f993-ab38-4fa7-b1b6-</tenant_id>
      <client_id>9cfb8de9-304c-413d-814e-</client_id>
      <client_secret>CF_8Q~liJkJcdixvxWUqiar</client_secret>
      <api_type>commercial</api_type>
    </api_auth>
    <api_auth>
      <tenant_id>657040cd-abea-43ff-a1b7-</tenant_id>
      <client_id>76910b39-f9f5-4556-8e9e-</client_id>
      <client_secret>7Db8Q~gnmb~~SM2E4UqKzv3</client_secret>
      <api_type>commercial</api_type>
    </api_auth>
    <subscriptions>
      <subscription>Audit.SharePoint</subscription>
      <subscription>Audit.Exchange</subscription>
      <subscription>Audit.AzureActiveDirectory</subscription>
      <subscription>Audit.General</subscription>
      <subscription>DLP.All</subscription>
    </subscriptions>
  </office365>

If I do a curl with each set of IDs/secrets, I get 200 responses for each:

Curl

curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k

Response

HTTP/2 200 
cache-control: no-store, no-cache
pragma: no-cache
content-type: application/json; charset=utf-8
expires: -1
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
p3p: CP="DSP CUR OTPi IND OTRi ONL FIN"
x-ms-request-id: 38766d55-732f-4eb5-ac5a-9b5906152400
x-ms-ests-server: 2.1.19395.9 - WUS3 ProdSlices
x-ms-srs: 1.P
x-xss-protection: 0
set-cookie: fpc=Ah2NgBmAIRpNv7iSMIJrJeVwcG; expires=Sat, 21-Dec-2024 03:19:45 GMT; path=/; secure; HttpOnly; SameSite=None
set-cookie: x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
set-cookie: stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
date: Thu, 21 Nov 2024 03:19:45 GMT
content-length: 1476

{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"eyJ0eXAiOiJKV1QiLCJhbG

I’m seeing this in the logs for each of the non-working tenants after enabling debug2. %CLIENT_ID% is being inserted in the wrong spots it seems? The tenantid in this log is actually the application/client id, not the tenant id. The “tenant id does not exist” message is also showing the correct tenant id I show in my entra id console so I’m not sure why it would say that it doesn’t exist.

2024/11/20 22:13:47 wazuh-modulesd:office365[157022] wm_office365.c:635 at wm_office365_manage_subscription(): DEBUG: Error while managing subscription: '{"error":{"code":"StartSubscription [CorrId=8ac8b328-3f09-4e8a-8177-ca3f8ff0f09c][TenantId=<%CLIENT_ID%>,ContentType=Audit.SharePoint,ApplicationId=<%CLIENT_ID%>,PublisherId=00000000-0000-0000-0000-000000000000][AppId","message":"51435a6-eb27-4000-a75e-191db0916d12] failed. Exception: Microsoft.Office.Compliance.Audit.DataServiceException: Tenant %TENANT_ID% does not exist.\r\n   at Microsoft.Office.Compliance.Audit.API.AzureManager.<GetSubscriptionTableClientForTenantAsync>d__52.MoveNext() in d:\\dbs\\sh\\nibr\\1114_061042_0\\cmd\\5\\sources\\dev\\auditing\\src\\auditapiservice\\common\\AzureManager.cs:line 2113\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at Microsoft.Office.Compliance.Audit.API.AzureManager.<GetAPISubscriptionAsync>d__22.MoveNext() in d:\\dbs\\sh\\nibr\\1114_061042_0\\cmd\\5\\sources\\dev\\auditing\\src\\auditapiservice\\common\\AzureManager.cs:line 549\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at Microsoft.Office.Compliance.Audit.API.StartController.<StartSubscription>d__0.MoveNext() in d:\\dbs\\sh\\nibr\\1114_061042_0\\cmd\\4g\\sources\\dev\\auditing\\src\\auditapiservice\\apifrontendservicerole\\Controllers\\StartController.cs:line 76"}}'
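A small diagnostic for a multi-tenant <office365> block, added here as an example; it is not part of Wazuh and not code from the reporter. It parses each <api_auth> entry out of the config, lints the ids (full GUIDs, no duplicates, tenant_id not equal to client_id), and maps the TenantId/ApplicationId values that the Management Activity API echoes back in a StartSubscription error onto the configured entries, so a client_id landing where a tenant_id should be is flagged directly. The two network helpers request a token per tenant with the `https://manage.office.com/.default` scope, which is the resource the Office 365 Management Activity API checks (the curl above asks for the Defender `windowsatpservice` scope, so a 200 there does not prove the app can start audit subscriptions), and then list the subscriptions already started for that tenant. All GUIDs, secrets and the log line below are constructed placeholders, not the ids from this issue.

```python
"""Diagnose <api_auth> entries of a Wazuh <office365> block (constructed example)."""
import json
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Real endpoints of Entra ID and the Office 365 Management Activity API.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
MGMT_SCOPE = "https://manage.office.com/.default"      # scope the activity feed needs
SUBS_LIST_URL = "https://manage.office.com/api/v1.0/{tenant}/activity/feed/subscriptions/list"

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed sample config: placeholder GUIDs and secrets, second tenant_id truncated.
SAMPLE_CONF = """<office365>
  <enabled>yes</enabled>
  <api_auth>
    <tenant_id>11111111-1111-1111-1111-111111111111</tenant_id>
    <client_id>aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa</client_id>
    <client_secret>placeholder-secret-1</client_secret>
    <api_type>commercial</api_type>
  </api_auth>
  <api_auth>
    <tenant_id>22222222-2222-2222-2222-</tenant_id>
    <client_id>bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb</client_id>
    <client_secret>placeholder-secret-2</client_secret>
    <api_type>commercial</api_type>
  </api_auth>
</office365>"""

# Constructed log line shaped like the wm_office365 DEBUG entry: the API reports the
# application id in the TenantId field and then says the real tenant does not exist.
SAMPLE_LOG = ('wm_office365.c:635 at wm_office365_manage_subscription(): DEBUG: Error while '
              'managing subscription: \'{"error":{"code":"StartSubscription [CorrId=0000]'
              '[TenantId=aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa,ContentType=Audit.SharePoint,'
              'ApplicationId=aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa,PublisherId=00000000-0000-'
              '0000-0000-000000000000][AppId","message":"... Tenant 11111111-1111-1111-1111-'
              '111111111111 does not exist."}}\'')


def parse_api_auth(xml_text):
    """Return one dict per <api_auth> block, in file order."""
    root = ET.fromstring(xml_text)
    return [
        {tag: (auth.findtext(tag) or "").strip()
         for tag in ("tenant_id", "client_id", "client_secret", "api_type")}
        for auth in root.iter("api_auth")
    ]


def lint_entries(entries):
    """Static checks for the usual multi-tenant configuration mistakes."""
    problems, seen = [], {}
    for i, e in enumerate(entries, 1):
        for field in ("tenant_id", "client_id"):
            if not GUID_RE.match(e[field]):
                problems.append(f"api_auth #{i}: {field} is not a full GUID")
        if e["tenant_id"] == e["client_id"]:
            problems.append(f"api_auth #{i}: tenant_id equals client_id")
        if e["tenant_id"] in seen:
            problems.append(f"api_auth #{i}: tenant_id already used by #{seen[e['tenant_id']]}")
        seen.setdefault(e["tenant_id"], i)
        if not e["client_secret"]:
            problems.append(f"api_auth #{i}: empty client_secret")
    return problems


def classify_error(log_line, entries):
    """Map the ids echoed in a StartSubscription error onto the configured entries."""
    reported = {}
    for key in ("TenantId", "ApplicationId"):
        m = re.search(key + r"=([0-9a-f-]+)", log_line, re.I)
        reported[key] = m.group(1) if m else None
    m = re.search(r"Tenant ([0-9a-f-]+) does not exist", log_line, re.I)
    reported["missing_tenant"] = m.group(1) if m else None

    tenants = {e["tenant_id"] for e in entries}
    clients = {e["client_id"] for e in entries}
    findings = []
    if reported["TenantId"] in clients:
        findings.append("API-reported TenantId is one of the configured client_ids")
    if reported["missing_tenant"] in tenants:
        findings.append("'does not exist' tenant matches a configured tenant_id")
    return {"reported": reported, "findings": findings}


def fetch_token(entry, timeout=15):
    """Client-credentials token with the Management API scope (network call)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": entry["client_id"],
        "client_secret": entry["client_secret"], "scope": MGMT_SCOPE}).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=entry["tenant_id"]), data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def list_subscriptions(entry, access_token, timeout=15):
    """List content types already started for this tenant (network call)."""
    req = urllib.request.Request(SUBS_LIST_URL.format(tenant=entry["tenant_id"]),
                                 headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    entries = parse_api_auth(SAMPLE_CONF)
    for problem in lint_entries(entries):
        print("lint:", problem)
    print(json.dumps(classify_error(SAMPLE_LOG, entries), indent=2))
```

Run it against the real ossec.conf by replacing SAMPLE_CONF with the file contents; for a live check, call fetch_token on each entry and pass the access_token to list_subscriptions, which will show per tenant whether the token is accepted by the Management API at all and which subscriptions are started.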
