Recommended Posts

  • LogicMonitor Staff

This is unofficial...On my own and on the side, I designed a DataSource to monitor Office 365 using Microsoft's API. See more on my blog http://blog.MikeSuding.com.  All the usual disclaimers apply...use at your own risk. I will try to help if it doesn't work for you.

Edited by Mike Suding
Link to post
Share on other sites

I am seeing this error when trying to create the application:

Quote

New-AzureADApplication : Error occurred while executing NewApplication
Code: Request_BadRequest
Message: Cannot convert a primitive value to the expected type 'Edm.Guid'. See the inner exception for more details.
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At C:\Users\jamiller\Downloads\Office365\Setup-Office365Monitoring_7.ps1:449 char:27
+ ... reatedApp = New-AzureADApplication -DisplayName $TargetApplicationNam ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADApplication], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewAppl
   ication

 

I tried add an application manually and it was saying I needed Azure AD premium.  Could this be a reason this is not working?

Link to post
Share on other sites
  • 3 weeks later...
  • 6 months later...

Hello all,

 

reviving an old post but I was wondering if @Jason Miller or @Mike Suding found a solution to the error posted above? I'm also having the same issue and not sure what is causing it. I have made an account on Azure AD with Application Administrator and still no luck. Here is the error message:

True
New-AzureADApplication : Error occurred while executing NewApplication
Code: Request_BadRequest
Message: Invalid value specified for property 'resourceAppId' of resource 'RequiredResourceAccess'.
RequestId: c5cdfae2-8e7e-4593-afcd-1495f4c121e1
DateTimeStamp: Thu, 28 Feb 2019 16:02:45 GMT
Details: PropertyName  - resourceAppId, PropertyErrorCode  - InvalidValue
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At C:\Users\navee.sharma\Downloads\Office365-master\Setup-Office365-Monitoring_18.ps1:467 char:27
+ ... reatedApp = New-AzureADApplication -DisplayName $TargetApplicationNam ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADApplication], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewAppl
   ication

Any help would be greatly appreciated :)

Link to post
Share on other sites
  • 2 months later...

Hi Mike

I've been looking at testing this out but continually getting API response of 1041.

The properties get populated for the device but the datasources dont.

Any ideas what would be causing that?

Thanks

[05/23/2019 11:45:36] API call: https://XXXXX.logicmonitor.com/santaba/rest/device/devices?filter=displayName:xxxxxxxx
[05/23/2019 11:45:36] Response code is 200
[05/23/2019 11:45:36] Deploying tokens of target app
[05/23/2019 11:45:36] Generating Oauth Form
[05/23/2019 11:46:19] Requesting Office 365 tokens
[05/23/2019 11:46:20] Response: Token type: Bearer; Scope: ServiceHealth.Read; Expires in: 3600; Resource: https://manage.office.com
[05/23/2019 11:46:20] Requesting Graph API tokens
[05/23/2019 11:46:20] Response: Token type: Bearer; Scope: Reports.Read.All; Expires in: 3599; Resource: https://graph.microsoft.com
[05/23/2019 11:46:20] Updating device properties, device id is 383
[05/23/2019 11:46:20] API call: https://XXXXX.logicmonitor.com/santaba/rest/device/devices/383?patchFields=customProperties&opType=replace
[05/23/2019 11:46:20] Response code is 200
[05/23/2019 11:46:20] Importing Office 365 datasource template.
[05/23/2019 11:46:20] Importing DataSource.
[05/23/2019 11:46:20] API call: https://XXXXXX.logicmonitor.com/santaba/rest/setting/datasources/importxml
[05/23/2019 11:46:20] Response code is 1041

...................... all imports give 1041

Link to post
Share on other sites

Hi Mike,

Thanks for the offer of a meeting. I found a workaround which was to manually import the XML files. Its working away and datasources are pulling in the data.

Would you happen to know if anyone in the community has done anything on monitoring/alerting on security in O365?

BTW- the datasources are great and I definitely will have a use for them on first view.

Joe

Link to post
Share on other sites
  • LogicMonitor Staff

@joedalton, What exactly do you want to monitor with regards to security? I did create a prototype for the 'risky sign-ins' and 'identity' stuff (I forgot Microsoft terminology) but I was not able to simulate/create events so I couldn't test it.  If you have events that you want to detect/monitor, and are willing to let me test on your account, please let me know.

Link to post
Share on other sites

Hi Mike, The customer wants the O365 Audit logs monitored and a report to be submitted daily. What we currently have now is a powershell script that pulls out a csv with relevant security events. We then present a daily report based on these events. It is a bit labor intensive and I think we can use LM to automate it. I'm trying to develop a PS script to embed in a datasource to search this audit log at set intervals. If I can have LM pull these events in (not too worried about the alerting for now) I can then create a dashboard & reports. When you say test on my account, do you mean the O365 a/c? I dont have anything in LM yet as I'm still cooking a PS script to do what I need.

This is what I am currently using to pull events for the previous 24 hours.

 

$CreateEXOPSSession = (Get-ChildItem -Path $env:userprofile -Filter CreateExoPSSession.ps1 -Recurse -ErrorAction SilentlyContinue -Force | Select -Last 1).DirectoryName
. "$CreateEXOPSSession\CreateExoPSSession.ps1"
Connect-EXOPSSession -UserPrincipalName test@test.com

#Output files directory
$outputFile = "C:\Users\john.doe\Desktop\AuditRecords.csv"

# Set Dates
$StartDate = (Get-Date).AddDays(-1)
$EndDate = (Get-Date)


$AlertOperations = @('FileDeletedFirstStageRecycleBin','FileDeletedSecondStageRecycleBin',...............................................LOTS MORE!!!!)


Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations $AlertOperations -ResultSize 5000|epcsv $outputFile -NoTypeInformation -Append

EXIT

 

 

 

Link to post
Share on other sites
  • 11 months later...

Hi @Mike Suding,

Trying to use the Office365 Datasource but it failing to configure 

[05/19/2020 12:36:40] Connecting to AzureAD 
[05/19/2020 12:36:50] Getting list of registered applications 
[05/19/2020 12:36:50] Creating new App 
[05/19/2020 12:36:52] App Id is 9b6b0f04-8583-407b-9283-3bbea0281005 
[05/19/2020 12:37:07] Application verified 
[05/19/2020 12:37:07] Disconnecting from AzureAD 
[05/19/2020 12:37:07] Step 1 complete. Continue with Step2. 
[05/19/2020 12:37:14] Obtaining list of devices 
[05/19/2020 12:37:14] API call: https://xxxxxx.logicmonitor.com/santaba/rest/device/devices?filter=displayName:xxxxxx 
[05/19/2020 12:37:15] Response code is 200 
[05/19/2020 12:37:15] Deploying tokens of target app 
[05/19/2020 12:37:15] Generating Oauth Form 
[05/19/2020 12:40:30] Requesting Office 365 tokens 
[05/19/2020 12:40:31] Response: Token type: ; Scope: ; Expires in: ; Resource:  
[05/19/2020 12:40:31] Requesting Graph API tokens 
[05/19/2020 12:40:31] Response: Token type: ; Scope: ; Expires in: ; Resource:  
[05/19/2020 12:40:31] Updating device properties, device id is 27 
[05/19/2020 12:40:31] API call: https://xxxxxxxx.logicmonitor.com/santaba/rest/device/devices/27?patchFields=customProperties&opType=replace 
[05/19/2020 12:40:32] Response code is 1007 

 

Any ideas what would be causing that?

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.