FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
vschmitt_FTNT
Article Id 335153
Description

This article describes how to allow FortiSIEM, registered in Azure Entra ID, to access mail statistics using OAuth.

The Office365 integration allows FortiSIEM to fetch audit logs from Office365 and Exchange.

After following the steps outlined in the Microsoft Office365 Audit documentation, mail statistics are missing from the FortiSIEM dashboard and reports.

In phoenix.log, errors like the following can be seen:

2024-08-21T14:54:42.887411+03:00 GEANFORTISIEMSV phAgentManager[1569601]: [PH_HTTP_CLIENT_GET_INIT_RESPONSE_FAILED]:[eventSeverity]=PHL_ERROR,[procName]=phAgentManager,[fileName]=phHttpClient.cpp,[lineNumber]=1037,[infoURL]=https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailDetailATP?$format=Json&$filt... client failed to get initial response from URL: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailDetailATP?$format=Json&$filt... Error response: {"ErrorCode":"","Message":"No permission to access the report for the organization ."}

Scope

FortiSIEM, Office365, Mail, Exchange.

Solution

In the delegated permissions model, the user also needs an appropriate admin role assigned. The roles supported by the Reporting Web Service are Global Reader and Security Reader.

In order for FortiSIEM to access and execute the reports, the Azure administrator needs to assign the following roles to the FortiSIEM App registration:

  • Global Reader
  • Security Reader

An Azure Entra administrator has two ways to perform this assignment: the GUI or PowerShell.

In the GUI, open Entra, search for the Global Reader role and assign it to the FortiSIEM App registration. Do the same for Security Reader.

For the PowerShell CLI:

# Install the AzureAD module (once) and sign in as an Entra administrator
Install-Module -Name AzureAD
Connect-AzureAD

# Look up the service principal of the FortiSIEM App registration by its Application (client) ID
# (the ID below is the one used in this article; use the ID of your own FortiSIEM App registration)
$sp = Get-AzureADServicePrincipal -Filter "AppId eq '800d128c-f9f6-48d2-9fd9-0968868c8be8'"
$sp.ObjectId

# Assign the Security Reader role to the service principal
# (Get-AzureADDirectoryRole only lists roles that are already activated in the tenant)
$role = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq "Security Reader"}
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId

# Assign the Global Reader role the same way
$role = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq "Global Reader"}
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
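As an added verification step that is not part of the original article, the following PowerShell function (the name Test-FortiSIEMReportingRoles is hypothetical) reports whether the FortiSIEM service principal actually holds the two roles the Reporting Web Service requires, and whether each role is activated in the tenant at all. It assumes an existing Connect-AzureAD session and takes the Application (client) ID of your own FortiSIEM App registration; the ID in the usage line is a placeholder.

```powershell
# Added example: check that the FortiSIEM service principal holds the roles
# required by the Office365 Reporting Web Service (Global Reader, Security Reader).
# Assumes Connect-AzureAD has already been run with an admin account.
function Test-FortiSIEMReportingRoles {
    param(
        [Parameter(Mandatory = $true)][string]$AppId,
        [string[]]$RequiredRoles = @('Global Reader', 'Security Reader')
    )

    # Resolve the service principal behind the App registration
    $sp = Get-AzureADServicePrincipal -Filter "AppId eq '$AppId'"
    if (-not $sp) {
        throw "No service principal found for AppId $AppId"
    }

    $results = foreach ($roleName in $RequiredRoles) {
        # Get-AzureADDirectoryRole lists only roles already activated in the tenant;
        # a role that has never been activated shows up here as Activated = False
        # and can be activated with Enable-AzureADDirectoryRole before assignment.
        $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
        $assigned = $false
        if ($role) {
            $members  = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
            $assigned = [bool]($members | Where-Object { $_.ObjectId -eq $sp.ObjectId })
        }
        [pscustomobject]@{
            Role      = $roleName
            Activated = [bool]$role
            Assigned  = $assigned
        }
    }
    return $results
}

# Usage (placeholder ID): replace with the Application (client) ID of your FortiSIEM App registration
Test-FortiSIEMReportingRoles -AppId '00000000-0000-0000-0000-000000000000' | Format-Table -AutoSize
```

A row with Assigned = False for either role explains the "No permission to access the report for the organization" error shown above; rerun the Add-AzureADDirectoryRoleMember step for that role and check again.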