FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
vschmitt_FTNT
Article Id 315390
Description This article describes how to configure the Office365 Management API on FortiSIEM, which requires configuration on both the Azure portal and FortiSIEM. It covers the different aspects of the configuration and the error messages that can be tracked when the configuration is not compliant or when client credentials have expired.
Scope FortiSIEM, Office365, Management API.
Solution

Integrating the Office365 Management API in FortiSIEM requires an Application Registration created on the Azure Portal.
In the FortiSIEM Access Method Definition, the following values need to be copied from that application:

 

  • Application (client) ID in the Client ID field.
  • Directory (tenant) ID in the Tenant ID field.


  •  Client Secret in the Client Secret field.

Note: Secret ID is not used. Do not put this Secret ID in the Client ID field.

 

Once configured, the following errors will be thrown if there is a misconfiguration or authorization issue.

| Error Message | Phoenix.log trace | Possible Issue | Possible Fix |
|---|---|---|---|
| Office access token empty | `phDiscover[14057]: [PH_HTTP_CLIENT_GET_INIT_RESPONSE_FAILED]:[eventSeverity]=PHL_ERROR,[procName]=phDiscover,[fileName]=phHttpClient.cpp,[lineNumber]=1018,[infoURL]=https://login.windows.net/9[...]a/oauth2/token,[phLogDetail]=Http client failed to get initial response from URL: https://login.windows.net/9[...]a/oauth2/token. Error response: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '7[...]2'. [...]}` | The client's secret is not valid. | Client ID is not set correctly<br>Client Secret is not set correctly<br>Client Secret has been renewed and not updated on FortiSIEM. |
| Office access token empty | `phAgentManager[14053]: [PH_HTTP_CLIENT_GET_INIT_RESPONSE_FAILED]:[eventSeverity]=PHL_ERROR,[procName]=phAgentManager,[fileName]=phHttpClient.cpp,[lineNumber]=1018,[infoURL]=https://login.windows.net/9[...]ba/oauth2/token,[phLogDetail]=Http client failed to get initial response from URL: https://login.windows.net/9[...]ba/oauth2/token. Error response: {"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys for app '7[...]a2' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security[...]}` | The client's secret has expired. | Renew the Client Secret and update the FortiSIEM client secret. |
| Invalid Office Authentication | `phDiscover[14057]: [PH_HTTP_CLIENT_GET_INIT_RESPONSE_FAILED]:[eventSeverity]=PHL_ERROR,[procName]=phDiscover,[fileName]=phHttpClient.cpp,[lineNumber]=1018,[infoURL]=https://manage.office.com/api/v1.0/9[...]ba/activity/feed/subscriptions/list?PublisherIdentifier=9[.... client failed to get initial response from URL: https://manage.office.com/api/v1.0/9[...]ba/activity/feed/subscriptions/list?PublisherIdentifier=9[..... Error response: {"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}` | The Azure application does not have enough permission. | Add Office365 API permissions and grant Admin consent. |
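The error table above can be applied to phoenix.log lines automatically. The following is an added example, not Fortinet code: a small triage script that finds `PH_HTTP_CLIENT_GET_INIT_RESPONSE_FAILED` lines, extracts the error code from the response and maps it to the issue and fix listed in this article. The function names, the `TENANT-ID` placeholder and the sample log lines are constructed for illustration.

```python
import re

# Codes and guidance paraphrased from the error table in this article.
KNOWN = {
    "AADSTS7000215": ("The client's secret is not valid.",
                      "Check Client ID and Client Secret; update FortiSIEM if the secret was renewed."),
    "AADSTS7000222": ("The client's secret has expired.",
                      "Renew the Client Secret and update the FortiSIEM client secret."),
    "AF10001": ("The Azure application does not have enough permission.",
                "Add Office365 API permissions and grant admin consent."),
}
EVENT = "[PH_HTTP_CLIENT_GET_INIT_RESPONSE_FAILED]"
FIELD = re.compile(r"\[(procName|infoURL)\]=([^,]*)")
CODE = re.compile(r"\b(AADSTS\d+|AF\d+)\b")

def triage(line):
    """Return a finding for one Office365 API failure line, or None for other lines."""
    if EVENT not in line:
        return None
    fields = dict(FIELD.findall(line))
    # Search only the JSON error response, so IDs inside the URL cannot match.
    response = line.partition("Error response:")[2]
    m = CODE.search(response)
    code = m.group(1) if m else "unknown"
    issue, fix = KNOWN.get(code, ("Unrecognized error response.", "Read the full error response."))
    return {"proc": fields.get("procName"), "url": fields.get("infoURL"),
            "code": code, "issue": issue, "fix": fix}

def triage_log(lines):
    """Triage every line and keep only the findings."""
    return [f for f in map(triage, lines) if f]

# Constructed sample lines in the format shown in the table (not real log output).
_T = ('{p}[14057]: [PH_HTTP_CLIENT_GET_INIT_RESPONSE_FAILED]:[eventSeverity]=PHL_ERROR,'
      '[procName]={p},[fileName]=phHttpClient.cpp,[lineNumber]=1018,[infoURL]={u},'
      '[phLogDetail]=Http client failed to get initial response from URL: {u}. Error response: {r}')
SAMPLE = [
    _T.format(p="phDiscover", u="https://login.windows.net/TENANT-ID/oauth2/token",
              r='{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided."}'),
    _T.format(p="phAgentManager", u="https://login.windows.net/TENANT-ID/oauth2/token",
              r='{"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys are expired."}'),
    _T.format(p="phDiscover", u="https://manage.office.com/api/v1.0/TENANT-ID/activity/feed/subscriptions/list",
              r='{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}'),
    "phDiscover[14057]: unrelated line (constructed)",
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE):
        print(f"{f['proc']}: {f['code']} -> {f['issue']} Fix: {f['fix']}")
```

To run it against a real log, pass the open phoenix.log file object to `triage_log` in place of `SAMPLE`.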