Hello,
I am trying to setup this integration with the Qradar.
The log source type is Microsoft Office 365 Message Trace.
The application should have role Secure Reader or Global Reader.
My understanding is , the Security Reader and the Global Reader can only by assign to Service Principal of the application, which we have, but we are still getting the same error.
This seems to be issue with rights in the Azure, does anyone know what exactly is needed to get this work?
The IBM information how to setup this are somehow too general to get this right :/
When using the Qradar built-in log source connectivity test to Azure, the test is 99% of the way successful.
But when the sample events are to be downloaded I see the following error:
- Successfully obtained Azure AD Access Token with supplied credentials
- Access Token Roles: [ReportingWebService.Read.All]
- Access Token contained expected role [ReportingWebService.Read.All]
Events (0):
- Initializing...
- Setting event count limit as 5.
- Finished Initialization.
- Collecting events.
- Error: Error obtaining sample events :: Exception occurred while executing: The registered App must have either 'Security Reader' or 'Global Reader' role assigned.
- Finished collecting events.
Regards
Tysa
------------------------------
tysa
------------------------------