Azure AD Application Registration for User and Reports Read Access
Summary
This document describes how to create an Azure AD (Microsoft Entra ID) Application Registration that can be used to access Microsoft Graph APIs with the following application permissions:
- User.Read.All
- Reports.Read.All
The application authenticates with a client secret and is intended for service-to-service integrations that need user and reporting data from Microsoft Graph. Both permissions are application (app-only) permissions: they grant tenant-wide read access to every user object and to all usage reports without any signed-in user, so the client ID and secret together form a privileged credential and must be stored and rotated accordingly.
Firewall Requirements (On-Premise)
If the integration is running from an on-premise environment, ensure outbound HTTPS (TCP 443) access is allowed to the following Microsoft endpoints:
| Endpoint | Purpose |
|---|---|
| login.microsoftonline.com | Azure AD authentication (token endpoint) |
| graph.microsoft.com | Microsoft Graph API access |
Network Requirements
- Outbound HTTPS (TCP 443) must be permitted.
- TLS inspection (intercepting proxy) devices must exempt these hosts: a re-signed certificate makes the integration's TLS validation of the token endpoint fail, and an intercepting device would otherwise see the client secret and bearer tokens in transit.
- DNS resolution must be available for all Microsoft endpoints listed above.
Refer to Microsoft documentation for the latest endpoint requirements.
Azure AD – Application Registration
Step 1: Sign In to Azure Portal
- Sign in to the Azure portal.
- Navigate to: Microsoft Entra ID → App registrations
- Select New registration.
Step 2: Create the Application
Configure the application:
| Setting | Value |
|---|---|
| Name | <Application Name>, for example UXM - Microsoft Graph Integration |
| Supported account types | Accounts in this organizational directory only (Single tenant) |
| Redirect URI | Not required (the client credentials flow has no interactive sign-in) |
Select Register.
Step 3: Record Application Details
After registration, note the following values:
| Value | Description |
|---|---|
| Application (client) ID | Used by the integration |
| Directory (tenant) ID | Azure tenant identifier |
These values will be required when configuring the integration.
Step 4: Assign Microsoft Graph Permissions
- Open the newly created application.
- Navigate to: API permissions
- Select Add a permission.
- Choose: Microsoft Graph
- Select: Application permissions
- Add the following permissions:
| Permission | Type |
|---|---|
| User.Read.All | Application |
| Reports.Read.All | Application |
Step 5: Grant Admin Consent
- After adding permissions, select: Grant admin consent for <Tenant Name>
- Confirm the action.
- Verify the status shows: Granted for <Tenant Name>
Granting tenant-wide admin consent requires a directory role permitted to do so, such as Global Administrator or Privileged Role Administrator. Consent is what actually authorizes the application; adding the permissions to the registration does nothing until it is granted.
Step 6: Verify Permissions
The API permissions page should display:
| Permission | Status |
|---|---|
| User.Read.All | Granted for <Tenant Name> |
| Reports.Read.All | Granted for <Tenant Name> |
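The same three operations (Steps 4 to 6) can be driven through the Microsoft Graph API instead of the portal. The following is an added example, not code from the original page or from the add-on. It assumes the caller already holds an admin token for Microsoft Graph (obtaining it is out of scope) and shows the JSON work involved: looking up the app role IDs for the two permissions on the Microsoft Graph service principal, building the requiredResourceAccess body for PATCH /applications/{id}, and checking the appRoleAssignments that admin consent creates. The only real identifier is the Microsoft Graph appId; every other ID and both sample objects are constructed placeholders so the checks run offline.

```python
"""Resolve, request and verify Microsoft Graph application permissions.

Added example (not the page's or the add-on's code). All IDs except
GRAPH_APP_ID are placeholders; SAMPLE_* objects are constructed.
"""

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph (real)
REQUIRED_PERMISSIONS = ("User.Read.All", "Reports.Read.All")

# Constructed sample: trimmed shape of the Graph service principal returned by
# GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
SAMPLE_GRAPH_SP = {
    "id": "11111111-1111-1111-1111-111111111111",  # placeholder object id
    "appId": GRAPH_APP_ID,
    "appRoles": [  # application permissions; role IDs are placeholders
        {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "User.Read.All",
         "allowedMemberTypes": ["Application"], "isEnabled": True},
        {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "Reports.Read.All",
         "allowedMemberTypes": ["Application"], "isEnabled": True},
        {"id": "aaaaaaaa-0000-0000-0000-000000000003", "value": "User.ReadWrite.All",
         "allowedMemberTypes": ["Application"], "isEnabled": True},
    ],
    "oauth2PermissionScopes": [  # delegated permissions: same names, other IDs
        {"id": "bbbbbbbb-0000-0000-0000-000000000001", "value": "User.Read.All"},
    ],
}

# Constructed sample: appRoleAssignments of the new app's own service principal
# (GET /servicePrincipals/{id}/appRoleAssignments) after an admin consented to
# User.Read.All only.
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000001",
     "resourceId": "11111111-1111-1111-1111-111111111111"},
]


def resolve_app_roles(graph_sp, wanted):
    """Map permission names to Graph appRole IDs.

    Only enabled roles whose allowedMemberTypes include "Application" count.
    A delegated scope of the same name (oauth2PermissionScopes) must not be
    picked: the client credentials flow has no user context and cannot use it.
    """
    by_value = {
        role["value"]: role["id"]
        for role in graph_sp["appRoles"]
        if role.get("isEnabled") and "Application" in role.get("allowedMemberTypes", [])
    }
    missing = [p for p in wanted if p not in by_value]
    if missing:
        raise KeyError(f"no application permission named: {missing}")
    return {p: by_value[p] for p in wanted}


def build_required_resource_access(graph_sp, wanted):
    """Body for PATCH /applications/{object-id}. type "Role" means an
    application permission; "Scope" would be a delegated permission."""
    ids = resolve_app_roles(graph_sp, wanted)
    return {
        "requiredResourceAccess": [{
            "resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [{"id": ids[p], "type": "Role"} for p in wanted],
        }]
    }


def missing_consent(assignments, graph_sp, wanted):
    """Permissions still lacking admin consent.

    Consent materialises as an appRoleAssignment on the app's service
    principal whose resourceId is the Graph service principal. A permission
    that is configured but has no such assignment shows as "Not granted" in
    the portal and produces Authorization_RequestDenied at run time.
    """
    ids = resolve_app_roles(graph_sp, wanted)
    granted = {a["appRoleId"] for a in assignments if a["resourceId"] == graph_sp["id"]}
    return [p for p in wanted if ids[p] not in granted]


if __name__ == "__main__":
    import json
    print(json.dumps(build_required_resource_access(SAMPLE_GRAPH_SP, REQUIRED_PERMISSIONS), indent=2))
    print("missing consent:", missing_consent(SAMPLE_ASSIGNMENTS, SAMPLE_GRAPH_SP, REQUIRED_PERMISSIONS))
```

Against the sample data, missing_consent reports Reports.Read.All, which is exactly the condition behind the "Not granted" status in Step 6. Resolving role IDs by value from the service principal, rather than hardcoding them, is the safer approach: it cannot silently pick the delegated scope of the same name.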
Client Secret
Step 1: Create a Client Secret
- Navigate to: Certificates & secrets
- Under Client secrets, select New client secret.
- Configure:
| Setting | Example |
|---|---|
| Description | Integration Secret |
| Expires | Per organizational policy; keep the lifetime short (the portal's recommended default is 180 days) and schedule rotation before expiry |
- Select Add.
Step 2: Copy the Secret Value
Immediately copy and securely store the following:
- Client Secret Value
Important
The secret value is displayed only once and cannot be retrieved later. If lost, a new secret must be created.
Step 3: Provide Required Configuration Values
The following information is required for the integration:
| Configuration Item | Source |
|---|---|
| Tenant ID | Overview page |
| Client ID | Overview page |
| Client Secret | Certificates & secrets |
| Permissions | User.Read.All, Reports.Read.All |
Example Configuration
Tenant ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Client ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Client Secret: ********************************
Splunk Add-on Configuration
After creating the Azure AD Application Registration and Client Secret, configure the Microsoft Entra ID credentials in the Splunk Add-on.
Prerequisites
Before configuring the add-on, ensure you have:
- Tenant ID
- Client ID (Application ID)
- Client Secret
- Required Microsoft Graph permissions, with admin consent granted:
  - User.Read.All
  - Reports.Read.All
- Splunk Add-on installed and accessible in Splunk Web
Configure Account Credentials
- Open Splunk Web.
- Navigate to: Apps → UXM - Microsoft Graph
- Open the add-on configuration page.
- Select: Configuration → Accounts
- Click Add Account.
Account Configuration
Populate the fields as follows:
| Field | Value |
|---|---|
| Account Name | Friendly name for the Azure tenant |
| Tenant ID | Azure AD Tenant ID |
| Client ID | Azure AD Application (Client) ID |
| Client Secret | Azure AD Client Secret |
Example:
| Field | Example |
|---|---|
| Account Name | Production Tenant |
| Tenant ID | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| Client ID | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| Client Secret | ******** |
- Select Save.
Credential Storage
The add-on is built on the Splunk UCC Framework, which stores sensitive credentials in Splunk's credential store (the storage/passwords REST endpoint) rather than in plain-text configuration files.
- Client secrets are stored as encrypted credentials.
- Secrets are not displayed after saving.
- Access to stored credentials is restricted based on Splunk role permissions.
Note
If the client secret expires or is rotated in Azure, the account configuration must be updated with the new secret.
Configure Inputs
Once the account is created, configure one or more data collection inputs.
- Navigate to: Inputs
- Select Create New Input.
- Configure the input.
Example:
| Field | Value |
|---|---|
| Name | Azure User Collection |
| Account | Production Tenant |
| Interval | 3600 (seconds between collections) |
| Enabled | Yes |
- Save the input.
The add-on will use the configured account credentials to:
- Authenticate with the OAuth 2.0 client credentials flow (no user is involved; the application's own identity is used).
- Obtain an access token from the Microsoft Entra ID token endpoint for the scope https://graph.microsoft.com/.default, which covers every application permission that admin consent has granted.
- Query Microsoft Graph APIs.
- Ingest data into Splunk.
Verify Connectivity
After saving the account and input configuration:
- Verify the input status is enabled.
- Review the add-on logs for successful authentication.
- Confirm events are being indexed.
Common log messages include:
Successfully acquired Microsoft Graph access token
Successfully connected to Microsoft Graph API
Troubleshooting
Insufficient Privileges
Error:
Authorization_RequestDenied
Resolution:
- Verify User.Read.All and Reports.Read.All are assigned as application permissions (not delegated).
- Ensure admin consent has been granted; the status must read Granted for <Tenant Name>.
- A token issued before consent was granted does not carry the new permissions until a fresh token is acquired (access tokens are short-lived, typically about an hour).
Invalid Client Secret
Error:
AADSTS7000215: Invalid client secret provided
Resolution:
- Verify the correct client secret value was copied.
- Confirm the secret has not expired.
- Generate a new secret if necessary.
Invalid Tenant or Client ID
Error:
AADSTS700016: Application not found
Resolution:
- Verify the Tenant ID and Client ID values.
- Confirm the application registration exists in the target tenant (a single-tenant application only issues tokens for its home tenant).
- A wrong Tenant ID usually surfaces instead as AADSTS90002: Tenant not found.
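The token exchange described under Configure Inputs and the failures listed in this Troubleshooting section can be exercised directly, which is useful when the add-on's logs are not conclusive. The following is an added example, not the add-on's own code. It builds the request the client credentials flow sends to the tenant's v2.0 token endpoint, reads the roles claim of the returned access token to confirm both permissions are present, and maps the token endpoint error codes above to an action. Only the standard library is used; the sample token and error body are constructed so the checks run offline. The sample token is unsigned: Graph access tokens are validated by Graph, not by the caller, so this code only reads claims for diagnostics and never relies on them for an authorization decision.

```python
"""Client credentials flow against Microsoft Entra ID, with diagnostics.

Added example (not the page's or the add-on's code). SAMPLE_* values are
constructed; the sample token is unsigned and for offline checks only.
"""
import base64
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError

GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # all consented app permissions
REQUIRED_ROLES = ("User.Read.All", "Reports.Read.All")


def token_request(tenant_id, client_id, client_secret):
    """URL and form body of the client credentials grant (RFC 6749 section 4.4)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    return url, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token):
    """Payload of a JWS compact token, read without signature verification."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(access_token, required=REQUIRED_ROLES):
    """Required permissions absent from the token's roles claim.

    An app-only token lists consented application permissions in "roles".
    A token issued before admin consent keeps its old roles until it expires,
    so a non-empty result right after consent means: acquire a new token.
    """
    roles = set(token_claims(access_token).get("roles", []))
    return [r for r in required if r not in roles]


def classify_token_error(error_body):
    """Token endpoint error JSON -> troubleshooting bucket. The AADSTS number
    from error_description is also present as an integer in error_codes."""
    codes = set(error_body.get("error_codes", []))
    if 7000215 in codes:
        return "invalid_client_secret"   # wrong, mistyped or expired secret
    if 700016 in codes:
        return "application_not_found"   # client ID not registered in this tenant
    if 90002 in codes:
        return "tenant_not_found"        # tenant ID wrong
    return "other"


def acquire_token(tenant_id, client_id, client_secret):
    """POST the grant; raise a classified error on failure."""
    url, body = token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)["access_token"]
    except HTTPError as exc:
        err = json.load(exc)
        raise RuntimeError(f"{classify_token_error(err)}: {err.get('error_description')}") from exc


def graph_get(access_token, path):
    """GET https://graph.microsoft.com/v1.0/<path>. On 403 the message names the
    roles the token lacks, the usual cause of Authorization_RequestDenied."""
    req = urllib.request.Request(
        "https://graph.microsoft.com/v1.0/" + path.lstrip("/"),
        headers={"Authorization": f"Bearer {access_token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except HTTPError as exc:
        err = json.load(exc).get("error", {})
        hint = f" (token lacks: {missing_roles(access_token)})" if exc.code == 403 else ""
        raise RuntimeError(f"{err.get('code')}{hint}: {err.get('message')}") from exc


def make_unsigned_token(claims):
    """Constructed test token (alg none, empty signature) for offline checks."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: one permission consented, and the wrong-secret response.
SAMPLE_TOKEN = make_unsigned_token({"aud": "https://graph.microsoft.com",
                                    "roles": ["User.Read.All"]})
SAMPLE_SECRET_ERROR = {"error": "invalid_client",
                       "error_description": "AADSTS7000215: Invalid client secret provided.",
                       "error_codes": [7000215]}
```

A live check is acquire_token(tenant_id, client_id, client_secret) followed by missing_roles(token) and, if that list is empty, graph_get(token, "users?$top=1") and graph_get(token, "reports/getOffice365ActiveUserDetail(period='D7')"). The point of reading the roles claim before calling Graph is that it separates the two failure classes in this section: a token endpoint error means the credentials or IDs are wrong, while a token that comes back without both roles means consent is missing or stale.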