
Azure AD Application Registration for User and Reports Read Access

Summary

This document describes how to create an Azure AD (Microsoft Entra ID) Application Registration that can be used to access Microsoft Graph APIs with the following application permissions:

  • User.Read.All
  • Reports.Read.All

The application will authenticate using a client secret and can be used for service-to-service integrations that require access to user and reporting data from Microsoft Graph.


Firewall Requirements (On-Premise)

If the integration is running from an on-premise environment, ensure outbound HTTPS (TCP 443) access is allowed to the following Microsoft endpoints:

Endpoint                     Purpose
login.microsoftonline.com    Azure AD authentication
graph.microsoft.com          Microsoft Graph API access

Network Requirements

  • Outbound HTTPS (TCP 443) must be permitted.
  • SSL/TLS inspection devices should not interfere with Microsoft authentication traffic.
  • DNS resolution must be available for all Microsoft endpoints listed above.

Refer to Microsoft documentation for the latest endpoint requirements.
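The three requirements above can be checked from the on-premise host before the integration is deployed. The following probe is an added example written for this page, not code from the UXM add-on or from Microsoft: it resolves each endpoint, opens an outbound TCP 443 connection, completes a TLS handshake, and reports the issuer of the certificate that was presented, which is how an SSL/TLS inspection device in the path shows itself (a proxy CA instead of a public CA). The host list is taken from the table above; the function names, the injectable `resolve`/`issuer` parameters and the sample values in the offline run are assumptions of this example.

```python
# Added example, not part of the original page or the UXM add-on.
# The resolver and TLS-issuer callables are injectable so the reporting logic
# can be exercised offline with fakes; the defaults do real network lookups.
import socket
import ssl

# Endpoints from the Firewall Requirements table on this page
ENDPOINTS = ("login.microsoftonline.com", "graph.microsoft.com")


def tls_issuer(host, port=443, timeout=5):
    """Open a TLS session to host:port and return the issuer organization of the
    certificate that was presented. A public CA name is expected; your own proxy
    or inspection CA here means an SSL/TLS inspection device is re-signing the
    traffic, which breaks Microsoft authentication."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    issuer = {name: value for rdn in cert["issuer"] for name, value in rdn}
    return issuer.get("organizationName", "unknown")


def probe(host, resolve=socket.gethostbyname, issuer=tls_issuer):
    """Check one endpoint. 'error' is None when DNS, TCP 443 and TLS all passed.
    socket.gaierror (DNS), timeout / ConnectionRefusedError (443 blocked) and
    ssl.SSLError (certificate rejected) are all OSError subclasses."""
    result = {"host": host, "address": None, "tls_issuer": None, "error": None}
    try:
        result["address"] = resolve(host)
        result["tls_issuer"] = issuer(host)
    except OSError as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def failing_hosts(results):
    """Hosts that did not pass every check, i.e. what goes into the firewall/DNS request."""
    return [r["host"] for r in results if r["error"] is not None]


if __name__ == "__main__":
    results = [probe(h) for h in ENDPOINTS]
    for r in results:
        print(r)
    print("needs attention:", failing_hosts(results) or "none")
```

Run it on the host the add-on will run from; a `gaierror` points at DNS, a timeout at the outbound 443 rule, and an unexpected issuer at an inspection device that needs a bypass for these two hosts.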


Azure AD – Application Registration

Step 1: Sign In to Azure Portal

  1. Sign in to the Azure portal.

  2. Navigate to:

    Microsoft Entra ID → App registrations
  3. Select New registration.

Step 2: Create the Application

Configure the application:

Setting                   Value
Name                      <Application Name>, for example UXM - Microsoft Graph Integration
Supported account types   Accounts in this organizational directory only (Single tenant)
Redirect URI              Not required

Select Register.

Step 3: Record Application Details

After registration, note the following values:

Value                     Description
Application (client) ID   Used by the integration
Directory (tenant) ID     Azure tenant identifier

These values will be required when configuring the integration.

Step 4: Assign Microsoft Graph Permissions

  1. Open the newly created application.

  2. Navigate to:

    API permissions
  3. Select Add a permission.

  4. Choose:

    Microsoft Graph
  5. Select:

    Application permissions
  6. Add the following permissions:

Permission         Type
User.Read.All      Application
Reports.Read.All   Application

Step 5: Grant Admin Consent

  1. After adding permissions, select:

    Grant admin consent for <Tenant Name>
  2. Confirm the action.

  3. Verify the status shows:

    Granted for <Tenant Name>

Step 6: Verify Permissions

The API permissions page should display:

Permission         Status
User.Read.All      Granted
Reports.Read.All   Granted

Client Secret

Step 1: Create a Client Secret

  1. Navigate to:

    Certificates & secrets
  2. Under Client secrets, select New client secret.

  3. Configure:

Setting       Example
Description   Integration Secret
Expires       Per organizational policy

  4. Select Add.

Step 2: Copy the Secret Value

Immediately copy and securely store the following:

  • Client Secret Value

Important

The secret value is displayed only once and cannot be retrieved later. If lost, a new secret must be created.

Step 3: Provide Required Configuration Values

The following information is required for the integration:

Configuration Item   Source
Tenant ID            Overview page
Client ID            Overview page
Client Secret        Certificates & secrets
Permissions          User.Read.All, Reports.Read.All

Example Configuration

Tenant ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Client ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Client Secret: ********************************

Splunk Add-on Configuration

After creating the Azure AD Application Registration and Client Secret, configure the Microsoft Entra ID credentials in the Splunk Add-on.

Prerequisites

Before configuring the add-on, ensure you have:

  • Tenant ID
  • Client ID (Application ID)
  • Client Secret
  • Required Microsoft Graph permissions:
    • User.Read.All
    • Reports.Read.All
  • Splunk Add-on installed and accessible in Splunk Web

Configure Account Credentials

  1. Open Splunk Web.

  2. Navigate to:

    Apps → UXM - Microsoft Graph
  3. Open the add-on configuration page.

  4. Select:

    Configuration → Accounts
  5. Click Add Account.

Account Configuration

Populate the fields as follows:

Field           Value
Account Name    Friendly name for the Azure tenant
Tenant ID       Azure AD Tenant ID
Client ID       Azure AD Application (Client) ID
Client Secret   Azure AD Client Secret

Example:

Field           Example
Account Name    Production Tenant
Tenant ID       xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Client ID       xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Client Secret   ********

  6. Select Save.

Credential Storage

The Splunk UCC Framework app stores sensitive credentials using Splunk's secure storage mechanisms.

  • Client secrets are stored as encrypted credentials.
  • Secrets are not displayed after saving.
  • Access to stored credentials is restricted based on Splunk role permissions.

Note

If the client secret expires or is rotated in Azure, the account configuration must be updated with the new secret.


Configure Inputs

Once the account is created, configure one or more data collection inputs.

  1. Navigate to:

    Inputs
  2. Select Create New Input.

  3. Configure the input.

Example:

Field      Value
Name       Azure User Collection
Account    Production Tenant
Interval   3600
Enabled    Yes

  4. Save the input.

The add-on will use the configured account credentials to:

  1. Authenticate using the OAuth 2.0 Client Credentials flow.
  2. Obtain an access token from Microsoft Entra ID.
  3. Query Microsoft Graph APIs.
  4. Ingest data into Splunk.
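The first three of those steps, as an added example in Python that is not part of the original page or the UXM add-on's own code. It builds the token request the OAuth 2.0 Client Credentials grant sends to login.microsoftonline.com, reads the `roles` claim from the returned token to confirm that admin consent really granted User.Read.All and Reports.Read.All, calls Microsoft Graph with the bearer token, and extracts the error code from a failed response so it can be matched against the Troubleshooting section. The `AZURE_*` environment variable names, `SAMPLE_TOKEN` and the helper function names are assumptions of this example; the token and Graph URLs and the permission names come from the page.

```python
# Added example, not part of the original page or the UXM add-on's own code.
# Assumed names: the AZURE_* environment variables, SAMPLE_TOKEN and the helpers.
import base64
import json
import os
import re
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_URL = "https://graph.microsoft.com/v1.0"
REQUIRED_ROLES = {"User.Read.All", "Reports.Read.All"}   # from the permissions table
AADSTS_RE = re.compile(r"AADSTS\d+")


def build_token_request(tenant_id, client_id, client_secret):
    """Step 1: the client credentials grant. Returns (url, form body).
    The .default scope requests every application permission that has been
    admin-consented on the registration; nothing else can be obtained this way."""
    url = TOKEN_URL.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_roles(access_token):
    """Read the 'roles' claim (application permissions) from the token payload.
    Diagnostic only: the signature is not verified, so never use this to authorize."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("roles", []))


def missing_roles(access_token):
    """Required permissions the tenant did not grant (consent missing, or a
    delegated permission was added instead of an application permission)."""
    return REQUIRED_ROLES - token_roles(access_token)


def classify_error(body):
    """Pull the code out of an error body from either endpoint:
    token endpoint: {"error": "invalid_client", "error_description": "AADSTS7000215: ..."}
    Graph:          {"error": {"code": "Authorization_RequestDenied", "message": ...}}"""
    doc = json.loads(body)
    err = doc.get("error")
    if isinstance(err, dict):
        return err.get("code")
    match = AADSTS_RE.search(doc.get("error_description", ""))
    return match.group(0) if match else err


def acquire_token(tenant_id, client_id, client_secret):
    """Step 2: POST the grant and return the bearer token, or raise with the AADSTS code."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)["access_token"]
    except urllib.error.HTTPError as exc:
        raise RuntimeError(f"token request failed: {classify_error(exc.read())}") from exc


def graph_get(access_token, path):
    """Step 3: one Graph call with the bearer token (the add-on does the ingest, step 4)."""
    req = urllib.request.Request(GRAPH_URL + path,
                                 headers={"Authorization": f"Bearer {access_token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        raise RuntimeError(f"Graph call failed: {classify_error(exc.read())}") from exc


# Constructed, unsigned token for the offline demonstration: only one of the two
# required roles is present, which is what a registration with incomplete consent looks like.
SAMPLE_TOKEN = ".".join([
    _b64url_encode(b'{"alg":"none","typ":"JWT"}'),
    _b64url_encode(b'{"aud":"https://graph.microsoft.com","roles":["User.Read.All"]}'),
    "",
])

if __name__ == "__main__":
    creds = [os.environ.get(k) for k in ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")]
    if all(creds):
        token = acquire_token(*creds)
        print("missing roles:", missing_roles(token) or "none")
        print(graph_get(token, "/users?$top=1&$select=id,userPrincipalName"))
    else:
        print("offline demo, roles in constructed token:", token_roles(SAMPLE_TOKEN))
        print("missing:", missing_roles(SAMPLE_TOKEN))
```

The roles check is the quickest way to tell the two failure modes in the Troubleshooting section apart: a token that is issued but carries no `roles` (consent not granted, or a delegated permission chosen by mistake) leads to Authorization_RequestDenied on the Graph call, whereas a wrong secret or ID fails at the token endpoint with an AADSTS code before any token exists. Keep the secret in the environment or the add-on's credential store as the page describes; the example never writes it anywhere.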

Verify Connectivity

After saving the account and input configuration:

  1. Verify the input status is enabled.
  2. Review the add-on logs for successful authentication.
  3. Confirm events are being indexed.

Common log messages include:

Successfully acquired Microsoft Graph access token
Successfully connected to Microsoft Graph API

Troubleshooting

Insufficient Privileges

Error:

Authorization_RequestDenied

Resolution:

  • Verify User.Read.All and Reports.Read.All permissions are assigned.
  • Ensure Admin Consent has been granted.

Invalid Client Secret

Error:

AADSTS7000215: Invalid client secret provided

Resolution:

  • Verify the correct client secret value was copied.
  • Confirm the secret has not expired.
  • Generate a new secret if necessary.

Invalid Tenant or Client ID

Error:

AADSTS700016: Application not found

Resolution:

  • Verify the Tenant ID and Client ID values.
  • Confirm the application registration exists in the target tenant.