Overview
If your Microsoft 365 Cloud Connector is offline (red status) and shows an error message such as "Insufficient Permissions" or "Invalid Credentials," we recommend reviewing the full error message in Report Builder. The details there help you identify which of these common scenarios applies and which resolution steps are needed:
- The client secret has expired and must be rotated to a new secret, which is a requirement for secure app access in the integration with Microsoft.
Note: Blumira also generates a finding for this error as soon as the expiration is detected.
- During the setup of the Cloud Connector, someone mistakenly skipped the step for turning on auditing in the Microsoft compliance portal, or it has since been turned off in Microsoft.
- The Tenant ID used during the configuration was incorrect or no longer exists.
Recommended: Starting with a new Cloud Connector is the fastest way to re-establish logging and ensure the correct credentials are in place for a secure connection, especially when the exact problem is not clear from the error messages.
Before you begin
This article assumes you have already registered the app in Microsoft Entra that is used by the Blumira integration. If the app no longer exists, you should instead complete the procedure in Integrating with Microsoft 365, which includes creating a new app registration in Microsoft Entra.
If the failing Blumira Cloud Connector is associated with a Microsoft tenant you no longer manage, you can delete the Cloud Connector (Settings > Cloud Connectors > Edit Cloud Connector).
Reviewing error message details in Blumira System logs
To see the full details of the error messages from your Cloud Connector, you can run a report in Report Builder by doing the following:
- In Blumira, navigate to Reporting > Report Builder.
- In Data Sources, select Blumira System.
- Click Edit Report and then click Add Filter to add optional filters. For example:
  - message contains error
  - device_address contains 365
- Click Submit.
- Review the message column to see the full error message in each log.
Fixing the error
There may be more than one message that explains the error state for your Cloud Connector. This table explains some of those errors and what to do in each scenario:
Error Message Contains | Possible Solution
--- | ---
Failed to obtain auth token or start subscriptions. Error: Failed to obtain o365 auth token. Error: AADSTS7000222: The provided client secret keys for app <UUID> are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds. | Regenerate your Client Secret value in Microsoft, then update the value in your Cloud Connector.
Failed to obtain auth token or start subscriptions. Error: Failed to subscribe. Error: Please make sure that Unified Audit Logging is enabled: https://blumira.help/365 Error: Failed to get list of subscriptions. Error: Status code 401. | Confirm that Unified Audit Logging is enabled (see Turn on auditing in the Microsoft compliance portal below).
Error code: AF10001, error message: The permission set () sent in the request does not include the expected permission. | Complete Steps 1 - 8 in Updating your Microsoft credentials.
Application with identifier '<UUID>' was not found in the <TENANT>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. | Update your Microsoft credentials and create a new Cloud Connector.
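The messages in the table are distinctive enough to triage automatically. The script below is an added example (not Blumira's code) that runs a small rule set over constructed sample lines shaped like the message column of a Blumira System report filtered on "error"; the app ID and tenant name in the samples are made up, and the rule order (specific Microsoft error codes before the generic 401 check) is the author's choice.

```python
import re
from typing import Optional

# Constructed sample lines shaped like the "message" column of a Blumira System
# report filtered on "error". The app ID and tenant name are made up; the last
# line is a healthy message that should not be flagged.
SAMPLE_MESSAGES = [
    "Failed to obtain auth token or start subscriptions. Error: Failed to obtain "
    "o365 auth token. Error: AADSTS7000222: The provided client secret keys for app "
    "11111111-2222-3333-4444-555555555555 are expired. Visit the Azure portal to "
    "create new keys for your app: https://aka.ms/NewClientSecret, or consider using "
    "certificate credentials for added security: https://aka.ms/certCreds.",
    "Failed to obtain auth token or start subscriptions. Error: Failed to subscribe. "
    "Error: Please make sure that Unified Audit Logging is enabled: "
    "https://blumira.help/365 Error: Failed to get list of subscriptions. "
    "Error: Status code 401.",
    "Error code: AF10001, error message: The permission set () sent in the request "
    "does not include the expected permission.",
    "Application with identifier '11111111-2222-3333-4444-555555555555' was not found "
    "in the directory 'example-tenant'. This can happen if the application has not been "
    "installed by the administrator of the tenant or consented to by any user in the "
    "tenant. You may have sent your authentication request to the wrong tenant.",
    "Started subscription for content type Audit.General.",
]

# Ordered rules: (category, regex the message must match, remediation).
# The first matching rule wins, so the specific Microsoft error codes are
# listed before the generic "401 / audit logging" check.
RULES = [
    ("expired_client_secret",
     re.compile(r"AADSTS7000222|client secret keys .* are expired"),
     "Regenerate the client secret in Microsoft Entra and update the Cloud Connector."),
    ("missing_api_permission",
     re.compile(r"AF10001|does not include the expected permission"),
     "Check API permissions and admin consent on the app registration (steps 1-8)."),
    ("app_not_found_in_tenant",
     re.compile(r"Application with identifier .* was not found"),
     "Verify the Tenant ID; update credentials and create a new Cloud Connector."),
    ("audit_logging_disabled",
     re.compile(r"Unified Audit Logging is enabled|Status code 401"),
     "Turn on auditing in the Microsoft compliance/Purview portal and wait for it to take effect."),
]

UUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


def classify(message: str) -> dict:
    """Map one Blumira System message to a failure category and remediation.

    Returns {"category", "remediation", "app_id"}. Unrecognized messages get the
    category "unrecognized" so they are surfaced rather than silently dropped.
    """
    app_id: Optional[str] = None
    m = UUID_RE.search(message)
    if m:
        app_id = m.group(0).lower()  # the app (client) ID named in the error, if any
    for category, pattern, remediation in RULES:
        if pattern.search(message):
            return {"category": category, "remediation": remediation, "app_id": app_id}
    return {"category": "unrecognized", "remediation": None, "app_id": app_id}


def triage(messages) -> list:
    """Classify a batch of messages and drop healthy (non-error) lines.

    A line is kept when it matches a known rule or at least mentions "error",
    mirroring the "message contains error" filter used in Report Builder.
    """
    results = []
    for msg in messages:
        verdict = classify(msg)
        if verdict["category"] != "unrecognized" or "error" in msg.lower():
            results.append({"message": msg, **verdict})
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_MESSAGES):
        print(f"{row['category']:<26} app={row['app_id']}  -> {row['remediation']}")
```

Unrecognized lines that still contain "error" are kept with no remediation so that a new failure mode is noticed rather than hidden; extend RULES when you learn what such a line means.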
Turn on auditing in the Microsoft compliance portal
To ensure that Microsoft auditing is enabled, do one of the following:
- If you use Microsoft Compliance, log in to https://compliance.microsoft.com/auditlogsearch and click Start recording user and admin activity.
- If you use Microsoft Purview, log in to https://purview.microsoft.com/ and navigate to Audit then click Start recording user and admin activity.
Note: Audit logs must be searchable before the integration can be configured. It can take from 60 minutes to 72 hours for the change to take effect in Microsoft and for logs to become accessible. Your Cloud Connector may continue to show an error while the audit change is processing and the audit log search options are inactive, as in the image below.
Updating your Microsoft credentials
To gather your Microsoft credentials and update your Blumira Cloud Connector, do the following:
- Log in to the Azure management portal as a Global Admin.
- Select Microsoft Entra ID.
- Select the tenant that is associated with the Blumira account you want to send logs to. If you only have a single tenant, continue to the next step.
- Click App registrations.
- In the applications list, select your Blumira integration.
- Copy and save the Application (client) ID and the Directory (tenant) ID to be used in later steps.
- In the left-hand menu, click API Permissions.
- Verify that permissions have been granted along with admin consent (green checkmark in the status column) for the following APIs:
- Microsoft Graph API, which requires "User.Read.All" access
- Office 365 Management API, which requires "ActivityFeed.Read" and "ActivityFeed.ReadDlp" access.
- If admin consent is not granted (displays a warning icon), click Grant admin consent above the API Permissions table.
- In the left-hand menu, click Certificates & secrets.
- Click New client secret.
- In the Description box, type a descriptive name (e.g., Blumira sensor).
- Next to Expires, select an expiration timeframe up to 24 months for this client secret.
Important: The integration will fail when the client secret expires, so ensure that you set a reminder to update it in Microsoft and in Blumira before the chosen expiration date.
- Click Add.
- Under Client secrets, in the Value column, copy the client secret value for the Blumira integration, which you will use in later steps.
Important: Do not copy the Secret ID, which will not work for the integration.
- In Blumira, navigate to Settings > Cloud Connectors.
- Click Add Cloud Connector.
- In the Available Cloud Connectors window, click Microsoft 365.
- In the Cloud Connector Name box, type a name to help identify the specific integration.
- Enter the credentials that you collected in the previous steps.
- Click Connect.
- To delete the failing connector, open the Edit Cloud Connector details window for the broken connector, then click Remove.
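Because the secret's expiration date is the most common cause of the outage, it is worth checking it before the reminder fires rather than waiting for the AADSTS7000222 error. The script below is an added example (not Blumira's or Microsoft's code) that evaluates a constructed record shaped like the Microsoft Graph response for GET /applications/{object-id} with the passwordCredentials field; only the fields it uses are included and every value is made up. The 30-day warning window is the author's assumption.

```python
from datetime import datetime, timezone

# Constructed excerpt shaped like the Microsoft Graph response for
# GET /applications/{object-id}?$select=displayName,appId,passwordCredentials
# Only the fields used below are included; every value is made up.
APP_RECORD = {
    "displayName": "Blumira sensor",
    "appId": "11111111-2222-3333-4444-555555555555",
    "passwordCredentials": [
        {"displayName": "Blumira sensor 2023",
         "keyId": "aaaaaaaa-0000-0000-0000-000000000001",
         "endDateTime": "2024-01-15T00:00:00Z"},
        {"displayName": "Blumira sensor 2025",
         "keyId": "aaaaaaaa-0000-0000-0000-000000000002",
         "endDateTime": "2025-06-20T00:00:00Z"},
        {"displayName": "Blumira sensor 2026",
         "keyId": "aaaaaaaa-0000-0000-0000-000000000003",
         "endDateTime": "2026-03-01T00:00:00Z"},
    ],
}


def parse_graph_datetime(value: str) -> datetime:
    """Parse a Graph ISO 8601 UTC timestamp with a trailing 'Z'.

    datetime.fromisoformat only accepts 'Z' from Python 3.11, so normalise it.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def secret_status(app: dict, now: datetime, warn_days: int = 30) -> list:
    """Return one entry per client secret with days_left and a state.

    state is 'expired' (past endDateTime), 'expiring' (within warn_days) or 'ok'.
    keyId is the Secret ID shown in the portal: it identifies the secret but is
    not the secret value the Cloud Connector needs.
    """
    report = []
    for cred in app.get("passwordCredentials", []):
        end = parse_graph_datetime(cred["endDateTime"])
        days_left = (end - now).days  # negative once the secret has expired
        if days_left < 0:
            state = "expired"
        elif days_left <= warn_days:
            state = "expiring"
        else:
            state = "ok"
        report.append({
            "displayName": cred.get("displayName"),
            "keyId": cred.get("keyId"),
            "endDateTime": cred["endDateTime"],
            "days_left": days_left,
            "state": state,
        })
    return report


def needs_rotation(app: dict, now: datetime, warn_days: int = 30) -> bool:
    """True when no secret on the registration is comfortably valid."""
    return not any(s["state"] == "ok" for s in secret_status(app, now, warn_days))


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for s in secret_status(APP_RECORD, now):
        print(f"{s['state']:<9} {s['days_left']:>5}d  {s['displayName']}  (keyId {s['keyId']})")
    print("rotation needed:", needs_rotation(APP_RECORD, now))
```

The report lists the Secret ID (keyId) only so you can tell secrets apart in the portal; the secret value itself is never returned by Graph after creation, which is why a new secret must be created and its Value copied into the Cloud Connector.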