cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Hi,

Has anyone been experiencing issues connecting to O365 lately? My one customer keeps getting Inventory gathering failed. Error: The remote server returned an error: (403) Forbidden. I regenerated the token but keep getting a 403. I test the connection and it is showing success. Anyone else experiencing the same?

(1) Solution
The adapter must be granted permissions to access the Microsoft data. The application requires read only access to this data.
The change that Microsoft has announced requires that the individual account granting our adapter the read only access must now have an elevated privilege.
This does not impact the application's read only permissions. We don't store the grantor's credentials either. 
Customers should follow Microsoft's guidance on the elevated privilege for the grantor and obtain a new refresh token from the elevated account for the adapter to continue functioning.  
 

View solution in original post

(32) Replies

I also want to add it is failing on Usage.

Failed to execute Reader 'Get Usage from Office 365 Exchange' from file C:\ProgramData\Flexera Software\Compliance\ImportProcedures\Inventory\Reader\microsoft 365\Usage.xml, at step line 1
Error: The remote server returned an error: (403) Forbidden.
2019-12-19 12:20:11,622 [INFO ] All retries have been attempted for Reader 'Get Usage from Office 365 Exchange'

Hi Steven,

Not completely sure, but I believe one of my customer got rid if this by removing existing connections and cretaing new ones.

It took some manual effort to then:

  • remove the data related to the old connection(s) (ImportedSoftwareLicense, ImportedUser, ImportedSoftwareLicenseAllocation)
  • relink the new ImportedSoftwareLicenses to existing SoftwareLicense
  • remove SoftwareLicenses created by the new connection(s)

Best regards,

Markward

This just started happening on Monday. This has been working great ever since they came out with the new connector. Now it stopped working. That may be a workaround, but that is unacceptable.

Erick Hacking, CSAM, CHAMP
IT Software Asset Manager, Lead Sr.

Mine also started Monday.

Hi @steven_donovan1 

We experienced the same errors and found the issue in the Graph API that it do a redirect to other URL's.

We used the proxy configuration in the Powershell GUI for the connector

In addition to that we added the following URL's

https://reports.office.com

https://reportsweu.office.com

To read more have a look at

https://docs.microsoft.com/en-us/graph/api/reportroot-getoffice365activeuserdetail

Same error here, also started on the morning of the 19th.

Yes!!!

I'm using the new connector. I renewed my token (three times). And I keep getting the same error! I have a case open. 01962481

Erick Hacking, CSAM, CHAMP
IT Software Asset Manager, Lead Sr.
mfranz
By Level 17 Champion
Level 17 Champion

Checked my test environment. 403 since yesterday.

To get things working until this is ultimatively resolved, I removed the Usage.xml line from the readerV3.config. No usage data, but the rest of the reader and complianc eimport is working again.

ours stopped working as well - is there a hotfix on the way from Flexera?

All, 

Is this on-prem or cloud implementations? 

@BradAkers I have a couple of cloud customers having this issue.

Hi @BradAkers 

Facing this issue in cloud solution for one of the customer from November.

Regards

@winvarma 

Please follow @NancyA's advise above including the link to the relevant Microsoft article providing guidance regarding authorization.

Thanks,

@mfranz I remember that trick with the depreciated adapter.

@mfranz  for cloud do we have to copy the file and move it to the object adapter folder. I tried commenting the line out but it switched back.

All:

It looks like Microsoft has unexpectedly changed the Graph API that we use and in order to have access to the Software Usage report, accounts must now have a higher level of privilege, which is why your Office 365 connections are failing on the "gathering usage" step.

The following update was posted by Microsoft on December 17.  Flexera will need to research this and determine the best way to remediate.

https://docs.microsoft.com/en-us/graph/reportroot-authorization

The adapter must be granted permissions to access the Microsoft data. The application requires read only access to this data.
The change that Microsoft has announced requires that the individual account granting our adapter the read only access must now have an elevated privilege.
This does not impact the application's read only permissions. We don't store the grantor's credentials either. 
Customers should follow Microsoft's guidance on the elevated privilege for the grantor and obtain a new refresh token from the elevated account for the adapter to continue functioning.  
 

When I look in Azure at Permissions & Consent for FlexNet Beacon I see that Microsoft Graph has the following:

API Name                Type              Permission                                                                                         Granted through
Microsoft Graph   Delegated   Read directory data                                                                       Admin consent
Microsoft Graph   Delegated   Read all usage reports                                                                  Admin consent
Microsoft Graph   Delegated   Maintain access to data you have given it access to       Admin consent
Microsoft Graph   Delegated   Read directory data                                                                       User consent
Microsoft Graph   Delegated   Read all usage reports                                                                  User consent
Microsoft Graph   Delegated   Maintain access to data you have given it access to       User consent

What am I missing? What else needs to happen? I'm not an Azure expert.

Erick Hacking, CSAM, CHAMP
IT Software Asset Manager, Lead Sr.