We are trying to implement the Office 365 adapter in Flexera FNMS 2019 R2. In the Flexera beacon UI, it shows as imported successfully. But when checking in the Flexera portal (Flexera >> System Tasks), it shows as an error. We have downloaded the logs as well. Please find the attached screenshots. Please help us to sort out this issue.
The log shows the following error details, with exactly 30 seconds between the two lines of logging:
2020-09-24 17:38:50,046 [INFO ] Reading 'Usage' data from 'Flexera_O365' (ver 1.0) data source
2020-09-24 17:38:50,046 [INFO ] Get Usage from Office 365 Exchange (Transfer data from source 'Flexera_O365' to FNMP)
2020-09-24 17:39:20,330 [INFO ] Failed to execute Reader 'Get Usage from Office 365 Exchange' from file C:\ProgramData\Flexera Software\Compliance\ImportProcedures\Inventory\Reader\microsoft 365\Usage.xml, at step line 1 Error: The underlying connection was closed: An unexpected error occurred on a send.
A common cause of this sort of behavior is having a web proxy or other device between your beacon and the Internet which breaks connections after a period of time (it looks like 30 seconds in your case). That would likely be something to explore with the network team in your organization.
Thanks for your update. We have checked with our Network team, and confirmed that there is no firewall / proxy set between the beacon server and Office 365. Please let us know of any other solution or possibility for this issue.
Otherwise you probably miss access rights to the Reports API that hides behind the Graph API.
The generated refresh token can only be used to access data that user sees and consents to during the token generation process, which is offline read-only access to Active Directory and Reports (directory.read.all, reports.read.all, and offline_access). Offline means the FlexNet Beacon can connect and get data from Office 365 at schedule run without user actually signing in.
The Logon Account that you are using to generate the Security Token must have the following roles:
1) Reports Reader
2) Cloud Application Administrator
Without those roles, the Security Token will not have all of the permissions for the Graph API calls that FlexNet uses into the portal.
In the past, we have seen a different error when the roles were missing. However, since the usage is failing quickly as per your logs, it will be important to check if you have the minimum roles provided to the user who generated the RefreshToken.
I believe it may still fail even if you have the highest permissions in Azure AD. To get the usage information from Office 365 it's the Reports API hidden behind Graph API that produces the details. Easiest is to add the "Reports Reader".
But in the dialog where you consent on behalf of your organisation, you will also see if you get the correct access rights.
That's when you have clicked Generate and entered the Azure credentials, and a dialog box pops up listing rights and a check box for consent.
If Reports is not listed in that dialogue box, then you lack permissions to generate a fully working token.
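The same check can be made on an issued token rather than in the consent dialog. The following is an added example, not part of the original thread and not Flexera code: it assumes you have an access token issued to the same account, that the token is a JWT, and that its delegated scopes appear in the `scp` claim; the helper names and the sample tokens are constructed for illustration.

```python
import base64
import json

# Delegated Graph scopes the thread says the token must carry.
# offline_access concerns refresh-token issuance, so it is not checked here.
REQUIRED_SCOPES = {"directory.read.all", "reports.read.all"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    Diagnostic use only: never base a trust decision on this output."""
    parts = access_token.split(".")
    if len(parts) != 3:
        # An opaque string (such as a refresh token) cannot be inspected.
        raise ValueError("not a three-part JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def missing_scopes(access_token: str) -> set:
    """Scopes from REQUIRED_SCOPES that are absent from the 'scp' claim."""
    granted = token_claims(access_token).get("scp", "")
    return REQUIRED_SCOPES - {s.lower() for s in granted.split()}


def make_sample_token(scp: str) -> str:
    """Build a constructed, unsigned sample token for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "scp": scp}
    return ".".join([enc(header), enc(payload), "constructed-signature"])


if __name__ == "__main__":
    full = make_sample_token("Directory.Read.All Reports.Read.All")
    partial = make_sample_token("Directory.Read.All User.Read")
    print("full consent:", missing_scopes(full) or "nothing missing")
    print("no Reports  :", missing_scopes(partial))
```

A non-empty result means the consent did not cover that scope, so the account's roles should be corrected and a new token generated.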
@AnnaMarkose -That may still not provide the correct credentials. When you log in to your O365 Portal to generate the token, the account that you use MUST be assigned to the following 2 roles (see the attached image):
1) Cloud Application Administrator
2) Reports Reader
@AnnaMarkose : And the Reports Reader role is a must. By that I mean, the user's Global Admin or Cloud Application Administrator role may be taken away once the token is generated, but the Report Reader role should always be assigned to the user, even after the generation of the token. Without that, the Usage step will always fail.
@AnnaMarkose - After you assigned this role, did you generate a new Security Token? Remember that the beacon authenticates to the Office 365 API using the Security Token, not that logon account. The logon account is used one time to generate the Security Token that has the required privileges.
@AnnaMarkose: Please try this test as well from the Beacon machine.
1.) Log on to https://developer.microsoft.com/en-us/graph/graph-explorer using the same credentials that were supplied on the Beacon connection to generate the refresh token.
2.) Call this API - https://graph.microsoft.com/v1.0/reports/getOffice365ActiveUserDetail(period='D90'). More information about this API can be found here: https://docs.microsoft.com/en-us/graph/api/reportroot-getoffice365activeuserdetail.
3.) Check the response code after you call the API. If you see a response code 200, then you are good. However, if you see any other response code, then you are running into some network issues on your end.
Hope this helps.
@AnnaMarkose - If the Logon Account you are using to generate the Security Token has both the Reports Reader and the Cloud Admin role, you should be good to go. If you are still getting an error, then there is likely some issue in your environment causing the failure, such as a Firewall/Proxy Server.
If possible, please perform the troubleshooting steps outlined by @Alpesh, and if you have not, please provide a Support Ticket.
Perhaps other Community Members have additional suggestions.
When this is resolved, please post the solution on this thread so that other members of the community can use this solution.
Please find the troubleshooting steps we have done so far.
1) Generated the token using an Azure AD account which has global admin privilege and the 'reports reader' role.
2) Confirmed that there is no firewall/proxy blocking between the beacon server and Office 365.
3) Tried the solution mentioned in the knowledge article mentioned below. When we removed the usage line from the 'ReaderV3.config' file and tried to execute the task, the readerV3.config file got replaced with its previous version and the changes we made were reverted.
Still the issue is there. Please let me know if we have any other troubleshooting techniques for this. Thank you so much for your help and support.
Thanks for your support. We have got our issue fixed. The below mentioned knowledge article has provided the solution. We have removed the usage line from the 'ReaderV3.config' file on our Application server as well as on the Beacon server. Requesting your help on how the consumption of O365 licenses can be fetched from the FNMS console.