A new Flexera Community experience is coming on November 25th. Click here for more information.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Office 365 adapter implementation for Flexera FNMS 2019 R2 Error in Flexera portal-System Tasks

Hi there,

We are trying to implement Office 365 adapter in Flexera FNMS 2019 R2.  From Flexera beacon UI, it is showing as imported successfully. But while checking in Flexera portal(Flexera >> System Tasks)  it is showing as error. We have downloaded  the logs as well. Please find the attached screenshots. Please help us to sort out this issue.

(1) Solution
(21) Replies
ChrisG
By Community Manager Community Manager
Community Manager

The log shows the following error details, with exactly 30 seconds between the two lines of logging:

2020-09-24 17:38:50,046 [INFO ] Reading 'Usage' data from 'Flexera_O365' (ver 1.0) data source
2020-09-24 17:38:50,046 [INFO ] Get Usage from Office 365 Exchange (Transfer data from source 'Flexera_O365' to FNMP)
2020-09-24 17:39:20,330 [INFO ] Failed to execute Reader 'Get Usage from Office 365 Exchange' from file C:\ProgramData\Flexera Software\Compliance\ImportProcedures\Inventory\Reader\microsoft 365\Usage.xml, at step line 1
Error: The underlying connection was closed: An unexpected error occurred on a send.

A common cause of this sort of behavior is having a web proxy or other device between your beacon and the Internet which breaks connections after a period of time (it looks like 30 seconds in your case). That would likely be something to explore with the network team in your organization.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

Hi Chris,

Thanks for your update. We have checked with our Network team, and confirmed that there is no firewall / proxy set between beacon server and office 365. Please let us know, any other solution or possibility for this issue.

My guess is that you missout the reports.read.all permission, if you are really sure that you do not have a firewall/proxy.
Otherwise you propably miss access rights to reports api that hides behind graph api

The generated refresh token can only be used to access data that user sees and consents to during the token generation process, which is offline read-only access to Active Directory and Reports (directory.read.all, reports.read.all, and offline_access). Offline means the FlexNet Beacon can connect and get data from Office 365 at schedule run without user actually signing in.

@AnnaMarkose - Yes, I agree with @AnnaMarkose, this is like a permissions issue.

The Logon Account that you are using to generate the Security Token must have the following roles:

1) Reports Reader

2) Cloud Application Administrator

Without those roles, the Security Token will not have all of the permissions for the Graph API calls that FlexNet uses into the portal.

In the past, we have seen a different error when the roles were missing. However, since the usage is failing quickly as per your logs, it will be important to check if you have the minimum roles provided to the user who generated the RefreshToken.

Hi @Alpesh ,

Thanks for the update. We have used an Azure AD account with global admin privilege. As it is the highest privilege it will work right? Please help us with your thoughts.

Hi @kclausen ,

Thanks for the update. We have used an Azure AD account with global admin privilege. As it is the highest privilege it will work right? Please help us with your thoughts.

Hi @mag00_75 ,

Thanks for the update. We have used an Azure AD account with global admin privilege. As it is the highest privilege it will work right? Please help us with your thoughts.

Hi @AnnaMarkose 

I believe it may still fail even if you have the highest permissions in Azure AD. To get the usage information from Office 365 it's the Reports API hidden behind Graph API that produce the details. Easiest is to add the "Reports Reader".

But in the dialog where you consent on behalf of your organsiation, you will also see if you get the correct access rights.
Thats when you have clicked Generate, entered the Azure credentials, a dialog box pop-up listing rights and a check box for consent.

If Reports is not listed in that dialogue box, then you lack permissions to generate a fully working token.

Hi @mag00_75 ,

We have tagged the 'reports reader' role to the account and still we are getting the same error. Please find the attached error log. Please help.

@AnnaMarkose -That may still not provide the correct credentials.  When you log in to your O365 Portal to generate the token, the account that you use MUST be assigned to the following 2 roles (see the attached image):

1) Cloud Application Administrator

2) Reports Reader

 

 

@AnnaMarkose : And the Reports Reader role is a must. By that I mean, the user's Global Admin or Cloud Application Administrator role may be taken away once the token is generated, but the Report Reader role should always be assigned to the user, even after the generation of the token. Without that, the Usage step will always fail. 

Hi @Alpesh ,

We have tagged the 'Reports Reader' role to the account and still we are getting the same error. Please help. Attached the recent error logs.

Hi @kclausen ,

We have tagged the 'Reports Reader' role to our global admin account and still we are having the same issue. Please help us to resolve this issue.

@AnnaMarkose - After you assigned this role, did you generate a new Security Token?  Remember that the beacon authenticates to the Office 365 API using the Security Token, not that logon account.  The logon account is used 1-time to generate the Security Token that has the required priviledges.

@AnnaMarkose: Please try this test as well from the Beacon machine. 

1.) Logon to https://developer.microsoft.com/en-us/graph/graph-explorer using the same credentials that were supplied on the Beacon connection to generate the refresh token

2.) Call this API - https://graph.microsoft.com/v1.0/reports/getOffice365ActiveUserDetail(period='D90'). More information about this API can be found here: https://docs.microsoft.com/en-us/graph/api/reportroot-getoffice365activeuserdetail.

3.) Check the response code after you call the API. If you see a response code 200, then you are good. However, if you see any other response code, then you are running into some network issues on your end.

Hope this helps.

Thanks!

Yes @kclausen , we have regenerated the token and still we are having the same issue.

@AnnaMarkose - If the Logon Account you are using to generate the Security Token has both the Reports Reader and the Cloud Admin role, you should be good to go.  If you are still getting an error, then there is likely some issue in your environment causing the failure, such as a Firewall/Proxy Server.

If possible, please perform the troubleshooting steps outlined by @Alpesh, and if you have not please provide a Support Ticket.

Perhaps other Community Members have additional suggestions.

When this is resolved, please post the solution on this thread so that other members of the community can use this solution.

Hi @kclausen and @Alpesh ,

Please find the troubleshooting  steps we have done so far.

1) Generated the token using an Azure AD account which is having global admin privilege and 'reports reader' role.

2) Confirmed that there is no firewall/proxy blocking between beacon server and Office 365.

3) Tried the solution mentioned in the knowledge article mentioned below. When we have removed the usage line from the 'ReaderV3.config' file and tried to execute the task, the readerV3.config file got replaced to its previous version and the changes done got reverted back.

Knowledge Article: 

https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/Office-365-import-is-failing-during-...

Still the issue is there. Please let me know if we have any other troubleshooting techniques for this. Thank you so much for your help and support.

shooting 

Hi All,

Thanks for your support. We have got our issue fixed. The below mentioned knowledge article has provided the solution. We have removed the usage line from the 'ReaderV3.config' file in our Application server as well as in the Beacon server. Requesting your help on how the consumption of O365 licenses can be fetched from FNMS console .