We are trying to implement Office 365 adapter in Flexera FNMS 2019 R2. From Flexera beacon UI, it is showing as imported successfully. But while checking in Flexera portal(Flexera >> System Tasks) it is showing as error. We have downloaded the logs as well. Please find the attached screenshots. Please help us to sort out this issue.
Sep 24, 2020 04:15 AM
Oct 08, 2020 09:20 PM
The log shows the following error details, with exactly 30 seconds between the two lines of logging:
2020-09-24 17:38:50,046 [INFO ] Reading 'Usage' data from 'Flexera_O365' (ver 1.0) data source 2020-09-24 17:38:50,046 [INFO ] Get Usage from Office 365 Exchange (Transfer data from source 'Flexera_O365' to FNMP) 2020-09-24 17:39:20,330 [INFO ] Failed to execute Reader 'Get Usage from Office 365 Exchange' from file C:\ProgramData\Flexera Software\Compliance\ImportProcedures\Inventory\Reader\microsoft 365\Usage.xml, at step line 1 Error: The underlying connection was closed: An unexpected error occurred on a send.
A common cause of this sort of behavior is having a web proxy or other device between your beacon and the Internet which breaks connections after a period of time (it looks like 30 seconds in your case). That would likely be something to explore with the network team in your organization.
Sep 24, 2020 04:26 AM
Thanks for your update. We have checked with our Network team, and confirmed that there is no firewall / proxy set between beacon server and office 365. Please let us know, any other solution or possibility for this issue.
Sep 25, 2020 09:27 AM
Sep 25, 2020 11:16 AM
The Logon Account that you are using to generate the Security Token must have the following roles:
1) Reports Reader
2) Cloud Application Administrator
Without those roles, the Security Token will not have all of the permissions for the Graph API calls that FlexNet uses into the portal.
Sep 25, 2020 11:44 AM
In the past, we have seen a different error when the roles were missing. However, since the usage is failing quickly as per your logs, it will be important to check if you have the minimum roles provided to the user who generated the RefreshToken.
Sep 25, 2020 01:56 PM
I believe it may still fail even if you have the highest permissions in Azure AD. To get the usage information from Office 365 it's the Reports API hidden behind Graph API that produce the details. Easiest is to add the "Reports Reader".
But in the dialog where you consent on behalf of your organsiation, you will also see if you get the correct access rights.
Thats when you have clicked Generate, entered the Azure credentials, a dialog box pop-up listing rights and a check box for consent.
If Reports is not listed in that dialogue box, then you lack permissions to generate a fully working token.
Sep 29, 2020 12:39 AM
@AnnaMarkose -That may still not provide the correct credentials. When you log in to your O365 Portal to generate the token, the account that you use MUST be assigned to the following 2 roles (see the attached image):
1) Cloud Application Administrator
2) Reports Reader
Sep 29, 2020 07:17 AM
@AnnaMarkose : And the Reports Reader role is a must. By that I mean, the user's Global Admin or Cloud Application Administrator role may be taken away once the token is generated, but the Report Reader role should always be assigned to the user, even after the generation of the token. Without that, the Usage step will always fail.
Sep 29, 2020 04:35 PM
@AnnaMarkose - After you assigned this role, did you generate a new Security Token? Remember that the beacon authenticates to the Office 365 API using the Security Token, not that logon account. The logon account is used 1-time to generate the Security Token that has the required priviledges.
Oct 05, 2020 06:42 AM
@AnnaMarkose: Please try this test as well from the Beacon machine.
1.) Logon to https://developer.microsoft.com/en-us/graph/graph-explorer using the same credentials that were supplied on the Beacon connection to generate the refresh token
2.) Call this API - https://graph.microsoft.com/v1.0/reports/getOffice365ActiveUserDetail(period='D90'). More information about this API can be found here: https://docs.microsoft.com/en-us/graph/api/reportroot-getoffice365activeuserdetail.
3.) Check the response code after you call the API. If you see a response code 200, then you are good. However, if you see any other response code, then you are running into some network issues on your end.
Hope this helps.
Oct 06, 2020 12:10 AM
@AnnaMarkose - If the Logon Account you are using to generate the Security Token has both the Reports Reader and the Cloud Admin role, you should be good to go. If you are still getting an error, then there is likely some issue in your environment causing the failure, such as a Firewall/Proxy Server.
If possible, please perform the troubleshooting steps outlined by @Alpesh, and if you have not please provide a Support Ticket.
Perhaps other Community Members have additional suggestions.
When this is resolved, please post the solution on this thread so that other members of the community can use this solution.
Oct 06, 2020 06:37 AM
Please find the troubleshooting steps we have done so far.
1) Generated the token using an Azure AD account which is having global admin privilege and 'reports reader' role.
2) Confirmed that there is no firewall/proxy blocking between beacon server and Office 365.
3) Tried the solution mentioned in the knowledge article mentioned below. When we have removed the usage line from the 'ReaderV3.config' file and tried to execute the task, the readerV3.config file got replaced to its previous version and the changes done got reverted back.
Still the issue is there. Please let me know if we have any other troubleshooting techniques for this. Thank you so much for your help and support.
Oct 07, 2020 10:56 AM
Thanks for your support. We have got our issue fixed. The below mentioned knowledge article has provided the solution. We have removed the usage line from the 'ReaderV3.config' file in our Application server as well as in the Beacon server. Requesting your help on how the consumption of O365 licenses can be fetched from FNMS console .
Oct 08, 2020 09:19 PM