Ms-Graph Multi-Tenancy


wazuh

Mar 17, 2025, 7:50:37 AM
to Wazuh | Mailing List
Hi, I've got Wazuh v4.9.2 and I am trying to test the multi-tenancy for MS-Graph that was introduced in Wazuh 4.8.0 in this pull request: Multiple tenants in ms-graph by lsayanes · Pull Request #19064 · wazuh/wazuh · GitHub

When I have the ms-graph integration on 2 different managers, both tenants work with no issues. However, when I tried to follow the guide in this 4.8.0 integration, I get the following error on both tenants when Wazuh scans the tenant:

WARNING: Received unsuccessful status code when attempting to get relationship 'alerts_v2' logs: Status code was '403' & response was '{"error":{"code":"Unauthorized","message":"Unauthorized request - Account is not provisioned.","innerError":{"date":"2025-03-14T13:29:07","request-id":"id1","client-request-id":"id2"}}}'

However, what I find weird is that in the official documentation (Microsoft Graph API setup · Wazuh documentation) it says that Graph does not support multi-tenancy (and that's for Wazuh version 4.11.0), whilst the release notes of version 4.8.0 say the opposite. Can anyone give a hand or confirmation on whether multi-tenancy is possible?


Jorest Brice Tankoua Njassep

Mar 19, 2025, 4:47:26 AM
to Wazuh | Mailing List

Hi,

Regarding the 'Unauthorized request - Account is not provisioned' error (403), this typically indicates insufficient permissions or improper account setup. Consult Microsoft forums for detailed troubleshooting steps related to this specific error:

https://learn.microsoft.com/en-us/answers/questions/1470144/regarding-graph-api

wazuh

Mar 19, 2025, 5:31:05 AM
to Wazuh | Mailing List
Thing is, this error from Microsoft usually does not mean what it is supposed to mean. I had this error once too, when unified logging was not enabled on the tenant. But in my specific situation, when I have the setup as such, it works with no problems for both tenants:
<ms-graph>
    <enabled>yes</enabled>
    <only_future_events>no</only_future_events>
    <curl_max_size>10M</curl_max_size>
    <run_on_start>no</run_on_start>
    <interval>1m</interval>
    <version>v1.0</version>
    <api_auth>
      <tenant_id>tenant_1</tenant_id>
      <client_id>client_1</client_id>
      <secret_value>secret_1</secret_value>
      <api_type>global</api_type>
    </api_auth>
    <resource>
      <name>security</name>
      <relationship>alerts_v2</relationship>
      <relationship>incidents</relationship>
    </resource>
</ms-graph>

However, the moment I put in this configuration, both tenants start giving me the error, so I do not see how it could be a permission problem on the Microsoft O365 side:
<ms-graph>
    <enabled>yes</enabled>
    <only_future_events>no</only_future_events>
    <curl_max_size>10M</curl_max_size>
    <run_on_start>no</run_on_start>
    <interval>1m</interval>
    <version>v1.0</version>
    <api_auth>
      <tenant_id>tenant_1</tenant_id>
      <client_id>client_1</client_id>
      <secret_value>secret_1</secret_value>
      <api_type>global</api_type>
    </api_auth>
    <api_auth>
      <tenant_id>tenant_2</tenant_id>
      <client_id>client_2</client_id>
      <secret_value>secret_2</secret_value>
      <api_type>global</api_type>
    </api_auth>
    <resource>
      <name>security</name>
      <relationship>alerts_v2</relationship>
      <relationship>incidents</relationship>
    </resource>
</ms-graph>

Jorest Brice Tankoua Njassep

Mar 21, 2025, 4:33:42 AM
to Wazuh | Mailing List
Hi,
Sorry for the late reply

Try adding 2 <ms-graph> blocks as below:
<!-- second of the two blocks (tenant_2); the first block for tenant_1 has the same settings with its own api_auth values -->
<ms-graph>
    <enabled>yes</enabled>
    <only_future_events>no</only_future_events>
    <curl_max_size>10M</curl_max_size>
    <run_on_start>no</run_on_start>
    <interval>1m</interval>
    <version>v1.0</version>
    <api_auth>
      <tenant_id>tenant_2</tenant_id>
      <client_id>client_2</client_id>
      <secret_value>secret_2</secret_value>
      <api_type>global</api_type>
    </api_auth>
    <resource>
      <name>security</name>
      <relationship>alerts_v2</relationship>
      <relationship>incidents</relationship>
    </resource>
</ms-graph>



wazuh

Mar 21, 2025, 8:00:32 AM
to Wazuh | Mailing List
After this implementation it appears that Wazuh only reads the last configuration. Here is the ossec.log. At 13:25 the Wazuh manager restarted and started using the new configuration. It ignored the tenant1 ms-graph configuration and used the one below, which is for tenant2:

2025/03/21 13:17:23 wazuh-modulesd:ms-graph: INFO: Scanning tenant 'tenant1'
2025/03/21 13:22:23 wazuh-modulesd:ms-graph: INFO: Scanning tenant ' tenant1'
2025/03/21 13:25:22 wazuh-modulesd:ms-graph: INFO: Started module.
2025/03/21 13:25:22 wazuh-modulesd:ms-graph: INFO: Obtaining access token.
2025/03/21 13:25:22 wazuh-modulesd:ms-graph: INFO: Scanning tenant 'tenant2'
2025/03/21 13:30:22 wazuh-modulesd:ms-graph: INFO: Scanning tenant 'tenant2'
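
To check which configured tenants the module is actually scanning, the following Python script (an added example written for this thread, not Wazuh's own code and not from any of the posters) parses the <ms-graph> blocks out of an ossec.conf, pulls the 'Scanning tenant' lines from ossec.log that follow the most recent 'Started module.' line, and reports tenants that are configured but never scanned after the restart. It also flags blocks that carry more than one <api_auth>, the layout that returned the 403 earlier in this thread. The sample configurations and log lines are constructed from the snippets posted above; the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two-block layout suggested in this thread, one <ms-graph> per tenant.
# A real ossec.conf may contain several top-level <ossec_config> elements, so the parser
# wraps the text in a synthetic root before handing it to ElementTree.
SAMPLE_TWO_BLOCKS = """
<ossec_config>
  <ms-graph>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <version>v1.0</version>
    <api_auth>
      <tenant_id>tenant1</tenant_id>
      <client_id>client_1</client_id>
      <secret_value>secret_1</secret_value>
      <api_type>global</api_type>
    </api_auth>
    <resource>
      <name>security</name>
      <relationship>alerts_v2</relationship>
      <relationship>incidents</relationship>
    </resource>
  </ms-graph>
</ossec_config>
<ossec_config>
  <ms-graph>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <version>v1.0</version>
    <api_auth>
      <tenant_id>tenant2</tenant_id>
      <client_id>client_2</client_id>
      <secret_value>secret_2</secret_value>
      <api_type>global</api_type>
    </api_auth>
    <resource>
      <name>security</name>
      <relationship>alerts_v2</relationship>
    </resource>
  </ms-graph>
</ossec_config>
"""

# Constructed sample: one block carrying two <api_auth> entries, the layout that returned 403 above.
SAMPLE_ONE_BLOCK_TWO_AUTH = """
<ossec_config>
  <ms-graph>
    <enabled>yes</enabled>
    <api_auth><tenant_id>tenant1</tenant_id><client_id>c1</client_id><secret_value>s1</secret_value><api_type>global</api_type></api_auth>
    <api_auth><tenant_id>tenant2</tenant_id><client_id>c2</client_id><secret_value>s2</secret_value><api_type>global</api_type></api_auth>
    <resource><name>security</name><relationship>alerts_v2</relationship></resource>
  </ms-graph>
</ossec_config>
"""

# Constructed ossec.log excerpt, following the lines posted in this thread.
SAMPLE_LOG = """\
2025/03/21 13:17:23 wazuh-modulesd:ms-graph: INFO: Scanning tenant 'tenant1'
2025/03/21 13:22:23 wazuh-modulesd:ms-graph: INFO: Scanning tenant ' tenant1'
2025/03/21 13:25:22 wazuh-modulesd:ms-graph: INFO: Started module.
2025/03/21 13:25:22 wazuh-modulesd:ms-graph: INFO: Obtaining access token.
2025/03/21 13:25:22 wazuh-modulesd:ms-graph: INFO: Scanning tenant 'tenant2'
2025/03/21 13:30:22 wazuh-modulesd:ms-graph: INFO: Scanning tenant 'tenant2'
"""

SCAN_RE = re.compile(r"wazuh-modulesd:ms-graph: INFO: Scanning tenant '([^']*)'")


def ms_graph_blocks(conf_text):
    """Return one list of tenant_ids per <ms-graph> block, in file order."""
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    blocks = []
    for block in root.iter("ms-graph"):
        tenants = [t.text.strip() for t in block.findall("api_auth/tenant_id") if t.text]
        blocks.append(tenants)
    return blocks


def blocks_with_multiple_api_auth(conf_text):
    """Indexes of <ms-graph> blocks that hold more than one <api_auth> entry."""
    return [i for i, tenants in enumerate(ms_graph_blocks(conf_text)) if len(tenants) > 1]


def scanned_tenants_since_restart(log_text):
    """Distinct tenants named in 'Scanning tenant' lines after the latest 'Started module.'"""
    seen = set()
    for line in log_text.splitlines():
        if "ms-graph: INFO: Started module." in line:
            seen = set()  # a restart: only scans produced by the current config count
        match = SCAN_RE.search(line)
        if match:
            seen.add(match.group(1).strip())  # the log prints ' tenant1' with a stray space
    return sorted(seen)


def silent_tenants(conf_text, log_text):
    """Tenants present in the configuration that the module never scanned after the restart."""
    configured = {t for tenants in ms_graph_blocks(conf_text) for t in tenants}
    return sorted(configured - set(scanned_tenants_since_restart(log_text)))


if __name__ == "__main__":
    print("blocks:", ms_graph_blocks(SAMPLE_TWO_BLOCKS))
    print("scanned since restart:", scanned_tenants_since_restart(SAMPLE_LOG))
    print("configured but never scanned:", silent_tenants(SAMPLE_TWO_BLOCKS, SAMPLE_LOG))
    print("blocks with several api_auth:", blocks_with_multiple_api_auth(SAMPLE_ONE_BLOCK_TWO_AUTH))
```

Run against the real files by reading /var/ossec/etc/ossec.conf and /var/ossec/logs/ossec.log into the two arguments; on the log posted above the script reports tenant1 as configured but never scanned after the 13:25 restart, which is the symptom described in this message.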


Jorest Brice Tankoua Njassep

Mar 24, 2025, 7:58:30 AM
to Wazuh | Mailing List
Hi

Can you confirm if each tenant works fine when you define it as standalone in the Wazuh configuration file?