‘The remote server returned an error: (400) Bad Request.’ error when auditing SharePoint online and Azure AD

Azure AD and Office 365
9.0-9.7
9.8
9.9
https://kb.netwrix.com/5006
Copy Article URL Copied

Symptom:

Netwrix Auditor for SharePoint Online or Netwrix Auditor for Azure AD throwing an error “The remote server returned an error: (400) Bad Request.”.

Reason:

To collect events from Microsoft cloud services Netwrix Auditor is using O365 Management API . It accesses graph.windows.net and manage.office.com endpoints.
If Unified Auditing is disabled for O365 you will get the “Tenant <TenantGUID> does not exist” error when connecting to manage.office.com/api/v1.0/ endpoint.

Solution:

Enable Unified Auditing for O365.
Before doing that you need to check if the error above is in SpaOnline.log located in ..\Working folder (C:\ProgramData\Netwrix Auditor by default)\Logs\SharePoint Online Auditing\SomeGUID\..
To solve the issue:

  • Open PowerShell on Netwrix Server.
    Make sure you’re running PowerShell version 4.
  • $UserCredential = Get-Credential
    enter credential of the tenant you specified in Netwrix as an Item
  • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
  • Invoke-Command -session $Session -scriptblock {Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True}
  • Wait for 24 hours and check the status of collections and reports.
  • In case of any further issue submit a case with Netwrix Technical Support

Tracing file error (exception) example:

2019-11-22 12:31:30.4311 (INFO) TID:31 SpaOnlineHost.exe Start POST request url: https://manage.office.com/api/v1.0/be473d84....

2019-11-22 12:31:30.6654 (ERROR) TID:30 SpaOnlineHost.exe Catch WebException: {
"error":{"code":" StartSubscription [TenantId=be473d84-e829-4178-8054-0a2bc888c2a0,ContentType=Audit.SharePoint,ApplicationId=66ebbd8b-734d-425b-81a4-927e42bdfc55,PublisherId=be473d84-e829-4178-8054-0a2bc888c2a0] failed. 
 Exception","message":"Microsoft.Office.Compliance.Audit.DataServiceException: Tenant be473d84-e829-4178-8054-0a2bc888c2a0 does not exist.\r\n   
 at Microsoft.Office.Compliance.Audit.API.AzureManager.GetSubscriptionTableClientForTenant(Guid tenantID, Boolean throwIfTenantNull)\r\n   
 at Microsoft.Office.Compliance.Audit.API.AzureManager.d__22.MoveNext()\r\n--- 
 End of stack trace from previous location where exception was thrown ---\r\n   
 at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n   
 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   
 at Microsoft.Office.Compliance.Audit.API.StartController.d__0.MoveNext()"}

} 

Useful links
https://docs.microsoft.com/en-us/office/office-365-management-api/
https://docs.microsoft.com/en-us/office/office-365-management-api/troubleshooting-the-office-365-management-activity-api
https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off

Go Up