HTTP Status code 401
Symptoms
Error: "Status Code: 401 | Status Reason: Unauthorized"
Error indicating that authentication to Microsoft Graph API failed
Error response returned from the Message Trace API request
Causes
IBM QRadar successfully connects to the API endpoint, but authentication fails because the application cannot obtain a valid OAuth access token from Microsoft Entra ID
Resolving the problem
To resolve your HTTP Status code 401 error, verify that the following conditions are met.
- Verify that the Client ID, Client Secret, and Tenant ID configured in the log source match the values from the application registered in Microsoft Entra ID.
- Verify that the Client Secret has not expired.
- Ensure that the application has the required Microsoft Graph application permissions to access Message Trace data.
- Ensure that administrator consent is granted for the required permissions.
- Ensure that a service principal is provisioned for Exchange Online for the registered
application.Note: After you create the service principal, provisioning might take several hours to complete. During this time, requests to the Graph-based message trace API can return 401 (Unauthorized) errors.
Service principal-less authentication failed: The service principal for App ID 8bd644d1-64a1-4d4b-ae52-2e0cbf64e373 was not found. Please create a service principal for this app in your tenant. Provisioning may take several hours to complete.