QRadar: Office 365 displays error "Unable to start a content subscription"

1. Verify that Office 365 DSMs and Protocols are up to date from FixCentral
2. The "Automatically Acquire Server Certificate(s)" option was removed from the UI and the protocol validates certificates differently now so a copy of the certificates is not needed anymore.
3. Toggle the log source off and on. If you receive an http error 400 or 500, then those errors are related to your Office 365 account in Azure. 

To get the access token, or to check whether you are able to pull the token manually run these commands:

1. To get the access token, type the command:

   curl -d "client_secret=<client secret>&resource=https://manage.office.com&client_id=<client id>&grant_type=client_credentials" -X POST https://login.windows.net/<tenant id>/oauth2/token
2. To stop the subscription, type the command:

   curl -d "" -H "Authorization: Bearer (access token)" -X POST https://manage.office.com/api/v1.0/<tenant id>/activity/feed/subscriptions/stop?contentType=Audit.AzureActiveDirectory
3. After the subscription is stopped, run following command to start the subscription

   curl -d "" -H "Authorization: Bearer <access token>" -X POST https://manage.office.com/api/v1.0/<tenant id>/activity/feed/subscriptions/start?contentType=Audit.AzureActiveDirectory
4. Used this command to retrieve the events to QRadar.

   curl -d "" -H "Authorization: Bearer <access token>" -X GET https://manage.office.com/api/v1.0/<tenant id>/activity/feed/subscriptions/content?contentType=Audit.AzureActiveDirectory

    
   If you get an error similar to the one displayed, the Client Secret is expired.

   
   {"error":"invalid_client","error_description":"Example0002: Error validating credentials. Example0012: Invalid client secret is provided
   
5. Obtain a new Client Secret from Microsoft®.