Mistake of default environment variables about O365 Data Connector

[NobufumiMurata]

Describe the bug

The environment variable of the default LoginEndpoint of the template used in the "Deploy the Azure Function App" procedure has a "/" at the end like "https://login.microsoftonline.com/", but if this slash is added, the following error occurs when the function app is executed.

EXCEPTION: MCASActivity-SecurityEvents: Invalid Login Endpoint Uri. Exception : Type : Microsoft.PowerShell.Commands.WriteErrorException Message : MCASActivity-SecurityEvents: Invalid Login Endpoint Uri. HResult : -2146233087 CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,_TimerTrigger_ InvocationInfo : MyCommand : _TimerTrigger_ ScriptLineNumber : 257 OffsetInLine : 3 HistoryId : 1 ScriptName : C:\home\site\wwwroot\TimerTrigger\run.ps1 Line : Write-Error -Message "MCASActivity-SecurityEvents: Invalid Login Endpoint Uri." -ErrorAction Stop PositionMessage : At C:\home\site\wwwroot\TimerTrigger\run.ps1:257 char:3 + Write-Error -Message "MCASActivity-SecurityEvents: Invalid Lo … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ PSScriptRoot : C:\home\site\wwwroot\TimerTrigger PSCommandPath : C:\home\site\wwwroot\TimerTrigger\run.ps1 InvocationName : _TimerTrigger_ CommandOrigin : Internal ScriptStackTrace : at <ScriptBlock>, C:\home\site\wwwroot\TimerTrigger\run.ps1: line 257

I have confirmed at the error in run.ps1 with the following code, and it is verified with a URL without a slash as shown in "https://login.microsoftonline.com".

$LoginURL = $env:loginEndpoint
if (-Not [string]::IsNullOrEmpty($LoginURL)){
	if($LoginURL.Trim() -notin @("https://login.microsoftonline.us","https://login.partner.microsoftonline.cn","https://login.microsoftonline.com"))
	{
		Write-Error -Message "MCASActivity-SecurityEvents: Invalid Login Endpoint Uri." -ErrorAction Stop
		Exit
	}
}

When I erased the trailing slash in that environment variable, the function app now exited gracefully.

To Reproduce
Steps to reproduce the behavior:

1. Go to readme.md
2. Deploy to click "Deploy to Azure" button.
3. Wait to trigger function app.
4. See error

Expected behavior
The function app run correctly with default settings using "Deploy to Azure" button

Screenshots
N/A

Desktop (please complete the following information):

• OS: Windows 11
• Browser: Edge
• Version: 130.0.2849.13

Smartphone (please complete the following information):

• Device: N/A
• OS: N/A
• Browser: N/A
• Version: N/A

Additional context
Nothing in particular

[v-sudkharat]

Hi @NobufumiMurata, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!

[NobufumiMurata]

Hi @v-sudkharat ,
I have investigated further and would inform you with what I notice.
”WEBSITE_RUN_FROM_PACKAGE” enviroment variable sets following URL as default.
https://aka.ms/sentinel-O365APItoAS-functionapp

This URL hosts package of function apps source and "run.ps1" in this package was written with the URL without a slash.
The source code in Github repository is correct URL with a slash as shown in "https://login.microsoftonline.com/".

I think this difference of describing is the root cause of this matter.

Could you confirm that please.

[v-sudkharat]

Hi @NobufumiMurata, Yes correct, the "/" cause the script failure.
We have updated the script, could you please update the below URL in ”WEBSITE_RUN_FROM_PACKAGE" and let us know is your issue gets resolve :
After updating below URL just restart the function app once.
WEBSITE_RUN_FROM_PACKAGE = https://github.com/Azure/Azure-Sentinel/raw/afc4f318aace409cd8edbd2ebc8c13bf0c7106bd/DataConnectors/O365%20Data/O365APItoAS-Template.zip

Thanks!

[NobufumiMurata]

Hi @v-sudkharat
I have updated "WEBSITE_RUN_FROM_PACKAGE" value to new URL you sent , but my function apps is still running error with the same EXCEPTION message.

I confirmed the new code and I notice that there are two modifications.
One is added TrimEnd('/') opperation and the other is added "/" charactor at the If opperation condition's URLs.
Therefore I think the code still run incorrectly.

$LoginURL = $env:loginEndpoint.TrimEnd('/')
if (-Not [string]::IsNullOrEmpty($LoginURL)){
	if($LoginURL.Trim() -notin @("https://login.microsoftonline.us/","https://login.partner.microsoftonline.cn/","https://login.microsoftonline.com/"))
	{
		Write-Error -Message "MCASActivity-SecurityEvents: Invalid Login Endpoint Uri." -ErrorAction Stop
		Exit
	}
}

Could you confirm that again?

[v-sudkharat]

Hey @NobufumiMurata,
Updated some changes, can you please check with below URl :
https://github.com/Azure/Azure-Sentinel/raw/e5623cfbc80d7e18f8f1b0e47e1d8a14481ccff8/DataConnectors/O365%20Data/O365APItoAS-Template.zip

And run it manually. Thanks!

[NobufumiMurata]

Hi @v-sudkharat
I have confirmed my function app had executed with success status and O365 audit data had been ingested to my sentinel workspace.

Thank you for your kind response.