Microsoft Graph API - AADSTS900023

Michael Wiggins 0 Reputation points
2023-10-23T15:19:27.27+00:00

I work for an MSSP, and we're providing Threat Intelligence to our customers using the TIIndicators portion of Log Analytics, leveraging the Threat Indicator (Deprecated) Data Connector.

We're encountering an issue with one customer in particular, wherein the error response we receive is:

AADSTS900023: Specified tenant identifier 'REDACTED' is neither a valid DNS name, nor a valid external domain. Trace ID: REDACTED Correlation ID: REDACTED Timestamp: 2023-10-23 14:46:58Z

We have confirmed that the credentials on the client end are correct, with appropriate permissions, and that the Tenant ID is correct; however, the issue persists.

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
Microsoft Security | Microsoft Graph

2 answers

  1. James Hamil 27,221 Reputation points Microsoft Employee Moderator
    2023-10-24T18:50:48.2466667+00:00

    Hi @Michael Wiggins, this could be caused by a few different things. We can try to troubleshoot. If nothing works we can open a support ticket for you.

    If everything is configured correctly, the issue could be with the Sentinel Data Connector. Do you have an analytics rule that automatically pulls the data from the TIIndicators table and sends it to your customer via MS Graph and you're getting the error because the tenant or DNS is invalid? I would check there first.

    Second, please review the following threads that have similar issues. You may find the solution there:

    Make sure that the Tenant ID is the actual GUID of your tenant.

    Please let me know if this helps. If not I can help you further.

    Best,

    James

    1 person found this answer helpful.

  2. Michael Wiggins 0 Reputation points
    2023-10-25T16:51:47.1066667+00:00

    Hi James,

    I'd actually figured it out shortly before you responded, and you hit the nail on the head to an extent.

    The issue I was encountering was that there was an incorrect character in the Tenant ID for the integration, which was causing the above error haha.

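As an added example (not part of the thread and not Microsoft code), a pre-flight check in Python that catches a malformed tenant ID of the kind described in the second answer before an integration requests a token. The function names are hypothetical and the sample GUIDs are constructed.

```python
import unicodedata

HEX = set("0123456789abcdefABCDEF")
HYPHENS = (8, 13, 18, 23)  # hyphen offsets in the 8-4-4-4-12 GUID layout
LOOKALIKES = {"O": "0", "o": "0", "l": "1", "I": "1"}  # common mistyped characters

def check_tenant_id(raw):
    """Return a list of problems; an empty list means raw is a well-formed GUID."""
    problems = []
    if raw != raw.strip():
        problems.append("leading or trailing whitespace")
    visible = []
    for pos, ch in enumerate(raw.strip()):
        # Format (Cf) and space-separator (Zs) characters survive copy and paste unseen.
        if unicodedata.category(ch) in ("Cf", "Zs"):
            problems.append(f"invisible character U+{ord(ch):04X} at offset {pos}")
        else:
            visible.append(ch)
    if len(visible) != 36:
        problems.append(f"{len(visible)} visible characters, expected 36")
        return problems
    for pos, ch in enumerate(visible):
        if pos in HYPHENS:
            if ch != "-":
                problems.append(f"expected '-' at offset {pos}, found {ch!r}")
        elif ch not in HEX:
            hint = LOOKALIKES.get(ch)
            note = f" (did you mean {hint!r}?)" if hint else ""
            problems.append(f"non-hex character {ch!r} at offset {pos}{note}")
    return problems

def require_tenant_id(raw):
    """Raise before any token request is made if the tenant ID is malformed."""
    problems = check_tenant_id(raw)
    if problems:
        raise ValueError("tenant ID rejected: " + "; ".join(problems))
    return raw.lower()

if __name__ == "__main__":
    samples = [  # constructed values, not real tenant IDs
        "11111111-2222-3333-4444-555555555555",
        "11111111-2222-3333-4444-55555555555O",
        "11111111-2222-3333-4444-555555555555\u200b",
    ]
    for s in samples:
        print(repr(s), "->", check_tenant_id(s) or "ok")
```

Running a check like this on each customer's stored tenant ID at onboarding reports the offending character and its offset, which the AADSTS900023 response does not.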
