fix: fix oauth token generation error handling path

.pre-commit-config.yaml

@@ -51,6 +51,7 @@ repos:
     rev: v1.89.0
     hooks:
       - id: semgrep
+        additional_dependencies: ["setuptools==81.0.0"]
   - repo: https://github.com/Yelp/detect-secrets
     rev: v1.5.0
     hooks:

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright (c) 2017-2025 Splunk Inc.
+   Copyright (c) 2017-2026 Splunk Inc.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

NOTICE

@@ -1,5 +1,5 @@
 Splunk SOAR App: MS Graph for Office 365
-Copyright (c) 2017-2025 Splunk Inc.
+Copyright (c) 2017-2026 Splunk Inc.
 Third Party Software Attributions:
 
 @@@@============================================================================

README.md

@@ -520,6 +520,8 @@ This section explains each configuration field in user-friendly terms.
 - **Checked**: Application permissions (organization-wide access for automation)
 - **Unchecked**: Delegated permissions (user-specific access for single-user scenarios)
 
+**Note**: If your organization uses [Role Based Access Control for Exchange Applications](https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac) (the successor to Application Access Policies) to restrict mailbox access, ensure **Admin Access Required** is checked. This enables the application permissions mode compatible with Exchange App RBAC.
+
 #### **Admin Consent Already Provided** (Optional, Default: Unchecked)
 
 - Check after completing admin consent process in Azure AD
@@ -2216,7 +2218,7 @@ ______________________________________________________________________
 
 Auto-generated Splunk SOAR Connector documentation.
 
-Copyright 2025 Splunk Inc.
+Copyright 2026 Splunk Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

__init__.py

@@ -1,6 +1,6 @@
 # File: __init__.py
 #
-# Copyright (c) 2017-2025 Splunk Inc.
+# Copyright (c) 2017-2026 Splunk Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

manual_readme_content.md

@@ -510,6 +510,8 @@ This section explains each configuration field in user-friendly terms.
 - **Checked**: Application permissions (organization-wide access for automation)
 - **Unchecked**: Delegated permissions (user-specific access for single-user scenarios)
 
+**Note**: If your organization uses [Role Based Access Control for Exchange Applications](https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac) (the successor to Application Access Policies) to restrict mailbox access, ensure **Admin Access Required** is checked. This enables the application permissions mode compatible with Exchange App RBAC.
+
 #### **Admin Consent Already Provided** (Optional, Default: Unchecked)
 
 - Check after completing admin consent process in Azure AD

office365.json

@@ -32,7 +32,7 @@
             "name": "Anton Neledov"
         }
     ],
-    "license": "Copyright (c) 2017-2025 Splunk Inc.",
+    "license": "Copyright (c) 2017-2026 Splunk Inc.",
     "app_version": "4.1.0",
     "utctime_updated": "2026-01-09T05:33:39.032641Z",
     "package_name": "phantom_msgraphoffice365",
@@ -8752,17 +8752,13 @@
     ],
     "pip39_dependencies": {
         "wheel": [
-            {
-                "module": "PyJWT",
-                "input_file": "wheels/py3/PyJWT-2.10.1-py3-none-any.whl"
-            },
             {
                 "module": "cffi",
                 "input_file": "wheels/py39/cffi-2.0.0-cp39-cp39-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl"
             },
             {
                 "module": "cryptography",
-                "input_file": "wheels/py3/cryptography-46.0.3-cp38-abi3-manylinux_2_28_x86_64.whl"
+                "input_file": "wheels/py3/cryptography-46.0.5-cp38-abi3-manylinux_2_28_x86_64.whl"
             },
             {
                 "module": "msal",
@@ -8772,6 +8768,10 @@
                 "module": "pycparser",
                 "input_file": "wheels/py3/pycparser-2.23-py3-none-any.whl"
             },
+            {
+                "module": "pyjwt",
+                "input_file": "wheels/py3/pyjwt-2.12.1-py3-none-any.whl"
+            },
             {
                 "module": "typing_extensions",
                 "input_file": "wheels/py3/typing_extensions-4.15.0-py3-none-any.whl"
@@ -8780,25 +8780,25 @@
     },
     "pip313_dependencies": {
         "wheel": [
-            {
-                "module": "PyJWT",
-                "input_file": "wheels/py3/PyJWT-2.10.1-py3-none-any.whl"
-            },
             {
                 "module": "cffi",
                 "input_file": "wheels/py313/cffi-2.0.0-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl"
             },
             {
                 "module": "cryptography",
-                "input_file": "wheels/py3/cryptography-46.0.3-cp311-abi3-manylinux_2_28_x86_64.whl"
+                "input_file": "wheels/py3/cryptography-46.0.5-cp311-abi3-manylinux_2_28_x86_64.whl"
             },
             {
                 "module": "msal",
                 "input_file": "wheels/py3/msal-1.34.0-py3-none-any.whl"
             },
             {
                 "module": "pycparser",
-                "input_file": "wheels/py3/pycparser-2.23-py3-none-any.whl"
+                "input_file": "wheels/py3/pycparser-3.0-py3-none-any.whl"
+            },
+            {
+                "module": "pyjwt",
+                "input_file": "wheels/py3/pyjwt-2.12.1-py3-none-any.whl"
             }
         ]
     }

office365_connector.py

@@ -1,6 +1,6 @@
 # File: office365_connector.py
 #
-# Copyright (c) 2017-2025 Splunk Inc.
+# Copyright (c) 2017-2026 Splunk Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -1427,22 +1427,25 @@ def _handle_test_connectivity(self, param):
         if self._admin_access or self._state["auth_type"] == "cba":
             message_failed = "API to fetch details of all the users failed"
             self.save_progress("Getting info about all users to verify token")
-            ret_val, response = self._make_rest_call_helper(action_result, "/users", params=params)
+            ret_val, _response = self._make_rest_call_helper(action_result, "/users", params=params)
         else:
             message_failed = "API to get user details failed"
             self.save_progress("Getting info about a single user to verify token")
-            ret_val, response = self._make_rest_call_helper(action_result, "/me", params=params)
+            ret_val, _response = self._make_rest_call_helper(action_result, "/me", params=params)
 
         if phantom.is_fail(ret_val):
+            result_msg = action_result.get_message()
+            if "403" in result_msg:
+                self.save_progress(
+                    "Warning: connectivity to Microsoft Graph was verified but the "
+                    "User.Read.All permission is not granted. Some actions may not work. "
+                    "For email use cases, ensure Mail.Read or Mail.ReadWrite permissions are configured.\nTest Connectivity Passed."
+                )
+                return action_result.set_status(phantom.APP_SUCCESS)
             self.save_progress(message_failed)
             self.save_progress("Test Connectivity Failed")
             return action_result.set_status(phantom.APP_ERROR)
 
-        value = response.get("value")
-
-        if value:
-            self.save_progress("Got user info")
-
         self.save_progress("Test Connectivity Passed")
 
         return action_result.set_status(phantom.APP_SUCCESS)
@@ -3238,9 +3241,12 @@ def _generate_new_oauth_access_token(self, action_result):
                 data["refresh_token"] = self._refresh_token
                 data["grant_type"] = "refresh_token"
             else:
-                return action_result.set_status(
-                    phantom.APP_ERROR,
-                    "Unexpected details retrieved from the state file.",
+                return (
+                    action_result.set_status(
+                        phantom.APP_ERROR,
+                        "Unexpected details retrieved from the state file.",
+                    ),
+                    None,
                 )
 
         self.debug_print("Generating token...")

office365_consts.py

@@ -1,6 +1,6 @@
 # File: office365_consts.py
 #
-# Copyright (c) 2017-2025 Splunk Inc.
+# Copyright (c) 2017-2026 Splunk Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

office365_get_email.html

@@ -11,7 +11,7 @@
 {% block widget_content %}
   <!-- Main Start Block -->
   <!-- File: office365_get_email.html
-  Copyright (c) 2017-2025 Splunk Inc.
+  Copyright (c) 2017-2026 Splunk Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

office365_get_rule.html

@@ -11,7 +11,7 @@
 {% block widget_content %}
   <!-- Main Start Block -->
   <!-- File: office365_get_rule.html
-  Copyright (c) 2017-2025 Splunk Inc.
+  Copyright (c) 2017-2026 Splunk Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

office365_list_events.html

@@ -11,7 +11,7 @@
 {% block widget_content %}
   <!-- Main Start Block -->
   <!-- File: office365_list_events.html
-  Copyright (c) 2017-2025 Splunk Inc.
+  Copyright (c) 2017-2026 Splunk Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

office365_list_rules.html

@@ -11,7 +11,7 @@
 {% block widget_content %}
   <!-- Main Start Block -->
   <!-- File: office365_list_rules.html
-  Copyright (c) 2017-2025 Splunk Inc.
+  Copyright (c) 2017-2026 Splunk Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

office365_resolve_name.html

@@ -11,7 +11,7 @@
 {% block widget_content %}
   <!-- Main Start Block -->
   <!-- File: office365_resolve_name.html
-  Copyright (c) 2017-2025 Splunk Inc.
+  Copyright (c) 2017-2026 Splunk Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

office365_run_query.html

@@ -11,7 +11,7 @@
 {% block widget_content %}
   <!-- Main Start Block -->
   <!-- File: office365_run_query.html
-  Copyright (c) 2017-2025 Splunk Inc.
+  Copyright (c) 2017-2026 Splunk Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

office365_view.py

@@ -1,6 +1,6 @@
 # File: office365_view.py
 #
-# Copyright (c) 2017-2025 Splunk Inc.
+# Copyright (c) 2017-2026 Splunk Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

process_email.py

@@ -1,6 +1,6 @@
 # File: process_email.py
 #
-# Copyright (c) 2017-2025 Splunk Inc.
+# Copyright (c) 2017-2026 Splunk Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

release_notes/unreleased.md

@@ -1 +1,4 @@
 **Unreleased**
+
+* Fixed an OAuth token generation crash by returning a consistent tuple.
+* Test Connectivity now passes with a warning when Microsoft Graph returns a 403 (Forbidden), indicating connectivity is successful but the User.Read.All permission is not granted.