Microsoft integrations, such as those with Microsoft CSP, Microsoft Graph, or Microsoft Exchange Online, are among the most intricate and complex due to the diversity of products and services involved. Each has slightly different authentication endpoints and required permissions. This guide serves as a comprehensive resource for common problems that may arise during integration.
Error Message: Forbidden (403), MFA Required (401)
Cause: Usually related to Multi-Factor Authentication (MFA): MFA is absent, misconfigured, or provided by an unsupported third-party MFA provider.
Requirements: Microsoft mandates the use of the StrongAuthClaim method in MFA requests, confirming additional security checks beyond username and password.
Potential Resolutions:
Enable MFA with StrongAuthClaim: Make sure the user account for Microsoft CSP integration has MFA enabled using the StrongAuthClaim method (usually with Microsoft MFA).
Confirm MFA at Sign-In: If using Microsoft MFA and encountering errors, ensure MFA confirmation at sign-in. Try incognito browsing or sign out and back in if needed.
Create a Dedicated User Account: Recommended for Microsoft CSP integration with specific requirements (e.g., Global Administrator permissions, MFA with StrongAuthClaim, AdminAgents role added in Partner Center to enable API access).
Client error 400 Bad Request means there's an issue with the request. Most likely an incorrect value is being sent; verify the correctness of the values in the request.
In the context of authorizing the Microsoft Cloud Bundle, this error can sometimes be related to Conditional Access policies, either on the MSP tenant (if failing to authorize) or on the customer tenant (when performing CPV consent, i.e. clicking the blue shield).
If the issue is during the initial authorization then it is important to check your conditional access policies and modify them to either exclude the user used to authorize the integration (typically the Rewst@ user) or to address the conflict (as an example, limiting access by location).
If the issue is during CPV consent of a customer then you will need to check the customer's conditional access policies and modify them to exclude the service provider tenant or address the conflict (example from above could apply).
For more information please see the authorization best practices documentation located
We've identified a recurring issue within the Entra UI concerning the inconsistent permissions display on the Enterprise App Permissions page. Users may encounter situations where the permissions are either fully paginated and visible or not all permissions are displayed as expected.
If what you see resembles the screenshot below, it indicates that not all permissions are being displayed. In such cases, the seemingly absent permissions are assigned but not visible due to a limitation within the UI. This known issue stems from a bug on Microsoft's end, which unfortunately is beyond our ability to directly resolve. For visibility into the complete set of permissions under these circumstances, using the API is the recommended approach.
If your Entra UI matches the below screenshot, this suggests that all permissions are being properly shown, so if any are missing, they are actually missing. Should there be any unexpected permissions missing in this scenario, it likely points to a bug or failure in the permissions assignment process on the Rewst side.
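Because the Entra UI may truncate the list, the reliable check is to read the assignments from the Graph API and follow every `@odata.nextLink` page. The script below is an added example, not Rewst's or Microsoft's code: it walks the `appRoleAssignments` collection of a service principal (the enterprise app) and reports which expected permissions are absent. The `fetch_json` callable, the service principal id, the role ids and the two-page sample response are all constructed placeholders; a real run would supply a function that performs an authenticated GET with a bearer token.

```python
"""Added example: enumerate an enterprise app's granted application permissions via
Graph, following @odata.nextLink so no page is silently dropped, and report gaps.

Assumptions (constructed for this example, not taken from the original page):
  - fetch_json(url) is caller-supplied: an authenticated GET returning parsed JSON.
  - SP_ID and the appRoleId values are placeholders, not real Graph role ids.
"""
from typing import Callable, Dict, Iterable, List, Set

GRAPH = "https://graph.microsoft.com/v1.0"
FetchJson = Callable[[str], Dict]


def iter_pages(fetch_json: FetchJson, url: str) -> Iterable[Dict]:
    """Yield every item of a Graph collection, following @odata.nextLink until exhausted."""
    while url:
        body = fetch_json(url)
        for item in body.get("value", []):
            yield item
        url = body.get("@odata.nextLink")  # absent on the last page


def granted_app_roles(fetch_json: FetchJson, sp_object_id: str) -> Set[str]:
    """Return the appRoleId values assigned to a service principal.

    Each appRoleAssignment is one application permission granted to the app;
    the UI page that sometimes truncates is a rendering of this same relationship.
    """
    url = f"{GRAPH}/servicePrincipals/{sp_object_id}/appRoleAssignments"
    return {a["appRoleId"] for a in iter_pages(fetch_json, url)}


def missing_permissions(granted: Set[str], expected: Iterable[str]) -> List[str]:
    """Expected permissions that are not granted, sorted for stable reporting."""
    return sorted(set(expected) - granted)


# --- constructed sample: two pages, as Graph returns for large collections ---
SP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder object id
PAGE1_URL = f"{GRAPH}/servicePrincipals/{SP_ID}/appRoleAssignments"
PAGE2_URL = PAGE1_URL + "?$skiptoken=page2"  # constructed continuation link
SAMPLE_PAGES: Dict[str, Dict] = {
    PAGE1_URL: {
        "value": [{"appRoleId": "role-a"}, {"appRoleId": "role-b"}],
        "@odata.nextLink": PAGE2_URL,
    },
    PAGE2_URL: {"value": [{"appRoleId": "role-c"}]},
}


def sample_fetch_json(url: str) -> Dict:
    """Stand-in for an authenticated Graph GET, serving the constructed pages."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    granted = granted_app_roles(sample_fetch_json, SP_ID)
    print("granted:", sorted(granted))
    print("missing:", missing_permissions(granted, ["role-a", "role-d"]))
```

If the second page were ignored, `role-c` would look missing even though it is assigned, which is exactly the false negative the truncated UI produces; following the continuation link removes that ambiguity before anyone reopens a permission ticket.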
Error Context: Pertains to errors when consenting on a client (e.g., green shield button on CSP/Graph/EXO integration table).
About GDAP:
Purpose: GDAP enables fine-grained control over tenant access, allowing the creation of groups in your MSP tenant, assignment of permissions, and user allocation.
Example: Create specific groups like "Standard M365 Clients - Exchange Administrator" or "Strict M365 Clients - Exchange Administrator" to manage access levels across different clients.
Rewst's Role: Since Rewst can interact with various endpoints, the correct permissions in both your tenant and client tenant are essential.
Potential Resolution:
Understand and Implement GDAP: Utilize GDAP to create groups and assign permissions, ensuring compliance with your security policies.
Error Message: Access Denied - HTTP Status code 403
Root Cause: Most commonly related to a misunderstanding of Application vs. Delegated permissions within Microsoft Graph Integration.
Application Permissions: Granted to applications, not tied to users. Allows access to data without user consent.
Delegated Permissions: Tied to specific users, requiring their consent for data access.
Microsoft's Direction: Microsoft is shifting from Application permissions to Delegated permissions for security reasons. Application permissions lack an audit trail, hiding who accessed data and when. They also allow Microsoft Partners to have a tenant in their organization without the client's awareness.
Relevance to Tasks:
User Permissions: For user-related endpoints, such as reading calendar items, or sending mail as a user, the authenticating account must have the necessary permissions.
Example: To send as SendfromMe@rewstdemo.com via Rewst, ensure Rewst-Service Account has Send As permission on the SendfromMe account.
Error Message & Context: Request_BadRequest, Unsupported token. Unable to initialize the authorization context. This manifests as a "Bad Request" error when making calls to Graph, despite seemingly correct integration and tenant delegation credentials.
Suspected Cause: The error may stem from a cached token or from the integration being authorized prior to setting the checkbox for CSP delegation in CSP, Graph, or Exchange Online.
Potential Resolution:
Uninstall and Reinstall CSP Integration: Go to CSP integration, click "Uninstall," wait, then click "Install."
Repeat for Other Integrations: Follow steps 1-2 for Exchange Online and Graph, checking Use CSP Delegated Consent before authorizing.
Re-Consent on Behalf of Managed Tenants: Return to CSP integration and click the green shield to re-consent.
This section lists some of the most common errors. For each error, specific steps and guidelines are available to understand the cause and find the right solution. Click on your issue to expand the section and see suggested solutions.
Common Issue: Transition to Microsoft's introduces complexities in tenant access control.
Refer to Best Practices: Detailed guidance on recommended role permissions for GDAP is available on the page.
Reauthorize CSP with Admin Access: Use the with admin access for reauthorization.
See