Microsoft Cloud integration bundle troubleshooting guide

• Symptom: Failure to proceed past the authentication step, not even reaching the Microsoft Auth login screen.

• Common Cause: This may occur due to a delay on Microsoft's end where the system is still processing the app registration.

• Solution: Wait a minute or two before attempting to re-authenticate. This allows time for the backend processes to complete.

• Symptom: Successful authentication only after switching between the new Rewst Cloud Connector and the legacy Rewst Prod App Registration.

• Potential Cause: Existing Rewst Prod installations in the Microsoft tenant might interfere with the new setup.

• Solution:

  • Restart the integration wizard from the beginning.

  • Make sure all configuration steps are correctly completed. Pay extra attention to step 2 and confirm that a notification appears, indicating that the configurations have been updated.

• Error Context: Pertains to errors when consenting on a client (e.g., green shield button on CSP/Graph/EXO integration table).

• Common Issue: Transition to Microsoft's Granular Delegated Admin Privileges (GDAP) introduces complexities in tenant access control.

• About GDAP:

  • Purpose: GDAP enables fine-grained control over tenant access, allowing the creation of groups in your MSP tenant, assignment of permissions, and user allocation.

  • Example: Create specific groups like "Standard M365 Clients - Exchange Administrator" or "Strict M365 Clients - Exchange Administrator" to manage access levels across different clients.

• Rewst's Role: Since Rewst can interact with various endpoints, the correct permissions in both your tenant and client tenant are essential.

• Potential Resolution: Understand and Implement GDAP Utilize GDAP to create groups and assign permissions, ensuring compliance with your security policies.

• Root Cause: Most commonly related to a misunderstanding of Application vs. Delegated permissions within Microsoft Graph Integration.

  • Application Permissions: Granted to applications, not tied to users. Allows access to data without user consent.

  • Delegated Permissions: Tied to specific users, requiring their consent for data access.

• Microsoft's Direction: Microsoft is shifting from Application permissions to Delegated permissions for security reasons. Application permissions lack an audit trail, hiding who accessed data and when. They also allow Microsoft Partners to have a tenant in their organization without the client's awareness.

• Relevance to Tasks:

  • User Permissions: For user-related endpoints, such as reading calendar items, or sending mail as a user, the authenticating account must have the necessary permissions.

  • Example: To send as [email protected] via Rewst, ensure Rewst-Service Account has Send As permission on the SendfromMe account.

• Error Message & Context: Request_BadRequest, Unsupported token. Unable to initialize the authorization context. This manifests as a "Bad Request" error when making calls to Graph, despite seemingly correct integration and tenant delegation credentials.

• Suspected Cause: The error may stem from a cached token or from the integration being authorized prior to setting the checkbox for CSP delegation in CSP, Graph, or Exchange Online.

• Potential Resolution:

  1. Uninstall and Reinstall CSP Integration: Go to CSP integration, click "Uninstall," wait, then click "Install."

  2. Reauthorize CSP with Admin Access: Use the recommended service account with admin access for reauthorization.

  3. Repeat for Other Integrations: Follow steps 1-2 for Exchange Online and Graph, checking Use CSP Delegated Consent before authorizing.

  4. Re-Consent on Behalf of Managed Tenants: Return to CSP integration and click the green shield to re-consent.

As per Microsoft documentation the following needs to be true for resetting a user's password/modifying their password profile.

See Microsoft Documentation

In a delegated scenario the Rewst enterprise applications need to have the 'Directory.AccessAsUser.All' permission (and corresponding GDAP roles)

In a application call scenario(MSP Level/Integration installed at the customer level standalone from CSP) the application must be assigned a priviledged role such as Authentication Administrator or Priviledged Authentication Administrator.

If the refresh token couldn't be retrieved or stored, reauthorization must occur.

A Conditional Access Policy may have set the maximum session time, causing this error. Consider changing the policy or following guidance under Conditional Access.

The absence of MFA setup or Conditional Access policies blocking Rewst's access may lead to this error. Check MFA settings and Conditional Access policies.

Password changes, session revocations, or account disabling may lead to this error. Reauthorization will be needed.

This might occur when a trusted device used for the first authorization has been deleted from the Intune portal. Reauthorization is required.

If the user lacks sufficient access rights or is missing the necessary Exchange role, check the user's rights and Exchange role information. When using GDAP, the user must be in the "Exchange Administrators" group.

This is likely a failure to call Intune APIs. Check if the tenant has the necessary license available.

A key vault is required in your Azure subscription. If you receive an "Invalid Client" error message when authorizing it is likely due to a missing key vault. Creating an empty key vault should resolve the issue.

The request might be malformed if the body doesn't contain JSON or if variables haven't expanded. Look for syntax errors or incorrect bracket usage.

Multiple causes could lead to this error, such as the user not authorizing the Rewst CSP integration or not being in the AdminAgents group. If you're using GDAP, ensure that the user is added to the correct group(s) for Rewst to function.

This could indicate that the relationship between the tenant and the partner has been dissolved from the client side, or that a GDAP relationship has expired. Check the partner relationship information and ensure it is still active.

This means that Exchange connections are no longer possible. Please verify Exchange subscription availability.

If GDAP has been deployed and you're seeing this error, it may be because the user is not in any GDAP groups. Verify the user's GDAP group membership.

If you're unable to connect to Teams Admin cente, this might mean the tenant is missing a Teams license. Check to ensure the necessary licenses are available.

This error is mainly seen around security tasks and is likely due to a missing license such as M365 BP or Azure AD P1. Check the tenant's license information to ensure that the necessary licenses are available for the requested operation.

• Cause: Often related to Multi-Factor Authentication (MFA). Absence of MFA, incorrect MFA configuration, or unsupported third-party MFA provider.

• Requirements: Microsoft mandates the use of the StrongAuthClaim method in MFA requests, confirming additional security checks beyond username and password.

• Potential Resolutions:

  1. Enable MFA with StrongAuthClaim: Make sure the user account for Microsoft CSP integration has MFA enabled using the StrongAuthClaim method (usually with Microsoft MFA).

  2. Confirm MFA at Sign-In: If using Microsoft MFA and encountering errors, ensure MFA confirmation at sign-in. Try incognito browsing or sign out and back in if needed.

  3. Create a Dedicated User Account: Recommended for Microsoft CSP integration with specific requirements (e.g., Global Administrator permissions, MFA with StrongAuthClaim, AdminAgents role added in Partner Center to enable API access).

Duo / Third Party MFA Notice: Duo MFA was removed from Microsoft's supported list in 2022. Users must switch to Microsoft MFA to comply with requirements. See Microsoft Partner Account - MFA Requirements

This feature requires a P1 license or higher. Check the client's tenant license information to ensure that the necessary licenses are in place.

Client error 400 Bad Request means there's an issue with the request. It's most likely that an incorrect value is being sent. Please verify the correctness of the values in the request.

When in the context of authorizing the Microsoft Cloud Bundle this error can sometimes be related to Conditional Access policies, either on the MSP tenant (if failing to authorize) or on the customer tenant (when performing CPV consent aka clicking the blue shield).

If the issue is during the initial authorization, then it is important to check your conditional access policies and modify them to either exclude the user used to authorize the integration (typically the Rewst@ user) or to address the conflict (as an example, limiting access by location).

If the issue is during CPV consent of a customer then you will need to check the customer's conditional access policies and modify them to exclude the service provider tenant or address the conflict (example from above could apply).

This is an Azure specific error. The Azure APIs are using delegated permissions. If it was working before and then stopped working post migration, it's likely that the Azure integration was authorized with a different account than what was used post migration, and the user used to authorize probably doesn’t have the required roles assigned to it in Azure. Assign roles to the user to solve this issue.

Alternatively, it is possible that the tenant does not have licensed users in the Azure/O365. This means that you are missing service principals.

This is an Azure specific error and it happens when re-authorizing the Microsoft Cloud Integration Bundle. You must set up an Azure Key Vault. It can be empty but it needs to be setup and available.

This happens when trying to re-consent a client or multiple clients. Make sure to check partner center relationships since you are likely missing one or more GDAP roles.

Note that if the client has other relationships with interfering roles it will also cause the consent to fail. You'll need to terminate any other interfering relationships.

We've identified a recurring issue within the Entra UI concerning the inconsistent permissions display on the Enterprise App Permissions page. Users may encounter situations where the permissions are either fully paginated and visible or not all permissions are displayed as expected.

Incomplete display of permissions

If what you see resembles the screenshot below, it indicates that not all permissions are being displayed. In such cases, the seemingly absent permissions are assigned but not visible due to a limitation within the UI. This known issue stems from a bug on Microsoft's end, which unfortunately is beyond our ability to directly resolve. For visibility into the complete set of permissions under these circumstances, using the API is the recommended approach.

Complete display of permissions

If your Entra UI matches the below screenshot, this suggests that all permissions are being properly shown. So if any are missing, they are actually missing. Should there be any unexpected permissions missing in this scenario, it likely points to an bug or failure in the permissions assignment process on the Rewst side.

This is a matter of allowing Microsoft time to do its work. It could take up to 48 hours for this to self resolve - just give it time and try to re-consent.

Note that this error will display all the multiple permissions that are missing, more than the example referenced. This happens when trying to re-consent a client or multiple clients. Check partner center relationships since there are likely missing one or more recommended GDAP roles.

This comes from the Microsoft side when the permissions exist and we try to add them back.

Initially attempt to remove some delegated permissions from the enterprise app in your Microsoft Entra portal. If that doesn’t work, you'll want to remove the integration and re-add it.

During the setup, do not click the select all permissions option. Just click next.

The error can be caused by multiple reasons and presents itself when consenting a child organization:

1. User has not authorized the app

2. User is a guest user in the tenant

3. Conditional Access policy is blocking access

4. User is not added to the correct group

This error likely happens if you skipped the step to use the Unpack our Configure New GDAP Relationship Crate. Unpack the Crate. Then, using the form: [ROC] M365: Configure GDAP Relationships unpacked in the Crate, set up a new specific GDAP relationship for Rewst between you and your client. It will send you an email per CSP customer, with and approval link and then another link back to rewst to set everything up. It ensure consistency across your orgs.

Then check that it has been configured correctly. The 12 GDAP roles would need to be in the admin relationships that are failing.

Make sure that the account you are using is a member of ADMINAGENTS and GLOBALADMIN while you sort the permissions. Once done, GA can be removed if desired.

Lastly, check your clients' conditional access policies.

This issue presents itself when you click the Refresh Options button in the integration page. To resolve this, add the Rewst Service account to AdminAgents at the top MSP parent level organization. After this action has been taken, the client must re-authorize the integration to fix.

The error can be caused by multiple reasons and presents itself when consenting a child organization:

1. User has not authorized the app

2. User is a guest user in the tenant

3. Conditional Access policy is blocking access

4. User is not added to the correct group

You must ensure that you have setup your clients’ policies as per our guidance on conditional access.

This error is an indication that you have either either not approved the created relationship or not added the required GDAP roles to it. Partner GDAP setup was not completed. You'll need to terminate the setup, and create a new one.

Ensure that he secret being sent in the request is the client secret value, not the client secret ID.

The other error that may be related to this when consenting is There was an error configuring delegated admin. Here, the integration is trying to use old CSP App Registration. Uninstall and reinstall the entire Microsoft Cloud Integration Bundle. Note that only uninstalling and reinstalling Azure/CSP alone will not work. If you keep getting errors during reinstallation, remove the Rewst MS Cloud Connector Enterprise Application and then authorize. During the process, you may see the below error. You should be fine to proceed despite the error message.

Device Object was not found in tenant means that during authentication you used an approved device, and that device is no longer available.

The best way to fix is to rerun the authentication setup. When a dialog appears to log in, don't click on the account that's already logged in, even if it's the service account. Instead, click sign in with a different account. Then, log on with the service account

If this doesn't fix your issue, manually delete the enterprise application, then re-authorize. You may need to manually consent the app in Intune, then re-authorize again.

The first step in troubleshooting is to attempt reauthentication.

1. Navigate to the Microsoft Cloud Integration Bundle settings in Rewst.

2. Click Reauthenticate and follow the prompts to complete the process.

3. If authentication is successful, your integration should resume normal operation.

If reauthentication fails, proceed to the next step. Tthe issue may be related to the service account credentials.

1. Reset the service account password in Microsoft.

2. Update the credentials in Rewst.

3. Update the credentials in Rewst.

4. Attempt to reauthenticate again.

5. If this works ensure you click the re-concent button.

If the issue persists, completely uninstall and reinstall the Microsoft Cloud Bundle Integration.

Ensure that the CA Policies exclusions have been set. If the Service Account is not added you will see this error

Remove Microsoft Cloud integration from the child organization only.

Confirm that the company uses and has Azure Storage enabled.

See our documentation on Owned App Registration.

Here, a client has Duo as an External Authentication method that may be re-directing MFA. Configure a service provider exclusion for the problem tenant.

For MSP or parent organization

• Verify that the dedicated account used for Microsoft Cloud Bundle authorization has Exchange Administrator or Global Administrator role assigned.

For child organization

• If the tenant is a child org:

  • Ask the customer to confirm in their GDAP Relationship that they have Exchange Administrator role assigned.

  • If authentication is handled through the Microsoft Cloud Bundle, confirm that the linked service account has the Exchange Administrator role assigned.