Authorization Error - Unsupported Token or Access Forbidden


Error: Authorization Error – Unsupported Token or Access Forbidden

When the error is for a specific tenant:

This error means that your Sync 365 account does not have the required permissions to connect to the customer tenant.



Cause: Your GDAP relationship may be missing the appropriate roles, or your account is not in the correct security group tied to the relationship.

Resolution

Check and resolve your partner relationship configuration:

  • Ensure the GDAP relationship exists for the customer tenant
  • Confirm that the security group used in the GDAP relationship includes your Sync 365 delegated admin account
  • Make sure the security group has the following roles:
    • Application Administrator
    • Global Reader

Step-by-step instructions here: Checking your GDAP relationship
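
The three checks above can also be run offline against exported GDAP data. This is an added example, not Sync 365 or Microsoft code. It assumes the input dictionaries are shaped like Microsoft Graph `delegatedAdminRelationship` and `accessAssignment` objects and that group membership has been exported separately. The tenant, group and account IDs are constructed placeholders.

```python
# Added example: offline check of GDAP data exported from Microsoft Graph.
# Built-in Entra role template IDs for the two roles the article requires.
REQUIRED_ROLES = {
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3": "Application Administrator",
    "f2ef992c-3afb-46b9-b7cf-a126ee74c451": "Global Reader",
}

def check_gdap(relationships, assignments, members, tenant_id, account_id):
    """Return a list of findings; an empty list means all three checks pass.

    relationships: delegatedAdminRelationship objects
    assignments:   relationship id -> its accessAssignments
    members:       security group id -> set of member object ids
    """
    active = [r for r in relationships
              if r["customer"]["tenantId"] == tenant_id and r["status"] == "active"]
    if not active:
        return ["no active GDAP relationship for the customer tenant"]
    granted, in_group = set(), False
    for rel in active:
        for a in assignments.get(rel["id"], []):
            group = a["accessContainer"]["accessContainerId"]
            if a["status"] != "active" or account_id not in members.get(group, set()):
                continue
            in_group = True
            granted |= {r["roleDefinitionId"] for r in a["accessDetails"]["unifiedRoles"]}
    if not in_group:
        return ["account is not in a security group assigned to the relationship"]
    return [f"security group is missing role: {name}"
            for rid, name in REQUIRED_ROLES.items() if rid not in granted]

# Constructed sample data (placeholder tenant, group and account ids).
TENANT, GROUP, ACCOUNT = "tenant-0001", "group-0001", "user-0001"
RELS = [{"id": "rel-1", "status": "active", "customer": {"tenantId": TENANT}}]
ASSIGNMENTS = {"rel-1": [{
    "status": "active",
    "accessContainer": {"accessContainerId": GROUP, "accessContainerType": "securityGroup"},
    # Only Global Reader is assigned here, so Application Administrator is reported.
    "accessDetails": {"unifiedRoles": [
        {"roleDefinitionId": "f2ef992c-3afb-46b9-b7cf-a126ee74c451"}]},
}]}
MEMBERS = {GROUP: {ACCOUNT}}

if __name__ == "__main__":
    for finding in check_gdap(RELS, ASSIGNMENTS, MEMBERS, TENANT, ACCOUNT) or ["all checks pass"]:
        print(finding)
```

Roles are combined across every assigned security group that contains the account, so a role split over two groups still counts as present.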


When the error is for Partner Center Tenant Update:

This can occur if the delegated admin user does not have access to the Microsoft Partner Center, or if MFA was not prompted while granting Partner Center consent.

When MFA is not prompted during this process, the Partner Center will refuse the connection.


Resolution

Ensure MFA is enabled and enforced on the account, then:

  1. From your Sync 365 dashboard, navigate to the Customers tab.

  2. Click the Delegated Admin tab.

  3. Click on Add > “Grant Partner Center Consent”.
  4. You will be prompted to log in to Office 365 using the Partner Center account created in Step 1.

    1. You may need a Global Admin to approve the app if restricted in your environment.

    2. Ensure you are prompted for MFA during this process, otherwise Microsoft will block the connection.

      1. Select "Consent on behalf of your organization"
      2. Click on “Accept” to grant consent.