If you have received an error related to either Office 365 or your PSA tool, this page contains some common errors and how to resolve them.

If the error is for a tenant that you do not look after or you do not have/want in the system, you can exclude the tenant from notifications: Exclude Tenants from notifications

TABLE OF CONTENTS

• AADSTS530004: AcceptCompliantDevice setting isn't configured for this organization
• AADSTS700003: Device object was not found in the tenant
• Unsupported token. Unable to initialize the authorization context. OR Forbidden - Access is denied
• AADSTS700082: The refresh token has expired due to inactivity – Occurring to a single tenant
• AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access
• AADSTS530034: A delegated administrator was blocked from accessing the tenant due to account riskOr AADSTS530032: User blocked due to risk on home tenant
• Access Denied. You do not have permissions to call this cmdlet. for
• AADSTS500571: The guest user account is disabled
• AADSTS50177: User account '{EmailHidden}' from identity provider '' does not exist in tenant '' and cannot access the application '3efeacdc-560a-41a1-b337-e302923082ea'(Sync 365 License) in that tenant. 
• We have found some errors while trying to update price of product/Billing profile has invalid product
• AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.
• The user isn't assigned to any management roles. Please check online documentation for assigning Directory Roles to User.
• Access Denied. Caller should have a valid entra role.
• User was not found
• The user or administrator has not consented to use the application
• Exception of type 'Providers.Common.V1.CoreException' was thrown.
• AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access
• You do not have security permission to perform this action.
• AADSTS135011: Device used during the authentication is disabled

AADSTS530004: AcceptCompliantDevice setting isn't configured for this organization

This error occurs from a conditional access policy that is configured to allow only compliant devices.

You can confirm the policy that is blocking this by:

• Logging into the customer's Azure portal
• Opening Microsoft Entra ID (Azure AD)
• Clicking on Users
• Clicking on Sign in logs
  • Look for the sign in log for "<Your company name> Technician" (This is what shows when accessed via your partner connection
  • Find the failed sign in and look at the details. This should show you the corresponding policy that causes the problem

Resolution: To resolve this issue, you can exclude the service provider account from the Conditional Access Policy. You can see our recommendations her: Conditional Access Policies

• Edit the conditional access policy
• Add an exclusion and select "Service provider users" 
  • All: will exclude all service providers that have a relationship with the tenant
  • Select: allows you to specify the tenant ID's of service providers to allow.
    • If you use this, ensure your tenant ID is entered in to exclude it
• Save the policy and things should work again.

AADSTS700003: Device object was not found in the tenant

This error can happen if the Azure AD Device that your Delegated Admin account was linked to, has been deleted from your directory.

Resolution: To resolve this, grant partner center consent again with your admin account

1. Log into Sync 365
2. Go to Company > Delegated admin tab
3. Take note of the account currently in use on this page (DO NOT DELETE IT).
4. Click add > Grant partner center consent
   1. Log in with the delegated admin account that is being used in Sync 365
      1. Make sure you are prompted for MFA during this process or it will be blocked by MS Partner Center
   2. This will refresh the token and resolve the issue

Unsupported token. Unable to initialize the authorization context. OR Forbidden - Access is denied

You will receive this error when your partner relationship does not have the required permissions to connect to the tenant.

Resolution: Check your partner relationship and resolve permission issues.

Ensure your GDAP relationship has Application administrator and Global reader permissions assigned to the security group that the Sync 365 account is in.

You can see detailed instructions here: Checking your GDAP relationship

AADSTS700082: The refresh token has expired due to inactivity – Occurring to a single tenant

This usually happens when “remember mfa for X days” option is selected in a customer MFA settings (admin portal > Users > multi factor authentication)
NOTE: Microsoft’s recommendation is for this to disabled and MFA requirements configured via MFA.

Having this option enabled, creates an additional security risk and will also break the refresh token from accessing this customers Office 365 Tenant.

Resolution: To resolve the issue, please disable this option, wait roughly 30 minutes and it should be resolved.

You can disable the option by:

1. Opening the customers Microsoft 365 Admin
2. Clicking on Users
3. Clicking "Multi Factor Authentication" button across the top row
4. Disable the option for "Remember MFA for X days"

AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access

This error typically happens if you switch your delegated admin account from having MFA enabled or not enabled.

Alternatively this can happen if you roll out Conditional Access MFA and have not previously had it.

If this error is for license counts or a custom license for mailbox or Azure AD related items:

Resolution: To resolve this, grant partner center consent again with your admin account

1. Log into Sync 365
2. Go to Company > Delegated admin tab
3. Take note of the account currently in use on this page (DO NOT DELETE IT).
4. Click add > Grant partner center consent
   1. Log in with the delegated admin account that is being used in Sync 365
      1. Make sure you are prompted for MFA during this process or it will be blocked by MS Partner Center
   2. This will refresh the token and resolve the issue

AADSTS530034: A delegated administrator was blocked from accessing the tenant due to account risk
Or AADSTS530032: User blocked due to risk on home tenant

There are a couple of things that can cause this error.

1. Your delegated admin has been listed as a risky user (Check this in your own tenant, not the customers)
   1. You can check this in: Azure active directory > Security > Risky users
   2. If your delegated admin account is in here. It can be blocked based on a tenants conditional access policies. Remove it from here by selecting the account and clicking "Dismiss user risk" and it should fix the issue.
      1. It can take up to 24 hours for Microsoft to replicate this
2. Security defaults can add some security items that can cause a block. It is better to use conditional access policies rather than microsofts security defaults which was introduced for any tenants that do not have MFA policies setup.
   1. You can check this in the customer tenant: Azure active directory > Properties > Manage security defaults

Access Denied. You do not have permissions to call this cmdlet. for <tenant>

This typically occurs if you still have a tenant linked to your Partner Center, but have had admin rights removed so you cannot access the tenant.

Resolution: 

Indirect CSP: You can contact MS Partner support to ask them to remove the tenant from your Partner Center list.
Direct CSP can also remove the relationship from their partner center.

This can also happen if the delegated admin link did not work correctly when it was accepted for the tenant.
If this is a tenant you should be able to manage, check on your GDAP relationship and resolve any issues with it: Checking your GDAP relationship 

AADSTS500571: The guest user account is disabled

This problem can occur if you are using one of your named users as the delegated admin account and they have a guest account in a client tenant. This can occur from a client sharing a sharepoint or onedrive link or adding you to a MS Teams team.

You can check if this is causing the problem by logging into azure for that client and looking for the delegated admin user being added as a guest. You can delete the user in their tenant if you need to.

Resolution: We recommend creating a separate service account to use for your delegated admin so you do not run in to this issue. There is some information available here on using a specific service account instead of a named user: 3 - Configure Microsoft 365 partner admin account

AADSTS50177: User account '{EmailHidden}' from identity provider '' does not exist in tenant '<Tenant Name>' and cannot access the application '3efeacdc-560a-41a1-b337-e302923082ea'(Sync 365 License) in that tenant. 

This will usually occur when there is a problem with the GDAP relationship or it is missing.

Resolution: Check and resolve any issues with your GDAP relationship: Checking your GDAP relationship 

We have found some errors while trying to update price of product/Billing profile has invalid product

This error will occur if a product in one of your billing profiles has a product that is either missing or marked as inactive in your PSA.

Resolution: Either update your Sync 365 billing profile to point to the new/correct product or service, or re-activate the product/service in your PSA

AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

This error will occur if one of the conditional access policies in the Tenant is blocking access.

Resolution: You will need to fix up the Conditional Access policies in the client tenant so that we can connect to it. You can see our recommendations here: Conditional Access Policies

You can read more about Microsoft's recommendations for Conditional access and GDAP here: GDAP frequently asked questions - Partner Center | Microsoft Learn 

Essentially you can try:

• Make sure service provider users are not selected in external and guest users
• Exclude the Service provider
• You can also try excluding the service principal for the "Sync 365 License" application by selecting it in the service principals exclude section in the conditional access policy

The user <S365 partner center account> isn't assigned to any management roles. Please check online documentation for assigning Directory Roles to User.

You will receive this error if the user account has not been provided GDAP permissions to the tenant.

Resolution: Fix up your GDAP relationship and permissions: Checking your GDAP relationship

Within about 30 minutes of the account being put in the correct group, it should resolve this error.

Access Denied. Caller should have a valid entra role.

You will receive this error if the user account has not been provided GDAP permissions to the tenant.

Resolution: Fix up your GDAP relationship and permissions: Checking your GDAP relationship

Within about 30 minutes of the account being put in the correct group, it should resolve this error.

User was not found

The relationship between this tenant and the partner has been dissolved from the client side. Check the partner relationship information and ensure that it is still active. This error also occurs when a GDAP relationship has expired or is not configured correctly. 

Resolution: Fix up your GDAP relationship and permissions: Checking your GDAP relationship

The user or administrator has not consented to use the application

This error will occur if the Sync 365 application has been deleted out of the customer tenant or has not been able to consent yet.

Consent will fail if application administrator permission is not in the GDAP relationship and assigned to the security group the sync 365 service account is in.

Sync 365 will automatically attempt to consent the application daily or when you click "refresh license counts" after selecting the added company and clicking the button.

Resolution: Make sure the Application Administrator permission is in the GDAP relationship: Checking your GDAP relationship. If the problem continues, contact [email protected] 

Exception of type 'Providers.Common.V1.CoreException' was thrown.

This error will occur if Partner center account being used in Sync 365 does not have "Application Administrator" or higher permissions in the GDAP relationship.

Resolution: Fix up your GDAP relationship and permissions: Checking your GDAP relationship

AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access

This typically occurs if MFA has been revoked or a password has been changed. 

Resolution: The first thing to try here is to grant partner center consent again.

1. Log into Sync 365
2. Go to Company > Delegated admin tab
3. Take note of the account currently in use on this page (DO NOT DELETE IT).
4. Click add > Grant partner center consent
   1. Log in with the delegated admin account that is being used in Sync 365
      1. Make sure you are prompted for MFA during this process or it will be blocked by MS Partner Center
   2. This will refresh the token and resolve the issue

You do not have security permission to perform this action.

This is an error from Connectwise PSA. It will occur if the API does not have the correct permissions.

Resolution: 

This commonly happens if Agreement API permissions are restricted to a certain agreement type, and there is a parent agreement in use where the type has not been allowed in the API permissions.

Confirm that the API permissions are correct for the API user: Connectwise API Configuration

AADSTS135011: Device used during the authentication is disabled

This error is related to a device in your partner tenant.

This error occurs when the device that was used to authenticate the MS Partner/Delegated admin account gets disabled or deleted in Azure Active Directory (Microsoft Entra ID).

Resolution: Grant partner center consent

1. Log into Sync 365
2. Go to Company > Delegated admin tab
3. Take note of the account currently in use on this page (DO NOT DELETE IT).
4. Click add > Grant partner center consent
   1. Log in with the delegated admin account that is being used in Sync 365
      1. Make sure you are prompted for MFA during this process or it will be blocked by MS Partner Center
   2. This will refresh the token and resolve the issue