Troubleshooting errors returned for individual tenants

Created by Leon leon.b@sync365.app, Modified on Fri, 16 Feb 2024 at 09:34 AM by Leon leon.b@sync365.app

If you have received an error related to either Office 365 or your PSA tool, this page contains some common errors and how to resolve them.


If the error is for a tenant that you do not look after or you do not have/want in the system, you can exclude the tenant from notifications: Exclude Tenants from notifications



AADSTS700082: The refresh token has expired due to inactivity – Occurring to a single tenant

As the system automatically keeps your refresh token up to date, this is typically seen for a single one of your tenants rather than all of your tenants.
We have typically seen this occur when the "remember MFA for X days" option is selected in a customer's MFA settings (admin portal > Users > multi factor authentication).
NOTE: Microsoft's recommendation is for this option to be disabled, with MFA requirements configured through Conditional Access policies instead.

Having this option enabled creates an additional security risk and will also prevent the refresh token from accessing this customer's Office 365 tenant.
To resolve the issue, disable this option and wait roughly 30 minutes.

AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access

This error typically happens if you switch your delegated admin account between having MFA enabled and not enabled.

Alternatively, this can happen if you roll out Conditional Access MFA where it was not previously in place.

If this error is for license counts, or for a custom license for mailbox or Azure AD related items:

When this happens, you need to grant us access to your Partner Center again by going to Company > Delegated Admin and clicking "Grant partner center consent".

AADSTS530034: A delegated administrator was blocked from accessing the tenant due to account risk

Or AADSTS530032: User blocked due to risk on home tenant

There are a couple of things that can cause this error.

  1. Your delegated admin has been listed as a risky user (check this in your own tenant, not the customer's).
    1. You can check this in: Azure active directory > Security > Risky users
    2. If your delegated admin account is listed here, it can be blocked by a tenant's Conditional Access policies. Remove it by selecting the account and clicking "Dismiss user risk"; this should fix the issue.
      1. It can take up to 24 hours for Microsoft to replicate this.
  2. Security defaults can add security controls that cause a block. It is better to use Conditional Access policies rather than Microsoft's security defaults, which were introduced for tenants that do not have MFA policies set up.
    1. You can check this in the customer tenant: Azure active directory > Properties > Manage security defaults

Access Denied. You do not have permissions to call this cmdlet. for <tenant>

This typically occurs if you still have a tenant linked to your Partner Center, but have had admin rights removed so you cannot access the tenant.

You can contact Microsoft Partner support to ask them to remove the tenant from your Partner Center list.
Direct CSPs can also remove the relationship from their own Partner Center.

This can also happen if the delegated admin link did not work correctly when it was accepted for the tenant.
If this is a tenant you should be able to manage, try using your Partner Delegated Admin link to accept the admin rights within that tenant again.

AADSTS500571: The guest user account is disabled

This problem can occur if you are using one of your named users as the delegated admin account and they have a guest account in a client tenant. This can happen when a client shares a SharePoint or OneDrive link with you or adds you to a Microsoft Teams team.

You can check if this is causing the problem by logging into Azure for that client and checking whether the delegated admin user has been added as a guest. You can delete the guest user in their tenant if needed.


We recommend creating a separate service account to use for your delegated admin so you do not run into this issue.


AADSTS50177: User account '{EmailHidden}' from identity provider 'https://sts.windows.net/<guid>/' does not exist in tenant '<Tenant Name>' and cannot access the application '3efeacdc-560a-41a1-b337-e302923082ea'(Sync 365 License) in that tenant.

This is a relatively new error. It appears to be related to Microsoft's migration to GDAP. We have not yet received a useful response from Microsoft on the cause or how to resolve it. It appears to be an issue with the link between the partner and the tenant.

Partners are opening tickets in the Microsoft Partner Center to have Microsoft check on it in the meantime.


We will update this when we have more information.


This error will impact the following items from updating:

  • Usernames for the invoices
  • Bill by subscription ID
  • Custom licenses (except copy existing Microsoft license)
  • Contact sync



We have found some errors while trying to update price of product/Billing profile has invalid product

This error occurs if one of your billing profiles contains a product that is either missing or marked as inactive in your PSA.

If you receive this error, update the product in the billing profile to the correct product, or fix the product/service in your PSA.



AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

This error will occur if one of the conditional access policies in the Tenant is blocking access.

You will need to fix up the Conditional Access policies in the client tenant so that we can connect to it.


You can read more about Microsoft's recommendations for Conditional access and GDAP here: GDAP frequently asked questions - Partner Center | Microsoft Learn 


Essentially, you can try the following:

  • Make sure service provider users are not selected under external and guest users
  • Exclude external and guest users
  • You can also try excluding the service principal for the "Sync 365 License" application by selecting it in the service principals exclude section of the Conditional Access policy
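To check whether a Conditional Access policy still has the settings the bullets above tell you to change, here is an added example (not Sync 365 code) that audits a policy document in the shape of a Microsoft Graph conditionalAccessPolicy. The sample policies are constructed, and it assumes that excludeServicePrincipals holds app (client) IDs.

```python
"""Audit a Conditional Access policy for the settings this article suggests.
Added example, not Sync 365 code. The policy is a constructed document in the
shape of a Microsoft Graph conditionalAccessPolicy; the assumption here is that
excludeServicePrincipals holds app (client) IDs."""
from typing import Optional

# "Sync 365 License" application ID as quoted in the AADSTS50177 error above
SYNC365_APP_ID = "3efeacdc-560a-41a1-b337-e302923082ea"


def external_user_types(block: Optional[dict]) -> set:
    """Graph stores guestOrExternalUserTypes as a comma-separated string."""
    if not block:
        return set()
    raw = block.get("guestOrExternalUserTypes", "")
    return {t.strip() for t in raw.split(",") if t.strip()}


def audit_policy(policy: dict) -> list:
    """Return findings describing why this policy may block a partner sign-in."""
    findings = []
    if policy.get("state") != "enabled":
        return findings  # report-only or disabled policies do not block tokens
    users = policy.get("conditions", {}).get("users", {})
    apps = policy.get("conditions", {}).get("clientApplications") or {}
    included = external_user_types(users.get("includeGuestsOrExternalUsers"))
    excluded = external_user_types(users.get("excludeGuestsOrExternalUsers"))
    if "serviceProvider" in included and "serviceProvider" not in excluded:
        findings.append("service provider users are targeted and not excluded")
    if ("ServicePrincipalsInMyTenant" in apps.get("includeServicePrincipals", [])
            and SYNC365_APP_ID not in apps.get("excludeServicePrincipals", [])):
        findings.append("Sync 365 License service principal is not excluded")
    return findings


# Constructed sample: a policy that blocks the partner, then the same policy after the fixes
BLOCKING = {
    "state": "enabled",
    "conditions": {"users": {"includeGuestsOrExternalUsers": {"guestOrExternalUserTypes": "internalGuest,serviceProvider"}},
                   "clientApplications": {"includeServicePrincipals": ["ServicePrincipalsInMyTenant"]}},
}
FIXED = {
    "state": "enabled",
    "conditions": {"users": {"includeGuestsOrExternalUsers": {"guestOrExternalUserTypes": "internalGuest"},
                             "excludeGuestsOrExternalUsers": {"guestOrExternalUserTypes": "serviceProvider"}},
                   "clientApplications": {"includeServicePrincipals": ["ServicePrincipalsInMyTenant"],
                                          "excludeServicePrincipals": [SYNC365_APP_ID]}},
}
```

Run audit_policy over each enabled policy exported from the client tenant; an empty list means none of the three settings above is still in place for that policy.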



The user <S365 partner center account> isn't assigned to any management roles. Please check online documentation for assigning Directory Roles to User.

You will receive this error if the user account has not been granted GDAP permissions to the tenant.

You can do the following to resolve this issue:

  • Log into Partner Center and go to the customer list - https://partner.microsoft.com/en-us/dashboard/commerce2/customers/list
  • Open the customer and click the "admin relationships" tab.
    • Ensure that the GDAP relationship includes the Global Reader and Application Administrator roles (Global Administrator also covers this)
  • Go into the relationship and look at which security group has the required permissions
  • In your own Azure AD (Entra) tenant, ensure the account being used for partner access in Sync 365 is in the relevant GDAP security group.

Within about 30 minutes of the account being put in the correct group, it should resolve this error.


Unsupported token. Unable to initialize the authorization context.

You will receive this error when your GDAP relationship and its permissions are not correct or are insufficient.

Ensure your GDAP relationship has Application administrator and Global reader permissions assigned to the security group that the Sync 365 account is in.


User was not found

The relationship between this tenant and the partner has been dissolved from the client side. Check the partner relationship information and ensure that it is still active. This error also occurs when a GDAP relationship has expired or is not configured correctly. Fix up the GDAP relationship and ensure the security group containing your Sync 365 service account has at least the Global Reader and Application Administrator roles assigned.



The user or administrator has not consented to use the application

This error will occur if the Sync 365 application has been deleted from the customer tenant or has not yet been consented.

Consent will fail if the Application Administrator permission is not in the GDAP relationship and assigned to the security group the Sync 365 service account is in.

Sync 365 automatically attempts to consent the application daily, or when you select the added company and click "refresh license counts".




Exception of type 'Providers.Common.V1.CoreException' was thrown.

This error will occur if the Partner Center account being used in Sync 365 does not have "Application Administrator" or higher permissions in the GDAP relationship.

Check the client GDAP relationship and ensure the Application Administrator and Global Reader permissions are assigned to the security group that your Sync 365 user account is in.
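The last five errors (from "isn't assigned to any management roles" down to the CoreException) all come back to the same requirement: an active, unexpired GDAP relationship that grants Global Reader and Application Administrator (or Global Administrator), assigned to a security group the Sync 365 account belongs to. The added example below (not Sync 365 code) checks each of those conditions over constructed documents in the shape of the Microsoft Graph delegatedAdminRelationship and delegatedAdminAccessAssignment objects; group membership is a constructed mapping.

```python
"""Check a GDAP relationship for the roles this article repeatedly asks for.
Added example, not Sync 365 code. Inputs are constructed in the shape of the
Microsoft Graph delegatedAdminRelationship and delegatedAdminAccessAssignment
objects; security group membership is a constructed mapping."""
from datetime import datetime, timezone

# Well-known Entra directory role template IDs
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
GLOBAL_READER = "f2ef992c-3afb-46b9-b7cf-a126ee74c451"
APP_ADMIN = "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"


def roles_sufficient(role_ids) -> bool:
    """Global Administrator alone covers it; otherwise both roles are required."""
    return GLOBAL_ADMIN in role_ids or {GLOBAL_READER, APP_ADMIN} <= set(role_ids)


def unified_roles(obj: dict) -> set:
    """Collect roleDefinitionId values from a relationship or an access assignment."""
    return {r["roleDefinitionId"] for r in obj.get("accessDetails", {}).get("unifiedRoles", [])}


def check_gdap(relationship, assignments, group_members, account, now) -> list:
    """Return findings explaining why `account` would not receive the needed roles."""
    findings = []
    if relationship.get("status") != "active":
        findings.append(f"relationship status is {relationship.get('status')!r}, not active")
    end = datetime.fromisoformat(relationship["endDateTime"].replace("Z", "+00:00"))
    if end <= now:
        findings.append("relationship has expired")
    granted = unified_roles(relationship)
    if not roles_sufficient(granted):
        findings.append("relationship lacks Global Reader + Application Administrator")
    # Roles reach the account only through active assignments to a group it belongs to
    effective = set()
    for a in assignments:
        box = a.get("accessContainer", {})
        if a.get("status") == "active" and box.get("accessContainerType") == "securityGroup":
            if account in group_members.get(box.get("accessContainerId"), ()):
                effective |= unified_roles(a) & granted
    if not roles_sufficient(effective):
        findings.append(f"{account} is not in a security group assigned the required roles")
    return findings


# Constructed sample data: a healthy relationship with the service account in the right group
NOW = datetime(2024, 2, 16, tzinfo=timezone.utc)
REL = {"status": "active", "endDateTime": "2025-01-01T00:00:00Z",
       "accessDetails": {"unifiedRoles": [{"roleDefinitionId": GLOBAL_READER}, {"roleDefinitionId": APP_ADMIN}]}}
ASSIGN = [{"status": "active", "accessContainer": {"accessContainerId": "grp-1", "accessContainerType": "securityGroup"},
           "accessDetails": {"unifiedRoles": [{"roleDefinitionId": GLOBAL_READER}, {"roleDefinitionId": APP_ADMIN}]}}]
GROUPS = {"grp-1": {"svc-sync365@partner.example"}}
```

Feeding it the relationship and assignments for a customer, plus the membership of your GDAP security groups, gives one finding per condition that is still wrong; the roles take effect only where they appear in both the relationship and an active group assignment.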
