ADManager Plus users may be unable to generate Microsoft 365 user login reports. This can hinder administrative tasks such as auditing, monitoring user activity, and meeting compliance requirements. The problem may manifest as an error message, a blank report, or a failure to retrieve data.
The issue may be accompanied by the error message "invalid credentials" when connecting to Microsoft 365.
Incorrect Microsoft 365 credentials: The credentials used to connect ADManager Plus to Microsoft 365 may be invalid or expired.
Insufficient permissions: The account used for integration may lack the Global Reader and Security Reader permissions required to generate reports.
Network or connectivity issues: Problems with internet connectivity or firewall restrictions blocking API calls.
Before proceeding with the resolution, ensure the following:
Ensure you have an active Microsoft 365 admin account with the Global Reader and Security Reader permissions.
Ensure the server hosting ADManager Plus has stable internet access.
Confirm that firewall rules allow communication between ADManager Plus and Microsoft 365 APIs.
Log in to ADManager Plus as the default admin.
Navigate to Directory/Application settings > Microsoft 365 > Credentials.
Verify that the credentials used for Microsoft 365 integration are correct and up-to-date.
If the credentials are incorrect or expired, update them and save the changes.
Log in to the Microsoft Entra Admin Center.
Navigate to Identity > Applications > App registrations.
Select the application used by ADManager Plus.
Under Certificates & secrets, check if the client secret is valid.
If expired, create a new client secret and update it in ADManager Plus.
Open PowerShell as an administrator.
Run the following command to check if the required modules are installed.
Get-InstalledModule
If the modules are missing, install them using:
Install-Module AzureAD -Force
Install-Module MSOnline -Force
Install-Module ExchangeOnlineManagement -Force
After installation, restart ADManager Plus and try running the report again.
Log in to the Microsoft 365 admin center.
Navigate to Users > Active Users and select the account used for ADManager Plus integration. (This can be verified from the tenant configuration.)
Ensure the account has the following roles:
Global Reader and Security Reader
Exchange Admin (if Exchange Online data is required)
If permissions are insufficient, assign the necessary roles and retry generating the report.
a. Check sign-in logs for MFA enforcement
Sign in to the Microsoft Entra Admin Center.
Navigate to Identity > Users.
Search for and select the service account.
Click on Sign-in logs in the left menu.
Select recent sign-in attempts (both successful and failed ones).
For failed sign-ins, check the Conditional Access tab to see which policies were applied and whether MFA caused the failure.
Identify the policy with a "Success" status that enforced MFA.
b. Modify the conditional access policy to exclude the service account
Go to Identity > Protection > Conditional Access.
Find and select the policy that enforced MFA (identified in step 5 - section 1).
Under Users, go to the Exclude section and add the service account.
Save the changes.
c. Validate the exemption
Attempt to sign in with the service account.
Verify that MFA is no longer prompted.
Check the Sign-in logs again to confirm the exclusion was applied.
Ensure that your firewall is not blocking required Microsoft 365 domains.
Refer to ManageEngine's firewall configuration guide for a list of domains that must be whitelisted.
If necessary, allow access to these domains and restart ADManager Plus.
Regularly update Microsoft 365 credentials to prevent authentication failures.
Track client secret expiration and update it before expiry to avoid disruptions.
Use a dedicated service account with the required permissions instead of a personal account.
Keep PowerShell modules updated to ensure compatibility with Microsoft 365.
Verify that ADManager Plus has the necessary API permissions to retrieve Microsoft 365 data.
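The client secret check from Certificates & secrets and the advice to track secret expiration can be scripted so that an expiring secret is caught before reports start failing. This is an added example, not part of the original article or of ADManager Plus; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications) is installed, and the parameter names and the 30-day warning window are illustrative.

```powershell
# Added example: report client secret expiry for one app registration.
# Assumes the signed-in account is allowed to read app registrations.
param(
    [Parameter(Mandatory)]
    [string] $AppDisplayName,   # placeholder: name of the app registration used by ADManager Plus
    [int] $WarnDays = 30        # assumed warning window; align with your rotation policy
)

Import-Module Microsoft.Graph.Applications -ErrorAction Stop
Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null

# OData string literals escape a single quote by doubling it.
$escaped = $AppDisplayName.Replace("'", "''")
$apps = @(Get-MgApplication -Filter "displayName eq '$escaped'" -Property Id, AppId, DisplayName, PasswordCredentials)

if ($apps.Count -eq 0) { throw "No app registration named '$AppDisplayName' was found." }
if ($apps.Count -gt 1) { Write-Warning "Display names are not unique: $($apps.Count) apps matched." }

$now = (Get-Date).ToUniversalTime()
$report = foreach ($app in $apps) {
    if (-not $app.PasswordCredentials) {
        Write-Warning "$($app.DisplayName) ($($app.AppId)) has no client secrets."
        continue
    }
    foreach ($cred in $app.PasswordCredentials) {
        $expires  = $cred.EndDateTime.ToUniversalTime()
        $daysLeft = [math]::Floor(($expires - $now).TotalDays)
        $status   = if ($daysLeft -lt 0) { 'Expired' } elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' } else { 'Valid' }
        [pscustomobject]@{
            App        = $app.DisplayName
            AppId      = $app.AppId
            SecretName = $cred.DisplayName
            KeyId      = $cred.KeyId
            ExpiresUtc = $expires
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring job raise an alert.
if ($report | Where-Object Status -ne 'Valid') { exit 1 }
```

The script only reads secret metadata (name, key ID, expiry); Microsoft Graph never returns the secret value itself, so a new secret still has to be created in the Entra admin center and updated in ADManager Plus as described above.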
If the issue persists, contact our support team.