Error due to invalid credential while generating Microsoft 365 reports in ADManager Plus

Error due to invalid credential while generating Microsoft 365 reports in ADManager Plus

Issue description       

Users of ADManager Plus may encounter this issue where they are unable to generate Microsoft 365 user login reports. This can hinder administrative tasks such as auditing, monitoring user activity, and meeting compliance requirements. The problem may manifest as an error message, blank report, or failure to retrieve data.

 

The issue may be accompanied by the error message invalid credentials when connecting to Microsoft 365.

Possible causes     

  1. Incorrect Microsoft 365 credentials: The credentials used to connect ADManager Plus to Microsoft 365 may be invalid or expired.

  2. Insufficient permissions: The account used for integration may lack the Global Reader and Security Reader permissions to generate reports.

  3. Network or connectivity issues: Problems with internet connectivity or firewall restrictions blocking API calls.

Prerequisites       

Before proceeding with the resolution, ensure the following:

  • Ensure you have an active Microsoft 365 admin account with the Global Reader and Security Reader permissions.

  • Ensure the server hosting ADManager Plus has stable internet access.

  • Confirm that firewall rules allow communication between ADManager Plus and Microsoft 365 APIs.

Resolution 

Step 1: Verify Microsoft 365 credentials  

  1. Log in to ADManager Plus as the default admin.

  2. Navigate to Directory/Application settings > Microsoft 365 > Credentials.

  3. Verify that the credentials used for Microsoft 365 integration are correct and up-to-date.

  4. If the credentials are incorrect or expired, update them and save the changes.

Step 2: Check client secret validity  

  1. Log in to the Microsoft Entra Admin Center.

  2. Navigate to Identity > Applications > App registrations.

  3. Select the application used by ADManager Plus.

  4. Under Certificates & secrets, check if the client secret is valid.

If expired, create a new client secret and update it in ADManager Plus.

Step 3: Confirm required PowerShell modules are installed  

  1. Open PowerShell as an administrator.

  2. Run the following command to check if the required modules are installed.

    • Get-InstalledModule

  3. If the modules are missing, install them using:

    • Install-Module AzureAD -Force

    • Install-Module MSOnline -Force

    • Install-Module ExchangeOnlineManagement -Force

  4. After installation, restart ADManager Plus and try running the report again.

Step 4: Check account permissions  

  1. Log in to the Microsoft 365 admin center.

  2. Navigate to Users > Active Users and select the account used for ADManager Plus integration. (This can be verified from the tenant configuration.)

  3. Ensure the account has the following roles:

  • Global Reader and Security Reader

  • Exchange Admin (if Exchange Online data is required)

  1. If permissions are insufficient, assign the necessary roles and retry generating the report.

Step 5: Exclude Service Account from MFA

a. Check sign-in logs for MFA enforcement  

  1. Sign in to the Microsoft Entra Admin Center.

  2. Navigate to Identity > Users.

  3. Search for and select the service account.

  4. Click on Sign-in logs in the left menu.

  5. Select a recent sign-in attempt (both successful and failed ones).

  6. For failed sign-ins, check the Conditional Access tab to see which policies were applied and whether MFA caused the failure.

  7. Identify the policy with a "Success" status that enforced MFA.

b. Modify the conditional access policy to exclude the service account  

  1. Go to Identity > Protection > Conditional Access.

  2. Find and select the policy that enforced MFA (identified in step 5 - section 1).

  3. Under Users, go to the Exclude section and add the service account.

  4. Save the changes.

c. Validate the exemption  

  1. Attempt to sign in with the service account.

  2. Verify that MFA is no longer prompted.

  3. Check the Sign-in logs again to confirm the exclusion was applied.

Step 6: Check Firewall restrictions  

  1. Ensure that your firewall is not blocking required Microsoft 365 domains.

  2. Refer to ManageEngine's firewall configuration guide for a list of domains that must be whitelisted.

  3. If necessary, allow access to these domains and restart ADManager Plus.

 Tips 

  • Regularly update Microsoft 365 credentials to prevent authentication failures.

  • Track client secret expiration and update it before expiry to avoid disruptions.

  • Use a dedicated service account with the required permissions instead of a personal account.

  • Keep PowerShell modules updated to ensure compatibility with Microsoft 365.

  • Verify that ADManager Plus has the necessary API permissions to retrieve Microsoft 365 data.

How to reach support      

If the issue persists, contact our support team here.


      New to M365 Manager Plus?
      New to M365 Manager Plus?
        New to RecoveryManager Plus?
        New to RecoveryManager Plus?
          New to Exchange Reporter Plus?
          New to Exchange Reporter Plus?
            New to SharePoint Manager Plus?
            New to SharePoint Manager Plus?
                See all integrations
                New to ADManager Plus?
                See all integrations
                New to ADManager Plus?

                  New to ADSelfService Plus?

                  Start your free trial
                  Start your free trial

                      Related Products