Error: Unable to generate Microsoft 365 user logon reports in ADManager Plus
Issue description
Auditing user logins: Tracking when and where users access Microsoft 365 resources.
Security monitoring: Identifying unusual login activities that may indicate security threats.
Compliance reporting: Ensuring login data is documented for regulatory requirements.
While generating these reports, users may encounter the following error:
Unable to generate Microsoft 365 user logon reports in ADManager Plus.
This issue may lead to blank reports, data retrieval failures, or error messages, hindering administrative tasks such as auditing and monitoring.
Possible causes
Incorrect Microsoft 365 credentials: The credentials used to connect ADManager Plus to Microsoft 365 may be invalid or expired. Additionally, MFA might be enabled for the service account, preventing authentication.
Insufficient permissions: The account used for integration may lack the Global Reader and Security Reader permissions to generate reports.
Network or connectivity issues: Problems with internet connectivity or firewall restrictions blocking API calls.
Prerequisites
Before proceeding with the resolution:
Ensure you have an active Microsoft 365 admin account with the Global Reader and Security Reader permissions.
Ensure the server hosting ADManager Plus has stable internet access.
Confirm that firewall rules allow communication between ADManager Plus and Microsoft 365 APIs.
Resolution
Step 1: Verify Microsoft 365 configuration
Log in to ADManager Plus as an admin.
Navigate to Directory/Application settings > Microsoft 365.
Verify the configuration status.
If the credentials are incorrect or expired, update them and save the changes.
If the service has MFA, you can either exclude the service account from MFA or set up a Conditional Access policy.
Steps to exclude the service account from MFA
Check sign-in logs for MFA enforcement
Sign in to the Microsoft Entra Admin Center.
Navigate to Identity > Users.
Search for and select the service account.
Click Sign-in logs in the left menu.
Select a recent sign-in attempt (both successful and failed ones).
For failed sign-ins, check the Conditional Access tab to see which policies were applied and whether MFA caused the failure.
Identify the policy with a Success status that enforced MFA.
b. Modify the Conditional Access policy to exclude the service account
- Go to Identity > Protection > Conditional Access.
- Find and select the policy that enforced MFA (identified in Step 1).
Under Users, go to the Exclude section and add the service account.
Save the changes.
c. Validate the exclusion
Attempt to sign in with the service account.
Verify that MFA is no longer prompted.
Check the Sign-in logs again to confirm the exclusion was applied.
Step 2: Confirm required PowerShell modules are installed
Open PowerShell as an administrator.
Run the following command to check if the required modules are installed.
Get-InstalledModule
If the modules are missing, install them using:
Install-Module AzureAD -Force
Install-Module MSOnline -Force
Install-Module ExchangeOnlineManagement -Force
After installation, restart ADManager Plus and try running the report again.
Step 3: Check account permissions
Log in to the Microsoft 365 admin center.
Navigate to Users > Active Users and select the account used for ADManager Plus integration. This can be verified from the tenant configuration.
Ensure the account has the following roles:
Global Reader and Security Reader
Exchange Admin (if Exchange Online data is required)
If permissions are insufficient, assign the necessary roles and retry generating the report.
Step 4: Check Firewall restrictions
Ensure that your firewall is not blocking required Microsoft 365 domains.
Refer to ManageEngine's firewall configuration guide for a list of domains that must be allowed.
If necessary, allow access to these domains and restart ADManager Plus.
Tips
Track client secret expiration and update it before expiry to avoid disruptions.
Use a dedicated service account with the required permissions instead of a personal account.
Keep PowerShell modules updated to ensure compatibility with Microsoft 365.
Verify that ADManager Plus has the necessary API permissions to retrieve Microsoft 365 data.
Related topics and articles
How to reach support
New to ADSelfService Plus?
Related Articles
Error due to invalid credential while generating Microsoft 365 reports in ADManager Plus
Issue description Users of ADManager Plus may encounter this issue where they are unable to generate Microsoft 365 user login reports. This can hinder administrative tasks such as auditing, monitoring user activity, and meeting compliance ...Microsoft 365 license management using ADManager Plus
This article will explain how you can assign and revoke Microsoft 365 licenses using ADManager Plus. With ADManager Plus, you can: Assign Microsoft 365 licenses while creating users. Modify Microsoft 365 licenses for existing users. Remove Microsoft ...Unable to generate any data in the scheduled reports using ADManager Plus
Issue description Scheduled reports in ADManager Plus are essential for automating the delivery of critical information related to Active Directory (AD) objects, such as user accounts, group memberships, and compliance status. They ensure that ...Logon Restriction error in ADManager Plus
Issue description When newly created technicians attempt to log in to ADManager Plus, they encounter the following error message: As logon restrictions are enforced, you can login using only the built-in accounts. Please contact your administrator ...Unable to start ADManager Plus
Issue description ADManager Plus may sometimes fail to start, either displaying an error message while initiating as a console or stopping unexpectedly during the startup process. This issue can disrupt administrative tasks and delay critical ...