Auditing user logins: Tracking when and where users access Microsoft 365 resources.
Security monitoring: Identifying unusual login activities that may indicate security threats.
Compliance reporting: Ensuring login data is documented for regulatory requirements.
While generating these reports, users may encounter the following error:
Unable to generate Microsoft 365 user logon reports in ADManager Plus.
This issue may lead to blank reports, data retrieval failures, or error messages, hindering administrative tasks such as auditing and monitoring.
Incorrect Microsoft 365 credentials: The credentials used to connect ADManager Plus to Microsoft 365 may be invalid or expired. Additionally, MFA might be enabled for the service account, preventing authentication.
Insufficient permissions: The account used for integration may lack the Global Reader and Security Reader permissions to generate reports.
Network or connectivity issues: Problems with internet connectivity or firewall restrictions blocking API calls.
Before proceeding with the resolution:
Ensure you have an active Microsoft 365 admin account with the Global Reader and Security Reader permissions.
Ensure the server hosting ADManager Plus has stable internet access.
Confirm that firewall rules allow communication between ADManager Plus and Microsoft 365 APIs.
Log in to ADManager Plus as an admin.
Navigate to Directory/Application settings > Microsoft 365.
Verify the configuration status.
If the credentials are incorrect or expired, update them and save the changes.
If the service account has MFA enabled, you can either exclude the service account from MFA or set up a Conditional Access policy.
Steps to exclude the service account from MFA
Sign in to the Microsoft Entra Admin Center.
Navigate to Identity > Users.
Search for and select the service account.
Click Sign-in logs in the left menu.
Select a recent sign-in attempt (successful or failed).
For failed sign-ins, check the Conditional Access tab to see which policies were applied and whether MFA caused the failure.
Identify the policy with a Success status that enforced MFA.
In that policy, under Users, go to the Exclude section and add the service account.
Save the changes.
Attempt to sign in with the service account.
Verify that MFA is no longer prompted.
Check the Sign-in logs again to confirm the exclusion was applied.
Open PowerShell as an administrator.
Run the following command to check if the required modules are installed.
Get-InstalledModule
If the modules are missing, install them using:
Install-Module AzureAD -Force
Install-Module MSOnline -Force
Install-Module ExchangeOnlineManagement -Force
After installation, restart ADManager Plus and try running the report again.
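A scripted form of the module check above, as an added example (not ManageEngine's own code). It looks only for the three modules this article names and prints the install commands for any that are missing instead of running them; the function name Get-RequiredModuleStatus is hypothetical.

```powershell
# Added example: report which of the modules named in this article are present.
# Results reflect what is visible to the user running the script.
$required = 'AzureAD', 'MSOnline', 'ExchangeOnlineManagement'

function Get-RequiredModuleStatus {   # hypothetical helper name
    param([string[]]$Name)

    foreach ($module in $Name) {
        # Get-InstalledModule only lists modules installed through PowerShellGet,
        # so fall back to Get-Module -ListAvailable for manually copied modules.
        $found = Get-InstalledModule -Name $module -ErrorAction SilentlyContinue
        if (-not $found) {
            $found = Get-Module -Name $module -ListAvailable |
                Sort-Object Version -Descending |
                Select-Object -First 1
        }

        [pscustomobject]@{
            Module    = $module
            Installed = [bool]$found
            Version   = if ($found) { "$($found.Version)" } else { $null }
        }
    }
}

$status = Get-RequiredModuleStatus -Name $required
$status | Format-Table -AutoSize

$missing = $status | Where-Object { -not $_.Installed } |
    Select-Object -ExpandProperty Module

if ($missing) {
    Write-Warning "Missing modules: $($missing -join ', ')"
    # Print the article's install commands for review rather than executing them.
    $missing | ForEach-Object { "Install-Module $_ -Force" }
} else {
    Write-Output 'All required modules are installed.'
}
```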
Log in to the Microsoft 365 admin center.
Navigate to Users > Active Users and select the account used for ADManager Plus integration. You can confirm which account this is from the tenant configuration.
Ensure the account has the following roles:
Global Reader and Security Reader
Exchange Admin (if Exchange Online data is required)
If permissions are insufficient, assign the necessary roles and retry generating the report.
Ensure that your firewall is not blocking required Microsoft 365 domains.
Refer to ManageEngine's firewall configuration guide for a list of domains that must be allowed.
If necessary, allow access to these domains and restart ADManager Plus.
Track client secret expiration and update it before expiry to avoid disruptions.
Use a dedicated service account with the required permissions instead of a personal account.
Keep PowerShell modules updated to ensure compatibility with Microsoft 365.
Verify that ADManager Plus has the necessary API permissions to retrieve Microsoft 365 data.