Microsoft 365 audit sync errors

This document provides a list of common error messages that can occur when collecting SharePoint Online audits, along with their respective solutions. Click on an error message to navigate to its solution.

Below is the list of errors while fetching SharePoint Online audit data:

• The permission set () sent in the request does not include the expected permission.
• CN=Zscaler Root CA, OU=Zscaler Inc., O=Zscaler Inc., L=San Jose, ST=California, C=US
• Connecting to remote server outlook.office365.com failed with the following error message: Access is denied.
• Connecting to remote server outlook.office365.com failed with the following error message: The WinRM client cannot process the request. Basic authentication is currently disabled in the client configuration.
• Search-UnifiedAuditLog: The term 'Search-UnifiedAuditLog' is not recognized as the name of a cmdlet, function, script file, or operable program. Verify the spelling and if a path was included, confirm it is correct, and try running the command again.
• The term Connect-ExchangeOnline is not recognized as a name of a cmdlet.
• Could not find or load assembly (libraries).
• ExchangeOnlineManagement.psm1 cannot be loaded because running scripts is disabled on this system.

If your error message is not listed above, please reach out to support@sharepointmanagerplus.com

Error: The permission set () sent in the request does not include the expected permission

Figure 1: Missing permissions error in SharePoint Manager Plus.

Cause: The Azure application doesn't have the required API permissions to fetch the audit data.

Solution:

1. Navigate to Admin tab > Microsoft 365 and copy the Client ID under the Azure Application column for your respective tenant.



Figure 2: Getting the client ID.

2. Open the Microsoft Entra admin center portal and navigate to Microsoft Entra ID > App Registrations > All applications.
3. Search using the copied Client ID and open the corresponding application.
4. Open API permissions and click Add a permission.
5. In the pop-up, navigate to Office 365 Management APIs > Application permissions.
6. Select ActivityFeed.Read and click Add permissions.
7. Click Grant admin consent for <Your Company> and give confirmation.



Figure 3: Granting admin consent for the application in the Entra admin center

Error:

Note: The CN value (e.g., "Zscaler Root CA") may vary depending on the certificate in use.

Figure 4: Untrusted certificate error in SharePoint Manager Plus.

Cause: This error occurs when the certificate used for authentication, firewall, or proxy is not trusted by the product's Java Runtime Environment (JRE).

Solution: To rectify this error, the certificates must be added to the JRE's trusted certificate store.

To identify the certificate to import to the keystore:

1. Note the CN value displayed in the error message.
2. Open the Certificate Management tool by running certmgr.msc from the Run dialog, or by searching for Manage User Certificates in the search bar.



Figure 5: Certificate management console.

3. Navigate to Trusted Root Certification Authorities in the left-pane, and click Certificates. A list of trusted certificates will be displayed.



Figure 6: List of trusted certificates.

4. From the list of certificates, identify the CN noted in Step 1, in the Issued By column.



Figure 7: List of issued certificates and their corresponding issuing authorities.

5. Once identified, click on the certificate to export it.
6. A pop-up will open as shown below:



Figure 8: Certificate details window.

7. Navigate to the Details tab.
8. Click Copy to File. A Certificate Export Wizard will open. Click Next.



Figure 9: Certificate export wizard.

9. Select the certificate format DER encoded binary X.509 (.CER), and click Next.
10. Specify the file name and path to export (for example: D:\Trusted Root.cer), and click Next.
11. Click Finish. The certificate will be exported to the specified path.

To add the certificate to the trust store:

1. Navigate to <product_installation_directory>/jre/bin.
2. Open Command Prompt as an administrator.
3. Run the following command:

   keytool.exe -import -trustcacerts -alias "certAlias" -file "certPath" -keystore ..\lib\security\cacerts

   • Where certAlias is a name of your choice and certPath is path where the certificate is stored.
4. You will be prompted for a password. The default password is changeit. Provide the password and press Enter.
5. Restart the product.

Errors:

• Connecting to remote server outlook.office365.com failed with the following error message: Access is denied.
• Connecting to remote server outlook.office365.com failed with the following error message: The WinRM client cannot process the request. Basic authentication is currently disabled in the client configuration.
• Search-UnifiedAuditLog: The term 'Search-UnifiedAuditLog' is not recognized as the name of a cmdlet, function, script file, or operable program. Verify the spelling and if a path was included, confirm it is correct, and try running the command again.
• The term Connect-ExchangeOnline is not recognized as a name of a cmdlet.
• Could not find or load assembly (libraries).
• ExchangeOnlineManagement.psm1 cannot be loaded because running scripts is disabled on this system.

Cause:

The product is trying to fetch SharePoint Online audit data using the Search-UnifiedAuditLog PowerShell cmdlet. This cmdlet requires Exchange Online module dependency and has resulted in data inconsistencies for certain users.

Solution:

From build 4501 and above, you can choose to use the Office 365 Management Activity API. Update to the latest build using the service pack and follow the steps given in this document to use the Management API to fetch SharePoint Online data.