Troubleshooting Tips


  • Atleast Microsoft .NET version 4 and PowerShell version 3.0 must be installed.

    • If you have installed the product in any machine that runs an OS version lower than Windows 8 (Windows 7 SP1, Windows 2008 R2 SP1 & Windows 2008 SP1), please make sure that you have Microsoft .NET version 4 and PowerShell version 3 installed in your system.

    1. To check if Microsoft .NET Framework is installed, open Command Prompt from Run. Enter the following command wmic product where "Name like 'Microsoft .Net%'" get Name, Version. Check the displayed version. If the version is below 4, install Microsoft .NET Framework 4 from here.

    2. To check if PowerShell is installed, type PowerShell from Run. If PowerShell is installed, check for its version number by running the command $PSVersionTable. If the version is below 3 or if PowerShell is not installed, install PowerShell V 3.0 from here.

    Note : For machines running Windows 8 and later, Microsoft .Net version 4 and PowerShell version 3.0 come pre-installed.

  • Windows Azure Active Directory Module and Microsoft Online Services Sign-In Assistant must be installed.

    • If Windows Azure Active Directory Module is not installed, you will not be able to generate any Azure reports such as users, groups, and license reports.

    Steps to download and install Windows Azure AD Module.

    1. Download and install the Microsoft Online Services Sign-In Assistant. To check if this module is installed, run service.msc and check if the service 'Microsoft Online Services Sign-in Assistant' is installed. if it is not installed, download the module here.

    2. Download and install the Windows Azure AD Module for Windows PowerShell. To check if this module is installed, open PowerShell and enter get-module -Name msonline. This will list the module if it is installed. If it is not installed, download the module here.

      3. Note: The latest version of Azure Active Directory Module for Windows might cause error due to lack of backward compatibility. To circumvent this, uninstall the latest version and install this version of Azure Active Directory Module for Windows.

    3. Refer this document for any help/information regarding installation of Azure AD module.

    4. After installing the module, please restart the application.

    5. After starting the application, refresh the tenant.
      • Click Tenant Settings found in the top right corner.
      • Under Actions,Click on Refresh icon of the tenant.
  • Azure module must be installed to perform this action. Please restart the product.

    • Azure module must be installed to perform this action. Please restart the product.

    Azure Active Directory module must be installed to generate reports and do management actions on Azure AD.

    1. Azure AD will be automatically installed when M365 Security Plus is configured.

    2. To check if this module is installed, open PowerShell and enter get-module -Name AzureAD. This will list the module if it is installed.

    3. Even though the module is not installed, please restart the product.


  • Internet Connection! Please check your internet connection.

    1. The product requires an active internet connection to interact and function as desired. Please make sure that your internet connection is active and stable.

    2. To allow the product to interact with Microsoft 365, add these ports and url’s to your firewall’s allowed to connect to the internet list. Failure to do so will result in certain features not working as intended.
  • Database backup failed.

    • PostgreSQL

    The backup fails due to one of the following reasons.

    1. The backup file size exceeds the available free space.
      • Free up some space in the product installation directory and try again.
    2. User Logon Account does not have Write permission for the backup folder
      • Provide the User Logon Account Write permission for <product_installation_directory>/Patch/backupDB folder.
    3. The database is down.
      • Bundled PostgreSQL users,
        • Navigate to <product _installation_directory>\bin folder
        • Start Command Prompt as an administrator
        • Execute the command startDB.bat to start the database.
      • External PostgreSQL users,
        • Open Run window using Winkey + R
        • Type services.msc
        • Locate PostgreSQL service based on version installed.
        • Right click and choose Start.
        • If the External PostgreSQL is not listed
          • Open Command Prompt
          • Navigate to <postgres_installation_directory>\bin
          • Execute pg_ctl -D "<postgres_installation_directory>\data" start
    4. Missing pg_dump.exe file in the <product _installation_directory>\pgsql\bin folder.
      • Download the file from this page based on the PostgreSQL version you are on. To find the PostgreSQL version. Run the below command in <product _installation_directory>\pgsql folder.
        • postgres -V

    If the problem still persists please contact support@m365managerplus.com.

    MSSQL

    The backup fails due to one of the following reasons.

    1. The backup file size exceeds the available free space.
      • Free up some space in the product installation directory and MSSQL Installation directory and try again.
    2. User Logon Account does not have Write permission for the backup folder
      • Provide the User Logon Account Write permission for
        - <product_installation_directory>/Patch/backupDB folder.
        - <MSSQL_SERVER_installation_directory>/MSSQL/Backup folder.
    3. Database Version incompatibility.
      • M365 Security Plus and M365 Security Plus supports MSSQL 2008 and above. Please migrate to a compatible database version.
    4. The database is down.
      • To start your database,
        • Ensure that the TCP/IP port is set to static in the SQL Server Configuration Manager.
        • Ensure that the SQL Server Browser is Enabled and Running.
        • Restart the MSSQL Server.

    If the problem still persists please contact support@m365managerplus.com.


  • Untrusted certificate provider

    • This error occurs when certificate based authentication is used in firewall, and the product's JRE does not trust the certificate. To rectify this condition, the certificates must be added to the JRE's trusted certificate store. To add the certificate to the trust store,

    • Navigate to <product_installation_directory>/jre/bin.
    • Open command prompt as an administrator.
    • Run the following command
      • keytool.exe -import -trustcacerts -alias "certAlias" -file "certPath" -keystore ..\lib\security\cacerts
      • certAlias - A name of your choice.
      • certPath - Path of the certificate.
    • You will be prompted for a password. The default password is changeit. Provide the password and hit Enter.
    • Restart the product.

  • Elasticsearch has been switched to read-only mode due to low disk space (<1 GB). Please free up some space.

    • Elasticsearch is a distributed search engine which helps to analyze huge volumes of data in near real-time. Unlike conventional techniques, Elasticsearch fetches data real quick which results in reduced report generation time, quicker threat detection, and a lot more. In M365 Security Plus we use Elasticsearch in the following modules,

    • Reports
    • Audit
    • Alert
    • Content search

    Recommended:

    It is advised to have at least 1 GB free hard disk space for Elasticsearch to function effectively. If the disk space runs low, Elasticsearch will be switched to read-only mode, during which the data collected from native will not be stored in the engine. To enable Write for Elasticsearch,

    1. Free up space in hard disk to maintain the recommended threshold.
    2. Restart the product.

  • Tenant configuration errors

    • You will see one of the following conditions if tenant configuration is incomplete.

  • REST API Access column in Tenant Settings shows 'Enable Now'

    • Cause

    • The above error will be shown if you have not granted all the permissions required by M365 Security Plus while configuring the tenant.

    Solution

    • Follow the steps in this document to enable REST API access with the required permissions.
  • REST API Access column in Tenant Settings shows 'Update Permissions'

    • Cause

    • The above error will be shown if M365 Security Plus needs a few additional permissions for the newly added features to work.

    Solution

    • Follow the steps in this document to grant the required permissions for REST API access.
  • 1. Service Account column in Tenant Settings shows 'Configure'.
    2. Status column in Tenant Settings shows 'Failed to create a service account' or 'Service account is not configured'.

    • Cause

    • One of the above errors will be shown if the service account creation could not be completed.

    Solution

    • Follow the steps below to resolve this issue.
      • Create an Microsoft 365 service account with following roles: Exchange Admin, Global Reader, Privileged Authentication Admin, Privileged Role Admin, Teams Service Admin, and User Admin.
      • In M365 Security Plus, click on the Configure option under the Service Account column.
      • Provide the credentials of the service account you had created.
      • Click on Update.
  • Status column in Tenant Settings shows 'Service Account password has expired'.

    • Cause

    • The above error will be shown if the service account password has expired.

    Solution

    • Reset the service account password from its user profile in the Microsoft 365 admin center, and update the new password for the service account in the configured tenant.
  • Status column in Tenant Settings shows 'Azure AD Secret Key is invalid'.

    • Cause

    • The above error will be shown if the Application Secret Key is invalid or has expired.

    Solution

    • Check this document to know how to get your Azure AD Application Secret Key.

  • To test the connectivity of your Microsoft 365

    1. To test the connectivity of your Microsoft 365 environment using PowerShell, follow the steps listed here.


  • Dashboard graph empty

    1. Make sure that the report corresponding to the graph can be generated without any issue for the specified number of days.

    2. If the report cannot be generated, follow the troubeshooting tips listed based on the cause of error.

    3. If the report can be generated but the graph in the dashboard does not mirror the values, contact m365securityplus-support@manageengine.com .


  • Access Denied

    1. Make sure that you have entered the correct user name and password.

    2. Check if the user account is blocked. To check if an account is blocked, follow the steps listed here.

    3. Run the M365SecurityPlusTroubleshoot.ps1 script file

      • Open PowerShell as the administrator.
      • Run the command Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process.
      • Run the below script:
        <install-dir>/bin/Microsoft365Troubleshoot.ps1

        • Note: <install-dir> here refers to the directory in which you have installed the M365 Security Plus application.

      • Enter the username and password of the configured Microsoft 365 account.
      • If Exchange session returns a value Error Occurred, the problem is with the configured account.
        • If the problem occurs when you try to configure an Microsoft 365 tenant, try using a dedicated service account to configure M365 Security Plus by following the steps listed here.
        • If the problem occurs at any other stage, please contact m365securityplus-support@manageengine.com with a screenshot of the error.

  • Invalid account

    1. Make sure that you have entered the correct user name and password.

    2. Run the M365SecurityPlusTroubleshoot.ps1 script file

      • Open PowerShell as the administrator.
      • Run the command Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process.
      • Run the below script:
        <install-dir>/bin/Microsoft365Troubleshoot.ps1

        • Note: <install-dir> here refers to the directory in which you have installed the M365 Security Plus application.

      • Enter the username and password of the configured Microsoft 365 account.

  • Password Expired

    1. Please check if you can log in to the Microsoft 365 portal with the user account.

    2. Reset the account password and try again.


  • Logon failure

    1. Please check if you can log in to the Microsoft 365 portal with the user tenant.

    2. Check if the user account is blocked. To check if an tenant is blocked, follow the steps listed here.


  • Open Session failure/ Connection Error

    1. The error occurs when a PSSession can not be opened successfully.

    2. Run the M365SecurityPlusTroubleshoot.ps1 script file

      • Open PowerShell as the administrator.
      • Run the command Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process.
      • Run the below script:
        <install-dir>/bin/M365SecurityPlusTroubleshoot.ps1

        • Note: <install-dir> here refers to the directory in which you have installed the M365 Security Plus application.

      • Enter the username and password of the configured Microsoft 365 account.
      • If Exchange session returns a value Error Occurred, the problem is with the configured account.
        • If the problem occurs when you try to configure an Microsoft 365 tenant, try using a dedicated service account to configure M365 Security Plus by following the steps listed here.
        • If the problem occurs at any other stage, the error may be temporary and try again after some time. If the issue persists, please contact m365securityplus-support@manageengine.com .

  • Permission denied

    1. Run the M365SecurityPlusTroubleshoot.ps1 script file

    2. Open PowerShell as the administrator.
    3. Run the command Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process.
    4. Run the below script:
      <install-dir>/bin/M365SecurityPlus

      5. Note: <install-dir> here refers to the directory in which you have installed the M365 Security Plus application.

    5. Enter the username and password of the configured Microsoft 365 account.
    6. If Exchange session returns a value Error Occurred, the problem is with the configured account.
      • If the problem occurs when you try to configure an Microsoft 365 tenant, try using a dedicated service account to configure M365 Security Plus by following the steps listed here.
      • If the problem occurs at any other stage, please contact m365securityplus-support@manageengine.com with a screenshot of the error.

  • Authentication Error

    1. Make sure that you have entered the correct user name and password.

    2. The Microsoft 365 authentication system may be not functioning properly. Please try again after some time.


  • Operation Stopped

    1. MSOnline module might have some compatibility issues.
      • To check your module version run the below script:
        (Get-Item C:\Windows\System32\WindowsPowerShell\v1.0\Modules\MSOnline\Microsoft.Online.Administration.Automation.PSModule.dll).VersionInfo.FileVersion
      • If the version is higher than the suggested version, uninstall the module and install the compatible module using the below command
        1. Open PowerShell as Administrator.
        2. Install the MSOnline module with the below command:
          • Install-Module -Name MSOnline -Force
      • If the version matches, try reinstalling the module.
    2. Microsoft Online Services Sign-in Assistant may not be ready yet. To restart the service:
      • Type services.msc in Run and hit enter.
      • Find Microsoft Online Services Sign-in Assistant, right click and select restart.
    3. This error may arise due to credentials without proper permission when the product is installed as a service. To resolve this, try using Domain User account as a Service Logon account. To do this:
      • Type services.msc in Run and hit enter.
      • Right click ManageEngine M365 Security Plus and select Properties.
      • Select Log On tab.
      • Select This Account and type the valid credentials.
      • Click OK.
    4. Your tenant might not be available in default Azure environment :

      • Click Tenant Settings option found at the top right corner.

      • Choose the correct Azure cloud environment from Azure Environment drop-down.

    5. If the problem still persists, run the M365SecurityPlusTroubleshoot.ps1 script file a
      • Open PowerShell as the administrator
      • Run the command Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process.
      6. Run the below script: <installdir>/bin/M365SecurityPlusTroubleshoot.ps1

      Note: <install-dir> here refers to the directory in which you have installed the M365 Security Plus application.


  • Unified Audit Log must be enabled to fetch data

    • The following reports require Unified Audit Log to be enabled:

    • Azure Admin Activity
    • SharePoint Admin Activity
    • All OneDrive activity reports 

     

    To enable collection of Unified Audit Log data, follow either of these two steps.

    1. Enable collection of unified audit log data through Microsoft Microsoft 365 portal.
      • Login to Microsoft 365 Portal and navigate to Security & Compliance Center tab.
      • Click Search and investigation menu from the tab in the left and click Audit log search.
      • In the window that appears, click on Start recording user and admin activity.
      • In the pop-up that appears, click Turn On.

    2. Enable collection of unified audit log data through PowerShell
      • Run the following cmdlets in PowerShell.
      • $UserCredential = Get-Credential;$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection;Import-PSSession $Session -CommandName Set-AdminAuditLogConfig
      • Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled:$True
      • Remove-PSSession $Session

  • Incomplete Audit Reports

    • To generate audit reports for all operations, follow the steps listed below.

    • Open PowerShell as the administrator.
    • Run the command Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process.
    • Run the below script:
      <install-dir>/bin/M365SecurityPlusTroubleshoot.ps1

      • Note: <install-dir> here refers to the directory in which you have installed the M365 Security Plus application.

    • If Exchange session returns a value Error Occurred, please contact m365securityplus-support@manageengine.com to resolve this issue.
    • If the Exchange session returns a success value, follow the steps listed below:
      • Run the script provided below to enable auditing for the connected Microsoft 365 tenant.
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
      • Proceed with enabling auditing for the individual mailboxes.
        • Enabling complete auditing for all mailboxes
        • Enabling complete auditing for particular mailboxes
        • Enabling auditing for select operations for all mailboxes

          • To enable complete auditing for all mailboxes

          Get-Mailbox -ResultSize unlimited |Set-Mailbox -AuditEnabled $true -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditDelegate Create, FolderBind, SendAs, SendOnBehalf, SoftDelete, HardDelete, Update, Move, MoveToDeletedItems

          To enable complete auditing for particular mailboxes

          Set-Mailbox -Identity abc@microsoft.com -AuditEnabled $true -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditDelegate Create, FolderBind, SendAs, SendOnBehalf, SoftDelete, HardDelete, Update, Move, MoveToDeletedItems

          To enable auditing for select operations for all mailboxes

          Get-Mailbox -ResultSize unlimited |Set-Mailbox -AuditEnabled $true -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditDelegate Create, FolderBind, SendAs, SendOnBehalf, SoftDelete, HardDelete, Update, Move, MoveToDeletedItems
          Identify the operations that you want to be audited from the underlined section and exclude the rest from the script.


  • Incomplete User Reports or Mailbox Reports

    • If any of the generated reports under users or mailboxes section do not contain information for certain individuals, then follow the steps listed below.

    • Check if the user’s information is displayed in the All Users report or Mailbox Users report.
    • If the user’s information is displayed there, the reason for the partial data in the report is that the specific user is not managed by M365 Security Plus.

    To rectify this, purchase more licenses or reassign licenses to accommodate the user by following the steps listed below:

    • In M365 Security Plus, select the Tenant Settings option found at the top right corner.
    • Click Manage Licenses link at the right-corner of the window.
    • Click the Total Number of Users in the Managed Users column. This will open a pop-up.
    • Click icon to search for the specified user
    • Select the check box against the particular user
    • Click OK to save the selection.

  • The data for this report is currently being generated in the background.

    • This message indicates that,

    1. The data for this report is currently being generated in the background for some other report opted by you.

    2. Or the data is already being generated in the background by some other user.

    Note:

    If the data generation was successful in either of the above mentioned cases, it will be updated automatically. Hence try switching to any other report and check the required report at a later time.


  • Please choose the correct Azure environment.

    • Click Tenant Settings option found at the top right corner.

    • Choose the correct Azure cloud environment from Azure Environment drop-down.


  • Enable access to the respective Azure AD Application

    • M365 Security Plus uses applications in Azure AD to fetch data for report generation and other tasks. When the administrator disables access to these applications, report generation will fail. In such a scenario users will face this error.

    To resolve this error, application access must be enabled for all the users.

    Note: Only an administrator or a user with appropriate permission can enable access.

    To enable application access,

    1. Login to portal.azure.com
    2. From the left pane choose Enterprise Applications.
    3. From the Application type drop-down, choose All Applications.
    4. Search and select the Universal Store Service APIs and Web Application.
    5. Select Properties from the left pane.
    6. Toggle the Enable users to sign-in? option to Yes.

  • Other Errors

    1. Run the M365SecurityPlusTroubleshoot.ps1 script file

      • Open PowerShell as the administrator.
      • Run the command Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process.
      • Run the below script:
        <install-dir>/bin/M365SecurityPlusTroubleshoot.ps1

        • Note: <install-dir> here refers to the directory in which you have installed the M365 Security Plus application.

      • Enter the username and password of the configured Microsoft 365 account.
      • If Exchange session returns a value Error Occurred, the problem is with the configured account.
        • If the problem occurs when you try to configure an Microsoft 365 tenant, try using a dedicated service account to configure M365 Security Plus by following the steps listed here.
        • If the problem occurs at any other stage, please contact m365securityplus-support@manageengine.com with a screenshot of the error.

  • Data generation failed. Update REST API permissions in Tenant Settings.

    • Cause

    • This error occurs when the product fails to fetch data from Azure AD due to insufficient REST API permissions.

    Solution: Update REST API permissions with the following steps.

    • Go to Tenant Settings at the top-right corner of the product's home page.
    • Click on Update Permissions in the Rest API Access column for the required tenant.
    • You will now be redirected to Microsoft 365 login. Enter the credentials of a Global Administrator account.
    • Click on Accept to grant Read Service Health permissions and to update the REST API permissions successfully.

  • This Microsoft 365 account has been blocked

    1. This account has been blocked by the administrator.

    2. Contact your administrator to login to M365 Security Plus.


  • You must change your Microsoft 365 account password before you can login

    1. An Administrator has changed the password to your Microsoft 365 account.

    2. Login to Microsoft 365 Portal and reset your password to login to ManageEngine M365 Security Plus


  • Rest API authentication required

    1. Rest API based authentication must be enabled for MFA-enabled / Federated Help Desk Technician accounts.

    2. Once enabled, users with MFA-enabled / Federated Accounts will be redirected to Microsoft 365 portal for authentication to access M365 Security Plus.

    3. Click here to enable Rest API based authentication


  • An unexpected error occurred

    1. The error occurs when a PSSession can not be opened successfully.

    2. Make sure that you have entered the correct user name and password.

    3. If the problem still persists, contact your administrator.


  • Access Denied

    1. Make sure that you have entered the correct user name and password.

    2. If the problem still persists, contact your administrator.


  • Unable to save the changes. Please try again later.

    1. Make sure that the product is running in the standby server.

    2. Ensure that firewall is disabled for the port in which the product is installed.


  • Please install the correct version of MSOnline module.

      • App Password is required to configure MFA-enabled accounts in Tenant Settings, which is not supported by the latest MSOL version. Please contact m365securityplus-support@manageengine.com.

  • Steps to check whether a user account is blocked from logging in:
    • Log in to Microsoft 365 portal .
    • Navigate to Users --> Active Users.
    • In the filters drop-down box, select Sign-in Blocked.
    • Check if the user account is blocked from logging in.


  • Steps to create a dedicated service account:
    • Log in to the Microsoft 365 portal .
    • Navigate to Users --> Active Users --> Add a User.
    • Create a new user by filling the mandatory fields display name and user name.
    • In the password section, select Let me create the password and enter a password for the user account.
    • Uncheck the Make this user change their password when they first sign in.
    • In the product licenses section, select Create user without product license.
    • Click Save.
    • Use this account to configure your Microsoft 365 tenant in M365 Security Plus.

    If the problem persists, contact m365securityplus-support@manageengine.com .


Get download link