Troubleshooting Tips

Prerequisites

• At least Microsoft .NET version 4.8 and PowerShell version 5.1 must be installed.
• MSOnline PowerShell module must be installed.
• Unable to connect to Microsoft 365. Please check your internet connection.
• Untrusted certificate provider.

Management operations

• Insufficient privilege to perform the operation.
• Microsoft 365 user creation - Rest API Error - 403 Forbidden.

Report generation and tenant configuration

• To test the connectivity to Microsoft 365.
• Open Session Failure/ Connection Error.
• Permission Denied.
• Operation Stopped.

Prerequisites

At least Microsoft .NET version 4.8 and PowerShell version 5.1 must be installed.

Microsoft .NET version 4.8 comes preinstalled with the Windows 10 May 2019 Update (Version 1903) or Windows Server 2022. If you have installed the product in a system running below these versions, make sure that you have Microsoft .NET version 4.8 and PowerShell version 5.1 installed.

Installing Microsoft .NET version 4.8 and PowerShell version 5.1

Microsoft .NET Framework

1. To check if Microsoft .NET Framework is installed, open Command Prompt from Run. Enter the following command:

   reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\full" /v version

2. Check the displayed version. If the version is below 4.8, install Microsoft .NET Framework version 4.8 from here.

PowerShell

1. To check if PowerShell is installed, type PowerShell from Run. If PowerShell is installed, check for its version number by running the following command in PowerShell:

   $PSVersionTable

2. If the version is below 5.1 or if PowerShell is not installed, install PowerShell version 5.1 from here.

MSOnline PowerShell module must be installed.

If the MSOnline PowerShell module is not installed, you will not be able to run certain actions like the MFA settings management action and editing properties of objects using management templates.

Steps to download and install the Windows Azure Active Directory Module:

1. To check if this module is installed, open PowerShell and enter the following cmdlet:

   Get-Module -ListAvailable -Name MSOnline.

   This will list the module if it is installed.

2. If the version of the module installed is other than 1. 1. 183. 81, uninstall the MSOnline module by opening PowerShell as an administrator and entering the following cmdlet:

   Uninstall-Module MSOnline

3. To install the module, open PowerShell as an administrator and enter the following cmdlet:

   Install-Module -Name MSOnline -RequiredVersion 1.1.183.81 -Force

Azure module must be installed to perform this action. Please restart the product.

Azure Active Directory module must be installed to generate reports and do management actions on Azure AD.

1. Azure AD will be automatically installed when O365 Manager Plus is configured.
2. To check if this module is installed, open PowerShell and enter get-module -Name AzureAD. This will list the module if it is installed.
3. Even though the module is not installed, please restart the product.

Unable to connect to Microsoft 365. Please check your internet connection.

1. The product requires an active internet connection to connect to Microsoft 365 and perform the desired operations. Please ensure that your internet connection is active and stable.
2. To allow the product to interact with Microsoft 365, add the ports and URLs mentioned in this article to your firewall allow connection to the internet. Failure to do so will result in certain features not working as intended.

Untrusted certificate provider

This error occurs when certificate based authentication is used in firewall, and the product's JRE does not trust the certificate. To fix this, add the certificates to the JRE's trusted certificate store using these steps,

• Navigate to <product_installation_directory>/jre/bin.
• Open command prompt as an administrator.
• Execute this command:
  keytool.exe -import -trustcacerts -alias "certAlias" -file "certPath" -keystore
  ..\lib\security\cacerts
  In the command,
  - certAlias - A name of your choice
  - certPath - Path of the certificate.
• You will be prompted for a password. The default password is changeit. Provide the password and hit Enter.
• Restart the Product.

Management operations

Insufficient privilege to perform the operation

When REST API is enabled in the product, directory roles are required for the Azure application to perform privileged operations like reset password, block/unblock users, delete user, restore user, and hard delete user. For this purpose,

• Help desk administrator role can be assigned to update changes for non-administrators and other help desk administrators.
• Privileged authentication administrator or Global administrator role can be assigned to update changes for all users - administrators and non-administrators.

Contact your administrator for assistance.

Microsoft 365 user creation - Rest API Error - 403 Forbidden

This error usually occurs due to a lack of permissions for the user creation graph API. Refer to this link to learn about the required permissions.

1. Log in to the Azure AD portal using the credentials of the account for which the REST API is to be enabled.
2. Navigate to Azure Active Directory > App registrations, and select the desired application name from the list shown.
3. Select API permissions from the left pane and click the Grant admin consent for <your_company_name> option listed under the Grant consent section. Grant the necessary permissions as required.

Report generation and tenant configuration

To test the connectivity to Microsoft 365

1. To test the connectivity of your Office 365 environment using PowerShell, follow the steps listed here.

Open Session Failure/Connection Error

This error occurs when a PSSession could be opened successfully. To fix this, execute the Office365Troubleshoot.ps1 script file by following these steps.

• Open PowerShell as the administrator.
• Run the command Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process.
• Run this script:
  <install-dir>/bin/Office365Troubleshoot.ps1

  Note: <install-dir> here refers to the directory in which you have installed ADManager Plus.

• Enter the username and password of the Microsoft 365 global admin with which the tenant was configured.
• If Is Global Admin Account returns a value False, make the user a global admin.
• If Exchange session returns a value Error Occurred, the problem is with the configured account.
1. If the problem occurs when you try to configure an Microsoft 365 tenant, try using a dedicated service account to configure ADManager Plus by following these steps.
2. If the problem occurs at any other stage, the error may be temporary and try again after some time. If the issue persists, please contact support@admanagerplus.com.

Permission Denied

Follow these steps to fix this.

• Open PowerShell as the administrator.
• Run the command Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process.
• Run this script: <install-dir>/bin/Office365Troubleshoot.ps1

  Note: <install-dir> here refers to the directory in which you have installed ADManager Plus.

• Enter the username and password of the Microsoft 365 global admin with which the tenant was configured.
• If Is Global Admin Account returns a value False, make the user a global admin.
• If Exchange session returns a value Error Occurred, the problem is with the configured account.
1. If the problem occurs when you try to configure an Microsoft 365 tenant, try using a dedicated service account to configure ADManager Plus by following these steps.

Operation Stopped

Some possible reasons and the steps to fix them.

1. MSOnline module might have some compatibility issues.
• To check your module version run this script:
  (Get-Item C:\Windows\System32\WindowsPowerShell\v1.0\Modules\MSOnline\Microsoft.Online.Administration.Automation.PSModule.dll).VersionInfo.FileVersion
• If the version is higher than the suggested version, uninstall the module and install the compatible module using the below command
1. Open PowerShell as Administrator.
2. Install the MSOnline module using this command:
• Install-Module -Name MSOnline -Force
• If the version matches, try reinstalling the module.
2. Microsoft Online Services Sign-in Assistant may not be ready yet. To restart the service:
• Type services.msc in Run and hit enter.
• Find Microsoft Online Services Sign-in Assistant, right click and select restart.
3. This error may arise due to credentials without sufficient permissions when the product is installed as a service. To resolve this, try using Domain User account as a Service Logon account. To do this:
• Type services.msc in Run and hit enter.
• Right click ManageEngine ADManager Plus and select Properties.
• Select Log On tab.
• Select This Account and type the valid credentials.
• Click OK.
4. If the problem still persists, run the Office365Troubleshoot.ps1 script file a
• Open PowerShell as the administrator
• Run the command Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process.
• Run this script: <install-dir>/bin/Office365Troubleshoot.ps1
Note: <install-dir> refers to the directory in which you have installed ADManager Plus .
1. Enter the username and password of the Microsoft 365 global admin account.
2. Contact support@admanagerplus.com with the screenshot of the error message you get.

Steps to create a dedicated service account

• Log in to the Microsoft 365 portal.
• Navigate to Users → Active Users → Add a User.
• Create a new user by filling the mandatory fields display name and user name.
• In the password section, select Let me create the password and enter a password for the user account.
• Uncheck the Make this user change their password when they first sign in.
• In the product licenses section, select Create user without product license.
• Click Save.
• Use this account to configure your Microsoft 365 tenant in ADManager Plus.

If the problem persists, contact support@admanagerplus.com.