Troubleshooting Tips

• Prerequisites
• Atleast Microsoft .NET version 4 and PowerShell version 3.0 must be installed.
• Windows Azure Active Directory Module v1 (MSOnline) and Microsoft Online Services Sign-In Assistant must be installed.
• Windows Azure AD v2 (AzureAD) module must be installed to perform this action.
• To generate general or audit reports on Skype for Business, Skype module must be installed.
• Unable to connect to Microsoft 365. Please check your internet connection.
• Azure AD module is incompatible with 32-bit version of the product.
• Skype module is incompatible with 32-bit version of the product.
• Report generation and tenant configuration
• Test connection to your Microsoft 365 environment.
• Please install the correct version of MSOnline module.
• Dashboard graphs empty
• Access Denied
• Invalid Account
• Password Expired
• Logon Failure
• Open Session Failure/ Connection Error
• Permission Denied
• Authentication Error
• Operation Stopped
• Unified Audit Log must be enabled to fetch data
• Incomplete Audit Reports
• Incomplete User Reports or Mailbox Reports
• The data for this report is currently being generated in the background.
• Please choose the correct Azure environment.
• Invalid service account password.
• Invalid Application Password.
• Missing Azure AD application.
• Missing Azure AD application scope or permission.
• Other Errors
• Management task execution
• In sufficient priviledge to perform the operation.
• Technician Login
• This Microsoft 365 account has been blocked
• You must change your Microsoft 365 account password before you can login
• Rest API authentication required
• An unexpected error occurred.
• Access Denied
• High Availability
• Unable to save the changes.
• Migration to Elasticsearch
• Data engine update failed due to insufficient storage.
• Product successfully updated. Data engine update failed due to insufficient storage.
• AD domain configuration
• When I add my domains manually, the domain controllers (DCs) are not resolved. Why?
• When I add a DC, I get an error that says "The Servers are not operational." What does that mean?
• When I add a DC, I get an error that says "Unable to get domain DNS / FLAT name." What does that mean? 

• Atleast Microsoft .NET version 4 and PowerShell version 3.0 must be installed.



If you have installed the product in any machine that runs an OS version lower than Windows 8 (Windows 7 SP1, Windows 2008 R2 SP1 & Windows 2008 SP1), please make sure that you have Microsoft .NET version 4 and PowerShell version 3 installed in your system.

1. To check if Microsoft .NET Framework is installed, open Command Prompt from Run. Enter the following command wmic product where "Name like 'Microsoft .Net%'" get Name, Version. Check the displayed version. If the version is below 4, install Microsoft .NET Framework 4 from here.

2. To check if PowerShell is installed, type PowerShell from Run. If PowerShell is installed, check for its version number by running the command $PSVersionTable. If the version is below 3 or if PowerShell is not installed, install PowerShell V 3.0 from here.

Note : For machines running Windows 8 and later, Microsoft .Net version 4 and PowerShell version 3.0 come pre-installed.



• Windows Azure Active Directory Module v1 (MSOnline) and Microsoft Online Services Sign-In Assistant must be installed.



If Windows Azure Active Directory Module v1 (MSOnline) is not installed, you will not be able to generate any Azure reports such as users, groups, and license reports. 

Prerequisite

1. Microsoft Online Services Sign-in Assistant is installed by default in the latest OS versions.

2. To check if this service is installed, run service.msc and check if the service 'Microsoft Online Services Sign-in Assistant' is installed. if it is not installed, download the module here.

Steps to install Windows Azure AD Module.

1. To check if this module is installed, open PowerShell and enter Get-Module -ListAvailable -Name MSOnline. This will list the module if it is installed. If it is not installed,

   • Open PowerShell as Administrator.
   • Install the MSOnline module with the below command:
     • Install-Module -Name MSOnline -Force

2. After installing the module, please restart the application.

3. After starting the application, refresh the tenant data.
   
   • Click Tenant Settings found in the top right corner.
   • Under Actions,Click on Refresh icon of the tenant.


• Windows Azure AD v2 (AzureAD) module must be installed to perform this action. 



Windows Azure AD v2 (AzureAD) module must be installed to generate reports and do management actions on Azure AD. Please follow the below mentioned steps with administrative rights:

1. If you had already installed PowerShellGet and nuget package provider, proceed to step (2).
• Install PowerShellGet using this link
• Install nuget package provider in PowerShell with the following command Install-PackageProvider -Name Nuget -MinimumVersion 2.8.5.201 -Force;
2. Now, use the below command to install Azure AD v2 (AzureAD) module Install-Module -Name AzureAD -Force
3. If the problem still persists, your firewall might be blocking it. Please contact m365managerplus-support@manageengine.com.


• Azure AD module is incompatible with 32-bit version of the product.



You must be using 32 bit version of M365 Manager Plus. Windows Azure Active Directory Module v2 (AzureAD) must be installed to manage and generate reports on Azure Active Directory, which is not available in 32 bit version.

Hence follow the below mentioned steps, 

1. Download and install M365 Manager Plus (64-bit)

2. To install Azure Active Directory Module v2 (Azure AD):

• Install PowerShellGet using this link
• Install nuget package provide in PowerShell with the following command Install-PackageProvider -Name Nuget -MinimumVersion 2.8.5.201 -Force;
• Now, use the below command to install Azure AD v2 (AzureAD) module Install-Module -Name AzureAD -Force
• If the problem still persists, your firewall might be blocking it. Please contact m365managerplus-support@manageengine.com.


• Skype module must be installed.



If Skype module is not installed, you will not be able to view any general or audit reports on Skype for Business.

Steps to download and install SkypeOnlineConnector Module.

1. To check if the module is installed, open PowerShell and enter Get-module -ListAvailable -Name SkypeOnlineConnector. This will list Skype Online Connector,  if Skype module is installed. If it is not installed, download the module here.

2. Install the module.

3. After installing the module, please restart the application.



• Skype module is incompatible with 32-bit version of the product.



You must be using 32 bit version of M365 Manager Plus. Skype Online Connector must be installed to manage and generate reports on Skype, which is not available in 32 bit version.

Hence follow the below mentioned steps, 

1. Download and install M365 Manager Plus (64-bit)

2. Download and install Skype Online Connector Module



• Internet Connection! Please check your internet connection.



1. The product requires an active internet connection to interact and function as desired. Please make sure that your internet connection is active and stable.

2. To allow the product to interact with Microsoft 365, add these ports and url’s to your firewall’s allowed to connect to the internet list. Failure to do so will result in certain features not working as intended.


• To test the connectivity of your Microsoft 365



1. To test the connectivity of your Microsoft 365 environment using PowerShell, follow the steps listed here.



• Dashboard graph empty



1. Make sure that the report corresponding to the graph can be generated without any issue for the specified number of days.

2. If the report cannot be generated, follow the troubeshooting tips listed based on the cause of error.

3. If the report can be generated but the graph in the dashboard does not mirror the values, contact m365managerplus-support@manageengine.com .



• Access Denied



1. Make sure that you have entered the correct user name and password.

2. Check if the user account is blocked. To check if an account is blocked, follow the steps listed here.

3. Run the Office365Troubleshoot.ps1 script file

• Open PowerShell as the administrator.
• Run the command Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process.
• Run the below script:
  <install-dir>/bin/Office365Troubleshoot.ps1

Note: <install-dir> here refers to the directory in which you have installed the M365 Manager Plus application.

• Enter the username and password of the Microsoft 365 global admin with which the account was configured.
• If Is Global Admin Account returns a value False, make the user a global admin by following the steps listed here.
• If Exchange session returns a value Error Occurred, the problem is with the configured account.
  
  • If the problem occurs when you try to configure an Microsoft 365 tenant, try using a dedicated service account to configure M365 Manager Plus by following the steps listed here.
  • If the problem occurs at any other stage, please contact m365managerplus-support@manageengine.com with a screenshot of the error.


• Invalid account



1. Make sure that you have entered the correct user name and password.

2. Run the Office365Troubleshoot.ps1 script file

• Open PowerShell as the administrator.
• Run the command Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process.
• Run the below script:
  <install-dir>/bin/Office365Troubleshoot.ps1

Note: <install-dir> here refers to the directory in which you have installed the M365 Manager Plus application.

• Enter the username and password of the Microsoft 365 global admin with which the account was configured.
• If Is Global Admin Account returns a value False, make the user a global admin by following the steps listed here, or try using a dedicated service account by following the steps listed here.


• Password Expired



1. Please check if you can log in to the Microsoft 365 portal with the user account.

2. Reset the account password and try again.



• Logon failure



1. Please check if you can log in to the Microsoft 365 portal with the user tenant.

2. Check if the user account is blocked. To check if an tenant is blocked, follow the steps listed here.



• Open Session failure/ Connection Error



1. The error occurs when a PSSession can not be opened successfully.

2. Run the Office365Troubleshoot.ps1 script file

• Open PowerShell as the administrator.
• Run the command Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process.
• Run the below script:
  <install-dir>/bin/Office365Troubleshoot.ps1

Note: <install-dir> here refers to the directory in which you have installed the M365 Manager Plus application.

• Enter the username and password of the Microsoft 365 global admin with which the tenant was configured
• If Is Global Admin Account returns a value False, make the user a global admin by following the steps listed here.
• If Exchange session returns a value Error Occurred, the problem is with the configured account.
  
  • If the problem occurs when you try to configure an Microsoft 365 tenant, try using a dedicated service account to configure M365 Manager Plus by following the steps listed here.
  • If the problem occurs at any other stage, the error may be temporary and try again after some time. If the issue persists, please contact m365managerplus-support@manageengine.com .


• Permission denied



1. Run the Office365Troubleshoot.ps1 script file

• Open PowerShell as the administrator.
• Run the command Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process.
• Run the below script:
  <install-dir>/bin/Office365Troubleshoot.ps1

Note: <install-dir> here refers to the directory in which you have installed the M365 Manager Plus application.

• Enter the username and password of the Microsoft 365 global admin with which the account was configured.
• If Is Global Admin Account returns a value False, make the user a global admin by following the steps listed here.
• If Exchange session returns a value Error Occurred, the problem is with the configured account.
  
  • If the problem occurs when you try to configure an Microsoft 365 tenant, try using a dedicated service account to configure M365 Manager Plus by following the steps listed here.
  • If the problem occurs at any other stage, please contact m365managerplus-support@manageengine.com with a screenshot of the error.


• Authentication Error



1. Make sure that you have entered the correct user name and password.

2. The Microsoft 365 authentication system may be not functioning properly. Please try again after some time.



• Operation Stopped


1. MSOnline module might have some compatibility issues.
   • To check your module version run the below script:
     (Get-Item C:\Windows\System32\WindowsPowerShell\v1.0\Modules\MSOnline\Microsoft.Online.Administration.Automation.PSModule.dll).VersionInfo.FileVersion
   • If the version is higher than the suggested version, uninstall the module and install the compatible module using the below command
     1. Open PowerShell as Administrator.
     2. Install the MSOnline module with the below command:
        • Install-Module -Name MSOnline -Force
   • If the version matches, try reinstalling the module.
2. Microsoft Online Services Sign-in Assistant may not be ready yet. To restart the service:
   • Type services.msc in Run and hit enter.
   • Find Microsoft Online Services Sign-in Assistant, right click and select restart.
3. This error may arise due to credentials without proper permission when the product is installed as a service. To resolve this, try using Domain User account as a Service Logon account. To do this:
   • Type services.msc in Run and hit enter.
   • Right click ManageEngine Office365 Manager Plus and select Properties.
   • Select Log On tab.
   • Select This Account and type the valid credentials.
   • Click OK.
4. Your tenant might not be available in default Azure environment :

   • Click Tenant Settings option found at the top right corner.

   • Choose the correct Azure cloud environment from Azure Environment drop-down.

5. If the problem still persists, run the Office365Troubleshoot.ps1 script file a
   • Open PowerShell as the administrator
   • Run the command Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process.
Run the below script: <installdir>/bin/Office365Troubleshoot.ps1

Note: <install-dir> here refers to the directory in which you have installed the M365 Manager Plus application.

• Enter the username and password of the Microsoft 365 global admin account.
• Contact m365managerplus-support@manageengine.com with the screenshot of the error message you get.
• Certificate used in REST API Application has been expired or not registered or removed from portal
• Case 1: If the certificate's validity period does not match with live (your local time zone), you might receive this error from Microsoft and you won't be able to use the certificate.
• Case 2: If the certificate has been recently uploaded in the Azure portal, you might receive this error while trying to update the same in the product. In this case, try again after a few minutes to check if the issue has been resolved.

If your certificate has expired or not registered or removed from portal, add a new one using the following steps.

1. Log in to Azure portal using the Global Administrator account credentials.
2. Select Azure Active Directory from the left pane.
3. Select App registrations.
4. Search for the application using the Client ID.
5. Click Certificates & secrets from the left pane.
6. Go to Certificates and click Upload certificate. Upload your application certificate that is a .cer file.
7. Now click Tenant Settings in M365 Manager Plus and click the Edit icon for your respective tenant.
8. In the Modify Microsoft 365 Tenant popup, click the Edit icon for Application Details.
9. Under Application Secret and Certificate, add the Application Security ID and upload the Application Certificate that is a .pfx file.
10. If the user has an SSL certificate, the same can be used here. Otherwise, click here for the steps to create a self-signed certificate
11. Click Update.
12. Now, follow the Steps to modify a Microsoft 365 tenant to update the certificate

Note:If the issue still persists, please contact support@exchangereporterplus.com.



• Unified Audit Log must be enabled to fetch data



The following reports require Unified Audit Log to be enabled:

• Azure Admin Activity
• SharePoint Admin Activity
• All OneDrive activity reports 

 

To enable collection of Unified Audit Log data, follow either of these two steps.

1. Enable collection of unified audit log data through Microsoft Microsoft 365 portal.
• Login to Microsoft 365 Portal and navigate to Security & Compliance Center tab.
• Click Search and investigation menu from the tab in the left and click Audit log search.
• In the window that appears, click on Start recording user and admin activity.
• In the pop-up that appears, click Turn On.


2. Enable collection of unified audit log data through PowerShell
• Run the following cmdlets in PowerShell.
$UserCredential = Get-Credential;$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection;Import-PSSession $Session -CommandName Set-AdminAuditLogConfig
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled:$True
Remove-PSSession $Session


• Incomplete Audit Reports



To generate audit reports for all operations, follow the steps listed below.

• Open PowerShell as the administrator.
• Run the command Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process.
• Run the below script:
  <install-dir>/bin/Office365Troubleshoot.ps1

Note: <install-dir> here refers to the directory in which you have installed the M365 Manager Plus application.

• If Exchange session returns a value Error Occurred, please contact m365managerplus-support@manageengine.com to resolve this issue.
• If the Exchange session returns a success value, follow the steps listed below:
• Run the script provided below to enable auditing for the connected Microsoft 365 tenant.
  Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
• Proceed with enabling auditing for the individual mailboxes.
• Enabling complete auditing for all mailboxes
• Enabling complete auditing for particular mailboxes
• Enabling auditing for select operations for all mailboxes

To enable complete auditing for all mailboxes



Get-Mailbox -ResultSize unlimited |Set-Mailbox -AuditEnabled $true -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditDelegate Create, FolderBind, SendAs, SendOnBehalf, SoftDelete, HardDelete, Update, Move, MoveToDeletedItems


To enable complete auditing for particular mailboxes



Set-Mailbox -Identity abc@microsoft.com -AuditEnabled $true -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditDelegate Create, FolderBind, SendAs, SendOnBehalf, SoftDelete, HardDelete, Update, Move, MoveToDeletedItems


To enable auditing for select operations for all mailboxes



Get-Mailbox -ResultSize unlimited |Set-Mailbox -AuditEnabled $true -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditDelegate Create, FolderBind, SendAs, SendOnBehalf, SoftDelete, HardDelete, Update, Move, MoveToDeletedItems


Identify the operations that you want to be audited from the underlined section and exclude the rest from the script.




• Incomplete User Reports or Mailbox Reports



If any of the generated reports under users or mailboxes section do not contain information for certain individuals, then follow the steps listed below.

• Check if the user’s information is displayed in the All Users report or Mailbox Users report.
• If the user’s information is displayed there, the reason for the partial data in the report is that the specific user is not managed by M365 Manager Plus.

To rectify this, purchase more licenses or reassign licenses to accommodate the user by following the steps listed below:

• In M365 Manager Plus, select the Tenant Settings option found at the top right corner.
• Click Manage Licenses link at the right-corner of the window.
• Click the Total Number of Users in the Managed Users column. This will open a pop-up.
• Click icon to search for the specified user
• Select the check box against the particular user
• Click OK to save the selection.


• This Microsoft 365 account has been blocked



1. This account has been blocked by the administrator.

2. Contact your administrator to login to M365 Manager Plus.



• The data for this report is currently being generated in the background.



This message indicates that,

1. The data for this report is currently being generated in the background for some other report opted by you.

2. Or the data is already being generated in the background by some other user.

Note:

If the data generation was successful in either of the above mentioned cases, it will be updated automatically. Hence try switching to any other report and check the required report at a later time.



• Please choose the correct Azure environment.



• Click Tenant Settings option found at the top right corner.

• Choose the correct Azure cloud environment from Azure Environment drop-down.

• Invalid service account password.



Cause

• This error will be shown if the service account password entered is incorrect or has expired.
• Also, if the service account was configured earlier, using the application password.

Solution

• Create a new password in the Microsoft 365 portal and update it in the product.
• If MFA has not been enabled, reset the service account password in the Microsoft 365 portal and update the password in the product.
• If MFA has been enabled, bypass MFA for the service account. Follow the steps listed here to bypass MFA.
• Invalid Application Password.



Cause

• This error message is shown if the application password entered has been deleted or expired.

Solution

• Create a new application password and update the same in the product's tenant settings.
• Missing Azure AD application.



Cause

• This error message is shown if the Azure AD application is deleted.

Solution

• Configure a new application in the Azure portal. Follow the steps listed here to configure your application, manually.
• Missing Azure AD application scope or permission.


• Update the necessary permissions in the application.


• Other Errors



1. Run the Office365Troubleshoot.ps1 script file

• Open PowerShell as the administrator.
• Run the command Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope process.
• Run the below script:
  <install-dir>/bin/Office365Troubleshoot.ps1

Note: <install-dir> here refers to the directory in which you have installed the M365 Manager Plus application.

• Enter the username and password of the Microsoft 365 global admin with which the account was configured.
• If Is Global Admin Account returns a value False, make the user a global admin by following the steps listed here.
• If Exchange session returns a value Error Occurred, the problem is with the configured account.
  
  • If the problem occurs when you try to configure an Microsoft 365 tenant, try using a dedicated service account to configure M365 Manager Plus by following the steps listed here.
  • If the problem occurs at any other stage, please contact m365managerplus-support@manageengine.com with a screenshot of the error.


• In sufficient priviledge to perform the operation



1. When rest api is enabled in the product, directory roles are required for the azure application to perform priviledged operations like 'Reset password', 'Block / Unblock users', 'Change authentication information', 'Delete user', 'Restore user' and 'Hard delete user'.

   • Help desk administrator role can be assigned to update changes for non-administrators and other help desk administrators.

   • Priviledged authentication administrator or Global administrator role can be assigned to update changes for all users (administrators and non-administrators).

2. Contact your administrator to login to M365 Manager Plus.



• This Microsoft 365 account has been blocked



1. This account has been blocked by the administrator.

2. Contact your administrator to login to M365 Manager Plus.



• You must change your Microsoft 365 account password before you can login



1. An Administrator has changed the password to your Microsoft 365 account.

2. Login to Microsoft 365 Portal and reset your password to login to ManageEngine M365 Manager Plus



• Rest API authentication required



1. Rest API based authentication must be enabled for MFA-enabled / Federated Help Desk Technician accounts.

2. Once enabled, users with MFA-enabled / Federated Accounts will be redirected to Microsoft 365 portal for authentication to access M365 Manager Plus.

3. Click here to enable Rest API based authentication



• An unexpected error occurred



1. The error occurs when a PSSession can not be opened successfully.

2. Make sure that you have entered the correct user name and password.

3. If the problem still persists, contact your administrator.



• Access Denied



1. Make sure that you have entered the correct user name and password.

2. If the problem still persists, contact your administrator.



• Unable to save the changes. Please try again later.



1. Make sure that the product is running in the standby server.

2. Ensure that firewall is disabled for the port in which the product is installed.



• Data engine update failed due to insufficient storage.



1. The storage space of the drive in which the product is installed is insufficient to complete the migration. When you increase the storage space and restart the product, the migration will restart automatically.

• Product successfully updated. Data engine update failed due to insufficient storage.



1. The storage space of the drive in which the product is installed is insufficient to complete the migration. When you increase the storage space and restart the product, the migration will restart automatically.



• Please install the correct version of MSOnline module.



App Password is required to configure MFA-enabled accounts in Tenant Settings, which is not supported by the latest MSOL version. Please contact m365managerplus-support@manageengine.com.

• Steps to check whether a user account is blocked from logging in:

• Log in to Microsoft 365 portal .
• Navigate to Users --> Active Users.
• In the filters drop-down box, select Sign-in Blocked.
• Check if the user account is blocked from logging in.




• Steps to make a user a global admin:

When the account is configured with a user who is not a global admin, the user tenant might not have permission to view all the details and will result in reports being generated with partial data.

• Log in to Microsoft 365 portal .
• Navigate to Users --> Active Users.
• Select the user and click Edit in the Roles field.
• Select Global Administrator, enter an alternative email address and click Save.
• Refresh the user account in the M365 Manager Plus application.
  
  • Click Tenant Settings found in the top right corner
  • Click on icon present under the actions tab of the corresponding user tenant.



• Steps to create a dedicated service account:

• Log in to the Microsoft 365 portal .
• Navigate to Users --> Active Users --> Add a User.
• Create a new user by filling the mandatory fields display name and user name.
• In the password section, select Let me create the password and enter a password for the user account.
• Uncheck the Make this user change their password when they first sign in.
• In the roles section, select Global Administrator.
• In the product licenses section, select Create user without product license.
• Click Save.
• Use this account to configure your Microsoft 365 tenant in M365 Manager Plus.

If the problem persists, contact m365managerplus-support@manageengine.com .



• When I add my domains manually, the domain controllers (DCs) are not resolved. Why?



1. This problem occurs when the DNS associated with the machine running M365 Manager Plus does not contain the necessary information. You need to add the DCs manually.



• When I add a DC, I get an error that says "The Servers are not operational." What does that mean?



This error could be due to any of the following reasons:

• The DC is down.
• The product server is not available.
• A firewall has been enabled, and port 389 is closed.
• The network is busy.


• When I add a DC, I get an error that says "Unable to get domain DNS / FLAT name." What does that mean?



This error could be due to any of the following reasons:

• The specified username or password is invalid.
• An anonymous login (where no username and password are provided) was performed.
• The IP address of the DC is specified instead of its name.


Copyright © 2016, ZOHO Corp. All Rights Reserved. ManageEngine