Topic
This article explains some common errors and troubleshooting steps for NinjaOne SaaS Backup.
Environment
NinjaOne SaaS Backup
Description
NinjaOne SaaS Backup is
- Troubleshooting Authentication Issues
- Token Expiration
- Error (MailboxNotEnabledForRESTAPI)
- Email Notification Stating "We Encountered an Issue" While Backing Up These Mailboxes Caused by Not Enough Space on the Mail-Server Side
- Authentication Errors in Groups and Teams When the Backup Admin Credential is Already Verified
- Error "No Data Available" Displayed on the Restore Page
Troubleshooting Authentication Issues
When facing authentication issues within NinjaOne, there can be a number of causes. This guide can help you troubleshoot problems and resolve some of the more common causes.
The first thing to determine, before we can properly investigate an issue, is what kind of problem you are having. The main question to ask yourself here is whether you are having problems connecting to your environment or if the issue is connecting to a specific user (or subset of users). The best way to check this is to take a look at all your backups and see if some of them are successful or if they are all failing.
Issues With Specific Users
If you are seeing an authentication or connection error with a single user, or a small subset of users, then the issue typically has something to do with that specific user. In cases like this, sign in to your environment as an administrator and check the following:
- Confirm that the user exists and that the address for the user matches what you see within NinjaOne.
- Confirm that the user is active and not deactivated or blocked within the environment.
- Check the licensing for the user in order to ensure they have a license that allows them a mailbox. If backing up OneDrive for a user, ensure that the applied license includes that as well.
- Make sure that the user's mailbox (and OneDrive if applicable) is activated and able to be accessed by the user.
If you do not find any issues with the user themselves, check the environment connections described in the next section. While not common, problems with our connection to the environment may be resulting in issues with just a few mailboxes.
Issues With Environment Connection
If you are seeing errors with all of your users, or if the error occurs during the setup of your organization, then the issue is not likely to be related to an individual user. It could be that the organization has revoked or not correctly activated some permissions, or that there is some security setting within your tenant that is blocking us. Take the following steps to troubleshoot these types of issues:
- Check the NinjaOne End-User Portal to see if there is an option available to re-authenticate. You can access the end-user portal by either logging into your organization directly or by using the Login as Client option from the partner portal.
- Log in to the end-user portal for your organization and navigate to the Account Settings page.
- The credentials tab within Account Settings will show you the status of our connection to your environment. If there are errors here, you should see an option to re-authenticate.
- Check within Microsoft Entra ID to see if you have any conditional access policies in place that might be interfering with NinjaOne's ability to connect to your environment. Likewise, check to see if you have any connection filtering in place with which you will need to allowlist the NinjaOne IP addresses.
- If using the Global Admin connection method, ensure that the backup admin account that was created still exists and has not been deactivated.
If you aren't able to identify and resolve the issue with the above steps, create a ticket with our support team. You can do this via the Submit a request button on this page if you have signed in, or by sending an email to NinjaOne support. Our support team will assist with determining what is causing your issue and will help identify the steps needed to resolve it. When reaching out to us, providing screenshots showing what you have checked will help speed up the investigation process.
Token Expiration
For those organizations where you see frequent device authorization errors, check whether multi-factor authentication (MFA) settings have been activated, such as Remember multi-factor authentication on trusted devices, or conditional policy on Microsoft Entra ID and Microsoft 365 (M365). The configured Policy or MFA Setting can cause the device token to expire, causing a credential error.
Settings can be checked by navigating to Azure Portal → Users → Per-user MFA → Service Settings Tab.
You can check here to see if you have activated a Password expiration policy on the tenant.
- Visit URL https://admin.microsoft.com/AdminPortal/Home?#/Settings/SecurityPrivacy.
- Check to see if the password expires after x number of days.
In the case that there is at least one global administrator with a Microsoft Entra ID Premium License, conditional access can be created to configure the token expiry; otherwise, it follows the default configuration (90 Days) as explained by Microsoft (Configurable token lifetimes - Microsoft Entra ).
"AADSTS50173: The provided grant has expired due to it being revoked; a fresh auth token is needed. The user might have changed or reset their password."
This error is due to a backup admin change or a backup admin password change. If any AD Policy forces the expiration or renewal of the backup admin or backup admin password during a specific interval, ask your client to exclude the Backup Admin from the policy.
| Error Code | Reason | Resolution |
|---|---|---|
| AADSTS700082 | The refresh token is expired due to inactivity. The default period is 14 days, and we have a cron to renew the refresh token every 7 days. However, some tenants have a custom inactive period of less than 7 days. Another reason may be an issue on our side not renewing the refresh token due to an error in the cron. | This is mainly on our side. We need to check our crons; we don't have any logs or reports like the last refresh tokens renewed time. And support renewing the tokens more often and configurable renewal times for the tenants with an active period of less than 7 days. |
| AADSTS50078 | The refresh token is invalid due to a policy configured in the Azure tenant. Our application or backup admin should be included in a policy that leads to the token expiry. | Clients must exclude our application and backup admin from Conditional Policies in their tenant. If it happens for device tokens, it might be because "remember multi-factor authentication on trusted device" is enabled. Clients may need to disable this, create a conditional access policy, and exclude our backup admin. |
| AADSTS50173 | The user has reset or changed the password, or they have a password expiration policy. | Customer needs to reauthenticate if they have reset or changed their password. If they have any password expiration policy, they can disable it from our backup admin. |
| AADSTS500341 | Either their org admin, who authenticated the main app, or our backup admin is deleted from the tenant. | If their global admin is deleted, they must reauthenticate using a different org admin. If the backup admin is deleted, our system automatically creates a new one, and they need to set up MFA and reauthenticate using the new backup admin. |
| AADSTS50076 | Azure security defaults might be enabled in the tenant and admin setup MFA after authentication, leading to invalid tokens. If they reset the MFA device and reset the MFA on an org admin or backup admin, tokens will be invalid. | The best way would be to turn off security defaults and use conditional access policies if they have an Azure premium license and exclude our app and the backup admin from the policy. If not, they need to reauthenticate whenever they update MFA settings. |
| AADSTS70043 | The refresh token has expired or is invalid due to sign-in frequency checks by conditional access or token lifetime configured. | Clients need to exclude our app and backup admin from the policies if configured. |
Error (MailboxNotEnabledForRESTAPI)
Mailboxes with Microsoft API Error "MailboxNotEnabledForRESTAPI" happen when there is no valid M365 Mailbox, then the RestAPI is not supported. To fix the error, the tenant's administrator has to enable Rest API Access for those mailboxes.
Email Notification Stating "We Encountered an Issue" While Backing Up These Mailboxes Caused by Not Enough Space on the Mail-Server Side
When our system finds the Microsoft API Error "ErrorQuotaExceeded" during the backup process, it triggers the email notification. To fix the backup error, ask the organization to free up some space or add more space in the mailbox, which would eventually remove the Microsoft API Error. Once you take this action, the backup process will automatically resume.
Authentication Errors in Groups and Teams When the Backup Admin Credential is Already Verified
Check if there are any Conditional Access Policies configured in Azure. The configured policy expires the delegated authentication token, which causes a backup error.
To fix this issue, exclude the NinjaOne Backup Admin (Tenant Application Format: [email protected]) from any configured policy.
Error "No Data Available" Displayed on the Restore Page
When the selected date range doesn't have data in the backup, the error "No data available" is displayed. Recheck the date range chosen. If you still see "No data available," reach out to NinjaOne support.
Additional Resources
Refer to the articles below for more troubleshooting guidance: