Table of Contents:
- Troubleshooting Authentication Issues
- Token Expiration
- Error (MailboxNotEnabledForRESTAPI)
- Email Notification Stating "We Encountered an Issue" While Backing Up These Mailboxes Caused by Not Enough Space on the Mail-Server Side
- Authentication Errors Under Groups & Teams When the Backup Admin Credential is Already Verified
- Error “No Data Available” Displayed on the Restore Page
Troubleshooting Authentication Issues
When facing authentication issues within NinjaOne, there can be a number of causes. This guide is designed to help you troubleshoot issues and resolve some of the more common causes.
The first thing to determine, before we can properly investigate an issue is to determine what kind of problem you are having. The main question to ask yourself here is whether you are having issues connecting to your environment or if the issue is connecting to a specific user (or subset of users). The best way to check this is to take a look at all your backups and see if some of them are successful or if they are all failing.
Issues With Specific Users
If you are seeing an authentication or connection error with a single user, or a small subset of users, then the issue typically has something to do with that specific user. In cases like this, please sign into your environment as an Admin and check the following:
- Confirm that the user exists and that the address for the user matches what you see within NinjaOne.
- Confirm that the user is active and not disabled or blocked within the environment.
- Check the licensing for the user in order to ensure they have a license which allows them a mailbox. If backing up OneDrive for a user, ensure that the applied license includes that as well.
- Make sure that the user's mailbox (and OneDrive if applicable) is enabled and able to be accessed by the user.
If you do not find any issues with the user themselves, please check the environment connections outlined in the next section. While not common, it is possible that issues with our connection to the environment are resulting in issues with just a few mailboxes.
Issues With Environment Connection
If you are seeing errors with all of your users, of if the error occurs during the setup of your organization, then the issue is not likely to be related to an individual user. It could be that some permissions have been revoked (or not added properly) or that there is some security setting within your tenant that is blocking us. Please take the following steps to troubleshoot these types of issues:
- Check within the NinjaOne End-User Portal to see if there is an option available to re-authenticate. Note that you can access the end user portal by either logging into your organization directly or by using the “Login as Client” option from the Partner Portal.
- To check this, log into the end-user portal for your organization and navigate to the “Account Settings” page. This can be found in the account drop-down menu in the upper right corner of the page.
- The credentials tab within Account Settings will show you the status of our connection to your environment. If there are errors here, you should see an option to re-authenticate.
- Check within Entra ID to see if you have any conditional access policies in place which might be interfering with NinjaOne’s ability to connect to your environment. Likewise, check to see if you have any sort of connection filtering in place with which you will need to whitelist NinjaOne IP addresses.
- If using the Global Admin connection method, ensure that the backup admin account which was created still exists and has not been deactivated.
If you aren’t able to identify and resolve the issue with the above steps, please create a ticket with our support team. You can do this via the “Submit a request” button at in the upper right of this page (if signed in) or by sending an email to NinjaOne support. Our support team will assist with determining what is causing your issue and will help identify the steps needed to resolve it. When reaching out to us, providing screenshots showing what you have checked will go a long way towards speeding up the investigation process.
Token Expiration
For those organizations where you see frequent device authorization errors, check whether MFA settings have been enabled such as “remember multi-factor authentication on trusted devices” or Conditional Policy on Azure AD / M365. The configured Policy / MFA Setting causes the device token to expire, so there is a credential error.
Settings can be checked by following Azure Portal > Users > Per-user MFA > Service Settings Tab.
Also, you can check if the Password expiration policy is enabled on the tenant.
- Visit URL https://admin.microsoft.com/AdminPortal/Home?#/Settings/SecurityPrivacy.
- Check password expiry is enabled after x number of days.
In the case that there is at least one global admin with Azure AD Premium License, conditional access can be created to configure the token expiry; otherwise, it follows the default configuration (90 Days) as explained by Microsoft (Configurable token lifetimes - Microsoft Entra ).
Example:
“AADSTS50173: The provided grant has expired due to it being revoked; a fresh auth token is needed. The user might have changed or reset their password.”
This error is due to a backup admin change or backup admin password change. If any AD Policy forces to expire or renew the backup admin / backup admin password during a specific interval, ask your client to exclude the Backup Admin from the policy.
| Error Code | Reason | Resolution |
|---|---|---|
| AADSTS700082 | The refresh token is expired due to inactivity. The default period is 14 days, and we have a cron to renew the refresh token every 7 days. However, some tenants have a custom inactive period of less than 7 days. Another reason may be an issue on our side not renewing the refresh token due to an error in the cron. | This is mainly on our side. We need to check our crons; we don't have any logs or reports like the last refresh tokens renewed time. And support renewing the tokens more often and configurable renewal times for the tenants with an active period of less than 7 days. |
| AADSTS50078 | The refresh token is invalid due to a policy configured in the Azure tenant. Our application or backup admin should be included in a policy that leads to the token expiry. | Clients must exclude our application and backup admin from Conditional Policies in their tenant. If it happens for device tokens, it might be because "remember multi-factor authentication on trusted device" is enabled. Clients may need to disable this, create a conditional access policy, and exclude our backup admin. |
| AADSTS50173 | The user has reset or changed the password, or they have a password expiration policy. | Customer needs to reauthenticate if they have reset or changed their password. If they have any password expiration policy, they can disable it from our backup admin. |
| AADSTS500341 | Either their org admin, who authenticated the main app, or our backup admin is deleted from the tenant. | If their global admin is deleted, they must reauthenticate using a different org admin. If the backup admin is deleted, our system automatically creates a new one, and they need to set up MFA and reauthenticate using the new backup admin. |
| AADSTS50076 | Azure security defaults might be enabled in the tenant and admin setup MFA after authentication, leading to invalid tokens. If they reset the MFA device and reset the MFA on an org admin or backup admin, tokens will be invalid. | The best way would be to turn off security defaults and use conditional access policies if they have an Azure premium license and exclude our app and the backup admin from the policy. If not, they need to reauthenticate whenever they update MFA settings. |
| AADSTS70043 | The refresh token has expired or is invalid due to sign-in frequency checks by conditional access or token lifetime configured. | Clients need to exclude our app and backup admin from the policies if configured. |
Error (MailboxNotEnabledForRESTAPI)
Mailboxes with Microsoft API Error “MailboxNotEnabledForRESTAPI” happens when there is no valid M365 Mailbox, then RestAPI is not supported. To fix the error, the tenant’s admin has to enable Rest API Access for those mailboxes.
Email Notification Stating "We Encountered an Issue" While Backing Up These Mailboxes Caused by Not Enough Space on the Mail-Server Side
When our system finds the Microsoft API Error “ErrorQuotaExceeded” during the backup process, it triggers the email notification. To fix the backup error, please ask the organization to free up some space or add more space in the mailbox, which would eventually remove the Microsoft API Error. Once action is taken, the Backup process will automatically resume.
Authentication Errors Under Groups & Teams When the Backup Admin Credential is Already Verified
Please check if there are any Conditional Access Policies configured in Azure. The configured policy expires the delegated authentication token, which causes a backup error.
To fix it, please exclude the NinjaOne Backup Admin (Tenant Application Format: [email protected]) from any configured policy.
Error “No Data Available” Displayed on the Restore Page
When the selected date range doesn’t have data in the backup, the error “no data available” is displayed. Please recheck the date range chosen. In the event you still are unable to see "no data available," please reach out to NinjaOne support.