
Troubleshooting Authentication Errors

Introduction

MSPMagic uses various methods to authenticate to your customers' Microsoft 365 tenants.

We always prefer to use Modern Authentication following the Microsoft Secure Application Model; however, Microsoft does not always support this for all services.

Microsoft Teams supports Modern Authentication for some settings, while others still rely on the older Skype for Business service and often require the use of Basic Authentication.

In order for MSPMagic to use Basic Authentication, the tenant needs to be configured correctly to allow this authentication method where it is used, while blocking unwanted access using Basic Authentication.

Authentication Methods used by each service

| Service | Authentication Method |
|---|---|
| Partner Center | Modern – Secure App Model via Direct Access |
| Azure AD | Modern – Secure App Model via Delegate Admin |
| Exchange Online | Modern – Secure App Model via Direct Access |
| SharePoint Online | Modern – Secure App Model via Direct Access |
| Microsoft Teams | Basic – Global Administrator via Direct Access, and; Modern – Secure App Model via Delegate Admin |
| Endpoint Manager | Modern – Secure App Model via Delegate Admin |

Security Defaults

SharePoint Online settings will not be available if your customer's tenant has Security Defaults enabled.
Security Defaults automatically blocks all legacy authentication methods.

To Disable Security Defaults

  1. Sign in to your customer's Azure Active Directory (https://aad.portal.azure.com) as the Global Administrator
  2. Navigate to Properties -> Manage Security defaults and then Select No under Enable Security defaults
  3. Click Save to apply the setting.

When disabling Security Defaults, MSPMagic recommends that you replace the settings with Conditional Access policies to ensure that access to your customer's tenant is secured. Please see the following guide: Replacing Azure AD Security Defaults with Conditional Access Policies

Conditional Access Policies

If there are any Conditional Access Policies assigned in the customer tenant, the MSPMagic Administrator Global Admin account must be excluded from the policies and our IP address must be whitelisted.

The use of Conditional Access Policies requires that the tenant has at least a single license of Azure AD P1 or P2.

IP Address: 20.188.223.13/32
Display Name: MSPMagic Administrator
User Principal Name: MSPMAGIC-<PartnerTenantGUID>@<TenantDefaultDomainPrefix>.onmicrosoft.com

Please see the following procedure:

  1. Sign in to your customer's Endpoint Manager Portal (https://endpoint.microsoft.com) as the Global Admin
  2. Navigate to Devices -> Conditional Access
  3. For each Conditional Access Policy, add the MSPMagic Administrator to the Excluded list.
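
After applying the exclusions, it is worth confirming what they actually leave open. The following is an added example, not MSPMagic's own code: it audits Conditional Access policies and named locations exported as JSON in the Microsoft Graph object shape, listing policies that still apply to the account, which users each legacy-authentication block exempts, and whether any named location covering the MSPMagic address is wider than the single /32. The object ID and the sample policies are constructed placeholders.

```python
import ipaddress

MSPMAGIC_IP = ipaddress.ip_network("20.188.223.13/32")  # address given on this page
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # Graph clientAppTypes for legacy auth
SVC_ID = "00000000-0000-0000-0000-0000000000aa"  # placeholder object ID (assumption)

# Constructed sample export, shaped like Graph policy and named-location objects.
POLICIES = [
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [SVC_ID]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Require MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "clientAppTypes": ["all"]},
     "grantControls": {"builtInControls": ["mfa"]}},
]
LOCATIONS = [
    {"displayName": "MSPMagic", "ipRanges": [{"cidrAddress": "20.188.223.13/32"}]},
    {"displayName": "Office", "ipRanges": [{"cidrAddress": "20.188.0.0/16"}]},
]

def policies_missing_exclusion(policies, account_id):
    """Enabled policies that still apply to the account (exclusion not yet added)."""
    return [p["displayName"] for p in policies
            if p["state"] == "enabled"
            and account_id not in p["conditions"]["users"].get("excludeUsers", [])]

def legacy_block_exemptions(policies):
    """Map each enabled legacy-auth block policy to the users it exempts, for review."""
    found = {}
    for p in policies:
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        clients = set(p["conditions"].get("clientAppTypes", []))
        if p["state"] == "enabled" and "block" in controls and LEGACY_CLIENTS <= clients:
            found[p["displayName"]] = p["conditions"]["users"].get("excludeUsers", [])
    return found

def locations_covering_ip(locations):
    """(name, wider_than_needed) for each named location that contains the address."""
    hits = []
    for loc in locations:
        for rng in loc.get("ipRanges", []):
            net = ipaddress.ip_network(rng["cidrAddress"], strict=False)
            if net.version == 4 and MSPMAGIC_IP.subnet_of(net):
                hits.append((loc["displayName"], net != MSPMAGIC_IP))
    return hits
```

An empty result from `legacy_block_exemptions` means no enabled policy blocks legacy clients at all, which matters most on tenants where Security Defaults has been turned off.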

Per User Multi-Factor Authentication

If you are using Per User Multifactor Authentication, the MSPMagic Administrator Global Admin account must have the setting configured to “Disable”.

Please use the following procedure:

  1. Sign in to your customer's Azure Active Directory (https://aad.portal.azure.com) as the Global Administrator
  2. Click to manage Users
  3. Click Multi-Factor Authentication to bring up the Per-User Multifactor Authentication Menu
  4. Search for MSPMagic and set/ensure the Multi-Factor Auth Status is set to Disabled
