Possible errors while adding a Office 365 tenant

• When adding an Organization there are 11 Verification checks that happen. Below lists each of the verification and what it means if it fails. In addition any permission assigned in Office 365 Online can take 15-60 minutes to apply on Microsoft’s end.
   

Connection to Microsoft Graph: #

This meaning can change based on if you are using Modern authentication or Basic authentication.

Modern authentication: This would mean that the Application ID and secret failed to authenticate.

• Make sure the Application ID and Secret were properly entered
• Check the Application APIs from the “Azure AD Application” section below
• Try generating a new Application Secret from Azure AD

Basic authentication: This would mean that your username does not have permissions to authenticate with the Microsoft Graph Online.

• If your Organization is Federated try creating a new cloud user account from Microsoft Azure AD for authentication.
• Make sure that the user belongs to the Organization.
• Check that user has all permissions assigned from the above SharePoint and Exchange section

Connect to EWS: #

This is a connection to the Exchange Web Service.

Modern authentication: This uses a duel authentication leveraging the Application ID and Username.

• For the Application ID check in Microsoft Azure AD that the correct APIs were assigned as Application and not Delegated.
• For the Username check Microsoft Exchange Admin center that all permissions have been assigned to the user as documented below.

Basic authentication:

• For the Username check Microsoft Exchange Admin center that all permissions have been assigned to the user as documented below.

Connection to PowerShell:

This step checks that we can connect to Exchange Online PowerShell. Only the username is used for this verification. Require AllowBasicAuthPowershell and AllowBasicAuthWebServices to be allowed in the group policy this user is added to.

• In Azure AD check Conditional Access- Polices for anything blocking legacy authentication and make sure the service account is being excluded from these policies: https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies
• Check through PowerShell to see if the policies are allowed for the user:
  1. Connect to Exchange Online PowerShell module: https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-ps
  2. Next you will run the “Get-AuthenticationPolicy” command. If there is a blank return then there is no policy in place.
  3. If the current policy does not have true for AllowBasicAuthPowershell and AllowBasicAuthWebService contact your Domain admins to update the policy with the following Microsoft Document
  4. https://docs.microsoft.com/en-us/powershell/module/exchange/organization/set-authenticationpolicy?view=exchange-ps

Check Exchange plan and SharePoint plan: If either of these fail then your plan cannot automatically identified as Valid. Use the below KB to add the proper plans to your configuration

Service plan is not found when adding Office 365 organization:

 https://www.veeam.com/kb2946

Check Required cmdlets access, Mailbox Search role, and Applicationimpersonation role: The roles are all related to Exchange Online.

• Check that the user has been properly added to the role group with all necessary permissions as shown above in the Exchange section

Check SharePoint Online Administrators role: This refer the SharePoint Administrator role that you assign to the user in the Admin Center.

• Refer to the SharePoint section above and make sure that the service has the SharePoint Administrator role assigned

Check LegacyAuthProtocolsEnabled: This is a setting in SharePoint Admin center to enable legacy Authentication. 

• Refer to the SharePoint section above to Allow Apps that don’t use modern authentication.
• “Unauthorized” error is thrown by SharePoint Online and/or OneDrive for business backup jobs: https://www.veeam.com/kb2714