Troubleshooting Microsoft 365 sync issues

Find out what to do if you are having issues with syncing users or groups from Microsoft 365.

Micke Ahola avatar
Written by Micke Ahola
Updated over a week ago

Here's what to do if:

What should I do if users are missing from my sync?

The most common reason for missing users is that you've run a Test Sync, instead of a Manual Sync. You can run a Manual Sync from the Microsoft 365 Sync page. If that doesn't resolve your missing users issue, please follow our guide to troubleshooting missing users below.

How can I stop shared inboxes from being brought over?

You can stop any accounts from being brought over by adding them to the sync deny list.

How can I stop inactive users from being made active by the sync?

If you don't wish an inactive user to be made active by the M365 sync, you can add the user's email address to the sync forbid list. You can do this in the Microsoft 365 Sync Wizard on the configuration page of your platform settings.

What should I do if my User Limit has been exceeded?

The sync will fail if the total number of all users (active or inactive) on your account exceeds the user limit placed upon it if present. The Summary sheet on the spreadsheet attachment of your sync summary includes an Updated User Count and User Limit. These figures will give you an impression of how far over the limit the account is. Sync failure alerts do not always include a full summary or attachment, you can run a test sync to obtain this data.

To get the sync working you will either need to delete users or have the user limit on your account increased.

The sync does not delete users but rather sets them to inactive. The idea is to provide a recycle bin of users who you can delete when you no longer need them. You can view your inactive users on the Users page and delete them as you see fit. Similarly you should review the Users Deactivated sheet on the sync summary spreadsheet attachment as you can also delete these users to bring your total down.

What privileges do I need to authorise the M365 sync?

You will need to have the correct privileges set on your Azure account in order to set up the M365 sync. View a list of the requirements below.

What should I do if my sync failed due to authentication issues?

This means that the authentication setup for your sync is no longer valid. This can happen for the a number reasons particularly if your sync authenticates using Delegated Permissions.

Delegated Permissions authentication can be invalidated if the authorising M365 user:

  • Changes their password

  • Sets up MFA on their account

  • Has their roles or privileges changed

  • Has been deleted from M365/AD

The Applications Permissions method is not affected by the above.

Both of our authentication methods can fail if the Enterprise Applications entry for the sync in Azure AD is deleted or if it has had its permissions modified.

The simplest way to resolve authentication issues is to rerun the authentication process by clicking the Sign in with Microsoft on the Microsoft 365 settings page. You run the Microsoft consent process using an eligible M365 account after which you will be taken to the sync's setup wizard. You can close the wizard at this point as you do not need to complete it for re-authentication to take effect. You should run a test sync after re-authenticating the sync to ensure it is working.

What should I do if the groups in my sync configuration are missing?

The sync will fail if the groups you selected to load users from no longer exist in Azure AD. Typically this is because the selected groups have been deleted from Azure AD since the M365 sync was configured on your account.

Under these conditions you would see the warning message below in the View Current Setting option on the M365 sync settings page.

You would also see the error below in the Summary sheet in the Sync Summary email's spreadsheet attachment on a test or manual sync:

No allow listed groups found in the group data from the synced API

You can resolve this issue by running the configuration wizard and selecting new groups on the Group Configuration step.

What should I do if my sync fails because it can't find any users?

The M365 sync establishes a synced dataset based on your M365 data and the filtering configuration of your sync. The sync will fail if it can't find any users that comply with your filtering preferences or the system's requirements for user records. The system requires that users have a first name, last name and a valid email address that conforms with your domain lock if enabled.

The Sync Summary email can give further information about this. The Users Loaded count will be 0 if all users fail to meet the system's requirements for user records. The Users Processed count will be 0 is there are no users in the synced dataset after filtering.

The error message in the Summary sheet of the Sync Summary spreadsheet attachment can also highlight the reason for this.

  • No users loaded from API - The sync could not load users from the MS Graph API. The users API request includes filters for account enabled and the "Member" User Type. Users will be loaded if they do meet these criteria.

  • No viable users loaded from API - The sync could load users from the MS Graph API but none of them meet the system's requirements for user records. Depending on your sync settings, users without assigned licences are not considered viable.

  • No users present after filtering - The sync found users that fit the system's requirements but none of them comply with your filtering preferences.

To resolve these issues you should run the steps in this article and check whether the groups in your sync's filtering preference contain users in Azure AD.

Did this answer your question?