To begin with, let's look at the Audit log to analyze the reason for IPP failure. Follow the below steps:
Please navigate to the IPP and click on the Audit logs tab of the IPP.
Click on the View Logs for the failed Datasource in the audit log entries.
You can find the error message like mentioned below:
Some of the common errors and their resolution are listed below:
The refresh token could have expired and it should be updated in the realm/Datasource configuration. Most common scenarios are
Error Message | Resolution |
Refresh token expired | New refresh token* |
The provided authorization code or refresh token has expired due to inactivity | New refresh token* |
Presented multi-factor authentication has expired due to policies configured by your administrator | New refresh token* |
Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication | New refresh token* |
The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. | New refresh token* |
Invalid user/service account details in the Realm
Error Message (found in the Audit log) | Resolution |
Request is malformed or invalid/Invalid National Cloud Token | Private key for the MFA account should be valid |
Username is empty for the data source | Check the user name in the Realm or Datasource |
Password is empty for the data source | Check the password in the Realm or Datasource |
User account/location is empty for the data source | Check the configuration in Realm or Datasource |
The Private key of the MFA should be valid
Error Message (found in the Audit log) | Resolution |
Request is malformed or invalid | Ensure the Private key for the MFA account is right |
Invalid National Cloud Token | Ensure the Private key for the MFA account is right |
The Identity Provider returned an error. Trace ID: | Ensure the Private key for the MFA account is right |
The service principal for resource 'https://ps.compliance.protection.outlook.com' is disabled. This indicates that a subscription within the tenant has lapsed, or that the administrator for this tenant has disabled the application, preventing tokens from being issued for it. | Ensure the Private key for the MFA account is right |
