If you have received an error related to either Office 365 or your PSA tool, this page lists some common errors and how to resolve them.
AADSTS700082: The refresh token has expired due to inactivity – Occurring to a single tenant
As the system automatically keeps your refresh token up to date, this is typically seen for a single one of your tenants rather than all of your tenants.
We have typically seen this occur when the "remember MFA for X days" option is selected in a customer's MFA settings (admin portal > Users > Multi-factor authentication).
NOTE: Microsoft's recommendation is for this option to be disabled and for MFA requirements to be configured through Conditional Access policies instead.
Having this option enabled creates an additional security risk and also prevents the refresh token from being used to access this customer's Office 365 tenant.
To resolve the issue, disable this option and wait roughly 30 minutes.
AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access
This error typically happens if you switch your delegated admin account between having MFA enabled and disabled.
Alternatively, it can happen if you roll out MFA via Conditional Access where it was not previously enforced.
When this happens, you need to grant us access to your Partner Center again by going to Company > Delegated Admin and clicking "Grant partner center consent".
AADSTS530034: A delegated administrator was blocked from accessing the tenant due to account risk
There are a couple of things that can cause this error.
- Your delegated admin has been listed as a risky user (check this in your own tenant, not the customer's).
- You can check this in: Azure Active Directory > Security > Risky users
- If your delegated admin account is listed here, it can be blocked by a tenant's Conditional Access policies. Remove it from the list by dismissing the user risk (only after confirming the flagged activity was legitimate) and the issue should be resolved.
- Security defaults can also cause a block. It is better to use Conditional Access policies than Microsoft's security defaults, which were introduced for tenants that do not have MFA policies set up (the two are mutually exclusive, so security defaults must be turned off before Conditional Access policies can be enabled).
- You can check this in the customer tenant: Azure Active Directory > Properties > Manage security defaults
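The two checks above can be scripted against Microsoft Graph instead of clicking through both portals. The following is an added example and is not code from this page or from the product it documents; it assumes the Microsoft Graph PowerShell SDK is installed, and the UPN and tenant IDs are placeholders you must replace. Risky-user data requires Identity Protection licensing in the partner tenant.

```powershell
# Added example: check both causes of AADSTS530034 described above.
# Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# All three values below are placeholders, not values from the original page.
param(
    [string]$DelegatedAdminUpn = 'delegated.admin@partner.example',         # placeholder
    [string]$PartnerTenantId   = '00000000-0000-0000-0000-000000000001',    # placeholder: your tenant
    [string]$CustomerTenantId  = '00000000-0000-0000-0000-000000000002',    # placeholder: customer tenant
    [switch]$DismissRisk   # only dismiss once you have verified the flagged activity was legitimate
)

# 1. Partner (home) tenant: is the delegated admin flagged as a risky user?
Connect-MgGraph -TenantId $PartnerTenantId -Scopes 'IdentityRiskyUser.ReadWrite.All' -NoWelcome
$risky = Get-MgRiskyUser -All |
    Where-Object { $_.UserPrincipalName -eq $DelegatedAdminUpn -and
                   $_.RiskState -in 'atRisk', 'confirmedCompromised' } |
    Select-Object -First 1

if ($risky) {
    Write-Warning ("{0} is flagged: level={1} state={2} lastUpdated={3}" -f
        $risky.UserPrincipalName, $risky.RiskLevel, $risky.RiskState, $risky.RiskLastUpdatedDateTime)
    if ($DismissRisk) {
        # Equivalent to "Dismiss user risk" in Azure AD > Security > Risky users.
        Invoke-MgDismissRiskyUser -UserIds @($risky.Id)
        Write-Host "User risk dismissed; allow a few minutes before retrying the customer tenant."
    }
}
else {
    Write-Host "$DelegatedAdminUpn is not currently flagged as a risky user in $PartnerTenantId."
}
Disconnect-MgGraph | Out-Null

# 2. Customer tenant: are security defaults enabled?
# (Azure AD > Properties > Manage security defaults in the portal.)
Connect-MgGraph -TenantId $CustomerTenantId -Scopes 'Policy.Read.All' -NoWelcome
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    Write-Warning "Security defaults are ENABLED in $CustomerTenantId; replace them with Conditional Access policies."
}
else {
    Write-Host "Security defaults are disabled in $CustomerTenantId."
}
Disconnect-MgGraph | Out-Null
```

Run it first without -DismissRisk so the script only reports; dismissing user risk clears the signal that blocked the account, so confirm the sign-ins behind the risk detection were yours before passing the switch.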
Access Denied. You do not have permissions to call this cmdlet. for <tenant>
This typically occurs if you still have a tenant linked to your Partner Center, but have had admin rights removed so you cannot access the tenant.
You can contact Microsoft Partner Support to ask them to remove the tenant from your Partner Center list.
Direct CSPs can also remove the relationship themselves from their Partner Center.
This can also happen if the delegated admin link did not work correctly when it was accepted for the tenant.
If this is a tenant you should be able to manage, try using your Partner Delegated Admin link to accept the admin rights within that tenant again.