Troubleshooting connection to Microsoft 365
Summary
During installation and initial configuration, Cayosoft Administrator performs various pre-installation checks to ensure all required components are installed and system settings are configured properly. However, some settings may have been changed after the Cayosoft Administrator installation, or may not have been properly verified during installation. This article provides an extensive set of verification procedures to ensure that the system where the Cayosoft Administrator Service is installed is configured properly.
Microsoft 365 connection account password issues
| Issue | Requirements |
|---|---|
| Error: Authentication Error: Password has expired. You must call the Connect-MsolService cmdlet before calling any other cmdlets. | |
| Incorrect configuration for the Office 365 connection account: account password is expired or the account must change the password on the first sign in. Please sign in to Office 365 with that account credentials, resolve any issues and restart the Administration Service. | |
| Error: Authentication Error: Unexpected authentication failure. | |
Microsoft 365 connection account issues
| Issue | Requirements |
|---|---|
| Incorrect configuration for the Office 365 connection account: multi-factor authentication (MFA) is enabled. Please disable MFA for the Office 365 Service Account and restart the Administration Service. | |
| Error: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application. | |
| [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following error message: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. | |
| Error: AADSTS53003 Blocked by conditional access. | |
| AADSTS50053: You've tried to sign in too many times with an incorrect User ID or password. | |
Exchange Online connection issues
| Issue | Requirements |
|---|---|
| [ps.outlook.com] Closing remote server shell instance failed with the following error message: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. | |
| Cannot validate argument on parameter 'Session'. The argument is null. Supply a non-null argument and try the command again. | |
| [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following error message: The WinRM client cannot process the request. Basic authentication is currently disabled in the client configuration. Change the client configuration and try the request again. For more information, see the about_Remote_Troubleshooting Help topic. | |
| Sessions to 'Microsoft Office 365' could not be established. Please read the platform returned error message(s) to identify the problem. The Check Settings Action, located on each extension's configuration page, may be useful for troubleshooting connection issues. Error Details: The term 'Get-SharingPolicy' is not recognized as the name of a cmdlet, function, script file, or operable program. | |
| Sessions to 'Microsoft Office 365' could not be established. Please read the platform returned error message(s) to identify the problem. The Check Settings Action, located on each extension's configuration page, may be useful for troubleshooting connection issues. Error Details: Data returned by the remote Get-FormatData command is not in the expected format. | For resolution, please see step-by-step instructions in the Appendix section. |
| The WS-Management service cannot process the request. This user has exceeded the maximum number of concurrent shells allowed for this plugin. Close at least one open shell or raise the plugin quota for this user. | |
| Create Powershell Session is failed using OAuth. | |
Microsoft Teams module connection issues
| Issue | Requirements |
|---|---|
| Required components are missing for Microsoft 365 extension: Microsoft Teams PowerShell Module. Details can be found here: https://support.cayosoft.com/hc/en-us/articles/360055917372 | The Microsoft Teams module should be installed. Please see step-by-step instructions. |
| The operation couldn't be performed because object 'GUID' couldn't be found on 'DB5PR05A008DC05.EURPR05A008.PROD.OUTLOOK.COM'. | The error may occur because the settings are applied not only to the team itself but also to the created Office 365 group and this group may not be created yet. To avoid this error increase the Cloud back-end services replication delay setting in New Team Web Action. For resolution, please see step-by-step instructions. |
SharePoint Online connection issues
| Issue | Requirements |
|---|---|
| | Add a registry subkey to the client computer |
Microsoft 365 connection issues
| Issue | Requirements |
|---|---|
| Error: Relative URIs are not supported in the creation of the remote sessions. | |
Verify Microsoft 365 connection account
Log in to the Office Portal with the Microsoft 365 connection account
Requirements:
Credentials provided for Microsoft 365 connection account must be valid to log on to Microsoft Admin Portal. If there is a prompt to complete a password reset it must be completed.
How to check:
Open the Microsoft 365 Admin Panel and reset the password for the Microsoft 365 connection account. Make sure to clear the checkbox Make this user change their password when they first sign in.
Log on to https://portal.office.com with the new password for the Microsoft 365 connection account to confirm that the credentials are valid.
Open the Cayosoft Administrator Console.
Click [...] button next to the account.
Specify a new password for Microsoft 365 connection account.
Restart the Cayosoft Administrator Service to make sure all sessions are fully re-established.
How to check if the account password is set to never expire
You can check whether the account password is set to never expire, and set it if it is not. The native Microsoft 365 Admin Center does not provide a user interface for this, so you have 2 options:
Using PowerShell, as described here: Set an individual user's password to never expire - Microsoft.
Using the Cayosoft Web Portal, after you reset the password. After that, Cayosoft Administrator re-establishes the connection to Microsoft 365:
Open the Web Portal.
Navigate to Microsoft 365 > Users.
Search for the connection account used to connect to Microsoft 365.
Click the Reset Password action.
Check the Password never expires option.
Check Microsoft 365 settings in the Cayosoft Administrator Console
Requirements:
The Microsoft 365 extension must be enabled.
Valid Microsoft 365 credentials must be provided as the Microsoft 365 connection account. Run Check Settings and the Run Components Check, and resolve any reported errors.
How to check:
In Cayosoft Administrator console, navigate to Microsoft 365 extension settings.
Check that the Microsoft 365 credentials are not empty. This is the account used to connect to Microsoft 365. The steps listed below verify that this account is configured properly.
Click the Check Settings command from the menu in the right pane and confirm it completes without an error.
NOTE: This command validates the specified settings and verifies:
The account credentials are correct.
Connection account role membership.
Connection to Exchange Online.
If the Check Settings command completes successfully but you still get the error in the Web Portal, troubleshoot the Exchange Online connection. Please see the step-by-step instructions in sections 1.5 and 1.6.
Run the Run Components Check and confirm all required components are installed.
Check if Microsoft 365 connection account is a cloud-only account
Requirements:
The Microsoft 365 connection account must be a cloud-only account, i.e. an account that is not synchronized with Azure AD Connect.
How to resolve:
Navigate to https://login.microsoftonline.com.
Open Microsoft 365 Admin Center, then open the list of Active users.
Locate the Microsoft 365 connection account in the list. Make sure the Sync Type column states In cloud for the account.
Validate Microsoft 365 connection account for MFA enforcement
Requirements:
The Microsoft 365 connection account must be excluded from MFA enforcement.
How to resolve:
Cayosoft Administrator can automatically validate the Microsoft 365 connection account and check whether it is enrolled in MFA. However, some additional configuration steps are required:
In Cayosoft Administrator Console, navigate to Home > Configuration > Connected Systems Extensions > Microsoft 365.
Click the [...] button next to Microsoft 365 credentials.
On the Specify Credentials window, click Validate to check whether the Microsoft 365 connection account is enrolled in MFA.
Perform the steps described in these articles:
Verify the Global Administrator role for the Microsoft 365 connection account
Requirements:
The Microsoft 365 connection account must be assigned the Global administrator role in Microsoft 365 (Azure AD). For more details, please see the Permissions required for AD and Microsoft 365 accounts used by Cayosoft Administrator article.
How to check:
In the Microsoft 365 Admin Portal, select the account you intend to use as the connection account for Cayosoft Administrator.
Open the Roles dialog for the selected account.
Make sure the Global administrator role is assigned.
Review the following Microsoft article: (Access is denied) error when you connect to Exchange Online by using remote Windows PowerShell for details on ensuring the administrative account has Microsoft 365 Administrative Credentials.
Verify Exchange Online roles for the Microsoft 365 connection account
Requirements:
The Microsoft 365 connection account must be a member of the Organization Management role in Exchange Online.
How to check:
In the Microsoft 365 Admin Portal, expand the Admin centers navigation group and select Exchange to go to Exchange Admin Center.
Select Roles > Admin roles menu item.
Find the Organization Management role group and click the Assigned tab.
Make sure the Microsoft 365 connection account is present in the list. If the connection account is a member of the Global Administrators Azure role, the presence of the group Company Administrator in the list is sufficient.
Verify Organization Management role group in Exchange Online has all default roles enabled
Requirements:
Ensure that the Organization Management role group in Exchange Online has all default roles enabled. If you disable some default roles, the Cayosoft Administrator connection account can lose access to required functions, and you will get errors that some PowerShell commands are not found.
How to check:
In the Microsoft 365 Admin Portal, expand the Admin Centers navigation group and select Exchange to go to Exchange Admin Center.
Select Roles > Admin roles menu item.
Find the Organization Management role group and click the Permissions tab.
Make sure that you have all the permissions from the list in this article for the Organization Management role group selected.
Verify Access Control policies are enforced in SharePoint online
How to check:
Sign in to the Access control page of the SharePoint admin center.
Check Unmanaged devices and Apps that don't use modern authentication policies:
If the Unmanaged devices policy is set to anything other than Allow full access, you need to make the computer running Cayosoft Administrator a managed device, i.e. you need to join it to Azure AD.
If the Apps that don't use modern authentication policy is set to Block access, check that Modern authentication is enabled in the Microsoft 365 extension in the Cayosoft Administrator console.
If the error persists, add the registry subkey on the client computer to force modern authentication, which resolves the connection errors to SharePoint Online. For details, please see the article Troubleshooting connection to SharePoint Online.
Verify required software components and system settings
Verify required software components
Requirements:
The Exchange Online PowerShell module is required to connect to and manage Microsoft Entra ID, Microsoft 365, and Exchange Online.
How to check:
On the server where the Cayosoft Administrator Service is deployed, run the Cayosoft Requirements Check tool.
Verify the Exchange Online PowerShell Module (EXO V3) is marked as <Installed>.
Test connection.
Verify PowerShell remoting is enabled
Requirements:
PowerShell Remoting must be enabled.
How to check:
Click Start (or press the Windows logo key). The Windows Start menu or Start screen appears.
Run the PowerShell ISE as administrator.
Run the following script:
Enter-PSSession -ComputerName localhost
No warnings or messages should appear; only the command prompt should be visible.
How to resolve:
If a warning message appears, enable PowerShell Remoting:
Enable-PSRemoting
Verify PowerShell Execution Policy is Unrestricted or RemoteSigned
Requirements:
The PowerShell Execution Policy must be set to Unrestricted or RemoteSigned.
How to check:
Run PowerShell ISE as administrator.
In the PowerShell ISE window, run the following script:
Get-ExecutionPolicy
One of the following values must be returned:
Unrestricted
or
RemoteSigned
How to resolve:
If the system does not return Unrestricted or RemoteSigned, use the following command to set the policy:
Set-ExecutionPolicy RemoteSigned
Verify Windows Remoting (WINRM) is Enabled
Requirements:
The Windows Remoting service must be started.
How to check:
Run the PowerShell ISE as administrator.
Run the following script:
Get-Service winrm
The output should show that the service is running.
How to resolve:
If the system indicates WINRM is not running, run the following command to start the service:
net start winrm
Verify Basic Authentication is Enabled for Windows Remoting (WINRM)
Requirements:
For versions 9.x and earlier, Basic Authentication must be enabled for Windows Remoting on the machine running Cayosoft Administrator. This is a Microsoft requirement for Exchange Online: About the Exchange Online PowerShell V2 module and V3 module | Microsoft Learn
Cayosoft Administrator uses the newer EXO module and REST-based commands that do not require Basic authentication in WinRM.
How to check:
Run the PowerShell ISE as administrator.
Run the following script:
winrm get winrm/config/client/auth
Check if the Basic parameter is set to true.
How to resolve:
If Basic = false is displayed, run the following command to enable Basic Authentication:
winrm set winrm/config/client/auth '@{Basic="true"}'
If Basic = false [Source = "GPO"] is displayed, find the Group Policy that applies the setting and disable it, then set Basic = true:
Get all available information about Group Policy. It includes detailed settings that were applied with a precedence of 1 and higher:
gpresult /z
When you have found the Group Policy, disable it.
Update group policy:
gpupdate /force
Run the following script to enable Basic Authentication:
winrm set winrm/config/client/auth '@{Basic="true"}'
Restart the Cayosoft Administrator Service.
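The host checks in this section (EXO module, execution policy, WinRM service, WinRM client Basic authentication) can be collected into one read-only report. This is an added example, not Cayosoft's or Microsoft's code; the function names are hypothetical, and it assumes the EXO V3 module is installed under the name ExchangeOnlineManagement.

```powershell
# Added example: read-only audit of the host prerequisites described above.
# Function names are hypothetical; run elevated on the Administrator Service host.
function New-CheckResult {
    param([string]$Check, [bool]$Ok, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

function Test-HostPrerequisite {
    param(
        # Set only for Cayosoft Administrator 9.x and earlier, where the page
        # requires Basic authentication on the WinRM client.
        [switch]$RequireBasicAuth
    )

    # Exchange Online PowerShell module (EXO V3 is ExchangeOnlineManagement 3.x)
    $exo = Get-Module -ListAvailable -Name ExchangeOnlineManagement |
        Sort-Object Version -Descending | Select-Object -First 1
    $exoDetail = if ($exo) { "version $($exo.Version)" } else { 'not installed' }
    New-CheckResult 'EXO V3 module' ($null -ne $exo -and $exo.Version.Major -ge 3) $exoDetail

    # Effective execution policy, plus the scope that sets it. A policy coming
    # from MachinePolicy or UserPolicy is set by Group Policy, and
    # Set-ExecutionPolicy cannot override it.
    $policy = [string](Get-ExecutionPolicy)
    $scope = Get-ExecutionPolicy -List |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1 -ExpandProperty Scope
    New-CheckResult 'Execution policy' ($policy -in 'Unrestricted', 'RemoteSigned') "$policy (scope: $scope)"

    # WinRM service state
    $svc = Get-Service -Name WinRM
    New-CheckResult 'WinRM service' ($svc.Status -eq 'Running') ([string]$svc.Status)

    # WinRM client Basic authentication and where the value comes from.
    # The WSMan: drive is only readable while the WinRM service is running.
    try {
        $basic = Get-Item -Path WSMan:\localhost\Client\Auth\Basic -ErrorAction Stop
        $enabled = $basic.Value -eq 'true'
        $source = if ($basic.SourceOfValue) { $basic.SourceOfValue } else { 'local configuration' }
        $ok = $enabled -or -not $RequireBasicAuth
        New-CheckResult 'WinRM client Basic auth' $ok "Basic=$($basic.Value); source: $source"
    } catch {
        New-CheckResult 'WinRM client Basic auth' $false "could not read the WSMan drive: $($_.Exception.Message)"
    }
}

Test-HostPrerequisite | Format-Table -AutoSize -Wrap
```

Pass -RequireBasicAuth only on hosts running version 9.x or earlier; without it the Basic authentication row reports the current value and its source without treating a disabled setting as a failure.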
Test connection to Azure Cloud Services outside of Cayosoft Administrator
To eliminate the possibility that Firewall, Proxy, PowerShell, or other environmental problems are preventing Cayosoft Administrator from connecting to Azure Cloud Services, open the PowerShell ISE as Administrator and run the scripts below.
For each Azure service, use Microsoft 365 connection account that is specified in the Cayosoft Administrator Console > Home > Configuration > Connected Systems Extensions > Microsoft 365.
Exchange Online
Stop the Cayosoft Administrator Service before connecting to Exchange Online to avoid the host processes limit.
Stop-Service CayoAdminService
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Connect-ExchangeOnline
Microsoft Teams
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Connect-MicrosoftTeams
SharePoint Online
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$credential = Get-Credential
Connect-SPOService -Url https://contoso-admin.sharepoint.com -Credential $credential
Cayosoft Graph
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Connect-CGraphAdminService -Server '<Server name>'
Next Steps
If the connection was successful, but you still experience problems, please contact Cayosoft Support for additional assistance.
If the connection failed, please verify that Antivirus, Firewall or Proxy settings are not preventing this computer from connecting to Microsoft 365.
Check Cayosoft Administrator Configuration
Verify Microsoft 365 API URL is specified
How to check:
In the Cayosoft Administrator Console, navigate to Home > Configuration > Connected Systems Extensions > Microsoft 365.
Open the Advanced Settings section.
Check that the Microsoft 365 API URL (Advanced) setting has the value https://outlook.office365.com/powershell-liveid/
How to resolve:
If the value is empty, copy/paste this value and save the changes.
The maximum number of Exchange Online connections exceeded
NOTE: Each Cayosoft Server should have its own set of service accounts for all managed platforms: Active Directory, Microsoft 365, Exchange Server on-premise, etc.
If you need to run a diagnostic script, stop the Cayosoft Administrator Service to avoid exceeding the maximum number of connections.
You might get this error because of the limit on the number of sessions to Exchange Online. A maximum of three simultaneous remote PowerShell connections to an Exchange Online organization is allowed. Wait 30 minutes; after that, unused sessions are closed and the error is no longer displayed.
Appendix
Error: Data returned by the remote Get-FormatData command is not in the expected format
This is a known issue related to Exchange Online sessions introduced by Microsoft. It appears only on some Microsoft 365 tenants. Cayosoft Administrator re-creates Exchange Online sessions on start and again after they expire.
Because of this problem, new Exchange sessions cannot be re-created. For more details, please read this post: Cannot connect to exchange online via powershel.
According to the post, this issue might resolve itself after some time. In version 7.3.0, the new Apply fix for Get-FormatData error setting was added to the Advanced Settings section of the Microsoft 365 extension:
1. In the Cayosoft Administrator Console, navigate to Home > Configuration > Connected Systems Extensions > Microsoft 365.
2. Expand the Advanced Settings section.
3. Set Apply fix for Get-FormatData error to Try 2nd workaround.
4. Click Save Changes.
5. Restart the Cayosoft Administrator Service.
If the issue is still not resolved, select Try 1st workaround in step 3.