Troubleshooting missing Entra ID permissions after product update

Symptoms

After upgrading Cayosoft Guardian a health check reports issues related to Entra ID permissions.

Cause

Cayosoft Guardian cannot automatically re-grant permissions when the Entra ID service account is operating in Read-Only (RO) mode.

When a new Entra ID permission is introduced in a product update (for example, ProfilePhoto.Read.All in the current version), Guardian does not promote or re-consent permissions automatically for existing service accounts.

As a result:

• The permission is missing
• Guardian continues operating with the previously granted permission set
• Manual re-grant is required

Resolution

You must manually re-grant Entra ID permissions for the affected service account.

How to re-grant Entra ID permissions

1. Open the Cayosoft Guardian web portal.
2. Navigate to Configuration > Credentials.
3. Locate the Entra ID service account used by Guardian.
4. Open the credential Properties.
5. Click Grant access.
6. Complete the consent wizard.
7. Verify that the wizard completes successfully.

After re-granting permissions:

1. Run Health check on Managed tenant after consent is regranted.

2. Confirm that no Entra ID permission warnings are present.
3. Verify that the required permission (for example, ProfilePhoto.Read.All) appears in the Entra app registration.
4. Verify that affected functionality works as expected.