Skip to main content

Microsoft 365 Inspector Failures Caused by Conditional Access or GDAP Configuration

Use this article when Microsoft 365 parent or child inspectors fail because the delegated authentication attempt is blocked or restricted by Microsoft Entra, Conditional Access, GDAP role assignments, or risky user policies.

Historically, some of these failures appeared as Error 400 in Liongard. The same underlying issue may now appear through different Microsoft authentication errors or AADSTS messages, so troubleshooting should focus on the sign-in failure and Microsoft Entra policy results rather than the HTTP error code alone.

Common symptoms

You may need this article if you see any of the following:

  • A Microsoft 365 child inspector fails while the parent inspector succeeds.

  • A delegated Microsoft 365 inspector fails during authentication or Microsoft Graph collection.

  • The error references Conditional Access, MFA, external users, service provider users, tenant access, or identity provider access.

  • Microsoft sign-in logs show a failed non-interactive sign-in from the parent tenant.

  • The error includes an AADSTS message such as AADSTS50177x or wording similar to: User account from identity provider does not exist in tenant.

  • The child tenant has Conditional Access policies that apply to external users, service provider users, MFA, location restrictions, or device requirements.

Important: do not create a guest user in the child tenant

Do not resolve this by creating a guest user in the child tenant for the parent tenant account used to authenticate the Microsoft 365 parent inspector.

In a properly configured GDAP relationship, the parent tenant user should not need to be manually added as a guest user in the child tenant. The correct troubleshooting path is to review the child tenant’s sign-in logs, identify the policy or access requirement blocking the delegated sign-in, and update the relevant Microsoft Entra or Partner Center configuration.

Prerequisites

Before troubleshooting child inspector failures, confirm the following:

  1. The Microsoft 365 parent inspector is authenticated successfully.

    • If cached credentials may be causing issues, open Liongard in an incognito/private browser window or a clean browser session.

    • Navigate to the Microsoft 365 parent inspector configuration.

    • Select Open Microsoft Sign-In and complete the Microsoft authentication flow.

    • Confirm that the account receives and completes the expected MFA challenge when required.

  2. The GDAP relationship exists and is active.

    • Confirm the customer relationship exists in Microsoft Partner Center.

    • Confirm the relationship is active and not expired.

  3. The required GDAP roles are assigned to the correct partner security group.

    • Directory Writers

    • Cloud Application Administrator

    • Privileged Role Administrator

  4. Run order is correct.

    • Run the Microsoft 365 parent inspector first.

    • After the parent inspector completes successfully, run the child inspector again.

Most common cause: Conditional Access policy in the child tenant

The most common cause is a Conditional Access policy in the child tenant that blocks the delegated authentication attempt from the parent tenant.

Examples include policies that require:

  • MFA

  • Compliant or hybrid-joined devices

  • Approved locations or network ranges

  • Specific authentication strength

  • Risk-based controls

  • Controls that apply to guest, external, or service provider users

When this happens, the child tenant’s sign-in logs usually identify the exact Conditional Access policy that blocked the authentication attempt.

Review the child tenant sign-in logs

  1. Sign in to the child/customer tenant in the Microsoft Entra admin center.

  2. Navigate to Protection > Conditional Access > Sign-in logs.

  3. Select the User sign-ins (non-interactive) log group.

    1. Xnip2023-07-10_13-57-32.jpg

  4. Look for the failed sign-in attempt from the parent tenant or service provider user.

    1. Xnip2023-07-10_13-59-31.jpg

  5. Open the failed sign-in event.

    1. Xnip2023-07-10_14-00-32.jpg

  6. Review the Basic info and Conditional Access tabs.

  7. Identify which Conditional Access policy failed and what requirement the sign-in did not satisfy.

Resolve Conditional Access failures

After identifying the blocking Conditional Access policy, update the policy to exclude the parent tenant as a service provider user.

  1. Open the Conditional Access policy that failed.

  2. Go to Assignments > Users.

  3. Under Exclude, select Guest or external users.

  4. In the external user type dropdown, select Service provider users.

  5. Choose Select external Azure AD organizations.

  6. Select the parent tenant organization.

    • If the parent tenant does not appear when searching by name, copy the parent tenant ID and search using the tenant ID instead.

    1. Xnip2023-07-10_14-02-49.jpg

  7. Save the policy.

  8. Re-run the Microsoft 365 child inspector.

If the child inspector still fails, review the child tenant sign-in logs again. More than one Conditional Access policy may apply to the same sign-in attempt.

Less common cause: risky user status

Less commonly, the account used to authenticate the Microsoft 365 parent inspector may be flagged as a risky user in the parent tenant.

To resolve this:

  1. Sign in to the parent tenant.

  2. Review risky user alerts in Microsoft Entra ID Protection.

  3. Confirm whether the parent inspector authentication account is flagged.

  4. Remediate or dismiss the risky user event according to your organization’s security process.

  5. Re-authenticate the Microsoft 365 parent inspector if needed.

  6. Run the parent inspector, then run the child inspector again.

Less common cause: missing GDAP roles

These failures can also occur if the GDAP admin relationship does not include the required role assignments or if the roles are not assigned to the correct partner security group.

For the current Microsoft 365 delegated application permission workflow, confirm that the admin relationship includes the following roles:

  • Directory Writers

  • Cloud Application Administrator

  • Privileged Role Administrator

Confirm that these roles are assigned to the appropriate partner security group in Microsoft Partner Center.

Recommended troubleshooting order

Use this order when troubleshooting Microsoft 365 child inspector failures:

  1. Confirm the parent inspector is authenticated and runs successfully.

  2. Run the child inspector again in debug + clear cache mode.

  3. If the child inspector fails, review the child tenant’s non-interactive sign-in logs.

  4. Identify the failed sign-in event from the parent tenant or service provider user.

  5. Review the Conditional Access tab on the failed sign-in event.

  6. If a Conditional Access policy failed, exclude the parent tenant using Guest or external users > Service provider users.

  7. Re-run the child inspector.

  8. If the issue persists, check for additional Conditional Access policies, risky user status, or missing GDAP role assignments.

Do and don’t

Do

  • Review the child tenant’s non-interactive sign-in logs.

  • Use the Conditional Access tab to identify the exact policy that failed.

  • Exclude the parent tenant as a Service provider user when appropriate.

  • Confirm the GDAP relationship is active.

  • Confirm the required GDAP roles are assigned.

  • Run the parent inspector before running the child inspector.

Don’t

  • Do not create a guest user in the child tenant for the parent tenant account.

  • Do not assume the issue is only related to Error 400.

  • Do not disable Conditional Access policies without reviewing the security impact.

  • Do not add unnecessary GDAP roles without confirming they are required.

  • Do not troubleshoot only in the parent tenant; the blocking policy is often in the child tenant.

Related documentation

Did this answer your question?