Overview 💥
A 401 Unauthorized error in Liongard’s Microsoft 365 inspectors indicates an authentication or permission issue when connecting to Microsoft services.
Two primary types of 401 errors are commonly observed:
1️⃣ SSO Token Retrieval Failure
Unable to get Microsoft access_token (SSO auth). Request failed with status code 401 calling https://login.microsoftonline.com/<tenant-guid>/oauth2/v2.0/token
This typically occurs when the account attempting to authenticate does not meet Microsoft security requirements (e.g., MFA not enforced), preventing the inspector from obtaining a valid OAuth token.
2️⃣ Graph API Call Failure
Inspection failed at https://graph.microsoft.com/<endpoint> with status code 401: Request failed with status code 401.
This indicates a permission or consent issue within Microsoft 365 itself. The account successfully retrieves a token but does not have access to the requested resource.
⚠️ Important: In both cases, this is not a defect in Liongard. These errors reflect Microsoft authentication, token, or permission configurations.
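The two error shapes quoted above are easy to confuse in a busy inspector log. The following helper, added here as an illustration and not part of Liongard's product or the original article, classifies a failure message as a token-endpoint 401 or a Graph-call 401 and maps each to the corresponding resolution step. The sample messages are constructed from the two shapes shown above; the tenant GUID and endpoint path are placeholders, not real values.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample messages modelled on the two 401 shapes quoted in the article.
# The all-zero tenant GUID and the /v1.0/users path are placeholders.
SAMPLE_MESSAGES = [
    "Unable to get Microsoft access_token (SSO auth). Request failed with status code 401 "
    "calling https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token",
    "Inspection failed at https://graph.microsoft.com/v1.0/users with status code 401: "
    "Request failed with status code 401.",
    "Inspection failed at https://graph.microsoft.com/v1.0/users with status code 403: "
    "Request failed with status code 403.",
]

TOKEN_HOST = "login.microsoftonline.com"
GRAPH_HOST = "graph.microsoft.com"

URL_RE = re.compile(r"https://([a-z0-9.-]+)(/[^\s]*)?")
STATUS_RE = re.compile(r"status code (\d{3})")


@dataclass
class Triage:
    category: str            # "sso_token_retrieval", "graph_api_call" or "other"
    status: Optional[int]
    host: Optional[str]
    path: Optional[str]
    likely_cause: str
    next_step: str


def triage_401(message: str) -> Triage:
    """Classify an inspector failure message into the two 401 shapes the article
    describes and point at the resolution steps it recommends for each."""
    status_match = STATUS_RE.search(message)
    status = int(status_match.group(1)) if status_match else None
    url_match = URL_RE.search(message)
    host = url_match.group(1) if url_match else None
    path = url_match.group(2) if url_match else None

    if status != 401:
        return Triage("other", status, host, path,
                      "Not a 401; outside the scope of this runbook.",
                      "Read the actual status and message from the inspector log.")
    if host == TOKEN_HOST and path and path.endswith("/oauth2/v2.0/token"):
        # Shape 1: the token endpoint itself refused the sign-in, so no token exists yet.
        return Triage("sso_token_retrieval", status, host, path,
                      "Token endpoint rejected the sign-in; typically MFA is not enforced on the account.",
                      "Step 1 (verify MFA enforcement), then Step 4 (re-authenticate in a private browser).")
    if host == GRAPH_HOST:
        # Shape 2: a token was issued, but the resource refused it.
        return Triage("graph_api_call", status, host, path,
                      "Token issued but the account lacks access to the Graph resource (GDAP or app permissions).",
                      "Step 2 (confirm GDAP relationships) and Step 5 (confirm Graph API permissions).")
    return Triage("other", status, host, path,
                  "401 from an unexpected host.",
                  "Confirm the inspector is configured against Microsoft endpoints.")


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        t = triage_401(m)
        print(f"{t.category:22} status={t.status} host={t.host} -> {t.next_step}")
```

Running the block prints one triage line per sample message; the 403 sample is deliberately included to show that the helper does not force every failure into the 401 runbook.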
Why Does This Happen? 🤔
1️⃣ Microsoft Multi-Factor Authentication (MFA) Requirements
To connect to Microsoft Partner Center and Graph API, the account used by the Liongard inspector must have MFA enforced.
Even if third-party MFA solutions (Okta, Duo, OneLogin) are used, Microsoft requires MFA enforcement on the account registering the Liongard app.
Without MFA, SSO token retrieval fails, producing 401 errors.
MFA ensures the token returned contains the necessary claims for Microsoft Graph API and GDAP access.
2️⃣ GDAP Relationships
Granular Delegated Admin Privileges (GDAP) must be established between partner and customer tenants for Liongard inspectors to access customer data.
Without proper GDAP relationships, Graph API calls fail with 401, even if MFA is enabled.
3️⃣ Token Caching or Browser Issues
Cached credentials may prevent a fresh token from being retrieved.
4️⃣ Permissions Issues
Even with MFA and GDAP, 401 errors may occur if:
The user is missing required roles in Partner Center.
Conditional Access Policies block authentication from certain IPs.
Security Defaults in Azure AD are misconfigured.
Steps To Resolve 👨‍💻
Step 1: Verify MFA Enforcement
Sign in to Azure AD Conditional Access.
Confirm a policy enforcing MFA exists for the account used by Liongard.
If missing, ensure Security Defaults are enabled or consult your security officer.
Step 2: Confirm GDAP Relationships
Verify GDAP relationships between your partner tenant and customer tenants.
Follow Microsoft documentation or Liongard’s GDAP setup guide.
Step 3: Validate Token Retrieval
Open Microsoft Graph Explorer in a private browser.
Sign in with the account used for the parent inspector.
Run the following query:
GET https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminCustomers
If the output shows the following (or similar):
{
  "error": {
    "code": "unauthorized",
    "message": "You are not authorized to access the resource.",
    "innerError": {
      "code": "unauthorizedMissingMfaTokenClaim",
      "message": "The MFA claim was missing in the token."
    }
  }
}
✅ This confirms an MFA or token-claim issue.
Verify Conditional Access policies or Security Defaults are applied correctly.
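Besides running the Graph Explorer query, a defender can inspect the access token the account actually received and the Graph error body it got back. The block below is an added illustration, not code from Liongard or the original article. It decodes a JWT payload without verifying the signature (acceptable only for a token you obtained yourself, never for accepting tokens from others) and checks for an MFA claim. The article does not name the claim; this example assumes the `amr` (authentication methods reference) claim, which Microsoft Entra tokens use to list the methods performed, with `mfa` present when multi-factor authentication occurred. The audience values checked are the Microsoft Graph URL and Graph's well-known application ID. The demo token and error body are constructed.

```python
import base64
import json
import time
from typing import Dict, List, Optional

# Constructed fixed clock and sample claims for an offline demonstration.
NOW = 1_700_000_000
PWD_ONLY_CLAIMS = {  # sign-in completed with a password only: no "mfa" in amr
    "aud": "https://graph.microsoft.com", "exp": NOW + 3600,
    "amr": ["pwd"], "upn": "inspector@partner.example",
}
MFA_CLAIMS = {       # sign-in completed password + MFA
    "aud": "https://graph.microsoft.com", "exp": NOW + 3600,
    "amr": ["pwd", "mfa"], "upn": "inspector@partner.example",
}
# Constructed Graph error body, shaped like the one the article quotes.
GRAPH_ERROR_BODY = json.dumps({"error": {
    "code": "unauthorized",
    "message": "You are not authorized to access the resource.",
    "innerError": {"code": "unauthorizedMissingMfaTokenClaim",
                   "message": "The MFA claim was missing in the token."},
}})

# "https://graph.microsoft.com" and Graph's well-known app ID are both valid audiences.
GRAPH_AUDIENCES = ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.
    Only for inspecting a token you obtained yourself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_mfa_claims(claims: Dict, now: Optional[float] = None) -> List[str]:
    """Return the problems that would explain a Graph 401; an empty list means the
    token is unexpired, targets Graph, and carries an MFA entry in amr."""
    problems = []
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        problems.append("token is expired; re-authenticate to obtain a fresh one")
    aud = claims.get("aud")
    if aud not in GRAPH_AUDIENCES:
        problems.append(f"audience {aud!r} is not Microsoft Graph")
    amr = claims.get("amr", [])
    if "mfa" not in amr:
        problems.append(f"amr={amr} has no 'mfa' entry; MFA was not performed for this sign-in")
    return problems


def make_demo_token(claims: Dict) -> str:
    """Build a constructed, UNSIGNED demo token (alg 'none', dummy signature) so the
    checks above can be exercised offline. Real Entra tokens are RS256-signed."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.sig"


def graph_error_indicates_missing_mfa(body: str) -> bool:
    """True when a Graph error body carries the innerError code quoted in Step 3."""
    try:
        err = json.loads(body).get("error", {})
    except json.JSONDecodeError:
        return False
    return err.get("innerError", {}).get("code") == "unauthorizedMissingMfaTokenClaim"


if __name__ == "__main__":
    for label, claims in (("password-only", PWD_ONLY_CLAIMS), ("password+MFA", MFA_CLAIMS)):
        token = make_demo_token(claims)
        print(label, "->", check_mfa_claims(decode_jwt_claims(token), now=NOW) or "OK")
    print("Graph body points at missing MFA claim:", graph_error_indicates_missing_mfa(GRAPH_ERROR_BODY))
```

When run against a real token copied from your own session, an empty problem list combined with a Graph 401 points away from MFA and towards GDAP or application permissions (Steps 2 and 5); a missing `mfa` entry points at Conditional Access or Security Defaults (Step 1).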
Step 4: Clear Cached Credentials in Liongard
Log in to Liongard via an Incognito / private browser window.
Go to Admin → Inspectors → Microsoft 365
On the Parent Inspector, click Edit under the Actions dropdown.
Scroll down and find the "Open Microsoft Sign-In" button. Click this button and re-authenticate.
Ensure the MFA prompt is displayed and successfully completed.
Save and re-run the Parent Inspector in Clear Cache + Debug Mode, followed by Child Inspector(s).
Step 5: Confirm Permissions for Graph API Endpoints
Check the account has appropriate roles and consent to access Graph endpoints required by the inspector.
Verify that the Liongard Enterprise application on the Child Tenant has the correct permissions assigned.
Missing permissions may cause 401 during Graph API calls even if token retrieval succeeded.
Step 6: Validate Liongard Agent Health (if using self-managed agent)
Go to Admin → Agents.
Ensure the agent is running and healthy.
Confirm recent inspections do not fail due to connectivity issues.
‼️ Disclaimer
This article references third-party documentation published by Microsoft for informational purposes only. External documentation is owned and maintained by the respective vendor and may change without notice. Liongard does not control or guarantee the accuracy, availability, or future behavior of third-party APIs, features, or documentation referenced herein.
Summary 🎯
401 errors in Microsoft 365 inspectors occur due to:
Missing MFA claims or incomplete SSO authentication
Missing GDAP relationships or delegated admin permissions
Insufficient Graph API permissions
Cached credentials causing invalid tokens
Resolution:
Ensure Microsoft MFA enforcement for the account registering Liongard app.
Confirm GDAP relationships are correctly established.
Authenticate via Incognito / private browser to generate a fresh token.
Validate Graph API permissions for the account.
Re-run Parent and Child Inspectors to confirm connectivity.
By following these steps, you ensure proper authentication, minimize repeated 401 errors, and achieve accurate Microsoft 365 data collection.