Error codes
Below are error codes that can occur in CIPP. Use this page to troubleshoot the error code you received.
- 1. The account you use to generate your SAM tokens for CIPP must have Microsoft (Azure AD) MFA enabled; it can't use third-party MFA.
- 2. You can't have the "Allow users to remember multi-factor authentication on devices they trust" option enabled in the classic MFA admin portal in the partner tenant.
- 3.
The required license for this feature is not available for this tenant. Check the tenant's license information to ensure that it has the necessary license for the requested operation. This is most often seen with security tasks that require M365 BP or Azure AD P1.
This feature requires a P1 license or higher. Check the license information of your client's tenant to ensure that they have the necessary licenses.
Error 400 occurred. There is an issue with the request. Most likely an incorrect value is being sent. If you receive this error with a permissions check, please redo your SAM setup. In the case of a CPV refresh you may get this code if you are using Duo as an MFA solution.
This occurs when GDAP has been deployed, but the user is not in any of the GDAP groups.
There is no Exchange subscription available, so Exchange connections are no longer possible.
The relationship between this tenant and the partner has been dissolved from the client side. Check the partner relationship information and ensure that it is still active. This error also occurs when a GDAP relationship has expired or is not configured correctly.
Multiple Potential Causes:
- 1. The user has not authorized the CIPP-SAM Application. Use the Settings -> Tenants -> Refresh button to refresh the permissions.
- 2. The user that was used for the CIPP Authorisation is a guest in this tenant.
- 3. You have not added the user to the correct group(s) for CIPP to function. See SAM Setup for more information.
Multiple Potential Causes:
- The user has not authorized the CIPP-SAM Application. Use the Settings -> Tenants -> Refresh button to refresh the permissions.
- The user that was used for the CIPP Authorization is a guest in this tenant.
- A Conditional Access policy may be blocking your access. Add your CSP tenant as a serviceProvider exception.
- You have not added the user to the correct group(s) for CIPP to function. See SAM Setup for more information.
These errors may also appear in a form similar to the messages below. The steps above still apply in these cases:
- The user you have used for your Secure Application Model is a guest in this tenant, or your are using GDAP and have not added the user to the correct group. Please delete the guest user to gain access to this tenant.
- User account from identity provider does not exist in tenant and cannot access the application in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
You have not finished the SAM Setup wizard - CIPP cannot connect to the API with the current credentials.
This error can appear when performing a tenant access check. Try a GDAP check to see if you have the correct permissions in place. When you do, try a CPV refresh; if the CPV refresh fails with an error, it most likely means we do not have write access to the tenant.
The user does not have sufficient access rights to perform the operation or is missing the necessary Exchange role. Check the user's access rights and Exchange role information. When using GDAP, the user must be in the "Exchange Administrators" group.
When executing the first authorization for CIPP, a trusted device was used. This device has been deleted from the Intune portal. Reauthorization is required by using the SAM Wizard "I'd like to refresh my tokens" option.
The user that authorized the CSP or Graph API connection has had their password changed, sessions revoked, or account disabled. Reauthorization is required by using the SAM Wizard "I'd like to refresh my tokens" option.
This error can have two causes.
- 1. The user has not had MFA set up when performing authorization.
- 2. The client has Conditional Access policies blocking CIPP's access. See the chapter about Conditional Access to resolve.
This error occurs when a Conditional Access Policy has set the maximum lifetime. The suggested fix is to change the Conditional Access Policy to exclude "Service Provider users". See the chapter about Conditional Access for how to resolve this.
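The Conditional Access causes described above (a policy blocking CIPP, or one setting a maximum lifetime) can be checked offline against an export of a client's policies. This is an added example, not CIPP code: it assumes policies shaped like Microsoft Graph conditionalAccessPolicy objects, treats "All users" as including service provider users, and runs on constructed policies with a placeholder tenant ID.

```python
# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects; the tenant ID and policy names are placeholders, not real values.
PARTNER_TENANT = "11111111-1111-1111-1111-111111111111"
SP_EXCLUSION = {"guestOrExternalUserTypes": "b2bCollaborationGuest,serviceProvider",
                "externalTenants": {"membershipKind": "enumerated",
                                    "members": [PARTNER_TENANT]}}
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Sign-in frequency 8h", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "value": 8, "type": "hours"}}},
    {"displayName": "Block untrusted locations", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeGuestsOrExternalUsers": SP_EXCLUSION}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Report-only block", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["block"]}},
]

def covers_partner(scope, partner_tenant):
    """True if a guests/external-users scope names serviceProvider users of the partner."""
    if not scope:
        return False
    types = [t.strip() for t in (scope.get("guestOrExternalUserTypes") or "").split(",")]
    tenants = scope.get("externalTenants") or {"membershipKind": "all"}
    in_tenant = (tenants.get("membershipKind") == "all"
                 or partner_tenant in tenants.get("members", []))
    return "serviceProvider" in types and in_tenant

def policies_affecting_partner(policies, partner_tenant):
    """List enforced policies that reach partner users without a serviceProvider exclusion."""
    findings = []
    for policy in policies:
        users = policy.get("conditions", {}).get("users", {})
        targeted = ("All" in users.get("includeUsers", [])
                    or covers_partner(users.get("includeGuestsOrExternalUsers"), partner_tenant))
        excluded = covers_partner(users.get("excludeGuestsOrExternalUsers"), partner_tenant)
        if policy.get("state") != "enabled" or not targeted or excluded:
            continue
        controls = (policy.get("grantControls") or {}).get("builtInControls", [])
        frequency = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
        reasons = ["blocks access"] if "block" in controls else ["requires " + c for c in controls]
        if frequency.get("isEnabled"):
            reasons.append("limits session lifetime")
        findings.append((policy["displayName"], reasons))
    return findings
```

Policies returned by `policies_affecting_partner` are the candidates for adding the serviceProvider exclusion; report-only policies and policies that already exclude the partner tenant are skipped.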
The refresh token could not be retrieved and stored. The user must reauthorize.
This error occurs when CIPP cannot write to the errors table. Clear your tenant cache from the settings menu and try again. You might also receive this error when a tenant access check has failed; the only way to clear the Last Graph Error is by removing the tenant cache.
This occurs when the app has existed for more than 2 years and requires a new certificate or secret, or when a secret has been expired manually.
- 2. Find and click on your app
- 3. Navigate to "Certificates & secrets"
- 4. Click "+ New client secret"
- 5. Enter a description, choose an expiration, and click "Add"
- 6. Copy the new client secret value
- 7. Go to CIPP -> Settings -> SAM Wizard
- 8. Use the option "I have an existing application and would like to enter my keys"
- 9. Enter only the new secret and click Next.
- Find your repository secret by going to your CIPP Repository, go to "settings" (cog icon along the top), click on "Secrets and variables" in the left menu, then "actions"
- Note down the name of your repository secret (should be similar to "AZURE_STATIC_WEB_APPS_API_TOKEN_RANDOM_WORD_047D97703")
- Create a new file (name doesn’t matter as long as it ends in .yml) in your .github/workflows folder
- Edit lines 25 and 44 to your repository secret name noted down in step 2 above
- Find your repository secret by going to your CIPP-API Repository, go to "settings" (cog icon along the top), click on "Secrets and variables" in the left menu, then "actions"
- Note down the name of your repository secret (should be similar to "AZUREAPPSERVICE_PUBLISHPROFILE_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
- Create a new file (name doesn’t matter as long as it ends in .yml) in your .github/workflows folder
- Edit lines 4 and 26 so they contain your function name
- Edit line 29 to your repository secret name noted down in step 2 above