Troubleshooting

Step-by-step solutions for common issues. If your problem isn't listed here, submit a ticket.

Consent & Connection

Admin consent prompt shows "Need admin approval" and won't proceed
Likely cause

The signed-in user does not have Global Administrator or Privileged Role Administrator permissions in the tenant.

Resolution
  1. Sign in with a Global Administrator account to complete the consent flow
  2. If your organization restricts admin consent, ask your Azure AD administrator to approve the Veri-Tech enterprise application from the Entra admin center

Consent succeeded but the portal shows "No tenant connected"
Likely cause

The consent callback may not have completed due to a browser redirect issue or network interruption.

Resolution
  1. Try the consent flow again from the onboarding page — re-consent is safe and preserves existing permissions
  2. Clear your browser cache and cookies for veri-tech.net, then try again
  3. Check that your browser allows third-party cookies or has veri-tech.net whitelisted

"Tenant not found" error after signing in
Likely cause

You may be signed into a different Microsoft account than the one used during onboarding.

Resolution
  1. Sign out and sign back in, ensuring you select the correct Microsoft organizational account
  2. If you have multiple tenants, verify the tenant ID shown in your Veri-Tech dashboard matches the one you are trying to access

Scanning

Scan completes but shows significantly fewer controls than expected
Likely cause

Controls for disabled workloads (Exchange, Teams, Defender) are excluded. Controls requiring specific licenses (e.g., Entra ID P2) are skipped if the license is not detected.

Resolution
  1. Enable Exchange and Teams workload permissions in Settings → Tenant Permissions
  2. Verify your tenant has the required licenses (Entra ID P1/P2, Intune, Defender for O365)
  3. Check the scan details — controls marked "license-missing" indicate which prerequisites are not met

Scan fails with a permission error
Likely cause

One or more Graph API permissions may have been revoked or the admin consent may have expired.

Resolution
  1. Go to Settings → Tenant Permissions and click "Re-consent with Microsoft" to refresh permissions
  2. If workload scanning fails specifically, re-enable workload permissions from Settings
  3. Verify the Veri-Tech enterprise application still exists in your Entra admin center under Enterprise Applications

Exchange or Teams controls all show as "skipped"
Likely cause

Workload permissions (Global Reader role) have not been granted or were revoked.

Resolution
  1. Go to Settings → Tenant Permissions → Workload Permissions
  2. Enable Exchange Online and/or Microsoft Teams
  3. An administrator must approve the consent prompt to assign the Global Reader directory role

Remediation

"Break-glass accounts required" message when trying to remediate
Likely cause

Write permissions cannot be granted until at least one break-glass (emergency access) account is configured as a safety requirement.

Resolution
  1. Navigate to Compliance Hub → Break-Glass Accounts
  2. Register at least one emergency access account
  3. Return to the remediation page to proceed

Remediation job completes but some controls show as "failed"
Likely cause

Individual control remediation can fail due to tenant-specific restrictions, missing licenses, or Graph API throttling.

Resolution
  1. Review the job results to see the error details for each failed control
  2. Controls requiring specific licenses will fail if the license is not present — check prerequisites
  3. If failures are due to throttling (429 errors), wait a few minutes and retry
  4. Some controls may require manual intervention — follow the guidance provided in the runbook

Write permissions were not cleared after remediation
Likely cause

In rare cases, the token clear step may fail due to network issues. If you are using Always-On mode, write access is intentionally retained between jobs.

Resolution
  1. Go to Settings → Tenant Permissions to check write permission status
  2. If write access shows "Active" unexpectedly, click "Revoke Write Permissions" to manually clear the stored token
  3. Consider switching to JIT mode (recommended) for automatic token clearance after each job

Remediation fails with "Write access expired — re-consent required"
Likely cause

The delegated write token stored during your last consent has expired. Write tokens have a limited lifetime and must be refreshed by re-authorizing.

Resolution
  1. Click "Grant Write Access" on the remediation page to initiate a new delegated consent
  2. A Global Administrator must complete the Microsoft OAuth prompt — this takes under a minute
  3. Once re-authorized, retry the remediation job
  4. If you expect to run multiple jobs, grant access immediately before each one to minimize the chance of expiry

Veri-Tune (Intune)

Veri-Tune scan fails with "Insufficient privileges" error
Likely cause

Intune assessment requires specific Graph API permissions (DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All) that may not have been granted during initial consent.

Resolution
  1. Go to Settings → Tenant Permissions and click "Re-consent with Microsoft" to refresh permissions
  2. Ensure the Intune / Endpoint Management workload is enabled in Settings
  3. Verify the consenting administrator has at least Intune Administrator or Global Administrator role

Bulk policy assignment fails with "Authorization_RequestDenied"
Likely cause

Veri-Tune write operations require a separate delegated consent. The delegated token may have expired or consent was not completed.

Resolution
  1. Click "Grant Write Access" on the Veri-Tune remediation page to initiate JIT consent
  2. A Global Administrator must complete the Microsoft OAuth prompt — this is separate from the initial read-only consent
  3. The token is scoped to Intune only (DeviceManagementConfiguration, ServiceConfig, Apps) — it cannot affect M365 or identity policies
  4. If the error persists, check that the Veri-Tech enterprise application has not been restricted by a Conditional Access policy in your tenant

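
To check from the tenant side which Graph permissions the application holds, for the two scan scopes named under "Insufficient privileges" and for any write-capable scopes, the added example below (not Veri-Tech's own code) resolves application and delegated grants to permission names. The sample data is constructed, the GUIDs are placeholders, and because the page does not say which grant type the scan uses, both are reported.

```python
# Read scopes this page names for Veri-Tune scanning.
REQUIRED_READ = ("DeviceManagementConfiguration.Read.All",
                 "DeviceManagementManagedDevices.Read.All")

# Constructed sample data shaped like Microsoft Graph responses for the
# application's service principal. The GUIDs are placeholders, not real ids.
GRAPH_APP_ROLES = [  # appRoles of the Microsoft Graph service principal
    {"id": "00000000-0000-0000-0000-0000000000a1",
     "value": "DeviceManagementConfiguration.Read.All"},
    {"id": "00000000-0000-0000-0000-0000000000a2",
     "value": "DeviceManagementManagedDevices.Read.All"},
]
APP_ROLE_ASSIGNMENTS = [  # GET /servicePrincipals/{id}/appRoleAssignments
    {"appRoleId": "00000000-0000-0000-0000-0000000000a1"},
]
DELEGATED_GRANTS = [  # GET /servicePrincipals/{id}/oauth2PermissionGrants
    {"consentType": "AllPrincipals",
     "scope": "DeviceManagementConfiguration.ReadWrite.All Group.ReadWrite.All"},
]


def audit_grants(assignments, graph_roles, delegated):
    """Resolve both grant types to permission names and compare to the page."""
    names = {r["id"]: r["value"] for r in graph_roles}
    # Application permissions are stored as role ids; keep unknown ids visible.
    application = {names.get(a["appRoleId"], "unresolved:" + a["appRoleId"])
                   for a in assignments}
    # Delegated permissions are one space-separated string per grant.
    delegated_scopes = {s for g in delegated for s in (g.get("scope") or "").split()}
    granted = application | delegated_scopes

    def covered(read_scope):
        # A ReadWrite grant also permits the matching read operations.
        return (read_scope in granted
                or read_scope.replace(".Read.", ".ReadWrite.") in granted)

    return {
        "application": sorted(application),
        "delegated": sorted(delegated_scopes),
        "missing_read": [s for s in REQUIRED_READ if not covered(s)],
        "write_capable": sorted(s for s in granted if ".ReadWrite." in s),
    }
```

A non-empty `missing_read` points to re-consent; entries in `write_capable` are the grants to review against the JIT or Always-On mode you chose.
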
Veri-Tune remediation fails mid-job with "Write access expired"
Likely cause

Long-running Veri-Tune remediation jobs (typically those remediating 20+ controls) may exceed the write token lifetime if the job takes more than an hour.

Resolution
  1. The job will stop and report a token-expired error — your tenant will not be in a partially remediated state; only controls completed before expiry are applied
  2. Click "Grant Write Access" again on the remediation page to re-authorize
  3. Re-run the remediation job — previously-passing controls will be skipped on the next run

Veri-Tune shows "configured" score but "deployed" score is much lower
Likely cause

This is expected behavior. The "configured" score counts all policies that exist in your tenant, while the "deployed" score only counts policies assigned to device groups. A large gap means policies exist but are not assigned to any devices.

Resolution
  1. Review the unassigned policies listed in the Veri-Tune results — these are configured but not protecting any devices
  2. Open the dedicated assignment page at /tune/[jobId]/assign to pick per-platform target groups (Windows, macOS, iOS, Android) in one pass
  3. Use Policy Insights to spot unassigned overrides — policies that override another with no group targeting, a common cause of the "configured but not deployed" gap
  4. Consider creating a "Baseline Devices" group and assigning core security policies to it

Autopilot profile creation fails or profile name is rejected
Likely cause

Microsoft Intune rejects hyphens in Autopilot and Enrollment Status Page profile display names. Additionally, rapid consecutive profile creates may be throttled.

Resolution
  1. Remove hyphens from any profile display names — use spaces or underscores instead
  2. If creating multiple profiles, wait 10 seconds between each creation
  3. Verify you have Intune Administrator permissions for Autopilot profile management

Veri-Patch (Updates)

Compatibility scan shows no devices or "0 devices found"
Likely cause

Windows Update for Business (WUfB) reporting requires diagnostic data set to at least "Required" (formerly "Basic"). Devices that don't report telemetry won't appear in compatibility results.

Resolution
  1. Check the Prerequisites page to verify your diagnostic data configuration
  2. Use the telemetry setup wizard to create a Settings Catalog profile for diagnostic data
  3. If you already have a diagnostic data profile, ensure it's assigned to all target devices
  4. Allow 24-48 hours after deploying the profile for Microsoft to process device telemetry data

Device group sync fails with "Insufficient privileges" or 403 error
Likely cause

Group sync requires a separate JIT consent with Group.ReadWrite.All scope, and the target groups must be inside the designated Administrative Unit.

Resolution
  1. Click "Grant Group Sync Permissions" on the Reports page to initiate the dedicated consent flow
  2. Ensure the consenting admin has Global Administrator or Groups Administrator privileges
  3. Verify the target security groups are members of the Administrative Unit you configured
  4. If using AU scoping, confirm the Veri-Tech service principal has the Groups Administrator role scoped to that AU

Prerequisites page shows warnings but I believe my tenant is configured correctly
Likely cause

Prerequisites are informational checks — some may report warnings based on incomplete Graph API data or because the configuration was applied recently and hasn't propagated.

Resolution
  1. Prerequisites are not gating — you can proceed to the next step even with warnings
  2. Review each warning to confirm whether it applies to your environment
  3. Recently applied telemetry or enrollment changes may take up to 24 hours to reflect in the API
  4. Click "Next Step" to continue to compatibility scanning regardless of prerequisite status

Settings Catalog profile creation fails or the consent redirect doesn't complete
Likely cause

Creating Settings Catalog profiles requires DeviceManagementConfiguration.ReadWrite.All, which needs JIT delegated consent. Browser popup blockers or redirect issues can interrupt the consent flow.

Resolution
  1. Ensure your browser allows popups from veri-tech.net
  2. Try the consent flow again — the redirect URL persists your selections
  3. If the consent prompt doesn't appear, clear your browser cache for login.microsoftonline.com and try again
  4. Verify the consenting admin has Intune Administrator or Global Administrator role

Documents

Document download produces an empty or corrupted file
Likely cause

The document generation job may have partially failed, or the download was interrupted.

Resolution
  1. Try downloading the document again — intermittent network issues can corrupt downloads
  2. Check the job status on the Documents page — if the job status is not "succeeded," the output may be incomplete
  3. Re-run the SOP or assessment job to regenerate the documents

PDF export does not include company branding
Likely cause

Branding settings (logo, organization name) may not be configured.

Resolution
  1. Go to Settings → Branding and upload your company logo
  2. Set your organization name and preferred color scheme
  3. Re-generate the SOP — newly generated documents will include your branding

Permissions

Permission status shows "Revoked" but I didn't revoke anything
Likely cause

Another administrator in your organization may have removed consent from the Entra admin center, or an automated policy may have cleaned up unused enterprise applications.

Resolution
  1. Go to Settings → Tenant Permissions and click "Re-consent with Microsoft"
  2. Check your Entra audit logs for recent changes to the Veri-Tech enterprise application
  3. If your organization has enterprise application lifecycle policies, ensure Veri-Tech is excluded
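
The audit-log check in step 2, as an added example (not Veri-Tech's own code): it scans exported Entra directory audit records for events that remove consent or the application, and reports whether an administrator or an automated process initiated each one. The records are constructed, the enterprise application's display name "Veri-Tech" is an assumption, and the activity list is not exhaustive.

```python
import json

# Constructed records shaped like Microsoft Graph directoryAudit objects
# (GET /auditLogs/directoryAudits). All names, UPNs and times are made up.
SAMPLE_AUDITS = [
    {"activityDateTime": "2024-03-05T02:00:11Z",
     "activityDisplayName": "Remove service principal",
     "initiatedBy": {"user": None, "app": {"displayName": "App Lifecycle Cleanup"}},
     "targetResources": [{"displayName": "Veri-Tech", "modifiedProperties": []}]},
    {"activityDateTime": "2024-03-02T14:21:40Z",
     "activityDisplayName": "Remove delegated permission grant",
     "initiatedBy": {"user": {"userPrincipalName": "admin2@contoso.example"}, "app": None},
     "targetResources": [{"displayName": "Microsoft Graph", "modifiedProperties": [
         {"displayName": "ServicePrincipal.DisplayName",
          "oldValue": "\"Veri-Tech\"", "newValue": None}]}]},
    {"activityDateTime": "2024-01-10T09:03:00Z",
     "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "admin1@contoso.example"}, "app": None},
     "targetResources": [{"displayName": "Veri-Tech", "modifiedProperties": []}]},
    {"activityDateTime": "2024-03-04T11:00:00Z",
     "activityDisplayName": "Remove service principal",
     "initiatedBy": {"user": {"userPrincipalName": "admin1@contoso.example"}, "app": None},
     "targetResources": [{"displayName": "Other App", "modifiedProperties": []}]},
]

# Entra audit activities that take consent or the application away.
REVOKING = {"Remove delegated permission grant",
            "Remove app role assignment from service principal",
            "Remove service principal"}


def find_revocations(audits, app_name="Veri-Tech"):
    """Return revocation events that mention app_name, oldest first."""
    findings = []
    for ev in audits:
        if ev.get("activityDisplayName") not in REVOKING:
            continue
        # Grant events target the resource API, so the application may only
        # appear inside modifiedProperties; search the whole target list.
        if app_name.lower() not in json.dumps(ev.get("targetResources", [])).lower():
            continue
        by = ev.get("initiatedBy") or {}
        if by.get("user"):
            kind, actor = "admin", by["user"].get("userPrincipalName")
        elif by.get("app"):
            kind, actor = "automation", by["app"].get("displayName")
        else:
            kind, actor = "unknown", None
        findings.append({"when": ev["activityDateTime"], "kind": kind,
                         "actor": actor, "activity": ev["activityDisplayName"]})
    return sorted(findings, key=lambda f: f["when"])
```

A finding of kind "automation" corresponds to the lifecycle-policy cause in step 3; kind "admin" names the account to follow up with.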

Billing

Payment failed and my account shows as inactive
Likely cause

The credit card on file may have expired or been declined.

Resolution
  1. Go to the Billing page and update your payment method
  2. If using invoice billing, check with your accounts payable team
  3. Contact support@veri-tech.net if your account remains inactive after updating payment