Troubleshooting Microsoft 365 (Office 365) connectivity
When you verify connection settings in the last step of the Exchange connection wizard, CodeTwo Backup performs the following actions: it registers itself in Microsoft Entra ID (Azure Active Directory) of the tenant to which you are configuring the connection (applies only if you chose the Automatic registration option), attempts to authenticate itself with that Entra ID, and checks connections to Exchange Web Services and Microsoft Graph API. If the program fails to perform any of these actions, it will display failure notifications (Fig. 1.).
Fig. 1. Failure notifications shown when configuring a connection to Exchange Online.
Click the links below to learn about possible causes and solutions for each of these errors.
- Failed to register the application in Entra ID (Azure AD)
- Failed to authenticate the application
- Failed to connect to Exchange Web Services
- Failed to connect to Microsoft Graph API
Troubleshooting application registration
Failed to register 'CodeTwo Backup' with tenant '<TenantID>'.
If you see this error, it means that the account provided in the Application registration step of the connection wizard doesn't have enough permissions to register CodeTwo Backup in your Microsoft Entra ID (Azure Active Directory). Close the Exchange connection wizard, reopen it and use the account with the Global Administrator or Privileged Role Administrator permissions in the Microsoft 365 tenant to which you want to connect.
Keep in mind that even if this step fails, the CodeTwo Backup Exchange entry is created in your Entra ID (Azure AD). However, this application is missing the necessary permissions that only a user with either of the above-mentioned roles can grant. Delete this entry by following these steps or grant the necessary admin consent in the Microsoft Entra admin center and then configure a connection to your Exchange server by following the manual registration path.
Troubleshooting application authentication
The SMTP address has no mailbox associated with it.
This error occurs if the email address provided in the Application details step of the server connection wizard is not mailbox-enabled (it is not assigned a Microsoft 365 license that included the Exchange Online plan). You will also get this message if the provided email address is from a different Microsoft 365 tenant than the one determined by the Tenant ID.
CodeTwo Backup uses Exchange Web Services (EWS) to access Exchange Online, list users/mailboxes and perform data backup and restore jobs. The requirement that the admin account used by the program needs to have a mailbox is enforced by EWS itself.
ClientId is not a Guid.
The Client ID entered in the Application details step is not valid. A valid GUID has the following form: 12345678-1234-1234-1234-1234567890AB. Double-check the entered Client ID and try again.
The operation was canceled.
This is a timeout error message that you will receive if the provided Client ID is not identified with any application registered in your Entra ID. Provide the correct ID or check if the application under that ID still exists in the Entra ID.
Tenant '<Tenant ID'> not found.
Make sure you have entered a correct Tenant ID of your Microsoft 365 tenant. The Tenant ID (or Directory ID) can be found in the Microsoft Entra admin center – simply navigate to Identity > Overview. The Tenant ID is visible under the name of your company.
The certificate used must have a key size of at least 2048 bits.
This error appears if you have registered CodeTwo Backup manually in your Entra ID and used a certificate that contains a key that is shorter than 2048 bits. Use a different certificate that uses the necessary key or generate a client secret instead.
The wrong application (public or confidential) is being used with this authentication flow.
You will get this error if you enter an incorrect Certificate thumbprint / Client secret (app password) in the Application details step, if that certificate / client secret no longer exists in your Entra ID, or if it has expired.
You can also try the following solutions:
- synchronize the time on the machine where CodeTwo Backup is installed with a time server,
- use the Client secret credential instead of Certificate thumbprint in the case you registered the CodeTwo Backup application in Entra ID manually.
Troubleshooting EWS connectivity
The request failed. The remote server returned an error: (401) Unauthorized.
There are three known reasons why this error may occur:
- the CodeTwo Backup application registered with your Entra ID tenant is missing the full_access_as_app permission (find out how to assign it here),
- the SMTP email address of the account used to register the application in Entra ID is different than its UPN (User Principal Name) – note that these two values are also case-sensitive,
- the application has just been registered, but not all changes have been propagated in your Entra ID. Wait awhile and try configuring the connection again.
The SMTP address has no mailbox associated with it.
You will get this error if the email address provided in the Application details step of the server connection wizard is not mailbox-enabled (it is not assigned a Microsoft 365 license that included the Exchange Online plan). You will also get this message if the provided email address is from a different Microsoft 365 tenant than the one determined by the Tenant ID.
AADSTS700016: Application with identifier '<Client ID>' was not found in the directory '<Tenant ID>'.
This error occurs if:
- CodeTwo Backup has been deleted from your Entra ID. If so, make sure to register it again (automatically or manually),
- you have provided incorrect Client ID and/or Tenant ID in the Application details step of the server connection wizard. Make sure that you have provided correct registration details and try again.
- the application has just been registered, but not all changes have been propagated in your Entra ID. Wait awhile and try configuring the connection again (in the server configuration wizard, click Back, then Next to return to the Configuration step and click Configure).
Troubleshooting Graph API connectivity
Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation.
CodeTwo Backup doesn't have the necessary permissions to perform that operation. Make sure to follow these steps in order to grant all the required permissions in your Entra ID (Azure AD).
The wrong application (public or confidential) is being used with this authentication flow.
You will get this error if you enter an incorrect Certificate thumbprint / Client secret (app password) in the Application details step, if that certificate / client secret no longer exists in your Entra ID, or if it has expired.
AADSTS700016: Application with identifier '<Client ID>' was not found in the directory '<Tenant ID>'.
This error occurs if:
- CodeTwo Backup has been deleted from your Entra ID. If so, make sure to register it again (automatically or manually),
- you have provided incorrect Client ID and/or Tenant ID in the Application details step of the server connection wizard. Make sure that you have provided correct registration details and try again.
- the application has just been registered, but not all changes have been propagated in your Entra ID. Wait awhile and try configuring the connection again (in the server configuration wizard, click Back, then Next to return to the Configuration step and click Configure).
Problem not solved?
If you can't find the solution to your problem, try searching our Knowledge Base.
If you still need help, contact our Customer Service. We know our products inside out.