Troubleshooting SharePoint connectivity

This article contains information on all known connectivity problems related to SharePoint servers (both SharePoint Online and its on-premises version) as well as possible solutions.

• Problems with configuring a connection to SharePoint Online
• Problems with configuring a connection to on-premises SharePoint server
• Other known SharePoint connectivity problems

Problems with configuring a connection to SharePoint Online

When configuring a connection to SharePoint Online, in the last step of the SharePoint Server connection wizard, the program registers itself in Microsoft Entra ID (Azure Active Directory) of the tenant to which you are configuring the connection (applies only if you chose the Automatic registration option), attempts to authenticate itself with that Entra ID, and checks connections to Microsoft Graph API, and finally tries to enumerate SharePoint site collections and connect to one of them. If the program fails to perform any of these actions, it will display failure notifications (Fig. 1.).

Fig. 1. Failure notifications shown when configuring a connection to SharePoint Online.

Click the links below to learn about possible causes and solutions for each of these errors.

• Failed to register the application in Azure AD
• Failed to authenticate the application
• Failed to connect to Microsoft Graph API
• Failed to connect to SharePoint

Troubleshooting application registration

Failed to register 'CodeTwo Backup' with tenant '<TenantID>'.

If you see this error, it means that the account provided in the Application registration step of the connection wizard doesn't have enough permissions to register CodeTwo Backup in your Entra ID (Azure AD). Close the SharePoint Server connection wizard, reopen it and use an account with the Global Administrator or Privileged Role Administrator role in the Microsoft 365 (Office 365) tenant to which you want to connect.

Keep in mind that even if this step fails, the CodeTwo Backup SharePoint entry is created in your Entra ID. However, this application is missing the necessary permissions that only a user with either of an above-mentioned roles can grant. Delete this entry by following these steps or grant the necessary admin consent in the Microsoft Entra admin center and then configure the SharePoint server connection by following the manual registration path.

Troubleshooting application authentication

ClientId is not a Guid.

The Client ID entered in the Application details step is not valid. A valid GUID has the following form: 12345678-1234-1234-1234-1234567890AB. Double-check the entered Client ID and try again.

The operation was canceled.

This is a timeout error message that you will receive if the provided Client ID is not identified with any application registered in your Entra ID. Provide the correct ID or check if the application under that ID still exists in the Entra ID. 

Tenant '<Tenant ID'> not found.

Make sure you have entered a correct Tenant ID of your Microsoft 365 (Office 365) tenant. The Tenant ID (or Directory ID) can be found in the Microsoft Entra admin center – simply navigate to Identity > Overview. The Tenant ID is visible under the name of your company.

The certificate used must have a key size of at least 2048 bits.

This error appears if you have registered CodeTwo Backup manually in your Entra ID and used a certificate that contains a key that is shorter than 2048 bits. To fix it, use a certificate with an appropriate key length. 

The wrong application (public or confidential) is being used with this authentication flow. 

You will get this error if you enter an incorrect Certificate thumbprint in the Application details step, if that certificate no longer exists in your Entra ID, or if it has expired.

You can also try to synchronize the time on the machine where CodeTwo Backup is installed with a time server.

Troubleshooting Graph API connectivity

Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation.

CodeTwo Backup doesn't have the necessary permissions to perform that operation. Make sure to follow these steps in order to grant all the required permissions in your Entra ID.

The wrong application (public or confidential) is being used with this authentication flow.

You will get this error if you enter an incorrect Certificate thumbprint in the Application details step, if that certificate no longer exists in your Entra ID, or if it has expired.

AADSTS700016: Application with identifier '<Client ID>' was not found in the directory '<Tenant ID>'.

This error occurs if:

• CodeTwo Backup has been deleted from your Entra ID. If so, make sure to register it again (automatically or manually),
• you have provided incorrect Client ID and/or Tenant ID in the Application details step of the server connection wizard. Make sure that you have provided correct registration details and try again.
• the application has just been registered, but not all changes have been propagated in your Entra ID. Wait awhile and try configuring the connection again (in the server configuration wizard, click Back, then Next to return to the Configuration step and click Configure).

User '<admin_account>' could not be found on the server. Make sure to register CodeTwo Backup in Azure Active Directory of the same tenant as provided on the 'Server address' page of this connection wizard.

You will get this error if SharePoint server URL provided in the Server address step points to a different Microsoft 365 tenant than the credentials used in the Application registration (automatic registration) or Application details (manual registration) step. 

Failed to connect to SharePoint

Failed to connect to SharePoint using account '<admin_account>'. Make sure that you have entered the account credentials and server URLs correctly.
Failed to connect to SharePoint by using legacy authentication.
Failed to read the list of team sites from the server.

You will get this error if you have enabled legacy authentication in the SharePoint Server connection wizard. This feature is now deprecated because legacy authentication was permanently retired in SharePoint Online on May 1, 2026.

Reconfigure the connection and disable legacy authentication.

Exception: For security reasons DTD is prohibited in this XML document.

This problem is most likely caused by the DNS assistance service (also known as DNS hijacking or DNS redirection) used by your Internet Service Provider (ISP). Suggestions on how to troubleshoot this problem can be found in this Knowledge Base article. 

The sign-in name or password does not match one in the Microsoft account system.
Failed to connect to SharePoint. Identity Client Runtime Library (IDCRL) did not get a response from the Login server.

You will get this error if you have enabled multi-factor authentication (or Security defaults in the Microsoft Entra admin center) for the admin account used in the Legacy authentication step of the SharePoint Server connection wizard. To use that account, reconfigure the connection and disable legacy authentication.

Failed to connect to SharePoint. 'center' is an unexpected token. The expected token is '"' or '''. Line 7, position 12.

The most likely causes of the error are as follows:

• the UPN of the admin account used to connect to SharePoint Online contains special characters, for example - or _, or
• the admin account has abnormal/non-standard values defined in other properties.

There are two known solutions to the problem:

• Use the UPN with the default onmicrosoft.com domain name (e.g. [email protected]) to connect to SharePoint Online in CodeTwo Backup.
• Use another admin account (Global Administrator or SharePoint Administrator) to configure a SharePoint connection in the program. Preferably, create a fresh account that does not include any problematic configuration or special characters in its UPN.

Problems with configuring a connection to on-premises SharePoint server

When configuring a connection to the on-premises SharePoint server, in the last step of the SharePoint Server connection wizard the program tries to enumerate site collections with PowerShell and connect to any SharePoint site collections and Admin service. If the program fails to perform any of these actions, it will display failure notifications, as shown in Fig. 2. below:

Fig. 2. Failure notifications shown when configuring a connection to the on-premises SharePoint server.

The examples below show the most common error messages:

Failed to connect to SharePoint using account '<admin_account>'. Make sure you have entered the account credentials and server URLs correctly.

In case you get this message, double-check the details entered in the Server address and Admin's credentials steps of the connection wizard and try again. Also, make sure that the admin account has all the necessary roles and permissions assigned. Finally, check your internet connection. 

Failed to connect to Central Administration service. Make sure that you have entered its URL correctly.

Go back to the Server address step of the wizard and check if the URL address entered in the Central Administration URL field is correct. Keep in mind that it is filled automatically based on the entered SharePoint Server URL; however, you need to provide the port number manually. 

Other known SharePoint connectivity problems

Below are some of the most common error that may appear when configuring various jobs in CodeTwo Backup. 

The term 'Get-UnifiedGroup' is not recognized as the name of a cmdlet, function, script file, or operable program.

You may get this error while configuring a SharePoint backup job and trying to list team sites. Try to reconfigure your connection to SharePoint Online. Also, make sure that the admin account used to connect to your SharePoint server is assigned at least the SharePoint Administrator role (learn more).

Cannot contact web site '<site URL>' or the web site does not support SharePoint Online credentials.

You may receive this error in the SharePoint restore job wizard while attempting to create a new site collection or map users, groups, or permission levels. These options are now deprecated because they require legacy authentication protocols, which were permanently disabled in SharePoint Online as of May 1, 2026.

Additionally, connections to SharePoint Online from CodeTwo Backup may be blocked by the feature that allows guests/external users to sign in only with the account included in the original invitation message.

Failed to list <SharePoint object> from the target server. Make sure that you properly defined the SharePoint connection and that the administrator's account used in the connection has sufficient access rights.

The <SharePoint object> may refer to site collections, team sites, or OneDrive for Business sites. This error usually appears when listing SharePoint objects in the backup or restore jobs. Try reconfiguring the connection to your SharePoint server.

Double-check also if the admin account used to establish the connection to your SharePoint server has all the necessary roles and permissions assigned.

Access denied. You do not have permission to perform this action or access this resource.

This error may occur while restoring SharePoint lists to SharePoint Online. To fix this problem, you need to allow custom script in your SharePoint Online tenant. Find out how to do so here.

Resolving authentication-related connectivity problems using SharePoint Online Management Shell

1. Open the SharePoint Online Management Shell command prompt.
2. Connect to your SharePoint Online by using the following command:

   Connect-SPOService -Url https://<organization>-admin.sharepoint.com

   where <organization> is the organization (tenant) name set in Microsoft 365 (Office 365).
3. Run the following cmdlets:

   Set-SPOTenant -AllowLegacyAuthProtocolsEnabledSetting $True​
   Set-SPOTenant -LegacyAuthProtocolsEnabled $True​
   Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $False

For a more detailed description of the procedure, refer to this article.