|
| 1 | +--- |
| 2 | +title: Error codes when onboarding Permissions Management |
| 3 | +description: Understand potential error codes that may appear during onboarding of Microsoft Entra Permissions Management |
| 4 | +services: active-directory |
| 5 | +author: jenniferf-skc |
| 6 | +manager: amycolannino |
| 7 | +ms.service: active-directory |
| 8 | +ms.subservice: ciem |
| 9 | +ms.workload: identity |
| 10 | +ms.topic: reference |
| 11 | +ms.date: 09/07/2023 |
| 12 | +ms.author: jfields |
| 13 | +--- |
| 14 | + |
| 15 | +# Error codes: Microsoft Entra Permissions Management |
| 16 | + |
| 17 | +During onboarding, Microsoft Entra Permissions Management may return error messages that an admin can triage. This article lists data collection error messages and their descriptions shown in the Permissions Management UI, along with proposed solutions. |
| 18 | + |
| 19 | + |
| 20 | +## AWS_ACCESSADVISOR_COLLECTION_ERROR |
| 21 | + |
| 22 | +This account does not have permissions to view ```Service Last Accessed```. |
| 23 | + |
| 24 | +### Proposed solution |
| 25 | + |
| 26 | +- Verify that you're signed in using Management Account credentials. The AWS account must have a policy that has permissions to generate, get, or list ```ServiceLastAccessDetails``` or equivalent permissions. |
| 27 | +- In the AWS Management Console, verify that Service Control Policies (SCPs) are enabled in your organization root. |
| 28 | + |
| 29 | +## AWS_CLOUDTRAIL_DISABLED |
| 30 | + |
| 31 | +The AWS environment doesn't have CloudTrail configured, or you don't have permissions to access CloudTrail. |
| 32 | + |
| 33 | +### Proposed solution |
| 34 | + |
| 35 | +CloudTrail is automatically created when an AWS account is created. |
| 36 | + |
| 37 | +To access: |
| 38 | +- Verify you're signed in using Management Account credentials. |
| 39 | +- Enable CloudTrail as a trusted service in your AWS organization. |
| 40 | +- Ensure that the AWS account has the CloudTrail managed policies ```AWSCloudTrail_FullAccess```, ```AWSCloudTrail_ReadOnlyAccess```, or is granted equivalent permissions. |
| 41 | + |
| 42 | +## AWS_CLOUDTRAIL_S3_ACCESS_DENIED |
| 43 | + |
| 44 | +This account doesn't have permissions to access S3 Bucket CloudTrail logs. |
| 45 | + |
| 46 | +### Proposed solution |
| 47 | + |
| 48 | +Steps to try: |
| 49 | +- Verify you're signed in using Management Account credentials. |
| 50 | +- Enable CloudTrail as a trusted service in your AWS organization. |
| 51 | +- The AWS account must have the CloudTrail managed policy ```AWSCloudTrail_FullAccess``` or have been granted equivalent permissions. |
| 52 | +- For cross-account access, each account must have an IAM role with an access policy that grants access. |
| 53 | +- CloudTrail must have the required permissions to deliver log files to the S3 bucket and S3 bucket policies are updated to receive and store log files. |
| 54 | + |
| 55 | +## AWS_LDAP_CREDENTIALS_INVALID |
| 56 | + |
| 57 | +Invalid LDAP Credentials. |
| 58 | + |
| 59 | +### Proposed Solution |
| 60 | + |
| 61 | +Verify that the hard drive on your domain controller is not full. |
| 62 | + |
| 63 | + |
| 64 | +## AWS_LDAP_UNREACHABLE |
| 65 | + |
| 66 | +Connection failure while trying to access LDAP service. |
| 67 | + |
| 68 | + |
| 69 | +### Proposed solution |
| 70 | + |
| 71 | +This issue is common with the AWS Managed Microsoft AD Connector used to enable LDAPS. Verify if the AD connector can communicate via TCP and UDP over the 88 (Kerberos) and 389 (LDAP) ports. |
| 72 | + |
| 73 | +## AWS_SYSTEM_ROLE_POLICIES_COLLECTION_ERROR |
| 74 | + |
| 75 | +Error during the collection of System role policies. |
| 76 | + |
| 77 | +### Proposed solution |
| 78 | + |
| 79 | +If your system role policies include Service Control Policies (SCPs), verify you're signed in using Management Account credentials. The AWS account must have the required permissions to display the policies’ details and attached entities. |
| 80 | + |
| 81 | + |
| 82 | +## ERROR_GCP_PROJECT_MIN_PERMISSION |
| 83 | + |
| 84 | +Insufficient Project permissions. |
| 85 | + |
| 86 | +### Proposed solution |
| 87 | + |
| 88 | +Verify you have been granted the correct IAM roles or roles with equivalent permissions that grant access to the project: *Organization Admin*, *Security Admin*, or *Project IAM Admin*. |
| 89 | + |
| 90 | + |
| 91 | +## ERROR_NO_IDENTIFIER_URIS_IN_APP |
| 92 | + |
| 93 | +No Identifier URIs configured for app. |
| 94 | + |
| 95 | +### Proposed solution |
| 96 | + |
| 97 | +- Verify the application configuration for the configured Identifier URI’s in the portal. |
| 98 | +- Check the Entra ID application’s manifest file. |
| 99 | + |
| 100 | + |
| 101 | +## Next steps |
| 102 | + |
| 103 | +- For information on how to onboard an Amazon Web Services (AWS) account, see [Onboard an Amazon Web Services (AWS) account](onboard-aws.md). |
| 104 | +- For information on how to onboard an account after initial onboarding, see [Add an account/subscription/project after onboarding](onboard-add-account-after-onboarding.md) |
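Review bot: The proposed solution for AWS_LDAP_CREDENTIALS_INVALID (line 61 of the file) does not address the error it sits under: the error reports invalid LDAP credentials, but the only step is "Verify that the hard drive on your domain controller is not full." Add a step that tells the reader to re-check the LDAP bind username and password entered during onboarding (and that the service account is not locked, expired or disabled), and either move the disk-space check to a separate note or explain why a full domain controller disk produces this error. Related accuracy points: the AWS_LDAP_UNREACHABLE section (line 71) says the connector is "used to enable LDAPS" but lists only ports 88 (Kerberos) and 389 (LDAP); if LDAPS is the intended transport the LDAPS port (636/TCP by default) should be listed as well, and "Verify if the AD connector can communicate" should read "Verify that". In the AWS_ACCESSADVISOR_COLLECTION_ERROR section (line 26), "generate, get, or list `ServiceLastAccessDetails`" does not match the IAM action naming; the actions are `iam:GenerateServiceLastAccessedDetails` and `iam:GetServiceLastAccessedDetails`, so please confirm and spell the permission names exactly. Style: inline code uses triple backticks (```Service Last Accessed```, ```AWSCloudTrail_FullAccess``` and others on lines 22, 26, 40 and 51), which renders as a fenced block in some Markdown engines; use single backticks for inline code. "Proposed Solution" (line 59) is capitalised differently from every other "Proposed solution" heading; "Identifier URI’s" (line 97) should be "Identifier URIs"; line 53 reads awkwardly and could be "CloudTrail must have the required permissions to deliver log files to the S3 bucket, and the S3 bucket policy must allow it to receive and store those files"; the final bullet (line 104) is missing its terminating period.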