Troubleshooting ‐ Common Errors
The base module returns a Bad Request to the logic app with the following error message The API call to msgraph with path /v1.0/organization failed with status 403.
This indicates that the function app executed by did not have sufficient permissions to access the Microsoft Graph. This is usually caused by one of the following issues:
- The GrantPermissions.ps1 script either was not run successfully or not run against the correct identity. Ensure the script is run correctly
- The function app has a cached token from prior to the GrnatPermissions.ps1 scripts execution, restart the function app to clear the cache
- A delay in processing the permissions in the backend, wait 1-2 hours and try again
The base module returns an Unauthorized error to the logic app with a content length of 0, such as:
{
"statusCode": 401,
"headers": {
"Date": "Thu, 07 Nov 2024 18:45:04 GMT",
"Content-Length": "0"
}
}This indicates the the function app could not be invoked which is usually due to either:
- The incorrect function app key is used in the API connection. See this FAQ on obtaining the correct function code.
- There is a configuration error in the function app itself, such as an issue in one of the environment variables, a network configuration is blocking access to function app or other issue. Please review any configuration changes you have made since deployment.
The connector is only visible for logic apps created in the same region as the connector.
Microsoft has announced the retirement of the investigation priority score which this module is based on. The retirement was announced in Message Center MC889532. As this module is based on this score, it's absence will cause the module to fail with an error such as:
{
"Error": "Module processing failed, an unknown exception has occurred.",
"InvocationId": "170d5892-08cd-4c18-9e2b-5aaf263fa877",
"Traceback": [
"Traceback (most recent call last):\n",
" File \"/home/site/wwwroot/modules/__init__.py\", line 19, in main\n return_data = coordinator.initiate_module(module_name=module_name, req_body=req_body)\n",
" File \"/home/site/wwwroot/shared/coordinator.py\", line 21, in initiate_module\n return_data = mdca.execute_mdca_module(req_body)\n",
" File \"/home/site/wwwroot/modules/mdca.py\", line 50, in execute_mdca_module\n current_account['ThreatScore'] = 0 if mdcaresults['threatScore'] is None else mdcaresults['threatScore']\n",
"KeyError: 'threatScore'\n"
]
}STAT releases v2.0.21 and later have deprecated this module. This work is tracked under 
If you are not able to upgrade, you can just remove this module from any logic apps that use it, including removing it from the risk scoring calculation.
While running the GrantPermissions.ps1 from Cloud Shell, or another device, you may get an error DeviceCodeCredential authentication failed: AADSTS530003: Your device is required to be managed to access this resource. This error indicates that conditional access policies are blocking the authentication due to the device not being hybrid joined or compliant. This will always happen with cloud shell, but may happen with other unmanaged devices.
To work around this you must either:
- Run the script from a device that is compliant with your conditional access policies OR
- Create a temporary exception on the blocking conditional access policy to allow the script to run as the user account you are using
Quota exceeded for : 0 VMs allowed, 1 VMs requested.. Try selecting different region or SKU. InvalidTemplateDeployment - SubscriptionIsOverQuotaForSku
When deploying STAT in some regions, you may receive a quota error despite STAT using the consumption plan. STAT's deployment explicitly deploys a consumption app service plan, however some regions block this deployment. This can be worked around but not deploying the app service plan and letting Azure automatically create it. To deploy STAT without the app service plan using this deployment template. This will be implemented into the main deployment at a later date.
As of 4/23/2025 we are seeing some failures to deploy STAT in certain data center regions with the error:
The custom API swagger is not valid: 'Error reading string. Unexpected token: StartObject. Path 'paths['/api/modules/base'].post.parameters[0].schema.default'.'
This error appears to be related to the datacenter region you deploy to as not all regions are impacted. No changes were made to the deployment template so we suspect this is an Azure issue. This issue has since been resolved
Additional Troubleshooting information is available under the Debug Module