Autotask PSA: Troubleshooting guide for Microsoft Azure Active Directory sync failures



This article describes how to troubleshoot Active Directory synchronization failures between Autotask PSA and Microsoft Azure.


  • Autotask PSA
  • Microsoft Azure


There are several reasons why sync may fail in Azure. You will know sync has failed when the Status column in Active Directory (AD) Sync page displays a red X rather than a green dot. You can resolve most synchronization failures by following the steps below. 

figure1.pngFigure 1: Sync page

1. You need to link each company in the Azure set up in Autotask to its group in Azure. Additionally, each group needs to have a group type of either Security or Microsoft. There may be other group types that will work; however, these are the two types we know will work. Make sure the group type is one of these two options. 

2. Verify that the Client ID, Tenant, and Group ID, as well as the Client Secret, is correct. The Group ID should be specific to your company's group in Azure. If you have verified these items and the sync is still failing, delete the Client Secret from Azure and generate a new one. Then replace the Client Secret in Autotask. Save the configuration and select Test Connection. If you receive an error message stating there was a problem connecting to the Active Directory, move on to the next steps.

figure2.pngFigure 2: Connection error

3. Navigate to the Notifications tab of your company's Azure set up in Autotask. In the Other emails section, add your email address and click Save. Then from the context menu, select Force Sync. Autotask will email an error message to the email you input in the notifications tab. Check that error message.

4. The most common error message received is: "The remote server returned an error: (403) Forbidden." This error is typically caused by incorrect API settings in Azure. Follow the steps below to ensure proper settings.

  • In the app menu, click Manage → API permissions. The Your App Name - API permissions page will open.
  • Click Add a permission. On the Request API permissions page, click Microsoft Graph.
  • Click Application permissions and expand Directory. Check Directory.Read.All and Directory.ReadWrite.All.
  • Click Add permission. The permission is added but appears as Not granted.
  • Scroll to the Grant consent section and click Grant admin consent for [your company name]. If the permission still appears as Not granted, log out and back in to refresh the settings.

figure3.pngFigure 3: Request API permissions

5. Attempt to force synchronization again.

If the synchronization still fails, contact Autotask PSA technical support. A screenshot of the error and a list of your Azure group settings can help in troubleshooting the issue.

Additional Resources

Was this article helpful?

0 out of 0 found this helpful

You must sign in before voting on this article.

Want to talk about it? Have a feature request?

Head on over to our Datto Community Forum or the Datto Community Online.

For more Business Management resources, see the Datto RMM Online Help and the Autotask PSA Online Help .

Still have questions? Get live help.

Datto Homepage