Managed Security Awareness Troubleshooting
Updated Sep 15, 2023
Troubleshoot Managed Security Awareness
This information provides solutions for common Managed Security Awareness (MA) errors. After onboarding or the initiation of AD integration, you may encounter errors if your credentials were incorrectly entered during configuration. For a list of common errors and problems, and how to resolve them, see the list below.
Tip: For integration steps, see Enroll users in MA with Azure or Microsoft 365 Active Directory or Enroll users in MA with Google Workspace.
Error Have you entered a Client Secret ID? Please enter the Client Secret Value or recreate your Client Secret and enter the Value.
Note: When the error message populates, a warning dialog appears that reads: Please correct errors in form and try again. If errors persist, please submit a ticket in your Arctic Wolf Portal.
Possible causes:
- You have entered:
  - The field value for another field. For example, the Client Secret ID.
  - An incomplete field value. For example, you missed the last character of the value.
  - The wrong character in the field. For example, the number 0 instead of the letter O.
  - A space at the beginning or end of the value.
- Use a Client Secret Value that:
  - Is 34–35 characters long.
  - Contains characters other than a dash. For example, a tilde (~).
  - Does not repeat a pattern in the same way that a Client Secret ID does.
Example Client Secret value:
J6~XME~i36.E.ib2T0p_iV11UdG11j~_O
Resolution:
- Check that you entered the Client Secret value into the correct field.
- If the Client Secret value is in the correct field, but the error message remains, delete the value in the Client Secret value field in the User Management tool in the MA Portal.
- Copy the Client Secret value from the Azure Admin Portal, and paste it in the corresponding field in the User Management tool.
Tip: Click Copy to clipboard to avoid leading or trailing spaces.
- With the rest of the fields completed, click Test Connection.
- If the same error message reappears, return to the Azure AD Tenant and delete the value that was created.
- Create a new Client Secret value and copy it.
- Return to User Management in the MA Portal, and enter the credentials and the Client Secret value. If the error persists, submit a ticket in the Arctic Wolf Portal for assistance.
Error Connection Failed: Insufficient Privileges to complete the operation. Ensure the AD API Permissions have been setup correctly. Please return to the AD API permissions created for Managed Awareness and review the following: Verfify the AD API Permissons for both Directory.Read.All and User.Read.All are "Application"Permissions not "Delegated" Permissions. Ensure that you have selected "Grant Admin Consent" Please refer to the Configuration Guide.
Possible cause: The API permissions in your Azure Admin Portal were incorrectly set up during app registration.
Resolution:
- Go to Azure Admin Portal > App Registrations, and then select the Arctic Wolf Managed Awareness registration.
- Delete the fields marked Not granted for Arctic Wolf.
- Click Add a permission, and then select Microsoft Graph.
- Click Application permissions.
  Note: Do not select Delegated permissions. This will not provide the API permissions required for MA setup and generates an Insufficient permissions error message.
- In the Select permissions field, search for and select these permissions:
  Directory.Read.All
  User.Read.All
- Click Add permissions. The Configured permissions screen lists the permissions that you added.
  - Make sure User.Read is selected.
  - Make sure the Type is Delegated.
  Note: Do not change the default permission and do not remove the type from the permissions.
- In the Status column beside each permission, if you see a message similar to Not granted for <company_name>, click Grant admin consent for <company_name>.
- In the MA Portal, input your credentials into the User Management tool. If the error persists, submit a ticket in the Arctic Wolf Portal for assistance.
The Awareness Group ID and Groups fields are empty in the Integration box of the User Management tool in the MA Portal.
Possible cause: There is no AD Group associated with your AD integration and no users can be synced. Select, query, and save the AD Group to complete the integration. You may have:
- Not completed the AD integration.
- Not started the AD integration.
- Not clicked Save when completing the AD integration.
Resolution:
- In the MA Portal, click Settings > User Management.
- Click Test Saved Connection.
- In the Groups list, click the AD Group.
- Click Query to populate the name of the AD Group and the number of participants who will be active users of the MA program.
- Click Save.
- Click Sync Now.
Tip: Confirm that the sync was successful. Go to Administration Dashboard > User Information, and then compare the active user count to the synced number of users in the User Management tool.
- If the sync is:
  - Successful — No further action is required.
  - Unsuccessful — Submit a ticket in the Arctic Wolf Portal for assistance.
Error The Client Secret Value Expiration date must not have already occurred. Please enter the correct Client Secret Expiration Date
Possible cause: The Client Secret expiration date is in the past.
Resolution: Check the Client Secret expiration date. If the date:
- Has occurred — Remediate the discrepancy:
  - In the MA Portal, in the User Management tool, delete the Client Secret expiration date.
  - In the Azure Admin Portal, in the App Registration section, review the Client Secret expiration date.
  - In the MA Portal, in the User Management tool, re-enter the Client Secret expiration date.
- Has not occurred — Enter the Client Secret Value again to make sure it is correct.
Error Value is not a valid GUID. Please enter a valid Application (Client) ID.
Note: When the error message populates, a warning dialog appears that reads: Please correct errors in form and try again. If errors persist, please submit a ticket in your Arctic Wolf Portal.
Possible cause: You have entered a GUID that is:
- Not complete.
- Missing characters.
- In the wrong input field (mismatched).
Resolution:
- Make sure you entered the Application (Client) ID into the correct field.
- If the Application (Client) ID is in the correct field, but the error message remains, delete the Application (Client) ID in the User Management tool.
- Click Azure Admin Portal > App Registrations, and then select the Arctic Wolf Managed Awareness registration.
- Copy the relevant GUID from the Azure Admin Portal, and then paste the GUID into the Application (Client) ID field in the User Management tool in the MA Portal.
  Tip: Click Copy to clipboard to avoid leading or trailing spaces.
- With the rest of the fields complete, click Test Connection. If the error persists, submit a ticket in the Arctic Wolf Portal for assistance.
Error Connection Failed: <GUID> not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen is there are no active subscriptions for the tenant. Trace ID: <ID>
Possible cause: You have entered:
- The field value for another field. For example, the Directory (tenant) ID.
- An incomplete field value. For example, you missed the last character of the value.
- The wrong character in the field. For example, the number 0 instead of the letter O.
- A space at the beginning or end of the value.
Resolution:
- Make sure you entered the Application (Client) ID into the correct field.
- If the Application (Client) ID is in the correct field, but the error message remains, delete the value in the Application (Client) ID field in the User Management tool in the MA Portal.
- Copy the Application (Client) ID from the Azure Admin Portal, and paste it in the corresponding field in the User Management tool.
Tip: Click Copy to clipboard to avoid leading or trailing spaces.
- With the rest of the fields completed, click Test Connection. If the error persists, submit a ticket in the Arctic Wolf Portal for assistance.
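The input mistakes listed for the Client Secret Value, Client Secret expiration date, and GUID errors above can be caught before pasting anything into the User Management tool. The following is an added example, not Arctic Wolf code; the function names are hypothetical and the sample values are constructed. It assumes the Client Secret ID shown in Azure is a GUID, which is what distinguishes it from the Client Secret Value.

```python
import re
from datetime import date

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def is_guid(value):
    return GUID_RE.fullmatch(value) is not None


def guid_problem(value):
    """Explain why a value is not a usable GUID, or return None if it is one."""
    if is_guid(value):
        return None
    if len(value) != 36:
        return f"expected 36 characters, got {len(value)} (incomplete or missing characters)"
    # The letter O typed where the digit 0 belongs is not hexadecimal.
    if is_guid(value.replace("O", "0").replace("o", "0")):
        return "contains the letter O where the digit 0 is expected"
    return "not in 8-4-4-4-12 hexadecimal GUID form"


def check_credentials(tenant_id, client_id, secret_value, secret_expiry, today=None):
    """Return (field, problem) pairs; an empty list means no input mistake was found."""
    today = today or date.today()
    problems = []
    fields = {
        "Directory (Tenant) ID": tenant_id,
        "Application (Client) ID": client_id,
        "Client Secret Value": secret_value,
    }
    for name, raw in fields.items():
        if raw != raw.strip():
            problems.append((name, "leading or trailing space"))
    tenant_id, client_id, secret_value = (v.strip() for v in fields.values())

    for name, value in (("Directory (Tenant) ID", tenant_id),
                        ("Application (Client) ID", client_id)):
        reason = guid_problem(value)
        if reason:
            problems.append((name, reason))
    if is_guid(tenant_id) and tenant_id.lower() == client_id.lower():
        problems.append(("Application (Client) ID", "same GUID as the tenant ID (wrong field)"))

    if not secret_value:
        problems.append(("Client Secret Value", "empty"))
    elif is_guid(secret_value):
        # Assumption: the Secret ID is a GUID, the Secret Value is not.
        problems.append(("Client Secret Value", "looks like the Client Secret ID, not the Value"))

    if secret_expiry < today:
        problems.append(("Client Secret Expiration Date", "date is in the past"))
    return problems


if __name__ == "__main__":
    # Constructed sample input: a trailing space, a Secret ID in the Value field, an expired date.
    for field, problem in check_credentials(
            "11111111-2222-3333-4444-555555555555",
            "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee ",
            "99999999-8888-7777-6666-555555555555",
            date(2023, 1, 1), today=date(2023, 9, 15)):
        print(f"{field}: {problem}")
```

The check reports only the field name and the kind of mistake, so the secret itself never ends up in terminal history or logs.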
Error The Client Secret for your Managed Awareness Program has expired. Please refer to the Managed Awareness Configuration Guide to follow the steps for creating a new Client Secret, copy the Client Secret VALUE and re-enter the new Secret VALUE with your credentials to reinstate your AD Group Sync with Managed Awareness.
Possible cause: The Client Secret for your AD integrated app registration has expired.
Resolution: Create a new Client Secret with a valid expiry:
- Go to Azure Admin Portal > App Registrations, and then select the Arctic Wolf Managed Awareness registration.
- You will see either:
  A certificate or secret is expiring soon. Create a new one →
  A certificate or secret has expired. Create a new one →
- Click Create a new one →.
- Enter a meaningful description for the Client Secret, such as Arctic Wolf Secret.
  Note: Failure to click Grant admin consent for <company_name> generates an insufficient permissions error message.
- Set the expiry period.
  Tip: Arctic Wolf recommends setting a 24 month expiration period.
- Click Add.
- Verify that the Client Secret value appears in the Client Secrets section, and then copy the exposed value.
  Tip: Click Copy to clipboard to avoid leading or trailing spaces.
- In the MA Portal menu, click Settings > User Management.
- Click Clear Credentials.
- On the confirmation dialog, click Yes.
- Paste the Client Secret value and set the expiry date in the corresponding fields of the User Management tool.
- Paste the Directory (Tenant) ID and the Application (Client) ID into the corresponding fields of the User Management tool in the MA Portal.
- Click Test Connection to make sure the permissions and criteria for the configuration are correct, and then click Acknowledge in the confirmation message that appears.
- Click Save Credentials.
- Make sure the desired AD Group is selected and synced in the User Management tool in the MA Portal. If the error persists, submit a ticket in the Arctic Wolf Portal for assistance.
Error 500 error
Note: Error code seen in the User Management tool in the MA Portal.
Possible cause: The sync was not completed in the User Management tool in the MA Portal.
Resolution: Sync your Azure Active Directory credentials again. See Manage users with Azure or Microsoft 365 Active Directory for instructions. If the error persists, submit a ticket in the Arctic Wolf Portal for assistance.
Error 0 users are populating
Possible cause: If you have completed the integration and there are no users in the MA Portal after the sync runs, the likely cause is that the AD Group uses nested groups. At this time, we do not support nested groups.
Resolution: Add users individually to the AD group. If the error persists, submit a ticket in the Arctic Wolf Portal for assistance.
False-positive phishing simulation clicks or alerts in Microsoft Defender Office 365
Possible cause: If you are using Microsoft Defender for Office 365 for your mail environment and experience false clicks, link processing rules in Defender for Office 365 are causing issues.
Note: If you are unsure whether you use Microsoft Defender, consult the Microsoft Feature Matrix for more information.
Resolution: Set up additional mail flow rules that allow you to bypass safe links:
- In the Microsoft Defender menu, click Policies & Rules > Threat policies.
- Under Policies, locate Safe Links.
  If you see text that indicates Safe Links is a premium-only feature or otherwise not available, this means that you are on Microsoft Defender Office 365 Plan 1.
Depending on your Microsoft Defender Office 365 plan, do one or both of these procedures:
Note: If you use both plans, configure your allowlist for both plans.
Allowlist the MA IP address for Microsoft Defender Office 365 Plan 1
- Open Microsoft Exchange or Office Admin Center.
- Click Mail Flow > Rules.
- Click + Add a rule > Create a new rule.
- In the Set rule conditions pane, do these actions:
  - Name — Enter a name for this rule. For example, Bypass Arctic Wolf MA URL.
  - Apply this rule if — Select The Sender, and then select IP address is in any of these ranges or exactly matches in the list that appears. When the specify IP address ranges pane opens, enter the MA IP address, and then click Add.
    Note: If you are not able to add an IP address, do these steps:
    - In the Apply this rule if list, select A message header.
    - In the next list that appears, select includes any of these words.
    - In the message header field, enter the MA header value. This value can be found in the same area of the Arctic Wolf Portal where the MA IP address is located.
  - Do the following — Select Modify the message properties, and then select set a message header in the list that appears. Click the first Enter text link, in the message header pane enter X-MS-Exchange-Organization-SkipSafeLinksProcessing, and then click Save. Click the second Enter text link, in the message header pane enter 1, and then click Save.
  - Except if — Leave empty.
- Click Next.
- Leave the default rule settings.
- Click Next.
- Click Finish.
- Make sure your settings work correctly. Send a test MA phishing simulation email to yourself or admins:
  - In the MA Portal menu, click Administration Dashboard.
  - Click the User Information tab.
  - In the Search field, enter the name of an MA administrator, and then press Enter.
  - Locate the user in the list, and then click Assign Session.
  - On the Assign Session page, in the Search field, enter Phishing simulation.
  - In the list of search results, select a phishing simulation to use for testing, and then click Assign.
    Tip: Arctic Wolf recommends assigning the phishing simulation titled Friendsgiving Celebration or Commonwealth Games Viewing Parties for this test.
  - Check if the test MA phishing simulation email is in your inbox. If the email is:
    - In your inbox — Your settings are correct. Continue with the next procedure.
      Tip: You can also verify that the percentage in the Secure Culture Dashboard under Phishing Simulation is at 0%, indicating no false positives.
    - Not in your inbox — Submit a ticket in the Arctic Wolf Portal for assistance.
Allowlist the MA IP address for Microsoft Defender Office 365 Plan 2
- Sign in to Microsoft 365 Defender or to the Microsoft 365 Admin Center, and then click Security Admin Center.
- Navigate to Email & Collaboration > Policies & Rules > Threat Policies > Safe Links.
- Click + Create.
  Note: If you have an existing custom Safe Links policy, you can edit that instead. Select the policy and click Edit in each section to modify the settings as appropriate.
- In the Name field, enter a name for the policy. We recommend an easily identifiable name. For example, AW MSA Safe Links Policy.
- Click Next.
- On the Users and domains page, enter the users, groups, and domains for the policy to apply to.
- Click Next.
- On the URL & click protection settings page, for the setting "On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default", select On.
- Under Do not rewrite the following URLs in email, click Manage <number> URLs, where <number> is the number of URLs that are not rewritten.
- In the Manage URLs to not rewrite menu, click + Add URLs.
- Click Simulation URLS to allow.
- In the Simulation URLs to allow field, enter the domains below, specific to the language in which the simulations will be sent, and press the Enter key after each entry:
  Note: The Simulation URLs to allow field must include the same domains entered in the Domains field to ensure that the simulations send.
  - All languages:
    *.arcticwolf.com/*
  - English:
    automated-mailsender.com/*
    mail-donotreply.com/*
    humanresources-mailer.com/*
    internal-humanresources.com/*
    helpdesk-itsupport.com/*
    internalcorporate-mailer.com/*
    securityalert-corporate.com/*
    corporate-alert.com/*
  - German:
    mitarbeiter-helpdesk.de/*
    unternehmenssicherheit-alarm.de/*
    itsupport-mitarbeiter.de/*
    admin-hinweis.de/*
- Click Save.
- In the Click protection settings section:
  - Make sure the Track user clicks checkbox is selected.
  - Select the Let users click through to the original URL checkbox.
- Click Save.
- Leave the remaining default settings, and then click Next.
- Make sure your settings work correctly. Send a test MA phishing simulation email to yourself or admins:
  - In the MA Portal menu, click Administration Dashboard.
  - Click the User Information tab.
  - In the Search field, enter the name of an MA administrator, and then press Enter.
  - Locate the user in the list, and then click Assign Session.
  - On the Assign Session page, in the Search field, enter Phishing simulation.
  - In the list of search results, select a phishing simulation to use for testing, and then click Assign.
    Tip: Arctic Wolf recommends assigning the phishing simulation titled Friendsgiving Celebration or Commonwealth Games Viewing Parties for this test.
  - Check if the test MA phishing simulation email is in your inbox. If the email is:
    - In your inbox — Your settings are correct. Continue with the next procedure.
      Tip: You can also verify that the percentage in the Secure Culture Dashboard under Phishing Simulation is at 0%, indicating no false positives.
    - Not in your inbox — Submit a ticket in the Arctic Wolf Portal for assistance.
See Microsoft's documentation Safe Links in Microsoft Defender for Office 365 for more information on setting up Safe Links policies.
Error Your JSON file is formatted incorrectly and does not contain the correct fields.
Possible cause: The JSON file has improper formatting, such as capitalization and brackets, or does not contain all the required fields.
Resolution:
- Verify that your JSON file contains:
  - Two left curly brackets towards the beginning of the file and two right curly brackets at the end of the file. For example:
        {
          "CustomerEmail": "<customer_email>",
          "CustomerID": "<customer_id>",
          "serviceKeys": {
            "type": "<type>",
            "project_id": "<project_id>",
            "private_key_id": "<key_id>",
            "private_key": "<key>",
            "client_email": "<email>",
            "client_id": "<id>",
            "auth_uri": "<uri>",
            "token_uri": "<uri>",
            "auth_provider_x509_cert_url": "<url>",
            "client_x509_cert_url": "<url>",
            "universe_domain": "<domain>"
          }
        }
  - These fields:
        "CustomerEmail": "<customer_email>", "CustomerID": "<customer_id>", "serviceKeys":
- Verify that the value of <customer_email> is the email address for the administrator.
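The checks in this resolution can be run locally before the file is submitted. The following is an added example, not Arctic Wolf code; the function names are hypothetical, and it assumes every field shown in the sample file above is required with exactly that capitalization.

```python
import json

TOP_LEVEL = ("CustomerEmail", "CustomerID", "serviceKeys")
SERVICE_KEYS = (
    "type", "project_id", "private_key_id", "private_key", "client_email",
    "client_id", "auth_uri", "token_uri", "auth_provider_x509_cert_url",
    "client_x509_cert_url", "universe_domain",
)
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"  # typographic quotes left by word processors


def _missing(obj, required, prefix=""):
    """Report absent fields, calling out names that are present with the wrong case."""
    problems = []
    by_lower = {key.lower(): key for key in obj}
    for name in required:
        if name in obj:
            continue
        found = by_lower.get(name.lower())
        if found:
            problems.append(f"{prefix}{found}: wrong capitalization, expected {name}")
        else:
            problems.append(f"{prefix}{name}: missing field")
    return problems


def check_ma_json(text):
    """Return a list of problems; field values such as private_key are never echoed."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        problems = [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
        # Hints only: the two formatting mistakes this error most often comes from.
        if any(q in text for q in CURLY_QUOTES):
            problems.append("curly quotes present; JSON needs straight double quotes")
        if text.count("{") != text.count("}"):
            problems.append("unbalanced curly brackets")
        return problems
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = _missing(doc, TOP_LEVEL)
    keys = doc.get("serviceKeys")
    if isinstance(keys, dict):
        problems += _missing(keys, SERVICE_KEYS, "serviceKeys.")
    elif "serviceKeys" in doc:
        problems.append("serviceKeys: must be an object in its own curly brackets")
    email = doc.get("CustomerEmail")
    if email is not None and (not isinstance(email, str) or "@" not in email):
        problems.append("CustomerEmail: not an email address")
    return problems


if __name__ == "__main__":
    # Constructed sample: a key typed with curly quotes, as pasted from a word processor.
    sample = '{ \u201cCustomerEmail\u201d: "admin@example.com" }'
    for problem in check_ma_json(sample):
        print(problem)
```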
Error If the error persists, please submit a request in the Arctic Wolf Portal. when submitting a JSON file
Possible cause: The JSON file may be invalid, or there may be another issue with the Google Workspace service account creation and necessary permissions.
Resolution:
- Check your JSON syntax for errors.
- Try the resolution steps from Error Your JSON file is formatted incorrectly and does not contain the correct fields.
- Review the steps from Enroll users in MA with Google Workspace.
- If the error persists, submit a request in the Arctic Wolf Portal.
Error You need to enable domain wide delegation in Google Workspace.
Possible cause: The OAuth scopes aren’t configured correctly.
Resolution:
- Sign in as a super administrator to Google Cloud Console.
- Click Menu > Security > Access and data control > API controls.
- Under Domain wide delegation, click Manage Domain Wide Delegation.
- In the OAuth scopes (comma-delimited) field, verify that these OAuth scopes are correct:
https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group
- Click Authorize.