Share via

Issue Viewing Sentinel incidents (Token Issue)

Evan Shannon 10 Reputation points
2024-12-11T19:22:36.3866667+00:00

Hey y'all, I've been having some issues viewing sentinel incidents. After I sign in and navigate to our sentinel workspace, click on "incidents" I'm greeted with the error below. Another co worker, SOC, and myself can't see this page. I was told by our SOC that they can access other clients tenants no problem. I have a suspicious that this issue is related to a token session limit that has been "fixed" either last night or early this morning. (Here's the article I'm referring to for reference - https://www.bleepingcomputer.com/news/microsoft/microsoft-365-outage-takes-down-office-web-apps-admin-center/)

Is anyone experiencing this issue currently? Or has anyone run across this issue in the past?

ERROR IN PLAIN TEXT: 

{
  "sessionId": "1e0321c1dcec42728f255074ee69a288",
  "errors": [
    {
      "errorMessage": "interaction_required: AADSTS501312: Device used during the authentication is not registered for the account. Trace ID: dd333240-891e-42f1-ba34-5a52cd313b00 Correlation ID: ae9f49af-163a-4f0f-914c-d07301a89ac8 Timestamp: 2024-12-11 19:21:12Z",
      "clientId": "bda0771f-b6df-474a-b348-26a308db88aa",
      "scopes": [
        "https://securitycenter.microsoft.com/mtp/.default"
      ]
    }
  ]
}
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,195 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Givary-MSFT 34,521 Reputation points Microsoft Employee
    2024-12-12T08:47:01.8466667+00:00

    @Evan Shannon Thank you for reaching out. Upon researching the issue you mentioned, we identified similar cases reported this week. It appears that a classic Conditional Access (CA) policy might be causing this problem. We recommend checking your sign-in logs for more details. To resolve this effectively, we strongly advise migrating to a modern Conditional Access policy. You can find detailed guidance here: Migrate from classic policies to modern Conditional Access.

    Reference: https://techcommunity.microsoft.com/discussions/microsoftdefenderatp/classic-conditional-access-policy-for-defender-atp/1883297

    Let us know if this helps resolve the issue, or feel free to post back if you need further assistance.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.