What are common permission errors during scans?

When running email or cloud scans, permission errors are the most common cause of "Partial Success" or "Failed" scan statuses. Because Spirion Agents operate as a Service Account or App Registration, they are highly sensitive to any gaps in the security chain.

Here are the most common permission errors and how to identify them:

1. "Access Denied" / "403 Forbidden" (M365 & Gmail)

This is the most frequent error in cloud environments.

  • The Cause: The App Registration (M365) or Service Account (Google) has been created, but Admin Consent was never granted.
  • How to Fix: In the Azure Portal or Google Admin Console, ensure a Global Admin has clicked the "Grant Admin Consent" button for the specific API permissions (like full_access_as_app or Gmail.Read).

2. "MAPI_E_FAILONEWAY" or "Logon Failed" (On-Prem Exchange)

This error typically appears when using a Service Account for on-premises Exchange.

  • The Cause: The Service Account lacks Application Impersonation rights for the specific mailbox it is trying to enter.
  • How to Fix: Re-run the PowerShell command to assign the ApplicationImpersonation role to the Service Account. Also, ensure the Service Account is not "Hidden from Address Lists," as this can sometimes interfere with the initial connection.

3. "The account does not have permission to impersonate the requested user"

This is a specific Exchange error that occurs even if the role is assigned.

  • The Cause: A Management Scope has been applied that restricts the Service Account to only a subset of users (for example, "Only scan the Finance Dept"). If the scan policy tries to reach a mailbox outside that scope, impersonation of that user fails even though the role itself is assigned.
  • How to Fix: Check your Exchange Management Role Assignments to see if a CustomConfigurableWriteScope is limiting the account's reach, and either widen the scope or add a second assignment that covers the missing mailboxes.
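The checks behind errors 2 and 3 can be done in one pass from the Exchange Management Shell. The script below is an added example, not Spirion documentation or a Spirion-supplied tool; the account and mailbox addresses are placeholders, and it uses the standard Exchange cmdlets Get-ManagementRoleAssignment, New-ManagementRoleAssignment, Get-ManagementScope, Get-Recipient and Get-/Set-Mailbox. Note that the cmdlets expose the recipient-limiting scope on an assignment as the CustomRecipientWriteScope property, which is what you inspect to confirm whether a failing mailbox is inside or outside the scope.

```powershell
# Added example: verify the ApplicationImpersonation assignment for the Spirion
# service account and find any management scope that excludes a failing mailbox.
# Run in the Exchange Management Shell (on-prem) or a remote Exchange session.
# Assumed placeholder values; replace with your own:
$ServiceAccount = 'svc_spirion@contoso.example'   # the Spirion service account
$TargetMailbox  = 'jdoe@contoso.example'           # a mailbox the scan fails on

# 1. Is the ApplicationImpersonation role assigned at all?
#    (Error 2: "Logon Failed" / MAPI_E_FAILONEWAY)
$assignments = Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount `
                   -Role ApplicationImpersonation -ErrorAction SilentlyContinue

if (-not $assignments) {
    Write-Host "No ApplicationImpersonation assignment found; creating one."
    New-ManagementRoleAssignment -Role ApplicationImpersonation -User $ServiceAccount
}
else {
    # 2. Is a custom recipient scope narrowing the assignment?
    #    (Error 3: "does not have permission to impersonate the requested user")
    foreach ($a in $assignments) {
        $a | Format-List Name, RecipientWriteScope, CustomRecipientWriteScope, Enabled

        if ($a.CustomRecipientWriteScope) {
            $scope = Get-ManagementScope -Identity $a.CustomRecipientWriteScope

            if ($scope.RecipientFilter) {
                # Preview which recipients the scope's filter matches and test
                # whether the failing mailbox is among them.
                $inScope = Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter `
                               -ResultSize Unlimited |
                           Where-Object { $_.PrimarySmtpAddress -eq $TargetMailbox }

                if ($inScope) {
                    Write-Host "$TargetMailbox is inside scope '$($scope.Name)'."
                }
                else {
                    Write-Host "$TargetMailbox is OUTSIDE scope '$($scope.Name)'." `
                               "Widen the scope or add a second assignment for it."
                }
            }
            else {
                # OU-rooted scopes have no filter; compare the mailbox's OU manually.
                Write-Host "Scope '$($scope.Name)' is rooted at '$($scope.RecipientRoot)'."
            }
        }
    }
}

# 3. A service account hidden from address lists can interfere with the
#    initial connection (error 2). Unhide it if needed.
$mbx = Get-Mailbox -Identity $ServiceAccount
if ($mbx.HiddenFromAddressListsEnabled) {
    Write-Host "$ServiceAccount is hidden from address lists; unhiding."
    Set-Mailbox -Identity $ServiceAccount -HiddenFromAddressListsEnabled $false
}
```

Run it once with a mailbox the scan succeeds on and once with one that fails; a service account that is in scope for the first and out of scope for the second confirms error 3 rather than a missing role.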

4. "Authentication Failed: MFA Required"

This happens when a Service Account is subject to the same security policies as a human user.

  • The Cause: Conditional Access policies in Azure or Global MFA settings are challenging the Spirion agent for a text code or app approval. Since the agent is a service, it cannot respond, and the connection times out.
  • How to Fix: Exclude the Spirion Service Account from MFA requirements or use Certificate-based authentication instead of a client secret/password.

5. "Insufficient Permissions for Remediation"

The scan finishes successfully and finds data, but "Shred" or "Quarantine" actions fail.

  • The Cause: The account has Read-Only permissions. While this is enough to find the data, it is not enough to modify or delete it.
  • How to Fix: Upgrade the permissions. For Gmail, add the gmail.modify scope. For Exchange, ensure the account has Write access to the mailbox.

6. "Throttling / Rate Limit Exceeded" (429 Too Many Requests)

While technically a performance limit, it often looks like a permission failure.

  • The Cause: The server (M365/Google) is intentionally blocking the agent because it is making too many requests too quickly.
  • How to Fix: This isn't fixed by "adding more permissions." Instead, reduce the thread count in your Spirion Scan Policy so the agent makes fewer concurrent requests and stays under the server's limit.

Troubleshooting Tip: The "One-User Test"

If you are seeing widespread permission errors:

  1. Create a new Scan Policy.
  2. Target only one mailbox (one you have access to).
  3. Run the scan.
    • If it fails, the issue is with your Global Configuration (App Reg, Service Account, or Scopes).
    • If it succeeds, the issue is likely with specific mailbox permissions or Management Scopes in your environment.

Summary: Most permission errors are solved by Granting Admin Consent (Cloud) or verifying Application Impersonation (On-Prem). Always check if MFA or Conditional Access is blocking the service account's "silent" login.