Troubleshooting
Sign-in succeeds but I see no tenants
Your Microsoft account signed in to Supabase Auth but isn't mapped to an MSP. Contact your operator. They need to:
- Insert/update public.msp with a billing_email matching your sign-in email
- Optionally pre-insert your msp_user row, or let the auth callback create it on next sign-in
Tenant stuck in pending
Connect was not completed. From Customers, click Continue setup (or open Settings → Open connect) and save Graph app credentials.
Tenant stuck in consented (Import didn't fire)
Click Import now on the tenant onboarding page. If it errors with graph_credentials_unavailable, finish the Connect page first - each customer needs their own Graph app credentials in Vault.
"Requires Entra ID P2" on the Risk page
The customer doesn't have P2. Either upgrade their license or skip the Risk feature for this tenant. License detection refreshes on every Resync - if you know the SKU was added recently, click Resync first.
Drift report says "Baseline unavailable"
The tenant may still have a retired baseline_source (policytab or j0eyv) in the database. Policytab auto-migrates to imported on the next drift or deploy load when a snapshot exists. If migration cannot run (no snapshot yet), change the comparison baseline in tenant onboarding settings, or run:
npm run migrate:legacy-baselines -- --dry-run
If the source is already imported or msp_custom, ensure a reference snapshot or workspace baseline manifest exists.
Apply fails with graph_patch_failed
The Graph PATCH returned a 4xx. Common causes:
- Permission missing - the app reg consent didn't include Policy.ReadWrite.ConditionalAccess
- Customer admin revoked app access or the secret expired - flip to disconnected and reconnect on the Connect page
- Microsoft service degradation - check the Microsoft 365 status page and retry
The change_request row keeps the error message in error_message. After fixing root cause, re-run dry-run from the change detail page (status returns to draft after a failed apply; you can re-dry-run and re-apply).
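To tell the missing-permission cause apart from the others, inspect the access token issued to the customer's Graph app. The following is an added example, not the product's own code; it assumes an app-only (client credentials) token, where Entra lists granted application permissions in the roles claim, and the function names and sample token are constructed for illustration.

```javascript
// Added example, not the product's own code.
// Permission name taken from the troubleshooting entry above.
const REQUIRED_ROLE = "Policy.ReadWrite.ConditionalAccess";

// Decode the JWT payload for inspection only. The signature is NOT verified,
// so use this for diagnostics, never for an authorization decision.
function decodeClaims(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a three-part JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Report which of the listed causes the token itself can confirm.
function diagnoseToken(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeClaims(token);
  // Assumption: app-only token, so application permissions appear in "roles".
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  const findings = [];
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) {
    findings.push("token_expired_or_no_exp");
  }
  if (!roles.includes(REQUIRED_ROLE)) findings.push("missing_permission");
  return { tenantId: claims.tid ?? null, roles, findings };
}

// Constructed sample: builds an unsigned token carrying the given claims.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.sig`;
}

const NOW = 1700000000; // constructed clock value for a repeatable demo
const readOnlyToken = makeSampleToken({
  tid: "00000000-0000-0000-0000-000000000000", // placeholder tenant id
  exp: NOW + 3600,
  roles: ["Policy.Read.All"], // consent granted read access only
});
console.log(diagnoseToken(readOnlyToken, NOW).findings);
```

An empty findings list means the token carries the permission and is current, which points to the remaining causes (revoked access, expired secret at token request time, or service degradation).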
"Sync N expired to Entra" never goes to zero
The "Sync N expired to Entra" button on the tenant Exclusions page is how expired exclusions get cleaned up from Entra. It's an explicit operator action by design (no system-side dispatch). Click it after each exclusion.expired alert.
Notification channel says "sent" but I didn't receive anything
- Slack: check the channel's webhook in Slack's app config. Webhooks expire if the workspace deleted the integration.
- Teams: same - the connector URL becomes invalid when the channel is deleted.
- Email: check the provider's bounce/complaint logs (Resend, SendGrid).
- Webhook: check your receiver logs. We sent a 200 from our side; the receiver may be silently dropping.
notification_delivery.error will record the HTTP status if we got one.