401 Unauthorized: The credentials used to access the configured mailbox are invalid, or the credentials specified do not have access to the configured mailbox, or you may have overutilized resources.
This is a common suite of errors which may be referencing several endpoint issues. The most common instances are listed below, with suggested resolutions. Note that there may be variations which are not listed here, or are errors from your source or destination environments.
This error most commonly occurs in Office 365 or On-Prem Exchange migrations.
Troubleshooting 401 Unauthorized
401 Unauthorized is an authentication error and is generally the result of an incorrect username or password being entered in the endpoint. You can verify if the user name and password are correct by testing mailbox access using OWA. If your connector is set to use administrative access, make sure to log in to the mailbox using administrator credentials (because this is what MigrationWiz will do) to correctly test your access.
If you have verified that the credentials are correct, try re-entering the credentials into MigrationWiz, and resubmit the mailbox for migration. It may be possible that the credentials were specified incorrectly.
To troubleshoot and test access, follow the steps below.
- Identify which endpoint is failing authentication by reviewing the MigrationWiz project user line item error history.
- Log in to the environment using the endpoint admin information and password.
- When logging in, you should only be prompted for a username and password. Any other pop-up or input requirement (such as MFA, expired password, or account selection screen) will cause this type of error.
- If the login attempt succeeds on both endpoints but the migration continues to fail, attempt to login using the EWS URL: Example: https://webmail.sample .com/EWS/Exchange.asmx
Solving the error
- If the login attempt fails due to incorrect username or password, the specific admin credentials are incorrect. You may have outdated credentials, typos, or activated all-cap. Verify your credentials and try the troubleshooting steps above.
- If the login attempt fails on the EWS endpoint, your EWS endpoint is either disabled or inaccessible and you will need to troubleshoot this through your Exchange support.
Other causes may include:
If you are using OAuth 2.0
Verify that you have correctly followed the steps outlined in (https://help.bittitan.com/hc/en-us/articles/360034124813-MigrationWiz-Migration-Planning-Modern-Authentication-for-Office-365)
401 After Successful Pre-Stage or Full Migration
Sometimes the 401 error occurs days after a pre-stage or full migration. In this case, the security default policy in favor of 2-factor authentication is getting triggered, which causes the servers to fail authentication.
Logging into the destination Office 365 admin portal during migration set up triggers a pop-up prompting you to set up 2-factor authentication. You may skip to continue without 2-factor authentication, but this is only valid for 14 days. After that, the migration project still fails to verify the credentials, triggering the error.
To resolve this, disable the Enable Security Defaults option, following the steps below, to allow MigrationWiz servers to authenticate without triggering the 2-factor authentication set up.
To disable security defaults
- Log into Azure using the destination admin account and password by going to https://portal.azure.com
- Click on the Menu icon in the upper left corner
- Click on Azure Active Directory
- Click Properties
- Make sure "Access management for Azure resources" is set to No
- Click Manage Security Defaults and set Enable Security Defaults to no also.
- Save the settings and log off
- Run verify credentials for the user again.
If using MFA on the admin account
You may also receive this error if you have MFA enabled for the admin account you are using in the source endpoint. MSPComplete will not be able to discover the users if MFA is enabled for the admin account being used, and MigrationWiz will not be able to migrate the users.
If you are using an administrator login for migration, and have verified that the credentials are correct, but are still encountering the 401 Unauthorized issue, you may need to look into the administrator account's permission.
Follow the directions outline in the grant the administrator permission article. This should solve the issue.
DatabaseNotFoundException - 401 Unauthorized - Http POST request to 'autodiscover-s.outlook.com' failed
In this case, you are not able to log in to the destination. Expanding the error message in the browser shows:
Mail store object is not found after authentication occurs. MigrationWiz and the Console tool both generate the error.
- Attempt to login to Office 365 OWA portal as the mailbox.
- Verify user is in AAD Connect state (admin > users > active users > open user > Mail setting > "user mailbox has not been migrated" is present. If that is not the case, mailbox is not instantiated on provisioning, user can contact Microsoft or recreate the object.
- Mailbox is not instantiated (AAD Connect GUID not set to NULL)
- Mailbox is not fully provisioned or is corrupt in the tenant.
- For item 1 above, set the needed GUID in AAD Connect to NULL: https://help.bittitan.com/hc/en-us/articles/115008109087-How-can-I-set-msExchMailboxGUID-attribute-to-null-
- For item 2 above, delete and recreate mailbox object or user in Office 365.
401 Unauthorized - Http POST request to 'autodiscover-s.outlook.com' failed - Basic Auth Disabled
In this case, you are able to log in to OWA with your MigrationWiz credentials, but MigrationWiz is generating the error.
The issue is likely caused by Modern Authentication.
To check your permissions in EWS, execute the following remote PowerShell commands:
$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection
Verify that your Basic Authentication for EWS is enabled for the associated account, using the following commands in Powershell.
Get-User -Identity "email@example.com" | fl *auth*
Get-OrganizationConfig | fl *defaultauth* | fl Oauth*
Enabling BASIC Authentication in EWS via Powershell
New-AuthenticationPolicy -Name "Enable Basic Auth for EWS"
Set-AuthenticationPolicy -Identity "Enable Basic Auth for EWS" -AllowBasicAuthWebServices
Set-User -Identity "firstname.lastname@example.org" -AuthenticationPolicy "Enable Basic Auth for EWS" (replace Admin_or_user@domain.com with your own address, using this sample address will not succeed. ).
Set-OrganizationConfig -DefaultAuthenticationPolicy "Enable Basic Auth for EWS"
This is often the result of an outdated server. If you have validated that your credentials are working properly, and are on a platform such as Exchange 2010, Lotus Notes, or another older system, it may not have the resources necessary for the current migration.
To check resource utilization, first attempt to open your OWA URL from an external network from a system that is not joined to your domain. If OWA loads in a timely manner, check your server resources:
- Check server CPU usage
- Check memory usage
- Check disk I/O usage using performance monitor
- Check for overutilization of the network resources
- Lower the number of mailboxes you are migrating simultaneously and try again
None of these options resolved your error?
Please leave us a comment below with your environment and any supplementary information you may have so that we can add the scenario to this article.