Remediation Issues
Diagnose and resolve common problems when remediating controls or rolling back drift events.
Write Permission Denied
Problem
Remediation fails with: "Authorization_RequestDenied" or "Insufficient privileges to complete the operation"
Cause
TrueConfig's default read-only permissions do not allow write operations. Auto-remediation requires additional Graph API permissions to be granted.
Resolution
- Navigate to Settings → Tenants → [Tenant Name]
- Click "Enable Write Permissions"
- A Microsoft consent dialog will appear requesting additional permissions
- Sign in with a Global Administrator account
- Grant the requested write permissions
- Retry the remediation action
RoleManagement.ReadWrite.Directory, while updating a Conditional Access policy requires Policy.ReadWrite.ConditionalAccess. TrueConfig only requests the minimum permissions needed for the specific remediation.
Conditional Access Policy Conflicts
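The following is an added example, not part of TrueConfig's own code, showing how to tell a Graph permission failure apart from other errors and which write scope is missing. It assumes a remediation-kind-to-scope mapping (`REQUIRED_SCOPES`, constructed here; only the two scope names from this page are real Graph permission names) and decodes the access token's `scp`/`roles` claims without verifying the signature, which is enough for local diagnosis.

```python
"""Diagnose a Graph 403 and report the scopes a remediation still needs (added example)."""
import base64
import json

# Assumed mapping from remediation kinds (constructed labels) to the Graph
# permission each one writes with. The scope names are real Graph permissions.
REQUIRED_SCOPES = {
    "conditional_access_policy_update": {"Policy.ReadWrite.ConditionalAccess"},
    "directory_role_change": {"RoleManagement.ReadWrite.Directory"},
}

PERMISSION_ERROR_CODES = {"Authorization_RequestDenied"}


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.

    Diagnosis only: we want to see which scopes the token carries, not trust it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_scopes(claims: dict) -> set:
    """Delegated tokens carry 'scp' (space separated); app tokens carry 'roles'."""
    scopes = set(claims.get("scp", "").split())
    scopes.update(claims.get("roles", []))
    return scopes


def is_permission_error(graph_error_body: dict) -> bool:
    """True when a Graph error body is the 403 described on this page."""
    err = graph_error_body.get("error", {})
    return (err.get("code") in PERMISSION_ERROR_CODES
            or "Insufficient privileges" in err.get("message", ""))


def missing_scopes(remediation_kind: str, token: str) -> set:
    """Scopes the remediation needs that the token does not carry."""
    needed = REQUIRED_SCOPES[remediation_kind]
    return needed - granted_scopes(decode_jwt_claims(token))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the demo (never use such a token for real calls)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed sample: a read-only delegated token, like the default consent yields.
READ_ONLY_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "scp": "Directory.Read.All Policy.Read.All",
})

# Constructed sample of the 403 body Graph returns when a write is attempted.
SAMPLE_403 = {"error": {"code": "Authorization_RequestDenied",
                        "message": "Insufficient privileges to complete the operation."}}


def diagnose(remediation_kind: str, token: str, error_body: dict) -> str:
    """One-line verdict for the operator, following the page's resolution steps."""
    if not is_permission_error(error_body):
        return "not a permission error; check the audit log for the underlying cause"
    missing = missing_scopes(remediation_kind, token)
    if not missing:
        return "token already carries the scopes; re-check the error details in the audit log"
    return "enable write permissions and grant: " + ", ".join(sorted(missing))


if __name__ == "__main__":
    print(diagnose("conditional_access_policy_update", READ_ONLY_TOKEN, SAMPLE_403))
```

The verdict for the constructed read-only token is to grant `Policy.ReadWrite.ConditionalAccess`; a token that already has the scope but still fails points at a different cause (for example consent not yet granted in that tenant), which is why the check distinguishes the two.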
Problem
Remediation fails with: "Policy conflict detected" or changes don't take effect as expected.
Cause
Multiple Conditional Access policies may have conflicting settings. When TrueConfig attempts to modify one policy, another policy may override or conflict with the change.
Resolution
Step 1: Identify Conflicting Policies
In Microsoft Entra admin center, navigate to Protection → Conditional Access → Policies. Look for policies that target the same users/groups and have overlapping conditions.
Step 2: Review Policy Precedence
When several Conditional Access policies apply to the same sign-in, all of them are enforced and the most restrictive outcome wins: a more restrictive policy effectively overrides a less restrictive one. Use the "What If" tool to simulate the combined effect.
Step 3: Consolidate or Exclude
Either consolidate conflicting policies into a single policy, or add appropriate exclusions to prevent overlap. Then retry the remediation.
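As an added example (not TrueConfig's own code), the following script performs Step 1 and Step 2 offline: it takes policies in the shape of Graph's `conditionalAccessPolicy` resource, finds enabled pairs whose applications and user/group targets overlap after exclusions, and reports the combined outcome, with a block in either policy winning. The policies, ids and group names are constructed; the state and control values (`enabled`, `enabledForReportingButNotEnforced`, `mfa`, `block`, `compliantDevice`) are real Graph values.

```python
"""Find enabled Conditional Access policies whose targets overlap (added example)."""
from itertools import combinations

ALL = "All"  # Graph uses the literal "All" in includeUsers / includeApplications


def _included(policy):
    users = policy["conditions"]["users"]
    return set(users.get("includeUsers", [])) | set(users.get("includeGroups", []))


def _excluded(policy):
    users = policy["conditions"]["users"]
    return set(users.get("excludeUsers", [])) | set(users.get("excludeGroups", []))


def _apps(policy):
    return set(policy["conditions"]["applications"].get("includeApplications", []))


def apps_overlap(p, q):
    a, b = _apps(p), _apps(q)
    if ALL in a or ALL in b:
        return bool(a) and bool(b)
    return bool(a & b)


def shared_targets(p, q):
    """Users/groups targeted by both policies, after each policy's exclusions."""
    tp, tq = _included(p), _included(q)
    if ALL in tp and ALL in tq:
        return {ALL}
    if ALL in tp:
        return tq - _excluded(p)
    if ALL in tq:
        return tp - _excluded(q)
    return (tp & tq) - _excluded(p) - _excluded(q)


def effective_controls(policies):
    """Combined outcome when several policies apply: a block in any of them wins,
    otherwise the grant controls of every policy are required."""
    controls = set()
    for p in policies:
        controls |= set(p.get("grantControls", {}).get("builtInControls", []))
    return {"block"} if "block" in controls else controls


def find_conflicts(policies):
    """Pairs of enabled policies that target overlapping users on overlapping apps."""
    conflicts = []
    enabled = [p for p in policies if p["state"] == "enabled"]
    for p, q in combinations(enabled, 2):
        if not apps_overlap(p, q):
            continue
        shared = shared_targets(p, q)
        if shared:
            conflicts.append({"policies": (p["id"], q["id"]), "shared": shared,
                              "effective": effective_controls([p, q])})
    return conflicts


def _policy(pid, name, state, include_users=(), include_groups=(),
            exclude_users=(), apps=(ALL,), controls=()):
    """Build a constructed policy in the Graph conditionalAccessPolicy shape."""
    return {"id": pid, "displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": list(include_users),
                                     "includeGroups": list(include_groups),
                                     "excludeUsers": list(exclude_users),
                                     "excludeGroups": []},
                           "applications": {"includeApplications": list(apps)}},
            "grantControls": {"operator": "AND", "builtInControls": list(controls)}}


# Constructed sample tenant: ids, names and groups are made up.
POLICIES = [
    _policy("p1", "Require MFA for all users", "enabled",
            include_users=[ALL], exclude_users=["u-breakglass"], controls=["mfa"]),
    _policy("p2", "Block Finance from legacy app", "enabled",
            include_groups=["g-finance"], apps=["app-legacy"], controls=["block"]),
    _policy("p3", "Report-only pilot", "enabledForReportingButNotEnforced",
            include_users=[ALL], controls=["compliantDevice"]),
    _policy("p4", "Compliant device for Sales", "enabled",
            include_groups=["g-sales"], apps=["app-crm"], controls=["compliantDevice"]),
]

if __name__ == "__main__":
    for c in find_conflicts(POLICIES):
        print(c["policies"], "shared:", sorted(c["shared"]), "effective:", sorted(c["effective"]))
```

Running it on the constructed tenant reports p1/p2 (effective outcome `block`, so modifying p1's MFA requirement for Finance users on the legacy app would not take effect) and p1/p4 (both `mfa` and `compliantDevice` required); the report-only p3 is ignored because it is not enforced.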
Rollback Failures
Problem
Attempting to roll back a drift event fails with an error, or the rollback completes but the configuration doesn't match the expected state.
Common Causes
Referenced Object Deleted
The user, group, or policy referenced in the rollback no longer exists in Microsoft Entra ID.
State Already Changed
Another administrator already fixed the issue manually, so the rollback target state no longer applies.
Dependency Missing
The rollback requires a dependent resource (like a named location or authentication context) that no longer exists.
API Rate Limiting
Microsoft Graph API throttled the request. Wait a few minutes and retry the rollback.
Resolution
- Check the drift event details to understand the original state
- Verify the referenced objects still exist in Microsoft Entra ID
- If objects were deleted, recreate them before attempting rollback
- Run a new scan to refresh TrueConfig's state snapshot
- If the issue was already fixed, dismiss the drift event
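The pre-flight below is an added example, not TrueConfig's own rollback logic. It checks the three object-state causes listed above (referenced object deleted, state already changed, dependency missing) against a constructed in-memory stand-in for Entra ID before anything is written, and wraps the write in a retry that honours a Retry-After value so throttling is waited out rather than retried in a tight loop. The drift event, object ids and the `Throttled` exception standing in for a Graph 429 are all constructed.

```python
"""Pre-flight checks and throttling-aware retry for a drift rollback (added example)."""
import time


def build_directory(policy_exists=True, policy_state="disabled", location_exists=True):
    """Constructed stand-in for the Entra ID objects a rollback would look up."""
    directory = {"users": {"u-alice": {"accountEnabled": True}},
                 "namedLocations": {}, "policies": {}}
    if location_exists:
        directory["namedLocations"]["loc-hq"] = {"displayName": "HQ"}
    if policy_exists:
        directory["policies"]["ca-001"] = {"state": policy_state, "namedLocation": "loc-hq"}
    return directory


# Constructed drift event: ca-001 was disabled; rolling back re-enables it,
# which only works while the named location it references still exists.
DRIFT_EVENT = {
    "id": "drift-42",
    "target": ("policies", "ca-001"),
    "original_state": {"state": "enabled", "namedLocation": "loc-hq"},
    "dependencies": [("namedLocations", "loc-hq")],
}


def lookup(directory, kind, obj_id):
    return directory.get(kind, {}).get(obj_id)


def preflight(event, directory):
    """Return the blockers from the 'Common Causes' list above, empty if none."""
    kind, obj_id = event["target"]
    live = lookup(directory, kind, obj_id)
    if live is None:
        # Nothing to roll back onto; the object must be recreated first.
        return [f"ReferencedObjectDeleted: {kind}/{obj_id}"]
    problems = []
    if live == event["original_state"]:
        problems.append("StateAlreadyChanged: live object already matches the original state")
    for dep_kind, dep_id in event["dependencies"]:
        if lookup(directory, dep_kind, dep_id) is None:
            problems.append(f"DependencyMissing: {dep_kind}/{dep_id}")
    return problems


class Throttled(Exception):
    """Stands in for a Microsoft Graph 429 response carrying a Retry-After header."""

    def __init__(self, retry_after_seconds):
        super().__init__(f"throttled, retry after {retry_after_seconds}s")
        self.retry_after = retry_after_seconds


def call_with_retry(fn, max_attempts=3, sleep=time.sleep):
    """Run fn(), waiting out Retry-After on throttling instead of hammering the API."""
    for attempt in range(1, max_attempts + 1):
        try:
            return fn()
        except Throttled as exc:
            if attempt == max_attempts:
                raise
            sleep(exc.retry_after)


def rollback(event, directory, sleep=time.sleep):
    """Apply the original state if pre-flight passes; returns the list of problems."""
    problems = preflight(event, directory)
    if problems:
        return problems
    kind, obj_id = event["target"]

    def apply():
        directory[kind][obj_id] = dict(event["original_state"])
        return []

    return call_with_retry(apply, sleep=sleep)


if __name__ == "__main__":
    print("ok:", rollback(DRIFT_EVENT, build_directory(), sleep=lambda s: None))
    print("deleted:", preflight(DRIFT_EVENT, build_directory(policy_exists=False)))
    print("no dependency:", preflight(DRIFT_EVENT, build_directory(location_exists=False)))
```

A "StateAlreadyChanged" result corresponds to the last resolution step: dismiss the drift event rather than re-applying it. Note that the pre-flight reads from a snapshot; running a fresh scan first, as the resolution steps say, is what keeps that snapshot honest.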
Safety Gate Blocks
Problem
Auto-remediation is blocked with a message like: "Safety gate prevented remediation" or "Action requires manual approval"
What Are Safety Gates?
Safety gates are protective checks that prevent potentially dangerous auto-remediation actions. They ensure high-impact changes require human review before execution.
Common Safety Gates
Break-Glass Account Protection
Prevents removal of the last Global Administrator to avoid lockout scenarios.
Policy Deletion Prevention
Blocks automatic deletion of Conditional Access policies; only modification is allowed.
Bulk Change Threshold
Requires approval when a single remediation affects more than 5 users or groups.
Critical Control Override
Critical controls (PA-01 through PA-03) always require manual approval before remediation.
Resolution
- Review the safety gate reason in the remediation details
- Navigate to Remediation → Pending Approvals
- Review the proposed change and affected resources
- Click "Approve" to proceed or "Reject" to cancel
- Optionally, add a justification note for audit purposes
Justification Requirement Errors
Problem
Remediation fails with: "Justification required" or "Please provide a reason for this action"
Cause
Your organization has configured TrueConfig to require written justification for certain remediation actions. This is typically enabled for audit and compliance purposes.
Resolution
- Click on the remediation action you want to perform
- In the confirmation dialog, locate the "Justification" field
- Enter a clear, descriptive reason for the change (minimum 10 characters)
- Click "Submit" to proceed with the remediation
Good Justification Examples
- "Removing temporary admin access granted for migration project (PROJ-1234)"
- "Enforcing MFA per security policy update approved by CISO on 2024-01-15"
- "Rolling back accidental change made during maintenance window"
- "Compliance remediation per audit finding #42"
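The evaluator below is an added example (not TrueConfig's own code) covering both the "Safety Gate Blocks" section and the justification rule above: it applies the four gates as the page defines them (last Global Administrator removal, policy deletion, more than 5 affected users or groups, critical controls PA-01 through PA-03) and routes gated actions to pending approval, then enforces the 10-character justification minimum for actions that pass. The action and tenant dictionaries, their field names, and the control id `EX-01` are constructed.

```python
"""Safety gates and justification check for auto-remediation (added example)."""

BULK_THRESHOLD = 5                      # page: approval above 5 users or groups
CRITICAL_CONTROLS = {"PA-01", "PA-02", "PA-03"}
MIN_JUSTIFICATION = 10                  # page: minimum 10 characters
GLOBAL_ADMIN_ROLE = "Global Administrator"

# Gate names exactly as the page lists them, so messages match the UI wording.
GATE_BREAK_GLASS = "Break-Glass Account Protection"
GATE_POLICY_DELETE = "Policy Deletion Prevention"
GATE_BULK = "Bulk Change Threshold"
GATE_CRITICAL = "Critical Control Override"


def evaluate_gates(action, tenant):
    """Return the gates that stop this action from running automatically.

    action (constructed shape): {"type", "role", "affected", "control"}
    tenant (constructed shape): {"global_admins": [user ids]}
    """
    gates = []
    if (action["type"] == "remove_role_assignment"
            and action.get("role") == GLOBAL_ADMIN_ROLE):
        remaining = set(tenant["global_admins"]) - set(action["affected"])
        if not remaining:  # would remove the last Global Administrator
            gates.append(GATE_BREAK_GLASS)
    if action["type"] == "delete_policy":  # only modification is allowed
        gates.append(GATE_POLICY_DELETE)
    if len(action["affected"]) > BULK_THRESHOLD:
        gates.append(GATE_BULK)
    if action.get("control") in CRITICAL_CONTROLS:
        gates.append(GATE_CRITICAL)
    return gates


def justification_ok(text):
    return len(text.strip()) >= MIN_JUSTIFICATION


def decide(action, tenant, justification="", require_justification=False):
    """Mirror the page's flow: gated -> pending approval; otherwise justification rule applies."""
    gates = evaluate_gates(action, tenant)
    if gates:
        return {"status": "pending_approval", "gates": gates}
    if require_justification and not justification_ok(justification):
        return {"status": "error", "message": "Justification required"}
    return {"status": "auto_remediate", "gates": []}


# Constructed tenant with a break-glass account plus one other Global Administrator.
TENANT = {"global_admins": ["u-breakglass", "u-alice"]}

if __name__ == "__main__":
    remove_alice = {"type": "remove_role_assignment", "role": GLOBAL_ADMIN_ROLE,
                    "affected": ["u-alice"], "control": "EX-01"}
    print(decide(remove_alice, TENANT, require_justification=True))
    print(decide(remove_alice, TENANT,
                 "Removing temporary admin access granted for migration project (PROJ-1234)",
                 require_justification=True))
    remove_all = dict(remove_alice, affected=["u-alice", "u-breakglass"])
    print(decide(remove_all, TENANT))
```

Gates are evaluated before the justification rule because an approver still needs the reason attached to the pending item; the justification examples above all clear the 10-character minimum, while a placeholder such as "fix" does not.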
General Troubleshooting Tips
Check Audit Logs
Navigate to Activity → Audit Log to see detailed error messages and stack traces for failed remediation attempts.
Run a Fresh Scan
Trigger a manual scan to ensure TrueConfig has the latest state. Stale data can cause remediation mismatches.
Verify Service Health
Check Microsoft Service Health for any ongoing Azure AD/Entra outages affecting Graph API.
Contact Support
If issues persist, contact TrueConfig support with the error details and tenant ID for investigation.