‘The remote server returned an error: (400) Bad Request.’ error when auditing SharePoint online and Azure AD

Azure AD and Office 365
Copy Article URL Copied


Netwrix Auditor for SharePoint Online or Netwrix Auditor for Azure AD throwing an error “The remote server returned an error: (400) Bad Request.”.


To collect events from Microsoft cloud services Netwrix Auditor is using O365 Management API . It accesses graph.windows.net and manage.office.com endpoints.
If Unified Auditing is disabled for O365 you will get the “Tenant <TenantGUID> does not exist” error when connecting to manage.office.com/api/v1.0/ endpoint.


Enable Unified Auditing for O365.
Before doing that you need to check if the error above is in SpaOnline.log located in ..\Working folder (C:\ProgramData\Netwrix Auditor by default)\Logs\SharePoint Online Auditing\SomeGUID\..
To solve the issue:

  • Open PowerShell on Netwrix Server.
    Make sure you’re running PowerShell version 4.
  • $UserCredential = Get-Credential
    enter credential of the tenant you specified in Netwrix as an Item
  • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
  • Invoke-Command -session $Session -scriptblock {Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True}
  • Wait for 24 hours and check the status of collections and reports.
  • In case of any further issue submit a case with Netwrix Technical Support

Tracing file error (exception) example:

2019-11-22 12:31:30.4311 (INFO) TID:31 SpaOnlineHost.exe Start POST request url: https://manage.office.com/api/v1.0/be473d84....

2019-11-22 12:31:30.6654 (ERROR) TID:30 SpaOnlineHost.exe Catch WebException: {
"error":{"code":" StartSubscription [TenantId=be473d84-e829-4178-8054-0a2bc888c2a0,ContentType=Audit.SharePoint,ApplicationId=66ebbd8b-734d-425b-81a4-927e42bdfc55,PublisherId=be473d84-e829-4178-8054-0a2bc888c2a0] failed. 
 Exception","message":"Microsoft.Office.Compliance.Audit.DataServiceException: Tenant be473d84-e829-4178-8054-0a2bc888c2a0 does not exist.\r\n   
 at Microsoft.Office.Compliance.Audit.API.AzureManager.GetSubscriptionTableClientForTenant(Guid tenantID, Boolean throwIfTenantNull)\r\n   
 at Microsoft.Office.Compliance.Audit.API.AzureManager.d__22.MoveNext()\r\n--- 
 End of stack trace from previous location where exception was thrown ---\r\n   
 at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n   
 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   
 at Microsoft.Office.Compliance.Audit.API.StartController.d__0.MoveNext()"}


Useful links

Go Up