Team: Huntress Managed Identity Threat Detection and Response (ITDR)
Product: Microsoft 365
Summary: This guide helps diagnose and resolve silent onboarding delays or stalled processing during Step 3, "Subscriptions In Progress," of the Microsoft 365 tenant integration process.
In this Article
Overview
Before you begin
What's happening at Step 3?
Steps
Reauthorize the Integration
Escalate to Huntress Support
Frequently Asked Questions
Overview
This article helps you diagnose and resolve a Microsoft 365 integration that stalls at Step 3, "Subscriptions In Progress" (Configuring audit logging and webhook subscriptions) during Huntress ITDR onboarding. Until this step completes, the tenant is not monitored, and Huntress ITDR cannot generate detections.
Do not use the Reauthorize option until you have completed all prerequisite checks below. Reauthorizing before fixing the root cause will lead to the same stall recurring.
Before you begin
Please confirm the following before continuing with troubleshooting.
Most Step 3 "Subscriptions In Progress" stalls are attributed to one of these items:
- The Microsoft 365 account used to authorize the integration currently holds the Global Administrator role, or a supported delegated role with audit log read permissions.
- The tenant has a Microsoft 365 license that supports unified audit logging: Business Premium, E3, E5, or an equivalent plan. Business Basic and some other tiers do not include this feature.
- Microsoft 365 audit logging is enabled in the Microsoft Purview compliance portal. It is not enabled by default on all license tiers.
- No conditional access policies, MFA step-up requirements, or device compliance policies block the Huntress application from completing Graph API calls for the tenant.
What's happening at Step 3, "Subscriptions In Progress", and why does it get stalled?
Step 3: "Subscriptions In Progress" registers Microsoft Graph change notification subscriptions and configures audit log webhooks for the tenant. This is what allows Huntress ITDR to receive real-time audit log data.
When this step fails, the Huntress portal does not display an error message. The integration card simply appears frozen or pending indefinitely. There is no automatic retry. The tenant remains unmonitored until the stall is resolved.
This behavior affects both new-tenant onboarding and the reauthorization of existing integrations equally.
Common Causes:
- The tenant's license does not include unified audit logging.
- Audit logging is not enabled on the tenant.
- The Global Administrator account used for initial consent was later converted to a service account, had its role reduced, or was disabled prematurely.
- Conditional access or MFA policies were changed after the initial authorization, blocking the Huntress application from completing Graph API subscription registration.
--
--
Troubleshooting Steps
1. Check audit logging status in Microsoft Purview
- Sign in to the Microsoft Purview compliance portal as a Global Administrator.
- Navigate to Solutions → Audit in the left navigation.
- Confirm that audit logging is enabled for the tenant.
- If auditing isn't enabled in your organization, a banner prompts you to start recording user and admin activity.
- Allow up to 24 hours for the change to propagate before proceeding.
2. Verify the consented account's role and status
- Sign in to the Microsoft Entra admin center (formerly Azure AD).
- Navigate to Users and locate the account used to authorize the Huntress ITDR integration.
- Confirm the account is active and not disabled or unlicensed.
- Navigate to Roles and administrators and confirm the account still holds the Global Administrator role or the required delegated role with audit log read permissions.
- If the role was removed or reduced, restore it before continuing.
--
--
3. Review conditional access policies
- In the Microsoft Entra admin center, navigate to Entra ID > Conditional Access > Policies.
- Review any active policies that apply to the consented admin account or to all users.
- Look for policies that enforce MFA step-up, device compliance, or app-based restrictions that could block the Huntress application from completing Graph API calls.
- If a policy is blocking access, work with the tenant's Microsoft 365 administrator to create an exclusion for the Huntress application or the consented admin account.
--
--
4. Confirm the tenant's license supports unified audit logging
- In the Microsoft 365 admin center, navigate to Billing > Licenses.
- Confirm the tenant holds an active Business Premium, E3, E5, or equivalent license.
- If the tenant only has Business Basic or another tier that does not include unified audit logging, the integration cannot complete Step 3. Upgrade the license or contact the tenant's Microsoft account team before proceeding.
5. Reauthorize the Integration
Proceed with reauthorization only after completing all steps above. Reauthorization re-initiates the full onboarding flow, including Step 3. It does not delete existing detections or historical data for the tenant.
In the Huntress Dashboard, navigate to Integrations > Microsoft 365 > Edit Integration.
Locate the stalled tenant in the list.
Select "Reauthorize Microsoft" for that tenant.
Sign in with the Global Administrator account when prompted and complete the consent flow.
Monitor the integration status for up to one hour after reauthorization.
--
--
6. Verify it worked
After reauthorization, confirm that the integration completed successfully. It can take up to 24 hours to complete the setup process. However, most complete much sooner.
- In the Huntress Dashboard, navigate to Integrations > Microsoft 365 > Edit Integration.
- Locate the tenant you reauthorized.
- Confirm the integration status shows as Active or Connected, with no pending or incomplete indicators.
- Confirm that Step 3 no longer appears as "in progress" or "stuck".
If the status returns to active, the tenant is now monitored, and Huntress ITDR will begin receiving audit log data. Allow up to one hour for the first detections to appear if audit logging was recently enabled.
If the integration remains stuck at Step 3 after reauthorization, move to the escalation step below.
--
--
How to gather relevant information and escalate to Huntress Support
If the integration remains stuck after reauthorization and all Microsoft prerequisites are confirmed, gather the following before opening a ticket:
- The affected tenant name and domain
- The Microsoft 365 admin account used for consent
- The date the integration was configured or reauthorized
- Whether this is a new onboard or a previously working integration that stopped after a potential change
After the information is gathered, select the "Submit a request" button located below.
Frequently Asked Questions
Why is my ITDR Microsoft 365 integration stuck at Step 3 for days with no error message?
Step 3 registers audit log webhooks with Microsoft Graph. If it fails, the Huntress portal shows no error and does not retry automatically. The most common cause is that Microsoft 365 audit logging is disabled on the tenant. Check the Purview compliance portal to enable it, then reauthorize the integration in Huntress after confirming all prerequisites are met.
Will reauthorizing the ITDR integration fix a Step 3 stall?
Only if the underlying Microsoft issue is resolved first. Reauthorizing without enabling audit logging or fixing permission issues will cause the same stall to repeat. Always verify Microsoft prerequisites before using the Reauthorize option.
Is the Microsoft 365 tenant being monitored while the ITDR integration is stuck at Step 3?
No. Until onboarding completes successfully, Huntress ITDR does not receive audit log data for that tenant and cannot generate detections. Resolving the Step 3 stall promptly is important to avoid gaps in coverage.
Does every Microsoft 365 license support ITDR audit logging?
No. Unified audit logging requires Business Premium, E3, E5, or an equivalent license. Business Basic and some other tiers do not include this feature. Confirm the tenant has a supported license before troubleshooting further.
Can a previously working integration get stuck at Step 3 during reauthorization?
Yes. If conditional access policies, MFA requirements, or admin account roles change after the initial setup, a reauthorization attempt can stall at Step 3, just as it would during new onboarding. Review all prerequisites in the Before you begin section, even if the integration was working before.
How long should I wait after enabling audit logging before reauthorizing?
Allow up to 24 hours for audit logging to fully propagate across the tenant before attempting reauthorization. Reauthorizing too soon may result in another stall.