Troubleshooting
Common issues and resolution steps for The One Protect.
Authentication
"Not authorized" after Hub SSO login
Cause: Your Hub account does not have a role in the Protect organization, or the SSO exchange token has expired.
Resolution:
- Sign out of
app.theoneprotect.app - Sign in again via Hub
- If the error persists, an Owner or Admin must add your account in Protect Settings → Team
SSO redirect loop
Cause: Session cookie is stale or there is a domain mismatch.
Resolution: Clear cookies for *.theoneprotect.app and try again.
SaaS Security
SaaS app connection fails
Cause: Insufficient permissions in the target tenant, OAuth popup was blocked, or the app requires additional admin consent.
Resolution:
- Ensure the connecting account has admin-level access in the target SaaS tenant
- Allow popups from
app.theoneprotect.appin your browser - For M365, ensure the account is a Global Admin or has the required admin roles
- For Google Workspace, ensure the account is a Super Admin
- Retry the connection from SaaS Security → Connected Apps
SaaS security score not updating
Cause: The scan has not run since the last configuration change, or the OAuth token has expired.
Resolution:
- Check the Last Scan timestamp on the connected app — scans run every 24 hours
- Click Scan Now to trigger an immediate scan
- If the scan fails, check the connection status — a "Reconnect" button appears if the token has expired
Misconfiguration shows as "Not Remediated" after fixing
Cause: The fix was applied in the SaaS admin console but the next scan has not run yet.
Resolution:
- Click Scan Now on the connected app to trigger a rescan
- Allow 5–10 minutes for the scan to complete and findings to update
- If the finding persists, verify the fix was applied correctly in the SaaS admin console
Dark Web Monitoring
No results after adding a domain
Cause: The first scan has not completed, or the domain has no known breaches.
Resolution:
- Allow up to 30 minutes for the first scan to complete after adding a domain
- Click Scan Now to trigger an immediate check
- If no results appear, the domain may have no known exposures — this is a positive result
HIBP API rate limit errors
Cause: Too many monitored addresses are being scanned simultaneously, exceeding the API rate limit.
Resolution:
- Ensure
HIBP-API-KEYis set in Key Vault - Confirm you are using a paid HIBP API key (higher rate limit than free tier)
- Avoid running manual scans during the automated 12-hour scan window
Dark web alert for a very old breach
Cause: Historical breaches are reported on first scan. This does not mean a new exposure occurred.
Resolution:
- Review the breach date in the alert — if the breach is old and credentials have been changed since, the risk is lower
- Acknowledge the alert with a note indicating the breach predates current credentials
- If credentials have not been changed since the breach date, treat as actionable
Email Security
DMARC reports not being received
Cause: The domain's DMARC rua tag does not point to The One Protect, or the record was recently added.
Resolution:
- Verify your DMARC record:
dig TXT _dmarc.yourdomain.com - Ensure the
ruatag includesmailto:[email protected] - Reports arrive within 24–48 hours after receivers send their daily digest
- Some smaller receivers may not send aggregate reports
Email authentication score is low despite correct records
Cause: SPF/DKIM records are present but alignment is failing, or a sending service is not properly authenticated.
Resolution:
- Check the Aggregate Reports tab for senders failing SPF or DKIM
- Identify unauthorized senders and either add them to SPF or remove the sending service
- Verify DKIM alignment — the
d=domain in the DKIM signature must match the From header domain - Check for SPF lookup limit — if SPF has more than 10 DNS lookups, it fails
SPF record shows "Too many DNS lookups"
Cause: The SPF record includes too many include: mechanisms, exceeding the 10-lookup limit.
Resolution:
- Review the current SPF record for redundant or unused includes
- Remove sending services that are no longer in use
- Consider SPF flattening (replacing includes with IP addresses) for stable services
- Use the recommended SPF record from Email Security → DNS Records as a starting point
Credential Monitoring
Credential exposure alert but user says they changed their password
Cause: The breach may predate the password change but was only recently added to breach databases.
Resolution:
- Check the breach date vs. the user's last password change date
- If the password was changed after the breach date, acknowledge the alert as resolved
- If the user reuses passwords across services, recommend changing passwords on all related accounts
Auto-actions not triggering
Cause: The auto-action is disabled, the severity threshold is not met, or the RMM/PSA integration is not configured.
Resolution:
- Verify auto-actions are enabled in Settings → Auto-Actions
- Check the severity threshold — the alert severity must meet or exceed the configured threshold
- Ensure the RMM and/or PSA integration is connected and configured
- Check the auto-action execution log in Settings → Auto-Actions → History
Reports
Report generation fails
Cause: Insufficient data for the selected reporting period, or the client has no connected services.
Resolution:
- Ensure the client has at least one active service (SaaS monitoring, dark web monitoring, or email security)
- Verify the reporting period contains data — a client connected mid-month may not have a full month of data
- Try generating the report for a shorter period
Scheduled report not delivered
Cause: The recipient email address is invalid, or the schedule is paused.
Resolution:
- Check the schedule status in Reports → Schedules — ensure it is Active
- Verify recipient email addresses
- Check Reports → History to see if the report was generated but delivery failed
- Try generating and downloading the report manually