Troubleshooting

Common issues and resolution steps for The One Security.

Authentication

"Not authorized" after Hub SSO login

Cause: Your Hub account does not have a role in the Security organization, or the SSO exchange token has expired.

Resolution:

1. Sign out of app.theonesecurity.app
2. Sign in again via Hub
3. If the error persists, an Owner or Admin must add your account in Security Settings → Team

SSO redirect loop

Cause: Session cookie onesec_session is stale or domain mismatch.

Resolution: Clear cookies for *.theonesecurity.app and try again.

M365 Posture

M365 OAuth not connecting

Cause: Insufficient admin consent in the target tenant, or the OAuth popup was blocked.

Resolution:

1. Ensure the connecting account is a Global Admin or has Cloud App Security admin role in the target M365 tenant
2. Allow popups from app.theonesecurity.app in your browser
3. In the target tenant, navigate to Azure AD → Enterprise Applications and grant admin consent for the Security app
4. Retry the connection from SecOps → SaaS Posture → Connected Tenants

No events appearing after M365 connection

Cause: The posture scanner has not run yet, or the connected account lacks audit log access.

Resolution:

1. Check the Last Scan timestamp in the Connected Tenants tab — allow up to 15 minutes after connection for first results
2. Confirm the connected account has AuditLog.Read.All permission
3. Ensure M365 Unified Audit Logging is enabled in the Security & Compliance center of the target tenant

M365 connection shows "Error" status

Cause: OAuth token expired or permissions were revoked.

Resolution: Click the Test button for the connection. If it fails, disconnect and reconnect the tenant to re-authorize.

DMARC Reports

DMARC report not parsing after upload

Cause: File format is invalid, compressed file is corrupt, or the domain in the report is not in your monitored domains list.

Resolution:

1. Ensure the file is a valid DMARC RUA XML (uncompressed) or a .zip/.gz containing exactly one XML file
2. Add the domain to Email Security → Domains before uploading
3. Check that the XML contains valid <feedback> root element and <policy_published> with a <domain> element

Reports not being received automatically

Cause: Your DMARC record's rua tag does not point to [email protected].

Resolution:

1. Check your current DMARC record: dig TXT _dmarc.yourdomain.com
2. Add or update the rua tag: v=DMARC1; p=none; rua=mailto:[email protected]
3. Reports arrive within 24–48 hours after receivers send their daily digest

Security Awareness Training

SAT completion rate not updating

Cause: The training platform is not posting completion events back to The One Security.

Resolution:

1. Confirm the training content URL is accessible by the target users
2. If your LMS supports webhook callbacks on completion, configure it to call the Security webhook endpoint
3. Alternatively, manually update completion status via the API

Vulnerability Management

Vulnerability scans timing out

Cause: The scan target is unreachable, the Docker image pull is slow, or the ACI instance ran out of memory.

Resolution:

1. Verify the target URL is accessible from Azure (East US 2 region)
2. Check Network Scans — if status is stuck at Running for >30 min, the scan likely failed silently; click Run Scan again
3. For large target ranges, use Quick scan type for initial coverage, then schedule Full scans during off-hours

0 vulnerabilities returned after scan completes

Cause: The scan was scoped too narrowly, or the target required authentication that the scanner does not have.

Resolution:

1. Review the target range — ensure it covers the correct IP range or URL
2. For authenticated endpoints, configure scan credentials if the scanner supports them
3. Check Dependencies to confirm dependency inventory is working — dependency-based CVEs do not require network access

Dark Web Monitoring

HIBP API rate limit errors

Cause: The HIBP API enforces rate limiting per API key. Large numbers of monitored emails can exhaust the daily quota.

Resolution:

1. Ensure HIBP-API-KEY is set in Key Vault (theonesecurity-kv)
2. The paid HIBP API key has a higher rate limit than the free tier — confirm you are using a paid key
3. On-demand "Check HIBP" scans count against the same rate limit — avoid running bulk manual scans simultaneously with the automated 12h scan

Dark web findings not appearing for known breached emails

Cause: HIBP API key missing or expired, or the monitor was added but has not been scanned yet.

Resolution:

1. Click Check HIBP on the specific monitor to trigger an immediate scan
2. If the scan returns an error, check the HIBP-API-KEY in Key Vault
3. HIBP data is updated as HaveIBeenPwned ingests new breach data — some recent breaches may have a delay

Billing

Managed user count looks wrong

Cause: Users removed from monitoring are not immediately removed from the billing count.

Resolution: Managed user billing is calculated at the start of each billing cycle based on active monitors at that time. Removing a monitor before the cycle end reduces your count for the next cycle.

ℹ️For issues not covered here, contact support via The One Hub or file a ticket in your PSA. Include your tenant ID and the browser console error message when reporting bugs.