title: Troubleshooting cloud directory connections
category: Troubleshooting
tags: connector errors, oauth consent, expired secret, throttling, entra, google, aws
priority: High
Troubleshooting cloud directory connections
This guide covers the errors you are most likely to hit when connecting Certification Center to a cloud directory (Entra ID, Google Workspace, or AWS IAM) and syncing identities from it. Because Certification Center is a cloud service, these problems are almost always about authorization, credentials, or provider rate limits, not networking or firewalls. Work through the symptom that matches your error below.
Consent or authorization was not granted
Symptoms:
- Connecting a directory ends with "admin consent required," "access denied," or the provider's consent screen closes without returning to Certification Center.
- The connection saves but the first sync returns zero objects with an authorization error.
Cause: The account that authorized the connector is not an administrator of the source directory, or a required permission (scope) was not consented to. Cloud providers require an administrator to grant tenant-wide or organization-wide read access before Certification Center can enumerate identities.
Fix:
- Re-run the connect flow while signed in as a directory administrator (Global Administrator or Privileged Role Administrator for Entra ID; a Super Admin for Google Workspace; an account with the required IAM permissions for AWS).
- When the provider's consent screen appears, approve all requested permissions. Partial consent leaves the connector unable to read some object types.
- Confirm the exact permissions each connector needs in Least-privilege permissions for each connector, and grant only those. The goal is read access to the object types you certify, not a broader role than the connector actually uses.
- Save the connection again and run a test sync.
Important: By default, Certification Center requests read access only. Write-back (for example, revoking access as a certification action) is optional and is consented separately. If you have not enabled write-back, a read-only scope on the consent screen is expected and correct; do not grant write permissions to work around a consent error.
The app secret or credential has expired
Symptoms:
- A connection that worked for weeks suddenly fails with "invalid client secret," "unauthorized," or "credentials rejected."
- Syncs were healthy, then began failing on the same day for one connector.
Cause: The client secret, service-account key, or access key used to authorize the connector reached its expiry date, or was rotated or revoked in the source directory. This is the single most common cause of a connector that "stopped working on its own."
Fix:
| Connector | What expired | How to fix |
|---|---|---|
| Entra ID | Client secret on the app registration | Create a new client secret, then update the connection with the new value |
| Google Workspace | Service-account key | Generate a new key for the service account, then update the connection |
| AWS IAM | Access key for the integration user (rotated or deactivated), or the trust policy on the role the connector assumes (changed or removed) | Create and activate a new access key, or restore the role's trust policy, then update the connection |
- Generate a fresh credential in the source directory. Set a calendar reminder before the new expiry date.
- In Certification Center, open the affected connection and paste the new credential.
- Run a test sync to confirm the connection is healthy again.
Tip: Set the secret lifetime your security policy allows and record the expiry date when you create the credential; if you rotate early, update the connection in the same change. A connector that fails every three months is almost always a secret on a 90-day rotation that was replaced in the directory but not in Certification Center.
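The calendar reminder above is easy to forget. The following script, added here as an example and not part of Certification Center, reads the JSON that `az ad app credential list --id <app-id>` (Entra ID; field `endDateTime`) and `aws iam list-access-keys --user-name <user>` (AWS IAM; fields `Status` and `CreateDate`) print, and flags secrets that have expired or are about to, and access keys that are inactive or past a 90-day rotation policy. The records embedded below are constructed samples in the shape of that output; the 14-day warning window and 90-day key age are assumptions you should set to match your own policy.

```python
"""Flag connector credentials that have expired or are about to.

Added example, not Certification Center's code. Reads the JSON printed by
`az ad app credential list` (Entra ID) and `aws iam list-access-keys` (AWS);
the records below are constructed samples in that shape.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `az ad app credential list` output.
ENTRA_SECRETS_JSON = """[
  {"displayName": "certcenter-sync", "keyId": "00000000-0000-4000-8000-000000000001",
   "startDateTime": "2024-01-10T09:00:00+00:00", "endDateTime": "2024-04-09T09:00:00+00:00"},
  {"displayName": "certcenter-sync-2", "keyId": "00000000-0000-4000-8000-000000000002",
   "startDateTime": "2024-03-20T09:00:00+00:00", "endDateTime": "2024-06-18T09:00:00+00:00"}
]"""

# Constructed sample in the shape of `aws iam list-access-keys` output.
AWS_KEYS_JSON = """{"AccessKeyMetadata": [
  {"UserName": "certcenter-integration", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
   "Status": "Active", "CreateDate": "2024-01-02T12:00:00+00:00"},
  {"UserName": "certcenter-integration", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE",
   "Status": "Inactive", "CreateDate": "2023-10-01T12:00:00+00:00"}
]}"""


def parse_ts(value):
    """Parse an ISO-8601 timestamp; both CLIs emit a UTC offset or a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def entra_secret_status(secrets_json, now, warn_days=14):
    """Classify each app-registration secret as expired, expiring or ok.

    Each row carries days_left and replace_by, the date by which a new secret
    should already be pasted into the connection (warn_days before expiry).
    """
    report = []
    for secret in json.loads(secrets_json):
        end = parse_ts(secret["endDateTime"])
        remaining = end - now
        if remaining <= timedelta(0):
            state = "expired"
        elif remaining <= timedelta(days=warn_days):
            state = "expiring"
        else:
            state = "ok"
        report.append({
            "keyId": secret["keyId"],
            "state": state,
            "days_left": remaining.days,
            "replace_by": (end - timedelta(days=warn_days)).date().isoformat(),
        })
    return report


def aws_key_status(keys_json, now, max_age_days=90):
    """Access keys never expire by themselves, so flag keys that are inactive
    (the provider rejects them outright) or older than the rotation policy."""
    report = []
    for key in json.loads(keys_json)["AccessKeyMetadata"]:
        age = now - parse_ts(key["CreateDate"])
        if key["Status"] != "Active":
            state = "inactive"
        elif age > timedelta(days=max_age_days):
            state = "rotate"
        else:
            state = "ok"
        report.append({"AccessKeyId": key["AccessKeyId"], "state": state,
                       "age_days": age.days})
    return report


def needs_attention(report):
    """Rows a connector owner should act on before the next sync fails."""
    return [row for row in report if row["state"] != "ok"]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    rows = entra_secret_status(ENTRA_SECRETS_JSON, now) + aws_key_status(AWS_KEYS_JSON, now)
    for row in needs_attention(rows):
        print(row)
```

Run it from a scheduled job that pipes the real CLI output into the two JSON variables; anything in `needs_attention` is a connector that will start failing on the `replace_by` date unless the new credential is pasted into the connection first.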
The provider is throttling requests
Symptoms:
- Sync runs partially complete, then fail with "too many requests," "rate limit exceeded," HTTP 429, or a "retry later" message.
- Large directories fail more often than small ones; retries sometimes succeed.
Cause: Cloud directories enforce their own API rate limits. During a full sync of a large tenant, Certification Center can approach those limits, and the provider temporarily rejects further requests. This is a provider-side limit, not a fault in your workspace.
Fix:
- Wait and let the sync retry. Certification Center backs off and retries throttled requests automatically, so a run that hits a limit will often recover on its next attempt.
- Avoid running several full syncs across connectors at the same moment. Stagger them so they do not compete for the same provider's quota.
- If a specific connector throttles on every run, contact support so we can review the sync pacing for your workspace.
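To make the "back off and retry" behaviour concrete, here is an added example (not Certification Center's own retry code) of the correct way to handle HTTP 429 from a directory API: honour the provider's `Retry-After` header when it sends one, otherwise use capped exponential backoff with full jitter, and give up after a bounded number of attempts rather than hammering the quota. The `ThrottledApi` class is a constructed stand-in that rejects its first few calls, so the block runs offline; the delay parameters are illustrative.

```python
"""Retry a throttled directory call honouring Retry-After and jittered backoff.

Added example, not Certification Center's code. ThrottledApi is a constructed
stand-in for a provider API that returns 429 for its first `reject` calls.
"""
import random
import time


class ThrottledApi:
    """Stand-in for a directory API under quota pressure."""

    def __init__(self, reject, retry_after=2):
        self.reject = reject            # how many calls to refuse first
        self.retry_after = retry_after  # seconds the provider asks us to wait
        self.calls = 0

    def list_users(self):
        """Return (status, headers, body) like an HTTP client would."""
        self.calls += 1
        if self.calls <= self.reject:
            return 429, {"Retry-After": str(self.retry_after)}, None
        return 200, {}, [{"id": "u1"}, {"id": "u2"}]


def retry_delay(attempt, headers, base=1.0, cap=60.0, rng=random.random):
    """Seconds to wait before the next attempt.

    The provider's Retry-After wins when present; otherwise exponential
    backoff with full jitter, capped so a long run of 429s stays bounded.
    """
    if "Retry-After" in headers:
        return float(headers["Retry-After"])
    return rng() * min(cap, base * 2 ** attempt)


def fetch_with_retry(api, max_attempts=5, sleep=lambda seconds: None):
    """Call api.list_users() until it succeeds or max_attempts is exhausted.

    Returns (users, attempts_used, total_seconds_waited). `sleep` is
    injectable so the behaviour can be exercised without real delays.
    """
    total_wait = 0.0
    for attempt in range(max_attempts):
        status, headers, body = api.list_users()
        if status == 200:
            return body, attempt + 1, total_wait
        if status != 429:
            raise RuntimeError(f"unexpected status {status}")
        delay = retry_delay(attempt, headers)
        total_wait += delay
        sleep(delay)
    raise RuntimeError(f"still throttled after {max_attempts} attempts")


if __name__ == "__main__":
    users, attempts, waited = fetch_with_retry(ThrottledApi(reject=2), sleep=time.sleep)
    print(f"got {len(users)} users after {attempts} attempts, waited {waited:.0f}s")
```

Two points this makes visible: a client that ignores `Retry-After` and retries immediately keeps spending the same quota the provider just told it to stop using, and a client with no attempt cap turns one throttled run into a permanent loop. Staggering full syncs across connectors, as recommended above, keeps you below the point where any of this is needed.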
The connection tests fine but no identities appear
Symptoms:
- The connection saves and authorizes successfully, but after a sync you see no users, or far fewer than expected.
Cause: The authorized account can sign in but lacks read permission on the directory objects, or the connector scope excludes the accounts you expected.
Fix:
- Confirm the authorizing account has directory-read permission, not just sign-in rights, per Least-privilege permissions for each connector.
- Check whether the missing accounts are a type the connector does not read by default (for example, guests, external identities, or disabled accounts).
- If identities are present in the directory but not surfacing, or are appearing twice, see Why is an identity missing or duplicated?
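Both this section and "Consent or authorization was not granted" come down to the same question: which permissions does the connector's token actually carry? For Entra ID, an access token lists granted application permissions in its `roles` claim and delegated permissions in the space-separated `scp` claim, so comparing those against the permissions the connector needs tells partial consent apart from a genuinely broken connection. The following is an added diagnostic example, not Certification Center's code. The `REQUIRED_READ` set is a placeholder, not the connector's documented list (that lives in Least-privilege permissions for each connector), and the tokens are constructed, unsigned samples. It decodes claims without verifying the signature, which is fine for reading a token you already hold but must never be used to make an authorization decision.

```python
"""Show which required directory-read permissions a token is missing.

Added example, not Certification Center's code. Decodes an Entra ID access
token's claims WITHOUT signature verification, for diagnosis only.
"""
import base64
import json


def b64url_decode(segment):
    """Base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token):
    """Return the JWT payload as a dict. No signature check: diagnostic only."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def granted_permissions(claims):
    """Application permissions are a list in `roles`; delegated permissions
    are one space-separated string in `scp`. Either or both may be present."""
    granted = set(claims.get("roles", []))
    granted.update(claims.get("scp", "").split())
    return granted


def missing_permissions(token, required):
    """Permissions in `required` that the token does not carry."""
    return set(required) - granted_permissions(token_claims(token))


def make_unsigned_token(claims):
    """Build a JWT-shaped string for the samples below; the signature is a dummy."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Placeholder requirement, not the connector's real list.
REQUIRED_READ = {"User.Read.All", "Group.Read.All"}

# Constructed samples: an app-only token after partial consent (groups were
# never approved), and a delegated token that carries everything required.
PARTIAL_APP_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})
FULL_DELEGATED_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "scp": "User.Read.All Group.Read.All"})


if __name__ == "__main__":
    for name, tok in [("partial", PARTIAL_APP_TOKEN), ("full", FULL_DELEGATED_TOKEN)]:
        gap = sorted(missing_permissions(tok, REQUIRED_READ))
        print(f"{name}: missing {gap if gap else 'nothing'}")
```

A token that authenticates but is missing a permission from the required set is exactly the "connection saves, sync returns zero objects" case: the fix is to re-run consent as a directory administrator and approve the full set, not to widen the role of the authorizing account.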
Still stuck?
Email support@certification-center.com and include:
- The connector type (Entra ID, Google Workspace, AWS IAM, or SCIM) and the connection name.
- The exact error text and roughly when it started.
- Whether anything changed recently (a rotated secret, a new admin, a permissions change).
- Whether a test sync succeeds, fails, or returns partial results.