Troubleshooting Users and Sign-in
This guide collects common symptoms users and administrators see around sign-in, account state, and the IAM pages, and points you to the place to verify and resolve each one.
Symptom: User cannot sign in even with a correct password
Likely cause: The user account is inactive, or the email address does not match an existing site user.
Where to verify: Admin Center > Site Settings > IAM > Users. Find the row by Email. Check the Active column.
Resolution: 1. Open the user record. 2. Set Active to on. 3. Save and ask the user to retry.
If the email does not appear, invite the user. See How to Manage Users.
Symptom: "Sign in with Microsoft" or "Sign in with Google" button is not on the login page
Likely cause: The provider is not enabled for the site, the provider's configuration is incomplete, or SSO providers are not enabled for this deployment.
Where to verify: Admin Center > Site Settings > IAM > SSO providers. If the menu entry itself is missing, contact vendor support to confirm deployment availability.
Resolution: - If the menu entry is visible, enable the provider and complete its configuration. See How to Set Up Microsoft SSO or How to Set Up Google SSO. - If the menu entry is missing, contact your vendor support to confirm whether SSO providers are enabled for the deployment.
Symptom: SSO sign-in fails with a provider-side error
Likely cause: Redirect URI mismatch between AlloyScan and the provider-side App registration; tenant restriction on the provider; or an expired client secret.
Where to verify: Admin Center > Site Settings > Logs > Security log for the failed sign-in event; the provider admin portal (Microsoft Entra ID or Google Cloud Console) for the registered application.
Resolution: 1. Confirm the redirect URI configured on the provider matches the one shown on SSO providers in AlloyScan. 2. Confirm the user's tenant or directory is allowed by the provider configuration. 3. If the client secret is expired, generate a new one on the provider side and paste it into AlloyScan.
Symptom: Account locked after repeated failed sign-ins
Likely cause: Lock-out behaviour on repeated failed attempts.
Where to verify: Admin Center > Site Settings > Logs > Security log for repeated failed-login events for the affected email.
Resolution: An Administrator reactivates the account via Admin Center > Site Settings > IAM > Users. Toggle Active off and on, or ask the user to use Forgot password? on the sign-in page.
Note: Details may vary by deployment.
Symptom: User is missing menus they expect to see
Likely cause: The user holds the User role rather than Administrator, or deployment-level configuration hides the menu entry for everyone on this deployment.
Where to verify: - Role: Admin Center > Site Settings > IAM > Users — confirm the user's Role column. - Deployment availability: compare with another site on the same instance, or contact vendor support.
Resolution: - For a missing capability that depends on role: change the user's role. See How to Manage Users. - For a missing menu entry that is hidden for everyone: this is a deployment-level setting and is not changed from the site Admin Center.
Note: A missing menu entry can be caused by deployment-level availability, not only by role.
Symptom: Direct URL to IAM > Users returns "Not Found"
Likely cause: The IAM Users page does not always resolve when navigated to directly by URL.
Where to verify: Sidebar navigation works reliably.
Resolution: Open the page from the left sidebar (Admin Center > Site Settings > IAM > Users) instead of typing or pasting the URL. If the URL navigation persists in failing, contact support.
Symptom: Session expires during long activity and forces re-sign-in
Likely cause: Sign-in session reached its expiration window.
Where to verify: Browser was redirected to the sign-in page after the expiration.
Resolution: Sign in again. Session timing is set at the instance level.
Note: Details may vary by deployment.
Symptom: Cannot invite a new user — + New user action does not save
Likely cause: The Max Users quota for the site is reached, or the email address is already taken on this site.
Where to verify: Admin Center > Site Settings > Limits and usage for the Max Users counter; Admin Center > Site Settings > IAM > Users for the existing email address.
Resolution: - If the quota is reached: ask the Global Administrator to raise the per-site cap, or deactivate users no longer in use to free a slot. - If the email already exists: edit the existing record instead of creating a new one.
Symptom: App registration banner reads "API client alert" on every page
Likely cause: An App registration has expired or is within 30 days of expiry.
Where to verify: Admin Center > Site Settings > IAM > App registrations. Look at the Expires column for Expired or In N days.
Resolution: Renew the App registration before its expiration date, or disable it if it is no longer used. See Authentication Reference for the App registration fields.