Skip to content

promote troubleshooting to standalone page #17

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
laishettikarthik-tech wants to merge 2 commits into
base: main
Choose a base branch
from
Open

promote troubleshooting to standalone page #17

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
17d01ac
docs: promote troubleshooting to standalone page
laishettikarthik-tech Jun 10, 2026
515d16d
docs: link troubleshooting page from README
laishettikarthik-tech Jun 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ the evidence without exposing tenant data:
- [Threat model](docs/threat-model.md)
- [Sentinel KQL validation snippet](docs/sentinel-kql.md)
- [Roadmap](ROADMAP.md)
- [Troubleshooting](docs/troubleshooting.md)

> [!WARNING]
> This tool is for authorized security testing and defensive canary deployments only. `Mail.ReadWrite` application permission grants tenant-wide mailbox write access by default. Production use requires formal approval and explicit scoping decisions.
Expand Down
88 changes: 88 additions & 0 deletions docs/troubleshooting.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
# Troubleshooting

This page collects common symptoms and fixes when running Anglerfish
against a Microsoft 365 demo tenant.

> **Tip:** UAL typically takes 60–90 minutes to show activity,
> and up to 12 hours for a brand-new subscription.

---

## Monitor shows nothing after demo-access

**Likely cause:** UAL ingestion latency.

| Situation | Typical delay |
|---|---|
| Existing subscription | 60–90 minutes |
| Brand-new subscription | Up to 12 hours |
| First poll after monitor starts | May return empty — normal |

**Fix:** Wait the expected time then re-run `monitor`.

---

## Auth succeeds but deploy returns 403

**Symptom:** `GraphApiError: 403 Forbidden`

**Likely cause:** Missing Graph admin consent.

**Fix:** Re-check permissions for your selected workflow, then
grant admin consent again in the Azure portal.

---

## Authentication errors

### `AuthenticationError: AADSTS7000215`

**Likely cause:** Invalid client secret.

**Fix:** Regenerate the secret in Azure and update
`ANGLERFISH_CLIENT_SECRET`.

---

### `AuthenticationError: No application credential configured`

**Likely cause:** Secret or certificate environment variables missing.

**Fix:** Set `ANGLERFISH_APP_CREDENTIAL_MODE` correctly.

---

## Mailbox not found

**Symptom:** `GraphApiError: 404 Not Found` on mailbox

**Likely cause:** Wrong UPN or mailbox not licensed.

**Fix:** Verify the user exists and has an Exchange Online license.

---

## Monitor fails to authenticate

**Symptom:** `monitor` fails to authenticate

**Likely cause:** `ActivityFeed.Read` permission not granted.

**Fix:** Add the Office 365 Management API permission and grant
admin consent in the Azure portal.

---

## verify returns an error for a send record

**Likely cause:** Expected behavior.

**Note:** `verify` only supports draft-mode Outlook records.

---

## Still stuck?

- Re-read [Demo Tenant Setup](demo-tenant-setup.md)
- Check all environment variables in `.env.example` are set
- Open an issue with the exact error message