Skip to main content
This page covers the most common issues you may encounter with RAIDEN and how to resolve them. If you work through the steps below and the problem persists, contact support@raidenhq.com.

Connection issues

These issues typically surface during setup or after a permission change in your Microsoft 365 tenant.

Audit logging is not enabled

If the connection test fails with an error related to audit logs, Microsoft 365 audit logging may be turned off for your tenant. Fix: Go to Microsoft PurviewAuditStart recording user and admin activity. Once enabled, return to RAIDEN and rerun the connection test.
Audit logging must be enabled before RAIDEN can ingest any events. This is a tenant-level setting in Microsoft Purview and is separate from RAIDEN configuration.
If the connection fails with a permissions or consent error, the account used to grant consent may not have the required role. Fix: The account completing the consent flow must be a Global Administrator in your Microsoft 365 tenant. Sign out of Microsoft, sign back in with a Global Administrator account, and repeat the consent steps in RAIDEN. RAIDEN requires consent to two separate Microsoft APIs. If you completed the first consent (Microsoft Graph) but the second consent screen (Office Management Activity API) was skipped or dismissed, the connection will be incomplete. Fix: Go to Settings → Connection and click Reconnect M365 to restart the consent flow from the beginning. Complete both consent screens.

Unverified publisher warning from Microsoft

During the consent flow, Microsoft may display an “Unverified publisher” warning on the consent screen.
This warning is expected and does not indicate a security risk. RAIDEN is in early access and Microsoft publisher verification is in progress. Click Accept to continue.

Detections not appearing

If RAIDEN is connected but you are not seeing alerts or cases, use the steps below to diagnose the issue.

Check the last poll time and event count

Go to Settings → Connection. This view shows the last time RAIDEN successfully polled your audit log and how many events were ingested.
  • If the last poll time is recent and the event count is non-zero, RAIDEN is working normally. Detections only appear when the audit log contains activity that matches a detection rule.
  • If no events have been ingested in the last 30 minutes, check the connection status on the same page.

First-time setup — allow time for the initial poll

After connecting, RAIDEN processes the last 24 hours of audit logs in its first poll. Findings typically appear within 5–10 minutes, depending on the volume of activity in your tenant.
If you connected recently and are not yet seeing detections, wait 10 minutes and then refresh the Cases and Alerts views before raising a support request.

Account & access issues

Invite email not received

If a team member did not receive their invite email, it has likely been filtered by their mail system. Fix: Ask the affected user to check their junk or spam folder. If the email is not there, contact your RAIDEN onboarding contact to have the invite resent. Invite links are valid for 7 days from the time they are generated. If a user tries to use an expired link, they will see an error. Fix: An Owner or Admin can generate a new invite link from Settings → Team. Locate the user in the Pending Invites list and regenerate the link.

Contacting support

If you cannot resolve an issue using this guide, email support@raidenhq.com. RAIDEN support responds within 1 business day for standard queries. When writing your support request, include:
  • Your organisation name or tenant slug (shown in Settings → Account)
  • The Case or Alert ID if your question is about a specific detection
  • A brief description of what you expected to see and what you saw instead
If you are dealing with an active compromise, include URGENT in the subject line of your email. Urgent requests are prioritised over standard queries.