Transaction Errors
Use this page to look up any Exchange sync failure by its error code and fix it. When an appointment sync to Exchange fails, the connector diagnoses the failure and records it on the transaction row visible on the Errors page. Every diagnosed failure carries a stable DSEX code, prefixed on the Transaction.Message in square brackets (for example [DSEX002] The client secret … is invalid …). A code never changes once issued, and only new ones get added, so it is a reliable lookup key.
For Azure AD app-registration and consent walkthroughs, see Troubleshooting. This page covers the runtime classifications.
Retried statuses are transient and self-heal on the next retry pass. Fix configuration statuses need a change to the Exchange connector or Azure app first; once you correct the setting, the retry job replays the affected appointments automatically on its next pass (within a 14-day window), so no manual replay is needed. Send Undiagnosed failures (DSUNK001) to support so a rule can be added.
Each section pairs 💡 (what it means) with 🛠️ (what to do).
Quick lookup
| Code | Goes to | Status | Retry |
|---|---|---|---|
DSEX001 | Expired client secret | InvalidBackOfficeSettings | fix config |
DSEX002 | Invalid client secret | InvalidBackOfficeSettings | fix config |
DSEX003 | Unknown client ID | InvalidBackOfficeSettings | fix config |
DSEX004 | Unknown or malformed tenant ID | InvalidBackOfficeSettings | fix config |
DSEX005 | Other rejected credentials | InvalidBackOfficeSettings | fix config |
DSEX006 | Incomplete credentials | InvalidBackOfficeSettings | fix config |
DSEX010 | Credentials rejected after the call | Skipped | fix config |
DSEX011 | Exchange integration disabled | Skipped | fix config |
DSEX012 | Invalid user in the directory | Skipped | fix config |
DSEX020 | No mapping entry | EmptyBackOffice | retried |
DSEX021 | Event already deleted | Skipped | n/a |
DSEX030 | Access denied by the Azure AD app | Failed | retried |
DSEX040 | Microsoft Graph transient | Failed | retried |
DSUNK001 | Unexpected exception | Failed | undiagnosed |
All five credential-rejection cases below surface as the same typed failure (InvalidExchangeCredentialsException) on InvalidBackOfficeSettings; only the underlying AADSTS code and the field to fix differ. Once you correct the offending value, the appointment recovers automatically on the next retry pass.
Expired client secret
⚙️
DSEX001fix configuration💡
The client secret of the Exchange App Registration has expired. Microsoft Entra ID returns
AADSTS7000222 and the connector records a rejected credential carrying the offending Client ID.🛠️
- Open the Azure portal and navigate to the Exchange app registration.
- Under Certificates & secrets, generate a new client secret. Copy the secret value immediately - it is only shown once.
- Update the secret on the Exchange configuration page under the Microsoft Entra ID section.
warning
Client secrets expire after 6, 12, or 24 months. Set a reminder to rotate them before they expire.
Invalid client secret
⚙️
DSEX002fix configuration💡
The client secret value is wrong - most often the secret ID was pasted instead of the secret Value. Microsoft Entra ID returns
AADSTS7000215 (invalid_client).🛠️
On the app registration's Certificates & secrets page, generate a fresh secret if you no longer have the value, then copy the Value column (not the Secret ID) into the Exchange configuration page.
Unknown client ID
⚙️
DSEX003fix configuration💡
The Client ID is not an application in the connected directory - commonly the Tenant ID or a secret was pasted into the Client ID field, or the app registration was deleted. Microsoft Entra ID returns
AADSTS700016.🛠️
Copy the Application (client) ID from the app registration's Overview page into the Client ID field on the Exchange configuration page.
Unknown or malformed tenant ID
⚙️
DSEX004fix configuration💡
The Tenant ID does not match a known directory, or is not a valid identifier at all (rejected before any call goes out). Microsoft Entra ID returns
AADSTS90002 / AADSTS900023, or the value fails validation locally.🛠️
Copy the Directory (tenant) ID from the app registration's Overview page into the Tenant ID field on the Exchange configuration page.
Other rejected credentials
⚙️
DSEX005fix configuration💡
Microsoft Entra ID rejected the app registration for a reason the connector does not classify into one of the cases above. Any authentication failure that is not a transient throttle is treated as a configuration problem rather than retried blindly.
🛠️
Re-check all three values - Client ID, Tenant ID, Client Secret - on the Exchange configuration page against the app registration's Overview and Certificates & secrets pages. If they are all correct, send the transaction message to support.
Incomplete credentials
⚙️
DSEX006fix configuration💡
One or more of the required values - Client ID, Client Secret, Tenant ID - is missing on the Exchange configuration. The connector refuses to call Graph without all three.
🛠️
Fill in every required field on the Exchange configuration page and save.
Credentials rejected after the call
⚙️
DSEX010fix configuration💡
Graph accepted the request shape but rejected the token at call time. Usually a permission issue rather than a missing value - distinct from the configuration failures above, which fire before any call goes out.
🛠️
In the Azure AD app, confirm that the application permissions (
Calendars.ReadWrite, MailboxSettings.ReadWrite, User.Read.All) are present and that Grant admin consent has been clicked.Exchange integration disabled for the assigned resources
⚙️
DSEX011fix configuration💡
None of the resources on the appointment have Exchange enabled, so there is no mailbox to write to. The message lists the affected resources (
Resource (No) pairs), or "No resources were assigned to this appointment" when the appointment has no assignments at all.🛠️
If the resource is meant to sync to Exchange, enable Exchange integration on the resource record. If not, the
Skipped status is correct and no action is needed.Invalid user in the directory
⚙️
DSEX012fix configuration💡
The resource's e-mail address does not match any user in the Microsoft Entra ID directory of the connected tenant. Graph returns no match for that UPN.
🛠️
Verify that the resource's e-mail address corresponds to a real, licensed mailbox user in the tenant. Typos and disabled accounts are the usual causes.
No mapping entry
🔁
DSEX020retried automatically💡
The connector tried to look up the Exchange event that previously corresponded to a Dime.Scheduler appointment and resource pair, and no mapping record was found. The originating Exchange event was already deleted, or the mapping table was reset without re-syncing.
🛠️
In most cases this self-heals on the next sync because the next event creation re-establishes the mapping. If the appointment keeps failing, force a full re-sync of that resource's calendar.
Event already deleted
🔁
DSEX021retried automatically💡
On a delete, the Exchange event the appointment pointed at no longer exists - it was already removed (in Exchange directly, or by an earlier sync). There is nothing left to delete.
🛠️
None. This is benign and recorded as
Skipped; the desired end state (no event) is already true.Access denied by the Azure AD app
⚙️
DSEX030fix configuration💡
The Azure AD app does not have sufficient permissions to write events to the target calendar. The connector records the underlying Graph message after the canned
"The Azure AD app does not have sufficient permissions to write events to the calendar." prefix.🛠️
- In the Azure portal, open the Exchange app registration and go to API permissions.
- Make sure
Calendars.ReadWriteis granted as an Application permission (not Delegated). - Click Grant admin consent for [Your Organization].
- Replay the failed transaction from the Errors page.
Microsoft Graph transient
🔁
DSEX040retried automatically💡
Graph or the transport layer returned a transient signal - HTTP 429, 503, 504, socket / DNS hiccups, or request timeouts. The message reads
Transient error from Microsoft Graph: <inner>. Will retry on the next sync attempt..🛠️
Nothing in the normal case. The transaction is left on
Failed so the retry job picks it up on the next pass. If the rate of transients spikes, check the Microsoft 365 service health dashboard and tenant-level Graph throttling.Unexpected exception
🚨
DSUNK001undiagnosed💡
The exception did not match any of the typed shapes above. The connector still records it as
Failed so the retry job can replay it, but it also writes a full stack trace to the operational log so the maintainers can add a typed rule.🛠️
Send the transaction ID and full error message to Dime.Scheduler support. If the same shape recurs, a new typed classification will be added in a subsequent release.