Knowledge Base
Azure Troubleshooting
Before starting any troubleshooting, log out from the Azure Portal (https://portal.azure.com) and go back to Cloudockit in private mode. Most of the issues are due to the fact that wrong credentials are used when trying to sign into Cloudockit.
What should you enter in the tenant name field?
- Have a look at this post, it will give you all the details on how to find which tenant to use
When I try to log into Cloudockit, I get the error AADTSTS900093: Does not have access to consent
- This means the Azure Active Directory Global Administrator has explicitly prevented users to use 3rd party applications
- You can confirm it by going the Azure Active Directory Blade (on portal.azure.com), and selecting User Settings. If “users can allow apps to access their data” is set to No, the Azure Active Directory Global Administrator has explicitly prevented users to use 3rd party applications
- You have the following options:- Change this setting to allow users to use third party applications
- Ask an Azure Active Directory Global Administrator to generate the documentation using Cloudockit
- Add Cloudockit as a trusted application. Follow the 3 steps below:
 
- Navigate to your Active Directory blade in the Azure Portal and select Enterprise Applications
- Click on New Application, select the category All and search for Cloudockit. Click on Cloudockit and then click Add
- Follow this procedure from Cloudockit – Admin Consent – Non AAD Global Admin Users
When I sign into Cloudockit, the list of subscriptions is empty and I see the following screen:

- If you do not see subscriptions in the drop-down list, you do not have access to any subscriptions. To ensure you have access to at least one subscription, you can connect to the Azure Portal. If you do not see any subscriptions, this means you do not have the required access
When I click on a generated document, I receive a “token is expired” message.
- For security reasons, the secured link you receive automatically expires after a certain period of time. You will need to regenerate the documentation. You can change the amount of time the secured link expires using the Drop Off Tab in the menu on the left
When I sign into Cloudockit, I receive an error message saying: “Calling principal cannot consent due to lack of permissions”.
- If you are not an Azure AD Global Admin, ensure you uncheck the Azure Active Directory Global Admin box. Restart the process with the box unchecked
When I sign into Cloudockit, I get the error message AADSTS90002: “Requested tenant identifier ‘00000000-0000-0000-0000-000000000000’ is not valid”. Tenant identifiers may not be an empty GUID.
- This is due to an issue with Azure Active Directory and specific Microsoft accounts
- Please use an account that is a member of the Azure Active Directory, not a Microsoft Account
I cannot see the Classic Azure Component (ASM, not ARM) (like Classic Virtual Machine) in the document that is generated but I can see them in the portal.
- For ARM component, Cloudockit supports the role like a reader or contributor but for Classic Deployment model, you need to be Administrator of the subscription (specified in the https://manage.windowsazure.com portal).
The document I received is empty. There may be multiple reasons why the document is empty. Please check the following elements:
- When you are logged into https://generate.cloudockit.com open a new tab and navigate to https://portal.azure.com. You should see some resources. If you only see the active directory and no other resources, the document will be empty
- Filters you have applied may be too restrictive. Please remove them
- If you used a custom template, please test with a built-in template to ensure the issue is not due to your template
I have specified a Storage Account to drop the document, but I cannot see the document even if the generation is successful.
- You need to ensure the account you are using has write permissions to the storage
The user that is licensed does not have appropriate permissions on the subscription that I need to document. I need to use another account. Cloudockit supports this scenario:
- First, sign into Cloudockit using the account that is licensed (even if this account has no privileges on the subscription to document)
- Once logged in, you will see a button on the top of the window that allows you to change users. Click on it and then enter the account you want to use
- Click on Log Out
- Go back to the Cloudockit home page and Sign In with this account
- You should now have a valid license
- Note: you have 5 minutes to do this procedure
- Note: It is illegal to use this procedure to give a license to someone else
The Virtual Machine diagrams are empty even if the Word Document contains the Virtual Machines:
- The Virtual Machine diagram is using Virtual Networks to display the Virtual Machines inside those Virtual Networks. If you use filters, ensure your filters include the Virtual Networks that contain the Virtual Machines otherwise the diagram will be empty
My subscription is in Azure Government, Azure China, or Azure Germany. How should I proceed with the authentication?
- When you need to authenticate one of these types of subscriptions, you need to use an Azure Active Directory Application for authentication
- Step 1: Log into Cloudockit, select Azure and you will be asked how you would like to authenticate
- Step 2: Select AAD Application and follow the instructions
When trying to log into Azure, you will get the following exception: “AADSTS50012: No client secret is provisioned in the store”
- This happens if you connect to Cloudockit using a GOV Azure Active Directory Tenant
- This is not supported so please use a Public Tenant or any other Authentication provider offered by Cloudockit. Once connected, you will be able to authenticate to Azure GOV using an AAD App
When trying to log into Azure, you receive the following exception: “Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50076”. Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access
- This is due to multi factor authentication. In order to solve this issue, you need to open a separate tab in the same browser, navigate to https://portal.azure.com and connect using your 2FA. Then, you can come back to the generate.cloudockit.com tab and refresh the page. Try to log into Azure. You should no longer see the error message
The section with Azure SQL Details is empty even if I provided the security credentials.
- This could be due to a firewall set on your Azure SQL. Please see the Cloudockit Outbound IP Addresses below and add them to your firewall rules
I Cannot connect to my Storage Account for Drop Off even if my credentials are good
- This could be due to a firewall set on your Azure SQL. Please see the Cloudockit Outbound IP Addresses below and add them to your firewall rules
Cloudockit Outbound IP Addresses
- The following IP Addresses are the Outbound IP Addresses used by Cloudockit
- 20.62.212.229,20.62.212.231,20.62.212.234,20.62.212.248,20.62.213.3,20.62.213.6,20.49.104.16,20.62.212.169,20.62.212.170,20.62.212.185,20.62.212.198,20.62.212.214,20.62.212.222,20.62.213.33,20.62.213.63,20.62.213.67,20.62.213.85,20.62.210.20,20.62.213.118,20.62.213.137,20.62.213.145,20.62.213.147,20.62.213.156,20.62.213.173,20.62.213.207,20.62.213.238,20.62.213.241,20.62.213.243,20.75.155.127,20.75.155.138,20.75.155.144
- 13.64.153.198,13.73.39.202,40.83.192.34,40.83.192.18,13.64.152.65,13.64.100.62,40.112.243.49,40.83.136.131,104.42.151.30,104.42.147.141,104.42.151.74,104.42.148.53,104.42.146.233,104.42.146.65,104.42.147.38,13.64.101.9,13.64.101.192,13.64.97.22,40.78.16.184,13.64.159.2,13.64.22.244,40.118.231.172,104.42.248.60,40.112.133.197,104.42.149.53,13.64.99.248,13.64.19.2,13.64.19.239,13.64.20.115,13.91.124.174,13.91.125.68
- 51.143.229.226,51.143.230.17,51.143.230.55,51.143.230.73,51.143.225.143,51.143.230.106,51.104.28.72,51.143.228.209,51.143.229.5,51.143.229.29,51.143.229.38,51.143.229.71,51.143.229.203,51.143.230.114,51.143.230.140,51.143.230.218,51.143.230.228,51.143.230.242,51.143.230.244,51.143.230.253,51.143.231.30,51.143.231.50,51.143.231.144,51.143.231.159,51.143.231.231,20.77.184.4,20.49.137.113,20.77.184.11,20.77.184.28,20.77.184.51,20.77.184.57
- These addressees could change. Ensure to monitor this page
- If you do not want to manage those IP Addresses, you can use Cloudockit Desktop or Cloudockit Container as you manage your own outbound addresses for those type of Hosting
Once logged into Cloudockit, if I select Azure and click on Use Another Account, it signed me out and left me on the Sign-Out page
- This could be due to specific configuration you have in your Authentication Flow (like 3rd Party SSO)
- If that is the case, when you are on the Sign-Out Page, please replace the URL by https://generate.cloudockit.com/LogIntoCDKWithAAD/SwitchToOtherUser
- This will redirect you to the AAD Authentication for the other user you want to use
I never received the document I have asked for. The wheel is spinning at Generate Documents.
- First, if you have large environments, it can take hours to generate your documents, therefore please be patient
- If after one day you did not receive your document, it could be because the generated document is too large, and Word cannot generate it (thousands of pages). If that is the case, we recommend using one of the following two options:- Option 1 – Navigate to the filter tab and select the option “Split Generated Document” to create multiple word files instead of a big one which would not have been readable
- Option 2 – Navigate to the filter tab and select the option “Filters” to explicitly exclude/include specific resource groups. This will make the document smaller