Review OneDrive, SharePoint, and Exchange Sync Failures Using Service Health and Sign-In Logs

When users report that Outlook, OneDrive, or SharePoint stopped syncing during off-hours — a weekend, holiday, or overnight window — the root cause is almost always one of three things: a Microsoft-side service incident, a tenant-wide authentication or Conditional Access change, or a per-user credential/token problem. Manually opening each user ticket wastes time when a single 10-minute sweep of Service Health plus Entra sign-in logs will tell you which bucket the incident falls into.

This recipe walks through the correlation workflow admins should run first thing Monday morning (or immediately after any reported sync outage). It pulls active and resolved service health issues for Exchange Online, SharePoint Online, and OneDrive for Business, then joins that data with sign-in failures scoped to the sync client apps (OneDrive, Outlook, SharePoint, Microsoft OneNote Sync, etc.) across the incident window.

Run this when: multiple users report sync issues at once, Help Desk ticket volume spikes after a weekend, or you receive a Microsoft message center advisory and want to confirm which of your users were impacted.

After completing this recipe you will have:

• A list of active and recently resolved Microsoft service health issues affecting Exchange Online, SharePoint Online, and OneDrive for Business during the incident window.
• A categorized report of sign-in failures (by user, app, error code, and timestamp) for sync-related clients during the same window.
• Clear identification of the failure pattern: Microsoft service incident, tenant-wide misconfiguration (Conditional Access, MFA), or individual user/credential issues.
• An action list — which users need password resets, session revocations, or MFA re-registration, versus which tickets can be closed with a "Microsoft-side incident, auto-resolved" note.
• Exportable CSV evidence for the incident ticket or post-incident review.

Warnings and gotchas

• ServiceHealth.Read.All is required to query /admin/serviceAnnouncement/issues. The older /serviceAnnouncement/issues path is deprecated — use the /admin/ prefix.
• Sign-in logs require Entra ID P1 or higher. Tenants on the free tier will not have /auditLogs/signIns data available.
• Graph filter syntax is strict. Combining status/errorCode ne 0 with createdDateTime ge ... and contains() in a single $filter often returns HTTP 400. Build queries incrementally — filter by date on the server, then filter by app name client-side.
• Do not bulk-revoke sessions across all impacted users as a knee-jerk response. If the cause is a Microsoft service incident, revocation adds no value and forces users to re-authenticate unnecessarily.
• Error code 53003 (Conditional Access blocked) over a weekend frequently points to a policy change that was deployed Friday afternoon. Check policy audit logs before assuming user error.
• PII and retention: sign-in log exports contain UPNs and IP addresses. Store CSVs in a compliance-appropriate location and purge per your data retention policy.