Solving synchronization failures

Authorization problems can cause synchronization failures.

API synchronization between Sophos Cloud Optix and cloud environments can fail for different reasons. You can solve many of these failures.

The tables below show what can cause these failures and how you can solve them for AWS, Microsoft Azure, and GCP cloud environments.

AWS synchronization failures

| Failure reason | Solution |
| --- | --- |
| The Sophos-Optix-Role has been deleted from your AWS account. In legacy environments this may be called Avid-Role. | Add the environment to Sophos Cloud Optix again. |
| The trust relationship for the Sophos-Optix-Role has changed in your AWS account. | Add the environment again. |
| The external ID for the Sophos-Optix-Role has changed in your AWS account. | Add the environment again. |
| Explicit deny statements have been added to a role. | You can remove the explicit deny statements from the role or remove the role and add the environment again. |
| AWS service control policies (SCP) may deny access to some regions or services. For more information, see Testing effects of AWS service control policies. | You can relax the SCP or change the allowed regions. For more details on changing the allowed regions, see Change API sync regions for AWS environments. |

Microsoft Azure synchronization failures

Microsoft refers to “client secrets” as “application secrets”, but some of the error messages we receive still use the term “client secret”.

| Failure reason | Solution |
| --- | --- |
| Sophos Cloud Optix has received error AADSTS7000222 from Microsoft. This means “the provided client secret keys are expired.” | Create a new application secret in Microsoft Azure, then use it for the Azure environment in Sophos Cloud Optix. See Create new Azure secret. |
| The application secret for the Sophos Cloud Optix Entra ID app has been deleted or changed. | Create a new application secret in Microsoft Azure, then use it for your Azure environment in Sophos Cloud Optix. See Create new Azure secret. |
| The Sophos Cloud Optix app has been deleted from your Entra ID tenant. | Add the environment to Sophos Cloud Optix again. |
| Your Azure subscription permissions have been revoked. | Add the environment again. |
| The access token is from the wrong issuer. Your subscription has been transferred to another tenant. | Add the environment again. |
| The subscription could not be found. | Verify that the subscription is valid. Add the environment again. |

GCP synchronization failures

| Failure reason | Solution |
| --- | --- |
| API disabled. | You must turn on the following APIs in your Google account for Sophos Cloud Optix: container.googleapis.com, cloudbuild.googleapis.com, cloudapis.googleapis.com, admin.googleapis.com, stackdriver.googleapis.com, sqladmin.googleapis.com, storage-api.googleapis.com, cloudbilling.googleapis.com, cloudresourcemanager.googleapis.com, compute.googleapis.com, cloudkms.googleapis.com, dns.googleapis.com, logging.googleapis.com, cloudfunctions.googleapis.com, monitoring.googleapis.com, storage-component.googleapis.com |
| Permissions revoked. | Add the environment to Sophos Cloud Optix again. |
| Sophos Cloud Optix service account deleted. | Add the environment again. |
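
To find out which APIs are behind an "API disabled" failure, the following added example (not part of the Sophos documentation) compares the APIs enabled in a GCP project with the list above. It assumes an authenticated gcloud CLI; the function names missing_apis and check_project are hypothetical.

```shell
#!/bin/sh
# APIs the page lists as required for Sophos Cloud Optix on GCP.
REQUIRED_APIS="container.googleapis.com
cloudbuild.googleapis.com
cloudapis.googleapis.com
admin.googleapis.com
stackdriver.googleapis.com
sqladmin.googleapis.com
storage-api.googleapis.com
cloudbilling.googleapis.com
cloudresourcemanager.googleapis.com
compute.googleapis.com
cloudkms.googleapis.com
dns.googleapis.com
logging.googleapis.com
cloudfunctions.googleapis.com
monitoring.googleapis.com
storage-component.googleapis.com"

# missing_apis (hypothetical name): reads enabled service names, one per
# line, on stdin and prints every required API that is not among them.
missing_apis() {
    enabled_list=$(cat)
    for api in $REQUIRED_APIS; do
        # -F fixed string, -x whole-line match, -q quiet
        printf '%s\n' "$enabled_list" | grep -Fqx "$api" || printf '%s\n' "$api"
    done
}

# check_project (hypothetical name): queries a live project.
# Returns 0 if all APIs are on, 1 if some are off, 2 if gcloud failed.
check_project() {
    project=$1
    enabled=$(gcloud services list --enabled --project "$project" \
        --format='value(config.name)') || return 2
    missing=$(printf '%s\n' "$enabled" | missing_apis)
    if [ -n "$missing" ]; then
        printf 'Disabled APIs in %s:\n%s\n' "$project" "$missing"
        return 1
    fi
    printf 'All required APIs are enabled in %s\n' "$project"
}

# Query a project only when its ID is passed as the first argument.
if [ -n "${1:-}" ]; then check_project "$1"; fi
```

Each API reported as disabled can be turned on with `gcloud services enable`, followed by the API name and the same `--project` value.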