Identity & MFA

MSP Toolkit
Practical troubleshooting paths for MSP technicians dealing with real-world support failures.

What This Category Covers

Identity tickets need sign-in evidence. Separate disabled account, password state, MFA method, Conditional Access, device compliance, risk, and token/session state before resetting credentials.

First Layer to Isolate

Exact sign-in attempt first: result, policy, method, risk, and device state.

Useful Tools, Logs, and Portals

  • Entra sign-in logs
  • Conditional Access report-only/result details
  • Authentication methods
  • Identity Protection risk
  • Audit logs

Before You Escalate

  • Timestamped sign-in checked
  • Method and CA result captured
  • Account/device state verified
  • Risk state reviewed

Articles in This Path

Pick the closest symptom and work from there.

Authenticator number matching works but sign-in still deniedAzure AD Connect sync errors after schema changeBreak glass account excluded from MFA cannot sign inBreak-glass account sign-in succeeds but portal access remains restrictedConditional Access policy report only mode differs from live resultEntra joined device shows compliant yet conditional access blocks sign-in from browserEntra sign-in logs show success but app still says unauthorizedGuest user redemption completes but collaboration apps still deny accessHybrid join succeeds but primary refresh token missingIdentity & MFA alerts indicate success while end-user experience never changesIdentity & MFA configuration survives testing but resets after restart or syncIdentity & MFA credential or certificate rotation breaks an existing integrationIdentity & MFA feature works in web app but fails in desktop clientIdentity & MFA healthy dashboard status masks a failing production workflowIdentity & MFA new deployment works for pilot group but not for production rolloutIdentity & MFA policy change applies in admin console but target users never receive itIdentity & MFA quarantine or protection action triggers but recovery workflow failsIdentity & MFA workflow succeeds for one account but fails for shared or delegated accessLegacy app password disabled and scanner workflow breaksLegacy authentication blocked report spikes after mailbox migration weekendMFA phone call option missing for one pilot group after policy changeMFA prompts delayed or never arrivingNew user signs in successfully but self-service password reset registration never completesPassword writeback succeeds but users cannot unlock accountsPasswordless sign-in works on mobile but desktop browser still prompts for passwordSign-in risk policy flags impossible travel after VPN rolloutTeams sign-in loop after MFA enrollmentTemporary Access Pass created but user cannot redeem it on first loginUser can enroll Microsoft Authenticator but number matching prompt never arrivesUser removed from MFA group but legacy sessions still prompt