Microsoft 365

MSP Toolkit
Practical troubleshooting paths for MSP technicians dealing with real-world support failures.

What This Category Covers

Microsoft 365 tickets are usually identity, license, mailbox, policy, client, or service-health problems. Start by comparing web access against the desktop/mobile client, then check sign-in logs and service health before touching profiles.

First Layer to Isolate

Account access first, then web-versus-client behavior, then policy/licensing/service health.

Useful Tools, Logs, and Portals

  • Microsoft 365 admin center service health
  • Entra sign-in logs and Conditional Access result
  • Exchange admin center and message trace
  • Office account state, Credential Manager, Work or School accounts

Before You Escalate

  • Affected user and app are identified
  • OWA/web app test completed where relevant
  • Sign-in logs checked for timestamped failure
  • License/policy group checked
  • Recent tenant changes reviewed

Articles in This Path

Pick the closest symptom and work from there.

Authenticator number matching works but sign-in still deniedAutodiscover points Outlook to retired Exchange endpointAzure AD Connect sync errors after schema changeBreak glass account excluded from MFA cannot sign inBreak-glass account sign-in succeeds but portal access remains restrictedConditional Access policy report only mode differs from live resultEntra joined device shows compliant yet conditional access blocks sign-in from browserEntra sign-in logs show success but app still says unauthorizedGuest user redemption completes but collaboration apps still deny accessHybrid join succeeds but primary refresh token missingIdentity & MFA alerts indicate success while end-user experience never changesIdentity & MFA configuration survives testing but resets after restart or syncIdentity & MFA credential or certificate rotation breaks an existing integrationIdentity & MFA feature works in web app but fails in desktop clientIdentity & MFA healthy dashboard status masks a failing production workflowIdentity & MFA new deployment works for pilot group but not for production rolloutIdentity & MFA policy change applies in admin console but target users never receive itIdentity & MFA quarantine or protection action triggers but recovery workflow failsIdentity & MFA workflow succeeds for one account but fails for shared or delegated accessLegacy app password disabled and scanner workflow breaksLegacy authentication blocked report spikes after mailbox migration weekendM365 group created but Teams team never appearsMFA phone call option missing for one pilot group after policy changeMFA prompts delayed or never arrivingNew user signs in successfully but self-service password reset registration never completesOneDrive & SharePoint alerts indicate success while end-user experience never changesOneDrive & SharePoint configuration survives testing but resets after restart or syncOneDrive & SharePoint connector health looks normal but data stops syncingOneDrive & SharePoint credential or certificate rotation breaks an existing integrationOneDrive & SharePoint feature works in web app but fails in desktop clientOneDrive & SharePoint healthy dashboard status masks a failing production workflowOneDrive & SharePoint logging shows delivery yet the target workflow never completesOneDrive & SharePoint new deployment works for pilot group but not for production rolloutOneDrive & SharePoint policy change applies in admin console but target users never receive itOneDrive & SharePoint quarantine or protection action triggers but recovery workflow failsOneDrive & SharePoint workflow succeeds for one account but fails for shared or delegated accessOneDrive admin reports sync healthy but files missing locallyOneDrive Files On-Demand icons missing after Windows feature updateOneDrive known folder move completes but desktop files stop syncingOneDrive known folder move stalls on Desktop onlyOneDrive photo uploads saturate branch office bandwidthOneDrive shortcut to shared folder duplicates content in File ExplorerOneDrive stops syncing after device name change in EntraOneDrive sync client reports healthy while one library never updatesOneDrive sync conflict storm in shared folderOutlook alerts indicate success while end-user experience never changesOutlook archive search misses messages older than one yearOutlook attachments open in Protected View foreverOutlook cached mode shows old unread count after mailbox cleanupOutlook calendar reminders pop on one workstation hours lateOutlook configuration survives testing but resets after restart or syncOutlook credential or certificate rotation breaks an existing integrationOutlook delegate can read calendar but cannot send update responsesOutlook desktop opens to blank white window after profile sign-inOutlook feature works in web app but fails in desktop clientOutlook healthy dashboard status masks a failing production workflowOutlook logging shows delivery yet the target workflow never completesOutlook meeting updates arrive but calendar does not reflect changesOutlook new deployment works for pilot group but not for production rolloutOutlook opens attachments slowly only from encrypted messages

Guest user redemption completes but collaboration apps still deny access

Submitted by Anonymous (not verified) on

Field Summary

Guest user redemption completes but collaboration apps still deny access is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. The fastest path is to identify which layer changed and prove it with logs or a repeatable test.

Sign-in risk policy flags impossible travel after VPN rollout

Submitted by Anonymous (not verified) on

Field Summary

Sign-in risk policy flags impossible travel after VPN rollout is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. Start with the exact sign-in attempt and policy result; password resets without log evidence often create a second problem.

Break-glass account sign-in succeeds but portal access remains restricted

Submitted by Anonymous (not verified) on

Field Summary

Break-glass account sign-in succeeds but portal access remains restricted is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. Start with the exact sign-in attempt and policy result; password resets without log evidence often create a second problem.

User can enroll Microsoft Authenticator but number matching prompt never arrives

Submitted by Anonymous (not verified) on

Field Summary

User can enroll Microsoft Authenticator but number matching prompt never arrives is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. The fastest path is to identify which layer changed and prove it with logs or a repeatable test.

Legacy authentication blocked report spikes after mailbox migration weekend

Submitted by Anonymous (not verified) on

Field Summary

Legacy authentication blocked report spikes after mailbox migration weekend is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. Start with the exact sign-in attempt and policy result; password resets without log evidence often create a second problem.

Entra joined device shows compliant yet conditional access blocks sign-in from browser

Submitted by Anonymous (not verified) on

Field Summary

Entra joined device shows compliant yet conditional access blocks sign-in from browser is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. Start with the exact sign-in attempt and policy result; password resets without log evidence often create a second problem.

Temporary Access Pass created but user cannot redeem it on first login

Submitted by Anonymous (not verified) on

Field Summary

Temporary Access Pass created but user cannot redeem it on first login is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. The fastest path is to identify which layer changed and prove it with logs or a repeatable test.

Passwordless sign-in works on mobile but desktop browser still prompts for password

Submitted by Anonymous (not verified) on

Field Summary

Passwordless sign-in works on mobile but desktop browser still prompts for password is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. Start with the exact sign-in attempt and policy result; password resets without log evidence often create a second problem.

MFA phone call option missing for one pilot group after policy change

Submitted by Anonymous (not verified) on

Field Summary

MFA phone call option missing for one pilot group after policy change is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. Start with the exact sign-in attempt and policy result; password resets without log evidence often create a second problem.

New user signs in successfully but self-service password reset registration never completes

Submitted by Anonymous (not verified) on

Field Summary

New user signs in successfully but self-service password reset registration never completes is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. Start with the exact sign-in attempt and policy result; password resets without log evidence often create a second problem.

Subscribe to Microsoft 365