What This Category Covers
Identity tickets need sign-in evidence. Separate disabled account, password state, MFA method, Conditional Access, device compliance, risk, and token/session state before resetting credentials.
First Layer to Isolate
Exact sign-in attempt first: result, policy, method, risk, and device state.
Useful Tools, Logs, and Portals
- Entra sign-in logs
- Conditional Access report-only/result details
- Authentication methods
- Identity Protection risk
- Audit logs
Before You Escalate
- Timestamped sign-in checked
- Method and CA result captured
- Account/device state verified
- Risk state reviewed
Articles in This Path
Pick the closest symptom and work from there.
Sign-in risk policy flags impossible travel after VPN rollout
Field Summary
Sign-in risk policy flags impossible travel after VPN rollout is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. Start with the exact sign-in attempt and policy result; password resets without log evidence often create a second problem.
Break-glass account sign-in succeeds but portal access remains restricted
Field Summary
Break-glass account sign-in succeeds but portal access remains restricted is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. Start with the exact sign-in attempt and policy result; password resets without log evidence often create a second problem.
User can enroll Microsoft Authenticator but number matching prompt never arrives
Field Summary
User can enroll Microsoft Authenticator but number matching prompt never arrives is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. The fastest path is to identify which layer changed and prove it with logs or a repeatable test.
Legacy authentication blocked report spikes after mailbox migration weekend
Field Summary
Legacy authentication blocked report spikes after mailbox migration weekend is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. Start with the exact sign-in attempt and policy result; password resets without log evidence often create a second problem.
Entra joined device shows compliant yet conditional access blocks sign-in from browser
Field Summary
Entra joined device shows compliant yet conditional access blocks sign-in from browser is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. Start with the exact sign-in attempt and policy result; password resets without log evidence often create a second problem.
Temporary Access Pass created but user cannot redeem it on first login
Field Summary
Temporary Access Pass created but user cannot redeem it on first login is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. The fastest path is to identify which layer changed and prove it with logs or a repeatable test.
Passwordless sign-in works on mobile but desktop browser still prompts for password
Field Summary
Passwordless sign-in works on mobile but desktop browser still prompts for password is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. Start with the exact sign-in attempt and policy result; password resets without log evidence often create a second problem.
MFA phone call option missing for one pilot group after policy change
Field Summary
MFA phone call option missing for one pilot group after policy change is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. Start with the exact sign-in attempt and policy result; password resets without log evidence often create a second problem.
New user signs in successfully but self-service password reset registration never completes
Field Summary
New user signs in successfully but self-service password reset registration never completes is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. Start with the exact sign-in attempt and policy result; password resets without log evidence often create a second problem.
User removed from MFA group but legacy sessions still prompt
Field Summary
User removed from MFA group but legacy sessions still prompt is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. Start with the exact sign-in attempt and policy result; password resets without log evidence often create a second problem.