User removed from MFA group but legacy sessions still prompt
Scenario
A user is removed from the group that drives the MFA prompt, but existing sessions or cached tokens still behave as if MFA is required.
Entra sign-in logs show success but app still says unauthorized
Scenario
The identity platform records a successful sign-in, but the target app immediately returns an authorization error.
Conditional Access policy report only mode differs from live result
Scenario
A new policy looked harmless in report-only mode, but enabling it caused more access failures than expected.
Legacy app password disabled and scanner workflow breaks
Scenario
An organization disables legacy app passwords, and a scanner or line-of-business device immediately loses sign-in capability.
Hybrid join succeeds but primary refresh token missing
Scenario
A Windows device appears joined correctly, but users do not get SSO because the primary refresh token is never issued.
Break glass account excluded from MFA cannot sign in
Scenario
An emergency admin account is deliberately excluded from MFA policies, yet login still fails during a real incident test.
Authenticator number matching works but sign-in still denied
Scenario
A user approves the correct number matching prompt, but the sign-in fails immediately afterward.
Password writeback succeeds but users cannot unlock accounts
Scenario
Users can reset passwords through self-service, but on-premises account unlock or sign-in does not behave as expected afterward.
Azure AD Connect sync errors after schema change
Scenario
Directory sync begins failing after changes to on-premises AD attributes or OU structure.
MFA prompts delayed or never arriving
Scenario
Users report delayed push approvals or no MFA prompts during normal sign-in attempts.