Identity & MFA

MSP Toolkit
Practical troubleshooting paths for MSP technicians dealing with real-world support failures.

What This Category Covers

Identity tickets need sign-in evidence. Separate disabled account, password state, MFA method, Conditional Access, device compliance, risk, and token/session state before resetting credentials.

First Layer to Isolate

Exact sign-in attempt first: result, policy, method, risk, and device state.

Useful Tools, Logs, and Portals

  • Entra sign-in logs
  • Conditional Access report-only/result details
  • Authentication methods
  • Identity Protection risk
  • Audit logs

Before You Escalate

  • Timestamped sign-in checked
  • Method and CA result captured
  • Account/device state verified
  • Risk state reviewed

Articles in This Path

Pick the closest symptom and work from there.

Authenticator number matching works but sign-in still deniedAzure AD Connect sync errors after schema changeBreak glass account excluded from MFA cannot sign inBreak-glass account sign-in succeeds but portal access remains restrictedConditional Access policy report only mode differs from live resultEntra joined device shows compliant yet conditional access blocks sign-in from browserEntra sign-in logs show success but app still says unauthorizedGuest user redemption completes but collaboration apps still deny accessHybrid join succeeds but primary refresh token missingIdentity & MFA alerts indicate success while end-user experience never changesIdentity & MFA configuration survives testing but resets after restart or syncIdentity & MFA credential or certificate rotation breaks an existing integrationIdentity & MFA feature works in web app but fails in desktop clientIdentity & MFA healthy dashboard status masks a failing production workflowIdentity & MFA new deployment works for pilot group but not for production rolloutIdentity & MFA policy change applies in admin console but target users never receive itIdentity & MFA quarantine or protection action triggers but recovery workflow failsIdentity & MFA workflow succeeds for one account but fails for shared or delegated accessLegacy app password disabled and scanner workflow breaksLegacy authentication blocked report spikes after mailbox migration weekendMFA phone call option missing for one pilot group after policy changeMFA prompts delayed or never arrivingNew user signs in successfully but self-service password reset registration never completesPassword writeback succeeds but users cannot unlock accountsPasswordless sign-in works on mobile but desktop browser still prompts for passwordSign-in risk policy flags impossible travel after VPN rolloutTeams sign-in loop after MFA enrollmentTemporary Access Pass created but user cannot redeem it on first loginUser can enroll Microsoft Authenticator but number matching prompt never arrivesUser removed from MFA group but legacy sessions still prompt

Entra sign-in logs show success but app still says unauthorized

Submitted by Anonymous (not verified) on

Field Summary

Entra sign-in logs show success but app still says unauthorized is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. Start with the exact sign-in attempt and policy result; password resets without log evidence often create a second problem.

Conditional Access policy report only mode differs from live result

Submitted by Anonymous (not verified) on

Field Summary

Conditional Access policy report only mode differs from live result is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. The fastest path is to identify which layer changed and prove it with logs or a repeatable test.

Legacy app password disabled and scanner workflow breaks

Submitted by Anonymous (not verified) on

Field Summary

Legacy app password disabled and scanner workflow breaks is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. Start with the exact sign-in attempt and policy result; password resets without log evidence often create a second problem.

Hybrid join succeeds but primary refresh token missing

Submitted by Anonymous (not verified) on

Field Summary

Hybrid join succeeds but primary refresh token missing is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. The fastest path is to identify which layer changed and prove it with logs or a repeatable test.

Break glass account excluded from MFA cannot sign in

Submitted by Anonymous (not verified) on

Field Summary

Break glass account excluded from MFA cannot sign in is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. Start with the exact sign-in attempt and policy result; password resets without log evidence often create a second problem.

Authenticator number matching works but sign-in still denied

Submitted by Anonymous (not verified) on

Field Summary

Authenticator number matching works but sign-in still denied is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. Start with the exact sign-in attempt and policy result; password resets without log evidence often create a second problem.

Password writeback succeeds but users cannot unlock accounts

Submitted by Anonymous (not verified) on

Field Summary

Password writeback succeeds but users cannot unlock accounts is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. Start with the exact sign-in attempt and policy result; password resets without log evidence often create a second problem.

Azure AD Connect sync errors after schema change

Submitted by Anonymous (not verified) on

Field Summary

Azure AD Connect sync errors after schema change is a Microsoft 365 ticket where the visible symptom can be misleading. When this Microsoft 365 workflow fails, separate account access, web-versus-desktop behavior, token state, licensing, Conditional Access, and service health before changing the client. The fastest path is to identify which layer changed and prove it with logs or a repeatable test.

MFA prompts delayed or never arriving

Submitted by Anonymous (not verified) on

Field Summary

Delayed or missing MFA prompts can be a user device issue, a method registration issue, Conditional Access behavior, push notification delivery, or an identity provider service problem. The fastest path is to check sign-in logs and prove whether the prompt was generated, delivered, denied, or never required.

Subscribe to Identity & MFA