Microsoft Entra ID: MFA, SSO, Conditional Access, and User Management Guide 2026
Why Microsoft Entra ID Trips People Up
I've helped hundreds of IT admins and small business owners set up Microsoft Entra ID , and I can tell you the number one issue isn't the technology itself. It's the naming confusion. Microsoft rebranded Azure Active Directory to Microsoft Entra ID in 2023, and even in 2026 I still get tickets from people searching for "Azure AD" who don't realize they're already looking at the same product. So if you're staring at the Microsoft Entra admin center going "wait, where did Azure AD go?", it's right there. They merged.
Microsoft Entra ID is the cloud-based identity and access management engine that sits underneath almost every Microsoft cloud service you already pay for. If your organization uses Microsoft 365, Azure, or Dynamics CRM Online, you have a Microsoft Entra tenant right now. It was created automatically when you signed up. The question isn't whether you have it, it's whether you're actually using it properly to protect your organization.
The issues I see most often fall into a few buckets. First, MFA (multi-factor authentication) not enforcing correctly, users can still sign in without a second factor because someone configured a Conditional Access policy but left a gap in scope. Second, SSO (single sign-on) working for some apps but mysteriously breaking for others, usually because the enterprise application registration is missing a claim or redirect URI. Third, Conditional Access policies conflicting with each other and producing error AADSTS53003 or AADSTS50076, which tell the user access is blocked but give zero useful guidance on why. And fourth, license assignment issues where users can't access premium features like ID Protection or ID Governance because the right license tier wasn't applied at the user level.
What makes Microsoft Entra ID genuinely hard for new admins is that error messages are written for Microsoft's internal teams, not for the person at 9pm trying to unblock a colleague. Error codes like AADSTS700082 (refresh token expired) or AADSTS50126 (invalid username or password) show up in browser redirects and leave users completely cold. I know this is frustrating, especially when it blocks your whole team from getting work done.
This guide walks through every major configuration area, MFA, SSO, Conditional Access, and user and group management, with exact steps, real-world context, and the specific things that go wrong at each stage. Browse all Microsoft fix guides →
The Quick Fix, Try This First
If users in your organization are being blocked from signing in and you're not sure where to start, the fastest diagnostic path in Microsoft Entra ID is the Sign-in logs. Here's exactly what you do.
Open the Microsoft Entra admin center at entra.microsoft.com. In the left sidebar, expand Monitoring & health and click Sign-in logs. Filter by the affected user's UPN (their email address) and set the date range to the last 24 hours. Look at the Status column, any row marked "Failure" is your lead.
Click the failed sign-in row. In the detail pane that slides out, look at three fields: Error code, Failure reason, and Conditional Access. The error code is your quickest lookup. The Conditional Access tab shows you exactly which policy triggered and what the result was, "Success," "Failure," or "Not applied." Nine times out of ten, a blocked user has a Conditional Access policy that matched when it shouldn't have, or a required control like MFA that the user hasn't registered for yet.
If the Conditional Access tab shows a policy with status "Failure" and the control is "Require multifactor authentication," go to Protection > Multifactor authentication > User settings and check whether that user has completed MFA registration. If they haven't, send them a registration link from Protection > Authentication methods > User registration details.
That single workflow, sign-in logs, failed row, Conditional Access tab, resolves about 60% of the tickets I see. Don't spend an hour guessing when the answer is sitting there in the logs.
Multi-factor authentication is the single most impactful security control you can turn on in Microsoft Entra ID. I've seen environments get compromised through credential stuffing where every single affected account had no MFA. Don't let that be yours.
There are two paths: Security Defaults (the simple switch) and Conditional Access policies (the enterprise-grade approach). Security Defaults is a single toggle that enforces MFA registration for all users, requires MFA for admins on every sign-in, and blocks legacy authentication protocols. It's free and included with every Microsoft Entra tenant. To enable it, go to Identity > Overview > Properties, scroll to the bottom, and click Manage security defaults. Flip the toggle to Enabled and save.
If you're on Microsoft Entra ID P1 or P2, turn Security Defaults off and use Conditional Access instead, the two are mutually exclusive by design. The Conditional Access approach gives you far more control: you can require MFA only on risky sign-ins, exempt compliant devices, or scope the policy to specific apps. Go to Protection > Conditional Access > Policies > New policy.
Set Users to "All users" (you can exclude a break-glass admin account, more on that in the Advanced section). Set Target resources to "All cloud apps." Under Grant, select "Require multifactor authentication." Set the policy to Report-only mode first and run it for a week, check the sign-in logs to see who would have been affected. Then flip it to On.
After enabling MFA, users will be prompted to register their second factor at next sign-in. They'll see the combined registration screen at aka.ms/mfasetup where they can add the Microsoft Authenticator app, a phone number for SMS, or a FIDO2 hardware key. If a user says they never got the prompt, check whether they're excluded from the policy scope or whether their session token predates the policy activation, signing out and back in resolves it.
Single sign-on through Microsoft Entra ID means your users authenticate once and get access to all their business apps without re-entering credentials. Getting it wrong produces errors like AADSTS700082, AADSTS50011 (reply URL mismatch), or a blank redirect loop that deposits users back at the Microsoft sign-in page with no explanation.
Go to Applications > Enterprise applications and either browse the gallery for a pre-integrated app or click New application > Create your own application for a custom SAML or OIDC app. For gallery apps, most of the SAML configuration is pre-populated, but you still need to verify two things that almost always cause problems: the Reply URL (Assertion Consumer Service URL) and the Identifier (Entity ID). These must exactly match what the application vendor specifies in their SSO documentation. Even a trailing slash difference will produce error AADSTS50011.
Once the app is registered, click Single sign-on in the app's sidebar. For SAML, download the Federation Metadata XML and upload it into the application's admin console. For OIDC apps, copy the Application (client) ID and the tenant's OpenID Connect metadata document URL, which follows the format https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration.
After configuration, click Test on the SSO configuration page, Microsoft Entra ID will walk through the SAML exchange and flag exactly which assertion or claim is failing. If the test shows a missing claim, go to Attributes & Claims and add the required attribute. Common missing claims include employee_id, department, or a custom attribute the SaaS vendor requires for user provisioning. Don't forget to assign users or groups to the application under Users and groups, a user with no assignment will hit error AADSTS50105 even if SSO is configured perfectly.
Conditional Access is where Microsoft Entra ID earns its keep, and where most admins inadvertently lock people out on a Friday afternoon. I've been there. Let me save you the experience.
Conditional Access sits at Protection > Conditional Access. Every policy has the same anatomy: Assignments (who, what apps, what conditions) and Access controls (what to grant or block). The logic is: IF [user] accesses [app] under [conditions] THEN [require/block]. Policies are evaluated at sign-in time, and all matching policies are combined, if two policies both apply to a sign-in, the user must satisfy both grant controls.
The most common production configuration is a three-policy stack: (1) Require MFA for all users on all cloud apps, (2) Block access from legacy authentication protocols, and (3) Require a compliant or hybrid-joined device for access to sensitive apps. For policy (2), set the condition Client apps to check "Exchange ActiveSync clients" and "Other clients", these are the legacy protocols that don't support MFA and are exploited constantly. Set the grant to Block access.
For risk-based policies (requires Entra ID P2 and ID Protection), add a fourth policy: IF sign-in risk is Medium or High, THEN require MFA. Go to Conditions > Sign-in risk and select "Medium and above." This is the policy that catches credential stuffing attacks in real time, the attacker has the password but can't pass MFA, and the risky sign-in gets flagged automatically. Combined with Microsoft Entra ID Protection's automatic remediation, the user gets prompted to prove their identity before access is granted.
Always keep a break-glass admin account, a cloud-only Global Administrator account with a very long, randomly generated password stored in a physical safe, excluded from all Conditional Access policies. If your policies ever get misconfigured, this account is your recovery path. Name it something obvious like breakglass@yourdomain.onmicrosoft.com and monitor it with an alert in the sign-in logs.
User management in Microsoft Entra ID is more nuanced than it looks. Getting it wrong causes licensing waste, access gaps, and orphaned accounts that become security liabilities.
To create a new user, go to Identity > Users > All users > New user > Create new user. Fill in the User Principal Name (UPN), this is their sign-in address and must match a verified domain in your tenant. Set a strong temporary password and check Require this user to change their password when they first sign in. Under Properties, fill in the Job title, Department, and Manager fields, these are used by ID Governance automated access reviews and by Entra ID's dynamic group rules.
Dynamic groups are something every admin should know about. Instead of manually adding users to groups, you define a membership rule like (user.department -eq "Sales") and (user.accountEnabled -eq True) and the group populates automatically based on user attributes. Go to Identity > Groups > New group, set type to "Security" or "Microsoft 365," set membership type to Dynamic User, and click Add dynamic query. Dynamic groups update within minutes of an attribute change.
For bulk user creation, use the Bulk create option which accepts a CSV file. The template is downloadable from the bulk create wizard. Required columns are Name, User name, Initial password, and Block sign in (Yes/No). After upload, monitor the operation result under Bulk operation results, any row with an error code will tell you exactly what attribute was invalid.
When an employee leaves, don't just delete the account immediately. Go to their user profile, click Revoke sessions first, this invalidates all active tokens. Then disable the account by setting Block sign in to Yes. Wait 30 days for any data recovery or mailbox access needs, then delete. Deleted accounts stay in the recycle bin for 30 days and can be restored from Identity > Users > Deleted users. After 30 days they're gone for good along with their license assignment, so set a calendar reminder.
License assignment is where a lot of small and mid-size organizations get into trouble. They buy Microsoft Entra ID P2 licenses but only half the users get them applied, so ID Protection and ID Governance features behave inconsistently across the tenant. Here's the clean way to manage it.
Microsoft Entra supports two license assignment methods: direct (per-user) and group-based. Group-based licensing is the right approach for any organization with more than 20 users. Go to the group you want to license (or create one specifically for licensing purposes), click Licenses in the sidebar, then Assignments, and select the product. Every member of that group will receive the license. When you add a new employee to the group, the license is assigned automatically within minutes.
To check for license conflicts or assignment errors, go to Billing > Licenses > All products, click your product, then click Licensed users. Users with assignment errors appear with a warning icon. Click the user to see the specific error, common ones are "Not enough licenses" (you've run out of seats) or "Conflicting service plans" (two products in the same group have service plans that can't coexist).
For role assignment, the principle of least privilege applies hard here. Don't assign Global Administrator to people who only need to manage user accounts, give them User Administrator instead. For Conditional Access management, Conditional Access Administrator is the right scoped role. Go to Identity > Roles & admins > All roles and search for the role by name. Click it, then Add assignments. If you have Entra ID P2, use Privileged Identity Management (PIM) to make roles time-limited and require justification, this is accessed under Identity governance > Privileged Identity Management. With PIM, nobody holds a powerful role permanently; they activate it for a window of time and the activation is logged.
After assigning roles, verify them by switching to the user's perspective using the My Access portal at myaccess.microsoft.com. This shows what the user can actually see and access, a fast reality check before you tell them everything is set up.
Advanced Troubleshooting
When the basics don't resolve the issue, these are the tools and techniques I go to for harder Microsoft Entra ID problems.
Event Viewer and Azure AD Connect Health
For hybrid environments where you sync on-premises Active Directory to Microsoft Entra ID using Azure AD Connect (now called Microsoft Entra Connect), most sign-in problems originate on-premises, not in the cloud. On the Entra Connect server, open Event Viewer and navigate to Applications and Services Logs > Microsoft > AzureADConnect > Health Agent > Operational. Event ID 2001 indicates a password hash sync failure. Event ID 6100 points to a connectivity issue between Entra Connect and the Microsoft Entra service endpoint. For sync errors, run Start-ADSyncSyncCycle -PolicyType Delta in PowerShell on the Entra Connect server to force a delta sync and watch the output for attribute-level errors.
Diagnosing AADSTS Error Codes
The most actionable information in a failed sign-in is the AADSTS error code appended to the redirect URL or shown on the error page. Here are the ones I see most frequently and what they mean:
- AADSTS50076, MFA required but not completed. The user needs to register or satisfy the MFA prompt.
- AADSTS53003, Access blocked by a Conditional Access policy. Check the policy name in sign-in logs.
- AADSTS50105, User not assigned to the application. Go to Enterprise applications > Users and groups and add the user.
- AADSTS700082, Refresh token expired due to inactivity. User must sign in fresh; this is expected behavior and not a bug.
- AADSTS50126, Invalid credentials. Usually a wrong password, but also fires when a user's on-prem password hasn't synced yet after a reset.
- AADSTS900382, Confidential client not supported in cross-cloud requests. Usually an app registration pointing at the wrong national cloud endpoint.
Group Policy and Registry for Hybrid Scenarios
In domain-joined environments, the way Windows handles token caching and Workplace Join can interfere with Microsoft Entra ID SSO. If users on domain-joined machines keep getting re-prompted for credentials, open Registry Editor (regedit.exe) and check the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoinThe value autoWorkplaceJoin should be set to 1 to enable seamless SSO via Windows Hello for Business or Primary Refresh Token (PRT). If it's missing or 0, the machine won't request a PRT at sign-in, and the user will be prompted repeatedly. This is typically configured via Group Policy under Computer Configuration > Administrative Templates > Windows Components > Workplace Join > Automatically workplace join computers.
PowerShell Diagnostics
The Microsoft Graph PowerShell SDK is the right tool for bulk diagnostics. Install it with:
Install-Module Microsoft.Graph -Scope CurrentUserThen connect and pull sign-in logs programmatically:
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"
Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'user@domain.com' and status/errorCode ne 0" -Top 50 | Select-Object CreatedDateTime, AppDisplayName, Status, ConditionalAccessStatusThis gives you a clean table of failed sign-ins for a specific user across the last 30 days, much faster than clicking through the portal for bulk analysis.
Prevention & Best Practices
The best Microsoft Entra ID troubleshooting session is the one you never have to have. These are the practices I recommend building into your tenant from day one, or retrofitting as soon as possible if you're already in production.
Maintain an always-current named location list. Conditional Access named locations let you define trusted IP ranges for your office networks. If you set up a "Block access from risky locations" policy, you need to keep this list up to date whenever you move offices or add remote sites. An outdated named location list is a sneaky source of phantom lockouts. Review it quarterly at Protection > Conditional Access > Named locations.
Run access reviews regularly. Microsoft Entra ID Governance includes access review capabilities that automatically ask managers or resource owners to confirm whether users still need their access. Set these up for your most sensitive groups and applications, typically anything with access to financial data, HR systems, or admin portals. Go to Identity governance > Access reviews > New access review. I recommend a 90-day review cycle as a starting point. Users who are not confirmed get their access removed automatically when the review closes.
Monitor for stale guest accounts. External B2B collaboration creates guest accounts in your tenant. These accumulate over time, contractors who left, partners from old projects, test accounts nobody remembers creating. Stale guests are a real security risk. Pull a list with PowerShell: Get-MgUser -Filter "userType eq 'Guest'" | Where-Object { $_.SignInActivity.LastSignInDateTime -lt (Get-Date).AddDays(-90) } and review them quarterly.
Use Microsoft Entra ID Protection's risky user reports. Even if you don't have automated remediation configured, check Protection > Identity Protection > Risky users once a week. Any user showing as "At risk" has had suspicious activity on their account, leaked credentials, impossible travel, or other signals. Dismiss false positives, and for real risks, use the Confirm user compromised action which revokes all sessions and requires password reset.
- Enable Security Defaults immediately if you haven't deployed Conditional Access, it's free and takes 30 seconds to turn on
- Create a named "Break Glass" group excluded from all Conditional Access policies and put only your emergency admin account in it
- Set up an alert rule in Microsoft Entra ID that emails you when any Global Administrator role is assigned, go to Monitoring > Diagnostic settings and route audit logs to a Log Analytics workspace
- Switch from per-user MFA enforcement (the old Azure AD method) to Conditional Access MFA, the old per-user method conflicts with Conditional Access and produces confusing behavior
Frequently Asked Questions
What exactly is Microsoft Entra ID and how is it different from Azure Active Directory?
Microsoft Entra ID is the new name for Azure Active Directory, Microsoft renamed it in 2023 as part of launching the broader Microsoft Entra product family. The product itself is the same cloud-based identity and access management service that handles authentication, authorization, and policy enforcement for users, devices, and applications. If you were using Azure AD before, you're already using Microsoft Entra ID. Nothing about your configuration changed; only the branding and the admin portal URL (now entra.microsoft.com) shifted. Microsoft Entra as a whole also includes newer products like Private Access, Internet Access, and Agent ID, but Entra ID is the foundational piece that everything else builds on.
What is the Microsoft Entra admin center and how do I access it?
The Microsoft Entra admin center is the web-based management portal for all Microsoft Entra products, and you reach it at entra.microsoft.com. Sign in with your admin account and you'll see a unified sidebar covering Identity, Protection, Identity Governance, and Monitoring, all the areas you need to manage users, groups, applications, Conditional Access policies, and sign-in logs. It replaced the old Azure AD blade inside the Azure portal, though that blade still exists and redirects to the same backend. If you're used to the Microsoft 365 admin center, the Entra admin center is more powerful but specifically focused on identity and access tasks rather than the broader M365 service management.
Why is MFA not prompting users even though I turned it on?
The most common reason is a session token that was issued before MFA was enforced. When you enable a Conditional Access policy requiring MFA, it only applies at the next sign-in, existing authenticated sessions continue until they expire, which can be hours or days. Ask affected users to sign out of all sessions (they can do this at myaccount.microsoft.com > Security info > Sign out everywhere) and then sign back in. The second common cause is that the user is excluded from the policy scope, check the Users assignment in your policy and make sure there's no explicit exclusion for that user or a group they're in. Use the Conditional Access What If tool to confirm the policy would actually apply to that specific user.
How do I fix AADSTS53003, access blocked by Conditional Access?
Error AADSTS53003 means a Conditional Access policy evaluated to Block access for that sign-in. Go to Monitoring > Sign-in logs, find the failed sign-in, and click the Conditional Access tab in the detail pane. This shows exactly which policy blocked the sign-in and which condition triggered it. The fix depends on the cause: if the user signed in from a non-compliant device, they need to enroll the device in Intune. If they signed in from a blocked country or IP range, and that's a legitimate business need, update the named locations or create a policy exception for their specific scenario. Never just delete the blocking policy without understanding why it exists first, it may be blocking for a real security reason.
Can I use Microsoft Entra ID for free, or do I need a paid license?
Microsoft Entra ID Free is included with any Microsoft 365, Azure, or Dynamics CRM Online subscription, you're already paying for it as part of those plans. The free tier covers user and group management, basic SSO (up to 10 apps in the My Apps gallery), and self-service password change. To unlock risk-based Conditional Access, MFA with granular controls, dynamic groups, and hybrid identity features, you need Microsoft Entra ID P1. For ID Protection (risky sign-in detection), Privileged Identity Management, and access reviews, you need P2. Both P1 and P2 are also included in Microsoft 365 Business Premium and Enterprise E3/E5 plans respectively, so check what your existing Microsoft 365 subscription includes before buying standalone Entra licenses.
My users can't do self-service password reset, what's wrong?
Self-Service Password Reset (SSPR) requires explicit enablement and at least one registered authentication method per user. Go to Protection > Password reset > Properties and make sure SSPR is set to "Selected" or "All", it defaults to off. Then check Authentication methods to confirm you've enabled at least two methods (mobile app, email, phone). The user also needs to have registered those methods, check their registration status at Protection > Password reset > Registration. For hybrid environments, you also need to enable Password writeback in the Entra Connect configuration wizard, without it, password resets in the cloud won't sync back to on-premises Active Directory and the user will see a confusing error after a seemingly successful reset.