You click "Sign In," wait a few seconds, and then, nothing. Or worse, you get a cryptic error message telling you your authentication request failed. Whether you're trying to log into your Microsoft account, an enterprise app, a VPN, or a third-party service that uses OAuth, a blocked or broken authentication request is one of the most frustrating problems you can run into. The good news? In the vast majority of cases, the fix is something you can handle yourself in under ten minutes.

In this guide, I'll walk you through exactly why authentication requests fail, how to diagnose what's going wrong on your specific system, and how to fix it step by step, whether you're on Windows 10, Windows 11, or dealing with a corporate environment that adds its own layer of complexity.

What Does "Authentication Request" Actually Mean?

Before we dive into fixes, it helps to understand what happens when you try to authenticate. When you log into any service, your Microsoft account, an Azure AD tenant, a work application, or even a gaming platform, your device sends a request to an authentication server. That server checks your credentials (password, token, certificate, or biometric data) and either grants or denies access.

That exchange sounds simple, but it involves a surprisingly long chain of components: your browser or app, your operating system, your network connection, DNS servers, authentication servers (like Azure Active Directory), and sometimes third-party identity providers. If any single link in that chain breaks, your authentication request fails, and you're locked out.

Common symptoms that tell you you're dealing with an authentication request problem include:

  • Error messages like "Your request could not be completed", "Authentication failed", "AADSTS" error codes, or "Invalid token"
  • The sign-in page loading but never completing after you enter credentials
  • Multi-factor authentication prompts that never arrive
  • Being repeatedly redirected back to the login page in a loop
  • API calls returning 401 Unauthorized errors
  • Windows Hello or PIN login suddenly failing at the lock screen

Why Authentication Requests Fail: The Most Common Causes

Understanding the root cause will save you from randomly trying fixes that don't apply to your situation. Here are the most common culprits, ranked roughly by how often I see them in support scenarios:

1. Expired or Corrupted Tokens

Authentication tokens, the digital passes your device receives after a successful login, have expiration times. If your system clock is wrong, if your device was offline for an extended period, or if a cached token was corrupted during a system update, you'll start seeing authentication failures even though your credentials are perfectly valid.

2. Clock Skew (Wrong System Time)

This one catches a lot of people off guard. Authentication protocols like Kerberos and OAuth are extremely time-sensitive. If your device's clock is off by more than five minutes from the authentication server's clock, the request will be rejected outright. Azure AD, Microsoft's cloud identity platform, enforces this strictly.

3. Network and Firewall Interference

Corporate firewalls, VPNs, overly aggressive DNS filtering (like Pi-hole), and even some home router security features can block the specific endpoints that authentication services need to reach. Microsoft authentication requires access to endpoints like login.microsoftonline.com, login.live.com, and various Azure AD endpoints.

4. Browser Cache and Cookie Conflicts

Your browser stores authentication cookies and cached credentials to speed up future logins. When those cached items become stale, corrupted, or conflict with a new session, your authentication request can loop, fail, or silently refuse to proceed.

5. Credential Manager Corruption on Windows

Windows stores saved credentials in a system vault called Credential Manager. If those stored entries are outdated (for example, your work password changed but Windows is still sending the old one), every authentication attempt will fail without giving you a clear prompt to update your credentials.

6. Multi-Factor Authentication (MFA) Issues

If your organization requires MFA, a failure in the second-factor step counts as an authentication failure. This includes situations where the Microsoft Authenticator app isn't receiving push notifications, your phone number for SMS codes has changed, or your TOTP (time-based one-time password) app is out of sync.

7. Azure AD Conditional Access Policies

If you're in a corporate environment, your IT department may have configured Conditional Access rules that block sign-ins from certain locations, devices that aren't enrolled in Intune, browsers that don't meet compliance requirements, or accounts that haven't completed security registration.

8. Account Lockout or Compromised Account Flags

After too many failed login attempts, Microsoft's systems will temporarily lock an account as a security measure. Similarly, if suspicious activity is detected, your account may be flagged, which blocks authentication requests until you verify your identity through account recovery.

Step-by-Step Fix: Resolving Authentication Request Failures

Work through these steps in order. Most people find their fix within the first three or four steps.

Step 1
Check and Correct Your System Clock

This is the fastest thing to check and eliminates one of the most common causes immediately.

  1. Press Windows + I to open Settings.
  2. Go to Time & Language > Date & Time.
  3. Make sure Set time automatically and Set time zone automatically are both toggled ON.
  4. Click Sync now under "Synchronize your clock."
  5. If the sync fails, open Command Prompt as Administrator and run: w32tm /resync /force
Pro tip: If you're on a domain-joined machine and the time sync keeps failing, the issue may be with your domain controller's NTP configuration. Contact your IT admin if w32tm /resync returns an error.
Step 2
Clear Browser Cache and Authentication Cookies

If your authentication failure is happening in a browser (signing into Microsoft 365, Azure Portal, a web app), stale cookies are a very likely culprit.

  1. In Microsoft Edge: Press Ctrl + Shift + Delete, set the time range to "All time," check Cookies and other site data and Cached images and files, then click Clear now.
  2. In Chrome: Press Ctrl + Shift + Delete, same process.
  3. After clearing, close the browser completely (not just the tab), reopen it, and try the authentication again.
  4. Alternatively, try opening an InPrivate/Incognito window first, if authentication works there, it's definitely a cached data problem.
Step 3
Remove Stale Entries from Windows Credential Manager

Windows Credential Manager silently reuses saved credentials. If your password or account settings changed, you need to remove the old entries.

  1. Press Windows + S, search for Credential Manager, and open it.
  2. Click on Windows Credentials.
  3. Look for any entries related to your Microsoft account, work account, Office, Teams, OneDrive, or the service you're having trouble with.
  4. Click on each relevant entry and select Remove.
  5. Restart your application or browser and attempt to sign in fresh.
Important: Only remove entries you recognize. Deleting unrelated credential entries (like saved Wi-Fi passwords or VPN credentials) could cause other issues.
Step 4
Sign Out and Sign Back Into the Windows Account

For Windows 10 and 11 users where the failure involves Microsoft apps like Teams, OneDrive, or Office, the access token tied to your Windows account sign-in is often the issue.

  1. Go to Settings > Accounts > Your Info.
  2. Click Sign in with a local account instead and follow the prompts (don't worry, this is reversible).
  3. Once signed in with a local account, go back to Settings > Accounts > Your Info and click Sign in with a Microsoft account instead.
  4. Enter your credentials fresh. This forces Windows to request a new authentication token.
Step 5
Check and Troubleshoot Your Network Connection

Authentication services require access to specific internet endpoints. A VPN, firewall, or DNS filter might be blocking them without you realizing it.

  1. Try temporarily disabling your VPN (if you use one for personal or work use) and attempt authentication again.
  2. Open Command Prompt and run: nslookup login.microsoftonline.com, if this returns an error or unexpected IP, your DNS is likely filtering or blocking the request.
  3. Try switching your DNS temporarily to Google's public DNS: open Network adapter settings > IPv4 Properties and enter 8.8.8.8 as the preferred DNS server.
  4. If you're on a corporate network, check with your IT team whether a recent firewall policy change may have blocked authentication endpoints.
Quick test: Try authenticating from your mobile phone on a completely different network (mobile data, not Wi-Fi). If it works there, the problem is definitely network-side on your PC.
Step 6
Fix Microsoft Authenticator or MFA Issues

If authentication fails at the MFA step specifically, here's how to resolve the most common MFA problems:

  1. Open the Microsoft Authenticator app on your phone and make sure notifications are enabled for it in your phone's settings.
  2. If you're using TOTP codes and they're not working, your phone's time might be off. Go to the Authenticator app's settings and look for a Time Correction for Codes or sync option.
  3. If MFA push notifications aren't arriving, check that your phone has an active internet connection.
  4. As a backup, use a different verification method: go to the sign-in page, click "Having trouble? Use a different method" or "Sign in another way."
  5. If you're completely locked out of MFA, go to aka.ms/mfasetup from a browser where you're still signed in to manage your MFA methods.
Step 7
Check for Account Lockout or Security Flags

If all of the above fails, there may be an account-level issue that's blocking authentication at the server side.

  1. Visit account.live.com/password/reset for personal Microsoft accounts. Even if you know your password, going through the reset flow can unlock a temporarily locked account.
  2. Check your email for any security alerts from Microsoft about suspicious activity or required verification steps.
  3. For work or school accounts, you'll need to contact your IT administrator, they can check Azure AD sign-in logs to see exactly why your authentication request is being rejected.
Step 8
Re-register Your Device in Azure AD (Work Accounts)

If you're in a corporate environment and other fixes haven't worked, your device's registration with Azure AD may be stale or broken.

  1. Open Command Prompt as Administrator.
  2. Run dsregcmd /status and look at the output. Check AzureAdJoined and WorkplaceJoined values.
  3. If the device is joined but showing errors, run: dsregcmd /leave followed by dsregcmd /join.
  4. Restart your device and test authentication again.
Important: Leaving and rejoining Azure AD will remove your work account from this device. Make sure you have your credentials ready before doing this, and check with your IT admin first if your device uses BitLocker or other compliance tools that depend on the device enrollment state.

Advanced Troubleshooting

If you've gone through all eight steps and still can't get your authentication request to go through, it's time to dig deeper. Here are advanced diagnostic techniques that will either solve the problem or give you exactly the information you need to escalate to Microsoft Support.

Reading Azure AD Sign-In Logs (Admins and Enterprise Users)

If you have access to the Azure Portal (portal.azure.com), navigate to Azure Active Directory > Sign-in logs. Filter by the affected user and look at the failure reason. Azure AD provides very specific error codes (AADSTS codes) that tell you exactly what went wrong. Common ones include:

  • AADSTS50126, Invalid username or password
  • AADSTS50079, MFA required but not configured
  • AADSTS53003, Access blocked by Conditional Access policy
  • AADSTS70011, Invalid OAuth scope
  • AADSTS700016, Application not found in the tenant

Each of these has a specific resolution path. You can search the exact AADSTS code on Microsoft's documentation at learn.microsoft.com for detailed guidance.

Using the Microsoft Support and Recovery Assistant

Microsoft offers a free tool called SaRA (Support and Recovery Assistant) that automatically diagnoses and fixes authentication problems for Microsoft 365 apps, Outlook, Teams, and OneDrive. Download it from the Microsoft website, run the tool, and select the product you're having issues with. SaRA will check your configuration against known good states and attempt automated repairs.

Checking Token Cache with Windows Token Broker

On Windows 10 and 11, the Web Account Manager (WAM) handles token caching for apps that use Windows integrated authentication. If it has a corrupted cache, you can reset it by following these steps:

  1. Open Settings > Accounts > Access work or school.
  2. Click on any connected work or school account and select Disconnect.
  3. Open Credential Manager and remove all related entries as described in Step 3.
  4. Navigate to %localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\LocalState in File Explorer and delete the contents of that folder (the folder itself should remain).
  5. Reconnect your work account under Access work or school.

Fiddler or Network Trace for API Authentication

If you're a developer dealing with API authentication failures (OAuth 2.0, client credentials flow, etc.), capturing a network trace using Fiddler or Wireshark will show you the exact HTTP request and response. Pay attention to the WWW-Authenticate response header and the error and error_description fields in the JSON response body, they'll tell you exactly why the token endpoint is rejecting your request.

Enterprise Proxy Configurations

Many corporate environments route all internet traffic through a proxy server. If the proxy isn't configured to pass authentication traffic correctly (especially TLS inspection that can break certificate validation), your authentication requests will silently fail. Check your proxy settings under Settings > Network & Internet > Proxy and confirm the proxy is correctly configured with your IT team's settings. You can also test authentication by temporarily bypassing the proxy with a direct connection.

How to Prevent Authentication Request Failures

Most authentication problems are avoidable with a few good habits. Here's what I recommend:

Keep Your MFA Methods Current

Review your security info at account.microsoft.com/security at least every six months. Make sure your backup email, phone number, and authenticator app registrations are all up to date. Having a backup method prevents being locked out entirely when one method fails.

Enable "Stay Signed In" Where Appropriate

On trusted personal devices, allowing applications to maintain a longer session reduces how often they need to re-authenticate and therefore reduces the chance of hitting a transient authentication failure.

Keep Windows Updated

Authentication infrastructure, especially Windows Hello, the Web Account Manager, and the Authentication Broker, receives important fixes through Windows Update. Falling behind on updates can leave you with known bugs that Microsoft has already patched.

Use a Password Manager with Proper Copy-Paste

A surprising number of authentication failures happen because a password was typed incorrectly or had an invisible character pasted in. Using a proper password manager that fills credentials directly eliminates this class of problem entirely.

Don't Rely on Saved Browser Passwords for Critical Work Accounts

Browser-saved passwords can be a source of stale credential problems. For work accounts especially, let your corporate SSO or authenticator app handle credentials rather than relying on browser autofill.

Monitor for Suspicious Activity Alerts

Enable email notifications for sign-in activity on your Microsoft account. If an unusual sign-in triggers a security lock on your account, you'll get an email immediately and can address it before it becomes a prolonged lockout situation.

Frequently Asked Questions

Why does my authentication request keep failing even though my password is correct?
A correct password is only one part of a successful authentication request. The failure could be caused by a wrong system clock (clock skew), a cached expired token, a Conditional Access policy block, an MFA step that isn't completing, or a network/firewall issue blocking the authentication endpoint. Work through Steps 1–3 in this guide first, they resolve the majority of cases where the password is correct but authentication still fails.
What does AADSTS error mean and how do I look it up?
AADSTS stands for Azure Active Directory Security Token Service. These error codes appear in the URL or on-screen when Azure AD rejects an authentication request. Each code maps to a specific reason. You can look up any AADSTS code by searching "AADSTS" followed by the number on learn.microsoft.com. For example, AADSTS50079 means MFA is required but not configured for your account, and AADSTS53003 means a Conditional Access policy is blocking your sign-in.
My Microsoft Authenticator push notifications stopped arriving. What should I do?
First, check that notifications are enabled for the Authenticator app in your phone's system settings, these can get disabled by battery optimization features or system updates. Next, make sure your phone has an active internet connection (not just Wi-Fi, try switching to mobile data briefly). If notifications still don't arrive, open the Authenticator app and use the time-based OTP (the rotating 6-digit code) as an alternative method. You can also sign in using a backup method by clicking "Sign in another way" on the login page.
Can a VPN cause authentication request failures?
Yes, absolutely. VPNs can cause authentication failures in several ways: they may route your traffic through an IP address that's in a different geographic region than expected (triggering Conditional Access location-based policies), they may interfere with DNS resolution for authentication endpoints, or they may block specific ports or protocols required for the authentication flow. As a diagnostic step, always try temporarily disabling your VPN and test authentication directly. If it works without the VPN, the problem is in the VPN configuration.
How do I fix authentication failures for a work account when I can't contact my IT admin immediately?
There are a few self-service options. First, try the Microsoft Self-Service Password Reset (SSPR) portal if your organization has it enabled, your IT admin can give you the URL, or it's often at passwordreset.microsoftonline.com. Second, use the Microsoft Support and Recovery Assistant (SaRA) tool to run an automated diagnosis. Third, try authenticating from a different device, if it works there, the issue is specific to your PC's configuration rather than your account. Document the exact error message and code you're seeing so you can give your IT admin precise information when you do reach them.
Why does authentication work in an Incognito window but not in my regular browser?
This is almost always a cached data problem. Your regular browser profile has accumulated cookies, cached credentials, or stored tokens that have become stale or corrupted and are interfering with the fresh authentication handshake. The Incognito window doesn't use any of that cached data. The fix is to clear your browser's cookies and cached files (use Ctrl + Shift + Delete, select "All time," and clear cookies and cached images). After clearing, restart the browser completely before trying again.
I'm a developer and my API authentication requests are returning 401 Unauthorized. Where should I start debugging?
Start by verifying the token you're sending is actually valid and not expired. Decode your JWT at jwt.ms or jwt.io and check the exp (expiration) claim and the aud (audience) claim, the audience must match the API you're calling exactly. Next, check the scp or roles claims to verify the token has the required scopes for the operation you're attempting. If the token looks correct, enable detailed logging on your HTTP client to capture the full request and response, paying close attention to the WWW-Authenticate header in the 401 response, which often contains a specific error description. For Azure AD specifically, the Azure AD sign-in logs will show you exactly why the token request was rejected.
How long does a Microsoft account lockout last?
Microsoft uses a smart lockout policy that scales with the perceived threat level rather than a fixed timer. For personal Microsoft accounts, a temporary lockout after repeated failed attempts typically lasts between 1 and 30 minutes. However, if suspicious activity flags your account for a security review, it can remain restricted until you complete identity verification. For Azure AD accounts in a business tenant, admins can configure custom lockout durations. The fastest way to resolve any lockout is to go through the account recovery flow at account.live.com/password/reset rather than waiting for the timer to expire.