How to Troubleshoot Microsoft Entra ID Sign-In & Access Errors
Why This Is Happening
I've seen this exact situation play out hundreds of times in enterprise environments: someone sits down Monday morning, fires up Teams or Outlook, and gets hit with a cryptic error like AADSTS50126, AADSTS53003, or the infuriating generic message "We couldn't sign you in." Microsoft Entra ID , the identity platform formerly known as Azure Active Directory , is powerful, but when it breaks, it breaks silently. The error messages are written for engineers reading log files, not for the person who just needs to send an email.
Microsoft Entra ID troubleshooting covers a surprisingly wide range of failure modes. You might be dealing with a simple password issue, or you could be blocked by a Conditional Access policy that was updated over the weekend without anyone telling the end-user team. You could have a token cache that's gone stale, a device compliance state that flipped to non-compliant after a missed Windows Update, or a user principal name (UPN) mismatch from an AD sync gone wrong.
Here's who typically sees these problems:
- End users who changed their password on a personal device but their work laptop still has the old credential cached
- IT admins dealing with Entra Connect (formerly AAD Connect) sync errors after an on-premises schema change
- Developers whose app registrations have expired client secrets or misconfigured redirect URIs
- Remote workers whose devices fell out of Intune compliance after a policy update
- Guest users invited from external tenants who can't get past the B2B redemption flow
The real frustration? Microsoft's own error messages rarely tell you which of these dozen possible causes you're actually dealing with. AADSTS50076 just says "multi-factor authentication required", but it doesn't tell you that your MFA method was disabled by an admin, or that your Authenticator app token is out of sync, or that your location triggered a Conditional Access block. You're left guessing.
That's what this guide is for. I'm going to walk you through every major Microsoft Entra troubleshooting scenario, from the five-second quick fix that solves 60% of cases to deep-dive Event Viewer and sign-in log analysis for the stubborn ones. Browse all Microsoft fix guides →
The Quick Fix, Try This First
Before you go digging through policies and log files, try this. It resolves the majority of Entra sign-in problems in under two minutes, and I mean that literally. Most Entra authentication failures on end-user machines come down to a stale token or a corrupted credential entry in Windows Credential Manager.
Open Control Panel → User Accounts → Credential Manager → Windows Credentials. Look for any entries starting with MicrosoftOffice, MicrosoftTeams, aadauth, or your organization's domain. Remove all of them. Yes, all of them. Then sign out of all Microsoft 365 apps completely, not just close the window, but sign out from the account switcher in each app.
Now restart the machine. On the next login, you'll be prompted to re-authenticate from scratch. This clears the token cache, drops any stale refresh tokens, and forces Entra to issue a fresh set of credentials against your current policy state.
If you're on a domain-joined machine and you want to do this faster via PowerShell, run this as administrator:
cmdkey /list | Select-String "microsoftoffice|aadauth|microsoft.com" | ForEach-Object {
$target = ($_ -split "Target: ")[1].Trim()
cmdkey /delete:$target
}
After the credential flush, open any Microsoft 365 app and sign in fresh. In about 70% of cases I've handled, this is all it takes. If you're still blocked after a clean re-auth, the problem is upstream, a policy, a sync issue, or a device state, and the steps below will find it.
The single most powerful thing you can do when troubleshooting Entra ID sign-in failures is read the actual sign-in logs before touching anything. Most people skip this and start randomly changing settings, which wastes time and can introduce new problems.
Go to portal.azure.com or entra.microsoft.com. In the left nav, expand Identity → Monitoring & health → Sign-in logs. You'll see three tabs: User sign-ins (interactive), User sign-ins (non-interactive), and Service principal sign-ins. For end-user problems, start with the first tab.
Filter by the affected user's UPN in the User field and set the date range to cover when they first saw the issue. Click any failed entry (Status = Failure) to open the details pane. The fields you care about most:
- Error code, the AADSTS number (e.g., AADSTS50126, AADSTS53003)
- Failure reason, a plain description of what failed
- Conditional Access tab, shows exactly which CA policies evaluated and whether they passed, failed, or weren't applied
- Device info tab, shows whether the device was recognized as compliant/managed
You can also pull these logs programmatically if you need to analyze patterns across many users. Run this in Azure Cloud Shell or a machine with the Microsoft Graph PowerShell module installed:
Connect-MgGraph -Scopes "AuditLog.Read.All"
Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'user@yourdomain.com' and status/errorCode ne 0" -Top 20 |
Select-Object CreatedDateTime, AppDisplayName, @{N="ErrorCode";E={$_.Status.ErrorCode}}, @{N="FailureReason";E={$_.Status.FailureReason}} |
Format-Table -AutoSize
Once you have the error code, you know exactly which fix to apply. The rest of these steps map to the most common ones I see in the wild.
These two codes come up constantly. AADSTS50126 means the credentials were rejected, wrong password, locked account, or a UPN mismatch. AADSTS50034 means the account genuinely doesn't exist in the directory being targeted, which usually happens when a user types the wrong domain suffix or when a hybrid sync hasn't run yet.
For AADSTS50126, start with a password reset via Entra Admin Center → Users → [select user] → Reset password. If the account is locked out, look at the Sign-in logs, if you see a burst of failed attempts, the account protection policies may have auto-locked it. Unlock it via Users → [select user] → Properties → Settings → Unblock sign in.
For AADSTS50034 in a hybrid environment, the problem is almost always an on-premises AD sync issue. Check the UPN in on-premises AD:
Get-ADUser -Identity username -Properties UserPrincipalName | Select-Object UserPrincipalName
Compare that to what appears in Entra. If they don't match exactly, including the domain suffix, that's your problem. Update the on-prem UPN and force a delta sync:
Set-ADUser -Identity username -UserPrincipalName "correctupn@yourdomain.com"
# On the Entra Connect server:
Start-ADSyncSyncCycle -PolicyType Delta
Wait 2–5 minutes, then check Entra to confirm the UPN updated. The user should be able to sign in immediately after the sync completes. If the sync itself is failing, move to Step 5.
I genuinely believe AADSTS53003 is the most common Entra error that gets misdiagnosed as "the account is broken." It's not. It means a Conditional Access policy evaluated and blocked the sign-in. The account is fine. The policy said no.
Go to Entra Admin Center → Protection → Conditional Access → Policies. Identify which policy blocked the sign-in, this is shown clearly in the sign-in log entry under the Conditional Access tab. Click on the policy name to open it.
Common causes:
- Device compliance required, the device isn't registered to Intune or has fallen out of compliance
- Location-based block, the user is connecting from an IP not in the named location whitelist
- MFA required but not completed, see Step 4
- Legacy authentication blocked, the app is using basic auth (IMAP, SMTP, older Office clients)
For a device compliance issue, check the device state in Entra Admin Center → Devices → All devices. Find the device and check the Compliant and Managed by columns. If it says "Non-compliant," open Intune (intune.microsoft.com → Devices → [device name] → Device compliance) and check which specific policy check failed.
If you need to temporarily unblock a specific user while you fix the underlying issue, you can add them to an exclusion group on the Conditional Access policy. Go to the policy → Users → Exclude → Select users and groups and add a break-glass group. Document this clearly, exclusions left in place permanently are a real security risk.
Multi-factor authentication errors are a category unto themselves. AADSTS50076 means MFA is required by policy. AADSTS50074 means the user has MFA registered but the strong auth requirement wasn't satisfied, usually because the Authenticator app push notification timed out, or the user's phone number changed and wasn't updated in their profile.
First, check the user's authentication methods. Go to Entra Admin Center → Users → [select user] → Authentication methods. You'll see every registered method: Microsoft Authenticator app, phone number for SMS, FIDO2 keys, etc. If a method shows as registered but the user says it's not working, delete it and re-register. Click the method and select Delete.
If the user's Authenticator app shows "Account doesn't exist" or the codes are being rejected, the problem is almost always a time sync issue on the phone. Open the Microsoft Authenticator app → tap the account → tap the three-dot menu → Verify Codes. If it says the time is off, go to the phone's date/time settings and enable Set time automatically. The TOTP algorithm is time-sensitive to within 30 seconds.
For organizational-level MFA resets (e.g., after a user gets a new phone), run this via Microsoft Graph PowerShell:
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"
# List all auth methods for a user
Get-MgUserAuthenticationMethod -UserId "user@yourdomain.com"
# Remove a specific TOTP software token method
Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId "user@yourdomain.com" -MicrosoftAuthenticatorAuthenticationMethodId "[method-id-from-above]"
After the old method is removed, the user will be prompted to re-register MFA on their next sign-in, provided you have the MFA registration policy enabled under Entra Admin Center → Protection → Authentication methods → Authentication strengths.
If you're in a hybrid environment, on-premises Active Directory synced to Entra ID via Microsoft Entra Connect, sync errors are their own universe of pain. I've seen everything from simple attribute conflicts to full sync engine lockups after an AD schema extension. Here's how to methodically diagnose it.
On the server running Entra Connect (typically a dedicated server or a domain controller in smaller orgs), open Synchronization Service Manager, you'll find it in the Start menu under Microsoft Entra Connect. Check the Operations tab. Any red or yellow entries indicate sync failures. The most common ones:
- export-attribute-flow, attribute write-back failed
- stopped-server, the connector can't reach Entra ID (check connectivity and service account permissions)
- object-typemismatch, on-prem object type doesn't match cloud object type
- AttributeValueMustBeUnique, UPN or ProxyAddress conflict between two objects
Run the built-in diagnostics first:
Import-Module ADSync
Start-ADSyncDiagnostics
For duplicate attribute errors (the most common sync blocker after a user account restructure), use the IdFix tool from Microsoft to scan for and fix directory attribute conflicts before they hit the sync engine. Also check the Entra Admin Center → Identity → Monitoring & health → Provisioning logs for cloud-side sync failure details, which often have more actionable descriptions than what the on-premises sync engine shows. After fixing the underlying attribute issue, force a full sync with Start-ADSyncSyncCycle -PolicyType Initial and monitor the Operations tab to confirm clean export runs.
Advanced Troubleshooting
The steps above cover the majority of real-world Entra ID issues. But sometimes you're dealing with something deeper, a Group Policy conflict, a corrupted device join state, a misconfigured app registration, or a tenant-level configuration that's affecting a class of users rather than one person. Here's how to handle the harder cases.
Diagnosing Device Join State Problems
On Windows 10/11 devices, run this command as the affected user (not as admin) and read every line carefully:
dsregcmd /status
The three lines that matter most are AzureAdJoined, DomainJoined, and DeviceAuthStatus. If AzureAdJoined : YES but DeviceAuthStatus : FAILED, the device's certificate used for Primary Refresh Token (PRT) acquisition has likely expired or been revoked. You'll need to re-join the device. For Entra-joined (formerly AAD-joined) devices: Settings → Accounts → Access work or school → Disconnect, then rejoin. For hybrid-joined devices, run dsregcmd /leave and trigger a new device registration via Group Policy refresh (gpupdate /force).
Group Policy and Registry Conflicts
In enterprise environments, local Group Policy settings can override or conflict with Entra Conditional Access policies, particularly around credential handling and modern authentication. Check for conflicting registry values at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity
Under the Office Identity key, look for EnableADAL, it should be set to 1 (DWORD) to enable modern authentication. If it's 0 or missing, older Office clients fall back to basic auth which may be blocked by your Conditional Access policies. Set it to 1 and restart Office applications.
App Registration Issues
If the Entra sign-in failure is for a specific application (error code AADSTS700016, application not found in tenant), go to Entra Admin Center → Applications → App registrations and verify the Application (client) ID in the app's configuration matches exactly what's registered. Check that the app's redirect URI exactly matches what the application sends in the auth request, a trailing slash difference will cause a 700016. Also confirm the app hasn't been disabled: App registrations → [app] → Properties → Enabled for users to sign in should be Yes.
Event Viewer Analysis
On the client machine, check Event Viewer → Applications and Services Logs → Microsoft → Windows → AAD → Operational. Event ID 1098 indicates a failed token acquisition. Event ID 1104 is a successful PRT refresh. Event ID 1081 with error 0xCAA2000C means the device certificate is expired. These IDs give you hardware-level authentication failure data that the Entra portal sign-in logs don't always capture, especially for silent (non-interactive) token refreshes that happen in the background.
dsregcmd /status shows TenantId pointing to the wrong tenant after a tenant migration, or if Entra Connect shows a stopped-server state that persists after credential refresh and connectivity verification. Check the Microsoft Support portal for current service health status first, many "mysterious" Entra failures are actually regional outages that clear on their own within hours.
Prevention & Best Practices
Most Microsoft Entra troubleshooting calls I've handled were preventable. Not with complex tooling, with a few consistent operational habits. Let me share what actually works in production environments of all sizes.
First: monitor your Entra sign-in health proactively, not reactively. Set up a Workbook in Entra Admin Center under Monitoring & health → Workbooks. The built-in "Sign-in Analysis" workbook will show you failure rate trends before individual users start reporting problems. Pair this with an alert rule in Azure Monitor that fires when sign-in failure rate for any application exceeds 10% over 15 minutes.
Second: keep your Conditional Access policies documented and version-controlled. Every CA policy change should be logged, who changed it, what they changed, and why. The built-in audit log at Entra Admin Center → Monitoring → Audit logs captures this, but export it to a Log Analytics workspace so you have more than the default 30-day retention. When you know "Policy X was modified at 2:47pm Tuesday," you can instantly correlate it with a spike in AADSTS53003 errors that started at 3:00pm.
Third: test CA policy changes with the What If tool before deploying to production. It's right there in Entra Admin Center → Protection → Conditional Access → What If. Simulate a sign-in as a specific user, from a specific IP, on a specific device, the tool tells you exactly which policies would apply and what outcome they'd produce. I've seen CA misconfigurations that would have locked out an entire department get caught by a two-minute What If test.
Finally: maintain at least two Break Glass accounts, cloud-only, no MFA requirement, excluded from all Conditional Access policies, with strong 20+ character random passwords stored in a physical safe. These are your emergency access accounts. The day your MFA system has an outage and your only Global Admin accounts require MFA, you'll be very glad you have them. Store the credentials offline, audit them monthly, and document their existence in your runbook.
- Enable Self-Service Password Reset (SSPR) in Entra so users can unblock themselves for credential issues without an IT ticket
- Set Sign-in risk policies to require MFA step-up (not block) for medium-risk sign-ins, blocking causes lockouts; step-up gives users a path forward
- Keep Microsoft Entra Connect updated, run the health check at Entra Admin Center → Identity → Hybrid management → Entra Connect monthly
- Review the Stale devices report quarterly (Entra Admin Center → Devices → All devices → filter by activity date) and disable devices inactive for 90+ days to avoid compliance state confusion
Frequently Asked Questions
Why does Microsoft Entra keep asking me to sign in every time I open an app?
This is almost always a persistent token or PRT (Primary Refresh Token) problem. Run dsregcmd /status as the affected user and check whether AzureAdPrt shows YES. If it's NO, the device isn't successfully acquiring a PRT, which means every app has to do a full interactive authentication. Common causes: device left a Conditional Access exclusion group, device certificate expired, or the user's account has a new sign-in frequency policy set to a short interval. Check Entra Admin Center → Protection → Conditional Access → Session controls for any "Sign-in frequency" settings applied to the user's apps.
How do I fix "Your organization has deleted this device" error in Microsoft Entra?
This error means the device record was removed from Entra ID, but the device-side join state still thinks it's enrolled. Go to Settings → Accounts → Access work or school, click the connected account, and select Disconnect. This clears the stale device-side state. Then re-join the device to Entra ID using the same menu, for Entra-joined devices, click Connect → Join this device to Microsoft Entra ID. For hybrid-joined devices, run dsregcmd /leave followed by a Group Policy refresh and automatic re-registration. The device should appear back in Entra Admin Center within 15 minutes.
What does AADSTS700003 mean and how do I fix it?
AADSTS700003 means "Device object was not found in the tenant's directory." This happens when the device ID sent in the authentication request no longer exists in Entra. It's effectively the same as the "deleted device" scenario above, but it surfaces more often in silent/non-interactive auth flows for apps like Teams running in the background. The fix is the same: disconnect and re-join the device. If you're an admin seeing this for multiple devices after a tenant migration or device management switch, check whether a bulk delete operation was accidentally run against device objects in Entra Admin Center, the Audit logs will show this under the Device category.
Can I fix Entra sign-in problems without being a Global Admin?
Yes, for most end-user scenarios. The Authentication Administrator role can reset passwords and authentication methods for non-admin users, that covers the majority of helpdesk scenarios. The Conditional Access Administrator role can view and modify CA policies. For read-only sign-in log access to diagnose issues, assign the Reports Reader role, which is much safer to give to tier-1 support staff. You only need Global Admin for tenant-level configuration changes, emergency break-glass scenarios, and Entra Connect service account management. Follow the principle of least privilege, don't hand out Global Admin for what is effectively a helpdesk task.
Entra Connect sync is failing, it shows "stopped-extension-dll-exception". What does that mean?
This error means the sync engine threw an unhandled exception in one of its connector extension DLLs, usually the Active Directory or Entra connector. Open Synchronization Service Manager → Operations tab, click the failed run, and read the details pane carefully. Look for the specific connector name and the exception type. The most common cause I've seen is a corrupted connector space, fix it by running Start-ADSyncSyncCycle -PolicyType Initial after verifying the sync service account hasn't lost permissions on the AD connector. If the exception persists, check Event Viewer → Applications and Services Logs → Microsoft → AzureADConnect for the detailed exception stack trace, which will tell you exactly which DLL and operation failed.
A guest user I invited can't access our SharePoint site after accepting the invitation, what's wrong?
Guest access problems after invitation acceptance are almost always a Conditional Access or cross-tenant access setting issue, not a permissions problem on the SharePoint site itself. First, check Entra Admin Center → External Identities → Cross-tenant access settings and confirm that inbound access from the guest's home tenant is allowed. Then check your Conditional Access policies, if you have a policy requiring compliant devices or hybrid join, guest users from external tenants will be blocked because their devices aren't managed by your Intune. Either exclude guests from that policy (using the "Guest or external users" condition in CA) or configure a Trust settings rule to accept compliance claims from the guest's home tenant under Cross-tenant access settings. Finally, verify the user's redemption state in Entra Admin Center → Users → [guest user] → Properties, the User type should be "Guest" and there should be no error in the Identities section.