Have you ever scrambled to pinpoint the exact cause of a user's sign-in complaint, getting more frustrated the longer it took? 😤 Sign-in failures in Microsoft Entra ID stop people from working, so resolving them quickly matters. This is where the sign-in diagnostic in Microsoft Entra saves the day! 🚀 Instead of manually sifting through thousands of log entries, you get a guided view that helps you identify and resolve authentication problems.
In this blog, we’ll explore how to use the Microsoft Entra sign-in diagnostic tool to troubleshoot sign-in related errors.
What is the Sign-in Diagnostic in Microsoft Entra ID?
The Microsoft Entra sign-in diagnostic tool analyzes user sign-in events, explains what happened during each one, and provides steps to resolve the problem. It reviews sign-ins that users have flagged for review as well as all other sign-in activity, so you can examine a particular user's or app's sign-in attempts.
For instance, if a user encounters an error while logging in for the first time, you can use this tool to pinpoint the error and its cause. This ensures users can access the required Microsoft resources with minimal downtime.
How to Access and Use the Microsoft Entra ID Sign-in Diagnostic Tool
There are three ways to diagnose sign-ins in Entra ID.
- Diagnose sign-ins from the Diagnose and Solve Problems section
- Diagnose sign-ins from the sign-in logs
- Diagnose sign-ins from the support request window
Before exploring each method, make sure you have been assigned the Global Reader role in Microsoft Entra ID, the least-privileged role that can run the diagnostic. Also, note that some details in the results require additional roles; for example, Conditional Access policy details require the Conditional Access Administrator role.
Diagnose Sign-ins from the Diagnose and Solve Problems Section
The Entra admin center simplifies issue resolution with the Diagnose & solve problems section. Here you can find several troubleshooters, including the Sign-in Diagnostic, which helps resolve sign-in issues.
To troubleshoot sign-in problems in Microsoft Entra ID, follow the steps below.
- Sign in to the Microsoft Entra admin center and navigate to the Diagnose & solve problems section in the left pane.
📝Note: You can also find the Diagnose & solve problems section under the Users, Groups, Identity Protection, or other tabs.
- Under the Troubleshooters section, click the Troubleshoot link on the Sign-in Diagnostic tile.
- The tool first searches for sign-in events that users have flagged for review. If none are found, it takes you to the All Sign-In Events tab.
- Then, enter the user's name or email and select a date and time. The tool searches for the user's sign-in events within 48 hours of the selected time.
- Instead of user details, you can also provide the application display name or application ID to diagnose app sign-ins. Additionally, you can provide the correlation ID or request ID of a specific failed sign-in to diagnose that exact event.
- Then, click Next. Now, you can explore the Authentication Summary and Diagnostic Results to take appropriate action.
Diagnose Sign-ins from the Sign-in Logs
Unlike the Diagnose & solve problems section, which focuses on checking flagged events or all events, this method allows you to run diagnostics directly for a specific sign-in event. You can do this using the Microsoft Entra ID sign-in logs.
Let’s see how to diagnose a specific sign-in event directly from the sign-in log.
- In the Entra admin center, navigate to Identity → Monitoring & health → Sign-in logs.
- Filter and select the desired sign-in event you want to diagnose.
- From the Activity details flyout pane, click the Launch the Sign-in Diagnostic link.
The diagnostic will start for the selected sign-in event. Once complete, it will return the summary and diagnostic result.
💡Tip: While sign-in logs offer granular details for troubleshooting user sign-in errors, you can also use the Entra workbook for login error analysis to identify trends and recurring sign-in issues.
Diagnose Sign-ins from the Support Request Window
In contrast to the previous methods, this one involves creating a support ticket for a sign-in issue. The system will then offer solution guidance based on the selected problem type or subtype and run diagnostics to identify the cause and resolution.
- Head to New Support Request from anywhere in the Entra admin center and choose the Issue type as Technical.
- Then, select the Service type as Microsoft Entra Sign-in and Multifactor Authentication.
- Now, choose the Problem type and Problem subtype as necessary. Then, click Next.
The diagnostic will automatically start before proceeding with the support request and provide useful insights along with remediation steps.
Insights from the Sign-in Diagnostic Results
In the Sign-in Diagnostic: Review Sign-ins page, you’ll see the respective sign-ins and the appropriate diagnostic steps.
There are two tabs: Flagged Sign-In Events and All Sign-In Events. Sign-ins that users have flagged for review appear in the Flagged Sign-In Events tab, while the All Sign-In Events tab lists every sign-in found, whether flagged or not.
Authentication Summary
This section shows a summary of all the sign-ins within 48 hours of the selected date and time. When you start from a correlation ID, or from a specific event in the sign-in log, it shows only that sign-in. For each entry you can see the sign-in time, user details, app details, sign-in status, error code, whether the sign-in is flagged for review, and more.
You can click on the respective column header to sort all the results based on the column’s ascending or descending order. Moreover, you can use the View Columns option to show more columns or hide existing ones.
Diagnostic Results
Clicking a sign-in in the summary opens the diagnosis of that event, describing what happened during the sign-in. Scenarios include an MFA requirement enforced by a Conditional Access policy, or a sign-in that a Conditional Access policy should probably have covered.
The result also includes related content and links to troubleshooting steps, which helps you identify the actions you can take. Not every issue can be resolved without further help, so a recommended step may be to open a support ticket.
Common Use Cases of Sign-in Diagnostic
These are some common sign-in scenarios in Entra where sign-in diagnostics can provide helpful troubleshooting ideas.
Security Defaults:
The sign-in diagnostic helps identify when security defaults interrupt a sign-in, such as when a user hasn’t configured MFA or tries to use legacy authentication protocols.
Conditional Access:
This tool helps diagnose sign-in failures caused by Conditional Access (CA) policies, such as sign-ins blocked because of risk, MFA triggered by policy, or external (B2B) users being denied access. To catch these before they reach users, use the Conditional Access What-If tool to validate a policy's effect before enforcing it. You can also use the Conditional Access insights workbook in Entra ID to understand why users failed to satisfy CA policies.
Multifactor Authentication:
Multifactor authentication adds a second verification step before access to critical resources is granted, which is why it plays such a large role in preventing unauthorized access. The diagnostic tool helps identify MFA sign-in issues, such as incomplete MFA registration (proof-up), incorrect credentials, or accounts locked by the smart lockout configuration in Microsoft Entra.
Enterprise Apps:
Sign-in issues can occur due to problems with either the service provider (SaaS application) or the Microsoft Entra ID configuration. If the issue is on the service provider side, update the configuration there. If it’s on the Entra ID side, review and adjust the settings in Enterprise Applications.
Pass-through Authentication:
Pass-through authentication (PTA) can make it difficult to pinpoint sign-in issues, as this integrates on-premises and cloud authentication. However, this diagnostic helps identify PTA-specific errors. The diagnostic results highlight the failure, user details, possible reasons for the sign-in issue, and recommended actions for resolution.
Seamless Single Sign-on:
Because Seamless SSO combines Kerberos with cloud authentication, its failures are harder to diagnose. This diagnostic helps identify the cause of the failure and provides context and recommended actions for resolution.
Diagnose Microsoft Entra ID Sign-in Based on Error Codes
While the Microsoft Entra sign-in diagnostic helps admins find the cause and the remediation, the Error code lookup tool lets users look up the meaning of the specific AADSTS error code they were shown. This reduces the admin's workload, since users can often fix the problem themselves based on the recommended action, and it helps them understand whether they are violating a policy or simply making a mistake during sign-in.
Enter the error code to get the message (the reason for the sign-in failure) and the appropriate remediation.
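The diagnostic above is a portal feature, but the same triage can be scripted over sign-in records you export from the sign-in log. The following Python script is an added example written for this post, not Microsoft's tool and not code from the original article. It reads records shaped like the Microsoft Graph `signIn` resource (property names such as `correlationId`, `status.errorCode`, `conditionalAccessStatus` and `appliedConditionalAccessPolicies` are Graph's), narrows them the way the diagnostic's search form does (user or app, an exact correlation ID, a 48-hour window around a chosen time), and maps each failure to one of the categories from the use cases above. The `AADSTS` table is a small hand-picked subset of the documented error codes, the `contoso.example` and `fabrikam.example` sample events are constructed, and `_event` is a helper that exists only to build them.

```python
"""Triage Entra sign-in records the way the sign-in diagnostic does.

Added example for this post, not Microsoft's tool. Records are shaped like the
Graph `signIn` resource (the JSON from Download in the sign-in log or from
/auditLogs/signIns). AADSTS is a hand-picked subset; SAMPLE is constructed."""
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=48)  # the diagnostic looks +/- 48 h around the chosen time

AADSTS = {  # errorCode: (category, likely cause, first thing to check)
    50076: ("MFA", "Policy requires MFA for this sign-in", "Check the CA grant control and registered methods"),
    50079: ("MFA", "User must register MFA methods (proof-up)", "Have the user complete registration"),
    50126: ("Credentials", "Invalid username or password", "Reset; if many users hit this, suspect password spray"),
    50053: ("Smart lockout", "Account locked after repeated bad attempts", "Wait it out; review source IPs"),
    53003: ("Conditional Access", "Blocked by a Conditional Access policy", "Check the applied policies; run What-If"),
    50105: ("Enterprise app", "User is not assigned to the application", "Assign the user/group or relax assignment"),
    80001: ("Pass-through Authentication", "PTA agent cannot reach Active Directory", "Check agent health and DC connectivity"),
    81001: ("Seamless SSO", "Kerberos ticket too large", "Reduce group count or fall back to password sign-in"),
}


def parse_time(value):
    """Graph emits ISO 8601 with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def select_signins(events, *, user=None, app=None, correlation_id=None, around=None):
    """Narrow events like the diagnostic's search form: a correlation ID pins one
    event; otherwise user and/or app match, within WINDOW of `around` (tz-aware)."""
    selected = []
    for event in events:
        if correlation_id:
            if event["correlationId"] != correlation_id:
                continue
        else:
            if user and event["userPrincipalName"].lower() != user.lower():
                continue
            if app and app not in (event.get("appDisplayName"), event.get("appId")):
                continue
            if around and abs(parse_time(event["createdDateTime"]) - around) > WINDOW:
                continue
        selected.append(event)
    return sorted(selected, key=lambda e: e["createdDateTime"])


def diagnose(event):
    """Diagnosis for one event: category, likely cause and next step."""
    status = event["status"]
    code = status["errorCode"]
    if code == 0:
        return {"category": "Success", "cause": "Sign-in succeeded", "recommendation": "None"}
    category, cause, action = AADSTS.get(code, (
        "Unknown", status.get("failureReason") or "Unmapped error code",
        "Look the code up in the error code lookup tool"))
    # When CA failed the sign-in, name the policies that actually enforced it
    if event.get("conditionalAccessStatus") == "failure":
        enforcing = [p["displayName"] for p in event.get("appliedConditionalAccessPolicies", [])
                     if p.get("result") == "failure"]
        if enforcing:
            cause += " (policy: " + ", ".join(enforcing) + ")"
    return {"category": category, "cause": cause, "recommendation": action, "errorCode": code}


def summarize(events):
    """Failure counts per category: the recurring-issue view across many sign-ins."""
    counts = {}
    for event in events:
        category = diagnose(event)["category"]
        if category != "Success":
            counts[category] = counts.get(category, 0) + 1
    return counts


def _event(ts, upn, app, cid, code, reason, ca_policy=None):
    """Build a constructed record using the Graph property names the code above reads."""
    record = {"createdDateTime": ts, "userPrincipalName": upn, "appDisplayName": app,
              "correlationId": cid, "status": {"errorCode": code, "failureReason": reason}}
    if ca_policy:  # a CA failure lists the policy that enforced the block or interrupt
        record["conditionalAccessStatus"] = "failure"
        record["appliedConditionalAccessPolicies"] = [{"displayName": ca_policy, "result": "failure"}]
    return record


SAMPLE = [  # constructed sample events, not real log data
    _event("2024-05-01T09:00:00Z", "alice@contoso.example", "Outlook", "c-1", 50076,
           "MFA required", ca_policy="Require MFA for all users"),
    _event("2024-05-01T09:10:00Z", "alice@contoso.example", "Outlook", "c-2", 0, ""),
    _event("2024-04-26T09:00:00Z", "alice@contoso.example", "Outlook", "c-3", 50053, "Account locked"),
    _event("2024-04-28T09:00:00Z", "bob@contoso.example", "Teams", "c-4", 50126, "Bad password"),
    _event("2024-05-01T10:00:00Z", "carol@fabrikam.example", "Exchange ActiveSync", "c-5", 53003,
           "Blocked by Conditional Access", ca_policy="Block legacy authentication"),
]

if __name__ == "__main__":
    when = datetime(2024, 5, 1, 12, tzinfo=timezone.utc)
    for event in select_signins(SAMPLE, user="alice@contoso.example", around=when):
        print(event["createdDateTime"], diagnose(event))
    print(summarize(SAMPLE))
```

Running the script lists Alice's two sign-ins inside the 48-hour window (her older lockout is dropped, just as the portal would drop it) with the MFA interrupt attributed to the "Require MFA for all users" policy, then prints one failure per category across the whole sample. To use it on real data, replace `SAMPLE` with the list from the downloaded JSON; the `around` argument must be a timezone-aware datetime, because Graph timestamps carry a UTC offset.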
In conclusion, the Sign-in diagnostic in Microsoft Entra acts as a detective to uncover sign-in and authentication failures. It provides detailed insights to resolve issues and protect your organization. If you have any questions or need assistance, feel free to share them in the comments. We’re here to guide you every step of the way!