Hello @Justin Thomas ,
Thanks for reaching out.
Could you please confirm the type of authentication used for the working and non-working scenarios? Hybrid federated, Hybrid managed (PHS or PTA), or cloud only?
Common reasons for this scenario are as follows:
- Federated sign-ins require your federation server to support WS-Trust endpoints that are enabled and accessible.
- You enabled pass-through authentication. So your temporary password needs to be changed when you sign in.
- User's UPN has changed recently: Currently, UPN changes are not fully supported on Azure AD joined devices. So their authentication with Azure AD fails after their UPN changes. As a result, users have SSO and Conditional Access issues on their devices. At this time, users need to sign in to Windows through the "Other user" tile using their new UPN to resolve this issue. We are currently working on addressing this issue. However, users signing in with Windows Hello for Business do not face this issue. (UPN changes are supported with Windows 10 2004 update. Users on devices with this update will not have any issues after changing their UPNs)
Looking at the "AAD" and "User Device Registration" events under "Windows" could give you more insight.
It's worth referring to the articles below:
https://learn.microsoft.com/en-us/azure/active-directory/devices/faq#azure-ad-join-faq
https://learn.microsoft.com/en-us/azure/active-directory/devices/azureadjoin-plan#review-your-identity-infrastructure
Hope this helps.
------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
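As an added example, not part of the answer above or of any Microsoft documentation: a PowerShell snippet that pulls the two Windows event channels the answer points at (the AAD operational log and the User Device Registration admin log) for recent warnings and errors, then prints the device's join state from `dsregcmd /status` so the sign-in failure can be correlated with the registration state and the account name the device believes it holds (the UPN-change case described above). The channel names and the `dsregcmd` field labels are the standard ones; the 24-hour window and the 50-event cap are assumptions you can adjust.

```powershell
# Added example (not from the original answer): collect the Windows events the
# answer refers to, plus the device join state, on the affected device.
# Run in an elevated PowerShell session. Time window and event cap are assumptions.
$since = (Get-Date).AddHours(-24)

$channels = @(
    'Microsoft-Windows-AAD/Operational',
    'Microsoft-Windows-User Device Registration/Admin'
)

foreach ($channel in $channels) {
    Write-Host "==== $channel (Warning/Error since $since) ===="
    Get-WinEvent -FilterHashtable @{
        LogName   = $channel
        StartTime = $since
        Level     = 2, 3          # 2 = Error, 3 = Warning
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            # keep only the first line of each message so the table stays readable
            @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize -Wrap
}

# Join state, tenant, PRT status and the account the device is registered under.
# A mismatch between 'Executing Account Name' and the user's current UPN points
# at the UPN-change scenario described in the answer.
Write-Host "==== dsregcmd /status (selected fields) ===="
dsregcmd /status | Select-String -Pattern 'AzureAdJoined', 'DomainJoined', 'TenantName',
    'Executing Account Name', 'WamDefaultSet', 'AzureAdPrt'
```

Run it once on a device where sign-in works and once on one where it fails; comparing the event IDs and the `AzureAdPrt` / `Executing Account Name` values between the two is usually enough to tell a federation (WS-Trust) problem apart from a stale-UPN or registration problem before opening the FAQ links.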