Azure Joined Device - User Cannot Log In

Justin Thomas 1 Reputation point
2021-07-01T12:42:40.46+00:00

I have a user that cannot log into a device after joining it to Azure - the device is marked as Azure Joined in Azure. I have tested with my account and another account and they can log into the device just fine. I have also tested this same user logging into another device that is Azure joined and they cannot log into it.

The error I am getting is bad username or password.

I know that the password/username is not wrong because I can use them to log into the account via portal.office.com without any issues at all.

We also use OKTA as a third party MFA but they can log into that just fine for MFA.

I am not sure where else to go to troubleshoot - any help would be greatly appreciated.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

3 answers

Sort by: Most helpful
  1. Siva-kumar-selvaraj 15,546 Reputation points
    2021-07-02T18:16:05.06+00:00

    Hello @Justin Thomas ,

    Thanks for reaching out.

    Could you please confirm the type of authentication used for the working and non-working scenario? Hybrid federated, Hybrid managed (PHS or PTA) or cloud only?

    Common reasons for this scenario are as follows:

    • Federated sign-ins require your federation server to support WS-Trust endpoints that are enabled and accessible.
    • You enabled pass-through authentication. So your temporary password needs to be changed when you sign in.
    • User's UPN has changed recently: Currently, UPN changes are not fully supported on Azure AD joined devices. So their authentication with Azure AD fails after their UPN changes. As a result, users have SSO and Conditional Access issues on their devices. At this time, users need to sign in to Windows through the "Other user" tile using their new UPN to resolve this issue. We are currently working on addressing this issue. However, users signing in with Windows Hello for Business do not face this issue. (UPN changes are supported with Windows 10 2004 update. Users on devices with this update will not have any issues after changing their UPNs)

    Looking at "AAD" and User "Device Registration" events under "Windows" could give you more insight:

    [screenshot omitted]

    It's worth referring to the articles below:
    https://learn.microsoft.com/en-us/azure/active-directory/devices/faq#azure-ad-join-faq
    https://learn.microsoft.com/en-us/azure/active-directory/devices/azureadjoin-plan#review-your-identity-infrastructure

    Hope this helps.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

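The answer above suggests looking at the AAD and User Device Registration event logs on the affected device. The following PowerShell snippet is an added example (not from the original thread or from Microsoft) that collects the join state and the recent error/warning events from those two logs in one place; it uses the standard `dsregcmd /status` tool and `Get-WinEvent`, and the log names and one-hour window are assumptions you can adjust.

```powershell
# Added troubleshooting example: gather Azure AD join state and recent
# AAD / Device Registration errors from the device where sign-in fails.
# Run in an elevated PowerShell session on the affected Windows device.

# 1. Join state as reported by the device itself (AzureAdJoined, TenantId, etc.)
$joinState = dsregcmd /status
$joinState | Select-String -Pattern 'AzureAdJoined|DomainJoined|TenantName|TenantId|DeviceId'

# 2. Recent error/warning events from the two logs named in the answer.
#    Level 1 = Critical, 2 = Error, 3 = Warning. Window is an assumption.
$logs = @(
    'Microsoft-Windows-AAD/Operational',
    'Microsoft-Windows-User Device Registration/Admin'
)
$since = (Get-Date).AddHours(-1)

foreach ($log in $logs) {
    Write-Host "=== $log (since $since) ==="
    try {
        Get-WinEvent -FilterHashtable @{
            LogName   = $log
            Level     = 1, 2, 3
            StartTime = $since
        } -ErrorAction Stop |
            Select-Object TimeCreated, Id, LevelDisplayName, Message |
            Format-List
    }
    catch {
        # Get-WinEvent throws when no events match; report that instead of failing.
        Write-Host "No matching events (or log not present): $($_.Exception.Message)"
    }
}
```

Reproduce the failed sign-in first, then run the script within the time window; compare the output with a device where the same user signs in successfully. Differences in the error events (rather than the join state, which the question says already reads Azure Joined) usually point at the authentication path that is failing.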

  2. Parvez Gadhia 1 Reputation point
    2021-07-03T10:01:25.967+00:00

    Are you able to log in with a different user on the problematic device? If not, then disjoin the device, reboot and rejoin it to Azure AD.


  3. Justin Thomas 1 Reputation point
    2021-07-06T11:50:32.79+00:00

    This has been resolved - yes, we could log in with a different user on that same device, and the same user could not log into another device, so we were pretty sure it was not the device.

    When the account was created there was a misspelling in their name, which was corrected. The misspelling stayed on the .onmicrosoft account, and when we tried to log in with their UPN including the misspelling in the name, it worked.
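The resolution above came down to a mismatch between the name the user typed and the UPN actually stored in the directory. As an added example (not part of the original thread, and not Microsoft's documented procedure), this PowerShell snippet uses the Microsoft Graph PowerShell module to list the identifiers a directory object carries so that an admin can spot such a mismatch before the user is told their credentials are wrong; the search term and the tenant name are placeholders.

```powershell
# Added example: compare the sign-in name a user is typing against the
# identifiers stored on the account in Microsoft Entra ID / Azure AD.
# Requires the Microsoft.Graph PowerShell module and a delegated User.Read.All scope.

Connect-MgGraph -Scopes 'User.Read.All'

# Placeholder: part of the user's display name, e.g. the (correctly spelled) surname.
$searchTerm = 'Smith'

# Find every account whose display name starts with the term; a corrected
# display name can coexist with a UPN that still carries the original typo.
$users = Get-MgUser -Filter "startsWith(displayName,'$searchTerm')" `
    -Property 'id,displayName,userPrincipalName,mail,proxyAddresses,onPremisesUserPrincipalName' `
    -ConsistencyLevel eventual -CountVariable matchCount

foreach ($u in $users) {
    [PSCustomObject]@{
        DisplayName          = $u.DisplayName
        UserPrincipalName    = $u.UserPrincipalName       # what Windows sign-in actually checks
        Mail                 = $u.Mail
        OnPremUPN            = $u.OnPremisesUserPrincipalName
        ProxyAddresses       = ($u.ProxyAddresses -join '; ')
    }
} | Format-Table -AutoSize

# Placeholder sign-in name the user has been typing at the Windows logon screen.
$typedUpn = 'jane.smith@contoso.onmicrosoft.com'
if ($users.UserPrincipalName -contains $typedUpn) {
    Write-Host "The typed UPN matches a directory UPN; the failure is not a UPN mismatch."
} else {
    Write-Host "No account carries UPN '$typedUpn'. Check the UPN column above for a misspelled variant."
}
```

Because Windows sign-in on an Azure AD joined device validates the UPN, not the display name or mail address, the UserPrincipalName column is the one to compare with what the user types. If the UPN is later renamed to fix the spelling, keep in mind the caveat in the first answer: a UPN change on an already-joined device can itself cause sign-in problems until the user signs in via the "Other user" tile with the new UPN.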