You may be experiencing sign in or access issues related to Office 365 or other applications that leverage the UW Entra ID (was Azure AD).
This page is part of the Entra ID authentication troubleshooting guide: Known problems and solutions.
This troubleshooting guide provides:
To reduce the number of times you have to sign in to Microsoft products, an identity token, refresh token or browser cookie may be stored on your device. In a variety of scenarios these stored tokens can become a source of issues. Where they are stored is not well documented and varies by device platform, so the solutions here are unfortunately generic.
Deleting browser cookies is highly dependent on which browser you are using, so we can’t give you detailed directions on that, but you should be able to easily find directions online. To avoid deleting all browser cookies, you can just delete cookies with the following names:
Deleting cached credentials is also dependent on which platform your device is running:
There are two places to review:
NOTE: When Microsoft Office was previously installed on a device for another user it can leave a variety of detritus that can result in sign in issues for other users—see /tools-services-support/it-systems-infrastructure/msinf/aad/authn/help/problems-and-solutions/#priorOffice if that sounds more like what you are experiencing.
During Microsoft sign in, you may encounter this error:
This error is very generic–it can be produced by something as simple as going to the URL shown without any application generating the challenge, so it isn’t terribly helpful by itself.
You may see an email in your UW inbox like this:
While the email message says it was sent by your IT department, it was not. This email message wasn’t actually sent–it only exists on your mobile device and was created to alert you to the fact that your client application can’t sign in to your account. Your email access has not been blocked–it is only that this client application is broken. You can verify for yourself that your email access was not blocked by going to Outlook on the Web. The reason the client application is broken is that it can only do legacy authentication, or it only has cached credentials that are based on legacy authentication.
One of three things likely happened to cause this error message:
You may be trying to access a Microsoft product which requires your user account to have a license. Many Microsoft product licenses at the UW are based on your affiliation with the UW, so loss of student or employee status will result in loss of license. If your account was deleted due to inactivity (see Inactive MI user account), it may take up to 1 day to gain any licensing you are eligible for.
When Microsoft Office was previously installed on a device for another user it can leave a variety of detritus that can result in sign in issues for other users. You may experience errors such as:
The first error strongly indicates there is cached detritus from a prior installation–Office is trying to connect to a OneDrive in another tenant, which it should only do if someone from another organization has shared a document with you and you have initiated opening that document.
The prior Office installation detritus is usually in the form of registry keys that cache the Entra ID tenant, username, and profile information. Removing those registry keys can resolve those types of issues, but the keys can be challenging to find, even for an experienced IT professional–the most reliable solution in those cases is to rebuild the device. But rebuilding your device can be highly impactful, so we’ll attempt to provide some pointers on which registry keys might be causing the issues. Keep in mind that editing your registry can be dangerous, leading to instability and forcing you to rebuild the device.
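Before touching anything, it helps to see what the cache actually contains. The following is an added example, not UW-IT tooling: a read-only PowerShell inventory of the Office identity cache in the current user's hive. It assumes Office 2016 and later keep that cache under the `16.0\Common\Identity` key named in the script, and the expected tenant ID is a placeholder you replace with your organization's value.

```powershell
# Added example, not UW-IT's own tooling: a read-only inventory of the Office
# identity cache in the current user's registry hive, so stale tenant or account
# entries left by a prior installation can be spotted before anyone edits anything.
# Assumption: Office 2016 and later keep this cache under the "16.0" key below.
$identityRoot = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'

# Placeholder: replace with the tenant ID that should appear for your organization.
$expectedTenantId = '00000000-0000-0000-0000-000000000000'

$guidPattern = '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'

function Get-OfficeIdentityCache {
    param(
        [string]$Root = $identityRoot,
        [string]$ExpectedTenantId = $expectedTenantId
    )

    if (-not (Test-Path -Path $Root)) {
        Write-Warning "No Office identity cache found at $Root"
        return
    }

    # Walk the root key and every subkey (per-account entries live under
    # Identities\<id>) and emit one row per registry value. Nothing is written.
    $keys = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            $displayName = if ($name) { $name } else { '(Default)' }
            $note = ''
            # Any GUID other than the expected tenant is flagged for review. User
            # object IDs are GUIDs too, so treat a flag as a lead, not a verdict.
            if ($value -match $guidPattern -and $value -ne $ExpectedTenantId) {
                $note = 'GUID does not match expected tenant'
            }
            [pscustomobject]@{
                Key   = $key.Name
                Name  = $displayName
                Value = $value
                Note  = $note
            }
        }
    }
}

# Usage: list everything, then narrow to the flagged rows.
$cache = Get-OfficeIdentityCache
$cache | Format-Table -AutoSize -Wrap
$cache | Where-Object Note | Format-Table Key, Value -AutoSize -Wrap
```

The script deliberately only reads. Once the flagged rows point at an account or tenant that does not belong on the device, export the key (`reg export`) before removing anything, so a rebuild is not the only way back if the removal makes things worse.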
In rare cases, if you have opted into ‘UW Duo for the web’ you may experience a Duo prompt during the interactive Windows sign in. There are two scenarios where this may occur—one that is expected and another where it is unusual.
Windows sign in generally has nothing to do with Entra ID. However, there are a couple of scenarios where it is related:
Some Office clients require Entra ID device registration to enable sign-in. Entra ID device registration enables a refresh token which significantly reduces the number of interactive sign ins required. Users can disable any device they have registered, but cannot re-enable devices they disable. When they disable a device, all ability to sign in to Entra ID from that device is blocked. UW-IT recommends that users never disable a registered device.
Users can review their registered devices via https://myworkaccount.microsoft.com/device-list to verify the device is improperly disabled and this is the source of the problem.
This Entra ID error message is the result of your NETID AD computer object being deleted by your delegated OU administrators. UW-IT generally is not involved. You’ll need to work with your local IT unit to address this issue. Point them to the following information: They should review Microsoft’s guidance for troubleshooting hybrid Entra ID joined devices and UW-IT’s guidance for Hybrid Entra ID join with delegated OU.
There is a certificate issued by the Entra ID Device Registration Service. If that certificate is deleted, the device registration is broken without the registration being removed. Processes or people who are “cleaning up” can inadvertently break the device registration. If the device registration is broken, then Entra ID sign ins will fail and the UW doesn’t actually get a failed sign in logged when this is the case.
The private key for the certificate issued by Entra ID Device Registration Service is typically stored in the TPM for a device. If your TPM needs to be replaced, the device registration is broken. Entra ID sign ins will fail and the UW doesn’t actually get a failed sign in logged when this is the case.
To fix this issue, you can remove your device registration and re-add it. Removal works the same as documented at Windows 10 registration via the ‘Access Work or School’ Windows setting.
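Because a deleted certificate or replaced TPM produces no failed sign-in in the UW logs, the check has to happen on the device. The following is an added example, not UW-IT tooling: a PowerShell function that reads `dsregcmd /status`, looks up the reported device certificate in the computer's personal store, and attempts a signing operation with its private key. It assumes the Entra ID joined case (the `AzureAdJoined` and `Thumbprint` lines of the Device State section), that the device key is RSA, and that the session is elevated so the machine key is accessible.

```powershell
# Added example, not UW-IT's own tooling: check whether this device's Entra ID
# device registration certificate is still present and whether its private key
# (normally TPM-backed) can still be used. Run in an elevated PowerShell session.
function Test-DeviceRegistrationCert {
    # dsregcmd /status is Microsoft's built-in registration status tool; its
    # Device State section includes the AzureAdJoined, Thumbprint and
    # TpmProtected lines read below.
    $status = dsregcmd /status

    # Assumption: each field is printed as one "Name : Value" line.
    $fields = @{}
    foreach ($line in $status) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    $result = [ordered]@{
        AzureAdJoined = ($fields['AzureAdJoined'] -eq 'YES')
        Thumbprint    = $fields['Thumbprint']
        TpmProtected  = ($fields['TpmProtected'] -eq 'YES')
        CertPresent   = $false
        KeyUsable     = $false
        Verdict       = ''
    }

    if (-not $result.AzureAdJoined) {
        $result.Verdict = 'Device is not Entra ID joined; nothing to check.'
        return [pscustomobject]$result
    }

    # The device certificate is issued by the Entra ID Device Registration
    # Service (issuer CN=MS-Organization-Access) and lives in the computer's
    # personal store. Match on the thumbprint dsregcmd reports.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $result.Thumbprint } |
        Select-Object -First 1

    if (-not $cert) {
        $result.Verdict = 'Registration record exists but its certificate is gone from the store. Remove and re-add the registration.'
        return [pscustomobject]$result
    }
    $result.CertPresent = $true

    # A certificate can survive a TPM replacement while its key does not, so
    # try an actual signing operation rather than trusting HasPrivateKey.
    # Assumption: the device key is RSA, as Entra ID issues it.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) { throw 'no private key associated with the certificate' }
        $probe = [System.Text.Encoding]::UTF8.GetBytes('registration key probe')
        $null = $rsa.SignData($probe,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        $result.KeyUsable = $true
        $result.Verdict = 'Certificate and private key are intact.'
    } catch {
        $result.Verdict = "Certificate present but its private key is unusable ($($_.Exception.Message)). Remove and re-add the registration."
    }
    [pscustomobject]$result
}

Test-DeviceRegistrationCert | Format-List
```

Both failure verdicts map to the fix described above: remove the device registration and re-add it. The signing probe matters because a certificate whose TPM-resident key is gone still lists as present, so checking only the store would report a healthy device that cannot sign in.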
Note: Technically this is not an Entra ID authentication failure, but it is closely related, so we've included it.
If you get an error message that includes “Error Code 80180014” along with “Something went wrong. Your account was not set up on this device because device management could not be enabled. This device might not be able to access some resources, such as Wi-Fi, VPN, or email.”, you may have encountered this known problem.
Entra ID device registration is an important element which affects the Entra ID authentication experience, as explained as part of this overall guide.
This error happens due to an undocumented design on Microsoft’s part in combination with the UW configuration required to support Autopilot.
To resolve this problem, contact help@uw.edu with subject “Device registration failure due to Intune device restriction policy” — we’ll manually add you to the workaround solution.
The remember me option is a feature of the UW (Shibboleth) Identity Provider. Entra ID is not the UW Identity Provider, so this feature is not expected to work.
Entra ID authentication tokens generally last indefinitely except in risky conditions. If you are constantly being asked to sign in, you are likely using the technology in a way it isn’t designed for.
UW NetIDs sometimes are compromised. When this happens, they are put into a special non-functional state to prevent improper use until the account can be reinstated. This will prevent all authentications, Entra ID or otherwise, and all Entra ID access token issuance.
When you access a resource owned by another organization, i.e. it resides in another organization’s Entra ID tenant, you are subject to any Conditional Access policies they may have. Policies which may be impactful are usually security related. Azure MFA is a common additional security expectation. As an example, if you join a Microsoft Team hosted by Microsoft, you will be asked to register for Azure MFA via Microsoft Authenticator in order to sign in to that specific Microsoft Team.
If the Conditional Access policy requires Azure MFA, then you can enable Azure MFA on your account by adding Additional Verification methods.
You may receive the error message:
“Your account is blocked. We’ve detected suspicious activity on your account. Sorry the organization you are trying to access restricts at-risk users. Please contact your UW admin.” (sign in error code 530032)
When you access a resource owned by another organization, i.e. it resides in another organization’s Entra ID tenant, you are subject to any Conditional Access policies they may have. Policies which may be impactful are usually security related. Risk-based policies are a common additional security expectation. For example, if you join a Microsoft Team hosted by another organization, you may not be allowed to access that specific Microsoft Team if you are considered high risk by Microsoft.
Your UW Entra ID user account can be marked high risk by Microsoft due to some combination of activities associated with the account. What are considered risky event indicators are described at What is risk? Entra ID Identity Protection | Microsoft Docs, and it is usually a combination of events which results in a high risk determination for a user account.
The UW has no control over what policies other organizations choose to enforce on access to their services and data, so we cannot remove those policies.
UW-IT can review the Microsoft determined risk events associated with your account and we may choose to clear them if there is no indication of compromise or other concern. This should allow you to access the resource. But the risk level could return, if there are further indicators.