Entra ID authentication troubleshooting: How the technology works

Last updated: November 15, 2023
Audience: All UW

You may be experiencing sign in or access issues related to Office 365 or other applications that leverage the UW Entra ID (was Azure AD).

This page is part of the Entra ID authentication troubleshooting guide: How the technology works.

This troubleshooting guide provides:

Note: This document covers the basics related to Entra ID authentication. More information about our Entra ID architecture is available but is not directly relevant to this topic.

How the technology works

You likely do not know you use Entra ID , but you are familiar with Office 365 applications, like Exchange Online, Outlook, Teams, Sharepoint Online, or OneDrive for Business—all of which rely on Entra ID for authentication and access.

Entra ID sign in basics

Each of these applications requires an Entra ID sign in. For example, to get into your Exchange Online mailbox what happens is:

  1. Each user must get an Entra ID identity token for their UW NetID
  2. Use that identity token to get an Entra ID access token for Exchange Online
  3. Use that access token to get into their Exchange Online mailbox

Entra ID tokens have some standard behaviors which affect what you experience:

  1. Entra ID tokens are restricted to use from the device where they are obtained–they can’t be re-used on another device. Each time you use a new device, you will get the full interactive sign-in experience.
  2. In some cases, you may already have an identity token or a special token called a refresh token cached on your device. If this is the case, you won’t be prompted to interactively sign in with your UW NetID credentials.
  3. If the device is Entra ID registered, then an Entra ID refresh token will be issued. An Entra ID refresh token acts like the “UW Duo remember me” option–when present, the user is not prompted interactively to enter their credentials each time they want to access an application that requires a new Entra ID access token.
  4. Entra ID access tokens generally last 1 hour, but each application can change that length.
  5. Policy can be set which sets conditions for Entra ID access token issuance. Examples in use at the UW include:
    • Duo 2FA opt-in for the Web. If you choose to opt-in, all your Entra ID access tokens will additionally require Duo 2FA. Presence of a refresh token which indicates you have previously satisfied Duo 2FA will mean you do not have to interactively satisfy Duo 2FA every hour.
    • Compromised UW NetID or loss of Office 365 license. In these cases, no access token will be issued.

UW Entra ID sign in specifics

Our Entra ID uses password hash sync, which is Microsoft jargon that means your UW NetID password is not actually present in Microsoft’s cloud-based Entra ID, but a derived form of it which can be used to verify whether the password you provide to Microsoft sign in prompts is correct. You will have one of two sign-in experience based on whether your account is configured to require Duo 2FA:


Duo 2FA

Users who have chosen to ‘opt in to UW 2FA for the Web‘ will get 2FA prompts via the UW IdP and separately via Entra ID. Entra ID will require Duo 2FA when an access token is issued. 

Tokens issued by Entra ID have no relationship to the UW Duo remember me feature–the UW Duo remember me feature is *only* for tokens issued by the UW IdP.

If the device is registered with Entra ID, then you should not be interactively prompted by Duo for each access token. And the opposite should also be true, if the device is not registered with Entra ID, then the user should be interactively prompted by Duo for each access token.

Entra ID device registration

The device used with Entra ID sign in is very important, and depending on the configuration can either reduce interactive sign ins or entirely block sign ins.

Entra ID tokens are restricted to use from the device where they are obtained.

If the device is Entra ID registered, then an Entra ID refresh token will be issued when an identity token is obtained. An Entra ID refresh token will eliminate the need to interactively enter your credentials each time you want to access an application that requires a new Entra ID access token.

Most Office products (including Microsoft 365 Apps for Enterprise, Office 2016/2019, and Office ProPlus) on supported Windows platforms require the device to be Entra ID registered in order to allow sign in. Office products often perform the registration silently, unknown to the user. 

There are other application experiences which require device registration. For example, users which use the Windows 10 Mail application to access Exchange Online will be asked to register via the ‘Access Work or School’ Windows setting.

Each device usually has one registration record per user, not necessarily a single device registration. The only exception to this is a hybrid joined device which does involve user interaction.

Because device registrations are per user, each user can review and manage the list of all their registered devices via https://myworkaccount.microsoft.com/device-list. Users should NOT disable any registered device. While you can disable the device, you can not re-enable it. If you disable your device, you then can’t sign in from that device. Only a small handful of people at the UW can re-enable a disabled device.

If the device registration is deleted, then any cached token on that device is now invalid. This includes the primary refresh token, which generally doesn’t expire and usually significantly reduces interactive sign ins. Because all the tokens on this device are invalid for that user, the user may see an error, and then must perform a fresh interactive Entra ID sign in. Depending on the scenario, that Entra ID sign in may require a fresh device registration. For this reason, it is best to not delete an Entra ID device registration unless that user will never sign in again from that device.

Most device platforms are supported for device registration, but Windows 7 is a notable exception. Windows 7 mainstream support ended in 2015 and extended support ended at the beginning of 2020. Windows 7 is insecure (because it is not actively getting security updates), and UW users should upgrade to Windows 10. This is why the Entra ID Duo 2FA experience from a Windows 7 device is very annoying — every access token will require a fresh interactive sign-in.

Office clients on non-Windows platforms sometimes have helper capabilities that allow an Entra ID refresh token to be maintained regardless of whether the device is registered with Entra ID or not.

If your Entra ID device registration experience is interactive, you may be asked whether you want the device to be managed. You should choose no. If you say yes, you are moving beyond a relatively benign Entra ID device registration to mobile device management (MDM), which in the case of the UW Entra ID tenant is provided by Intune. When you say “yes” to that management prompt you are saying “yes” to Intune enrollment. If successful, that potentially means a set of policies and settings will be deployed to the device, including these settings.