IT Connect
Your connection to information technology at the UW

Azure AD authentication troubleshooting: Known problems and solutions

You may be experiencing sign in or access issues related to Office 365 or other applications which leverage the UW Azure Active Directory (Azure AD).

This page is part of the Azure AD authentication troubleshooting guide, specifically the known problems and solutions page.


Inactive MI user account

NETID Active Directory and UW Azure AD user accounts are subject to a lifecycle process that disables and deletes inactive accounts. You can check whether your account has been disabled.

Solution: If your account has been disabled or deleted, there is a documented solution.

Corrupt identity token or browser cookie

To reduce the number of times you have to sign in to Microsoft products, an identity token, refresh token or browser cookie may be stored on your device. In a variety of scenarios these stored tokens can become a source of issues. Where they are stored is not well documented and varies by device platform, so the solutions here are unfortunately generic.

Solution: Delete browser cookies. To avoid deleting all browser cookies, you can delete only the cookies set by the following hosts:

  • account.activedirectory.windowsazure.com
  • idp.u.washington.edu
  • sts.netid.washington.edu
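The following Python script is an added example, not part of this IT Connect page, showing how cookies for just those three hosts can be removed from a Firefox-style cookies.sqlite store so that every other site's cookies survive. It builds a constructed store with a simplified subset of Firefox's moz_cookies columns and made-up cookie names; a real profile has more columns, and store locations differ by browser and platform, as the page notes.

```python
import os
import sqlite3
import tempfile
# Hosts listed on the page whose cookies are worth clearing. Firefox stores
# domain-scoped cookies with a leading dot, so both forms are matched below.
SSO_HOSTS = (
    "account.activedirectory.windowsazure.com",
    "idp.u.washington.edu",
    "sts.netid.washington.edu",
)

def make_sample_cookie_db(path):
    """Constructed store using a subset of Firefox's moz_cookies columns;
    the cookie names and values are made up for this example."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE moz_cookies (host TEXT, name TEXT, value TEXT)")
    con.executemany("INSERT INTO moz_cookies VALUES (?, ?, ?)", [
        ("sts.netid.washington.edu", "adfs_session", "x"),
        (".idp.u.washington.edu", "idp_session", "x"),
        ("account.activedirectory.windowsazure.com", "aad_session", "x"),
        ("www.washington.edu", "site_pref", "keep"),
        ("login.microsoftonline.com", "other_session", "keep"),
    ])
    con.commit()
    con.close()

def delete_cookies_for_hosts(path, hosts=SSO_HOSTS):
    """Delete cookies whose host is a listed host or its dotted domain form;
    returns the row count. Run only with the browser closed (it rewrites the file)."""
    patterns = [form for host in hosts for form in (host, "." + host)]
    marks = ",".join("?" * len(patterns))
    con = sqlite3.connect(path)
    cur = con.execute(f"DELETE FROM moz_cookies WHERE host IN ({marks})", patterns)
    con.commit()
    deleted = cur.rowcount
    con.close()
    return deleted

def demo():
    """Build the store in a temp dir, clear the SSO cookies, and return
    (deleted_count, sorted hosts that remain) so the collateral is visible."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "cookies.sqlite")
        make_sample_cookie_db(db)
        deleted = delete_cookies_for_hosts(db)
        con = sqlite3.connect(db)
        left = sorted(r[0] for r in con.execute("SELECT host FROM moz_cookies"))
        con.close()
        return deleted, left
```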

ADFS (sts.netid.washington.edu) issues

The UW Azure AD currently leverages the UW IdP for sign-in. To do this, it requires a product called ADFS in the middle. ADFS can introduce a variety of issues. All users will be transitioned to a cloud-based authentication experience in the near future, which does not rely on ADFS.

Solution: Opt in to the cloud-based authentication experience. To do so:

Microsoft product licensing

You may be trying to access a Microsoft product which requires your user account to have a license. Many Microsoft product licenses at the UW are based on your affiliation with the UW, so loss of student or employee status will result in loss of license. If your account was deleted due to inactivity (see Inactive MI user account), it may take up to 1 day to gain any licensing you are eligible for.

Solutions:

User disabled registered device

Some Office clients require Azure AD device registration to enable sign-in. Azure AD device registration enables a refresh token, which significantly reduces the number of interactive sign-ins required. Users can disable any device they have registered, but cannot re-enable devices they disable. When they disable a device, all ability to sign in to Azure AD from that device is blocked. UW-IT recommends that users never disable a registered device.

Users can review their registered devices via https://myworkaccount.microsoft.com/device-list to verify the device is improperly disabled and this is the source of the problem.

Solution: There is no action the user can take to resolve this problem. Contact UW-IT via help@uw.edu for assistance in re-enabling the registered device.

UW Remember Me doesn’t work with Azure AD; I have to sign in to Azure AD a lot

Per https://itconnect.uw.edu/security/uw-netids/2fa/remember-me/, “the ‘remember me’ option is a feature of the UW Identity Provider.” Azure AD is not the UW Identity Provider, so this feature is not expected to work.

Azure AD authentication tokens generally last indefinitely except in risky conditions. If you are constantly being asked to sign in, you are likely using the technology in a way it isn’t designed for.

Solutions:

  • A simple way to reduce Azure AD sign-ins is to register your device with Azure AD. Note that only devices with the following platforms can register: Windows 10, iOS, Android, and macOS. Windows 7 is not supported and should be upgraded to Windows 10.

  • There are other possible solutions, and you may need to contact UW-IT via help@uw.edu for additional assistance.

UW NetID compromise

UW NetIDs sometimes are compromised. When this happens, they are put into a special non-functional state to prevent improper use until the account can be reinstated. This will prevent all authentications, Azure AD or otherwise, and all Azure AD access token issuance.

Solution: Contact UW-IT via help@uw.edu for assistance in re-enabling your UW NetID.

Conditional Access policy from another tenant

When you access an application from another organization’s Azure AD tenant, you are subject to any Conditional Access policies they may have. Policies which may be impactful are usually security related. As an example, if you join a Microsoft Team hosted by Microsoft, you will be asked to register for Azure MFA via Microsoft Authenticator in order to sign in to that specific Microsoft Team.

Solution: There is no single solution for all scenarios, and because the policy is not owned by the UW, UW-IT can’t assist you either.

Last reviewed March 1, 2021