IT Connect

Azure AD authentication troubleshooting: Known problems and solutions

You may be experiencing sign in or access issues related to Office 365 or other applications which leverage the UW Azure Active Directory (Azure AD).

This page is part of the Azure AD authentication troubleshooting guide — specifically the known problems and solutions page.


Inactive MI user account

NETID Active Directory and UW Azure AD user accounts are subject to a lifecycle process which disables and deletes inactive accounts. You can check to see if your account has been disabled.

Solution: If your account has been disabled or deleted, there is a documented solution.

Corrupt or incorrect identity token or stale browser cookie

To reduce the number of times you have to sign in to Microsoft products, an identity token, refresh token or browser cookie may be stored on your device. In a variety of scenarios, these stored tokens can become a source of issues. Where they are stored is not well documented and will vary depending on your device platform, so the solutions here are unfortunately generic.

Solution: Delete cached credentials and browser cookies.

Deleting browser cookies:

Deleting browser cookies is highly dependent on which browser you are using, so we can’t give you detailed directions on that, but you should be able to easily find directions online. To avoid deleting all browser cookies, you can just delete cookies with the following names:

  • account.activedirectory.windowsazure.com

Deleting cached credentials

Deleting cached credentials is also dependent on which platform your device is running:

Windows 10

There are two places to review:

  1. Windows Settings > Accounts > Email & accounts. Remove all accounts listed.
  2. Control Panel > User Accounts > Credential Manager > Windows Credentials. Remove any credential which begins with the following names:
    1. Microsoft
    2. MS.Outlook
    3. msteams
    4. OneDrive
    5. team:

NOTE: When Microsoft Office was previously installed on a device for another user it can leave a variety of detritus that can result in sign in issues for other users; see https://itconnect.uw.edu/wares/msinf/aad/authn/help/problems-and-solutions/#priorOffice if that sounds more like what you are experiencing.
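The Credential Manager step above can be done from PowerShell as well. This is an added example, not code from the IT Connect page: it lists the Windows Credentials whose names begin with the prefixes given above and, only with -Remove, deletes them. It assumes the documented cmdkey output format, where each entry is printed as "Target: <Type>:target=<name>", and that "cmdkey /delete:<name>" removes an entry.

```powershell
# Added example (not from the IT Connect page). Save as Clear-MsCachedCreds.ps1 and run it once
# without -Remove to review the matches, then again with -Remove to delete them.
param([switch]$Remove)

# Prefixes listed on the page for Control Panel > User Accounts > Credential Manager > Windows Credentials.
$prefixes = 'Microsoft', 'MS.Outlook', 'msteams', 'OneDrive', 'team:'

# Assumption: each stored credential appears in "cmdkey /list" as "    Target: <Type>:target=<name>".
# The <name> after "target=" is what Credential Manager displays and what cmdkey /delete expects.
$names = cmdkey /list | ForEach-Object {
    if ($_ -match '^\s*Target:\s*\S+?:target=(.+?)\s*$') { $Matches[1] }
}

# Keep only entries that start with one of the page's prefixes (case-insensitive).
$matched = foreach ($n in $names) {
    foreach ($p in $prefixes) {
        if ($n.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)) { $n; break }
    }
}

if (-not $matched) { Write-Host 'No cached Microsoft credentials found in Credential Manager.'; return }

foreach ($name in $matched) {
    if ($Remove) {
        # Quoting keeps names containing spaces or colons as a single argument.
        cmdkey "/delete:$name" | Out-Null
        Write-Host "Removed: $name"
    } else {
        Write-Host "Would remove (re-run with -Remove): $name"
    }
}
```

Sign out and back in afterwards so the applications re-prompt for credentials rather than reusing an in-memory token.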

macOS

  1. Open the Utilities folder on your Mac by switching to the Finder and clicking Go -> Utilities
  2. Open the “Keychain Access” application
  3. Select the login Keychain, then click on the search box in the upper right and type in Microsoft. Select all the search results and either hit Delete or right-click and select “Delete Items”. Click OK when prompted.

Microsoft product licensing

You may be trying to access a Microsoft product which requires your user account to have a license. Many Microsoft product licenses at the UW are based on your affiliation with the UW, so loss of student or employee status will result in loss of license. If your account was deleted due to inactivity (see Inactive MI user account), it may take up to 1 day to gain any licensing you are eligible for.

Solutions: 

Office installed previously for another user causes sign in issues

When Microsoft Office was previously installed on a device for another user it can leave a variety of detritus that can result in sign in issues for other users. You may experience errors such as:

  • pottery@uw.edu can’t be found in the blah-my.sharepoint.com directory.
  • Sorry, another account from your organization is already signed in on this computer.

The first error strongly indicates there is cached detritus from a prior installation: Office is trying to connect to a OneDrive in another tenant, which it should only do if someone from another organization has shared a document with you and you have initiated opening that document.

The prior Office installation detritus is usually in the form of registry keys that cache the Azure AD tenant, username, and profile information. Removing those registry keys can resolve those types of issues, but they can be challenging to find, even for an experienced IT professional; the most reliable solution in those cases is to rebuild the device. But rebuilding your device can be highly impactful, so we’ll attempt to provide some pointers on which registry keys might be causing the issues. Keep in mind that editing your registry can be dangerous, leading to instability and forcing you to rebuild the device.

Solutions: 

  1. The 1st error may be resolved with a OneDrive reset.
  2. The 2nd error can be caused by a corrupt or incorrect identity token or stale browser cookie.
  3. Registry key locations which may be causing these issues:
    1. HKCU\Software\Microsoft\Office\15.0\Common\Identity\Identities
      1. NOTE: “15.0” may not be the version installed on your device; adjust this number to match what you find.
      2. Under this location, select the Office account that you want to delete, and then select Delete. There may be more than one you need to delete.
    2. HKCU\Microsoft\Office\15.0\Common\Identity\Profiles
      1. NOTE: “15.0” may not be the version installed on your device; adjust this number to match what you find.
      2. Under this location, select the Office account that you want to delete, and then select Delete. There may be more than one you need to delete.
    3. After removing these registry keys, reboot, and see if that clears it up.
  4. Slightly more aggressive registry key removals:
    1.  HKCU\Software\Microsoft\Office\15.0\Common\Identity\
      1. NOTE: “15.0” may not be the version installed on your device; adjust this number to match what you find.
      2. Delete everything under this location.
    2. Reboot and try again.
  5. More aggressive registry key removal specific to 1st error:
    1. HKCU\SOFTWARE\Microsoft\OneDrive\Accounts\Business1
      1. Delete everything under this location
    2. HKCU\SOFTWARE\SyncEngines\Providers\OneDrive\Business1
      1. Delete everything under this location
    3. HKCU\SOFTWARE\SyncEngines\Providers\OneDrive\2ad64a9b31d24a538a5189f6f0fede98
      1. Note: the “2ad64a9b31d24a538a5189f6f0fede98” GUID may differ on your device; adjust as needed.
      2. Delete MountPoint & UrlNamespace under this location.
    4. Reboot and try again.
  6. If none of these solutions resolved your issues, then a device rebuild may be required. We recommend using UW Autopilot for this scenario.
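Because the Office version number and the number of cached accounts vary from device to device, the registry steps in solutions 3 and 5 are easier to do reliably with a script that discovers the keys first. The following is an added example, not code from the IT Connect page. It assumes that both the Identities and Profiles keys live under HKCU:\Software\Microsoft\Office\<version>\Common\Identity (the standard Office layout, matching the first path above) and that the OneDrive keys are the two Business1 keys listed under solution 5; the GUID-named SyncEngines key is left for manual handling.

```powershell
# Added example (not from the IT Connect page). Save as Remove-StaleOfficeIdentity.ps1.
# Run with -WhatIf first to see what would be deleted; nothing is removed until you confirm.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$IncludeOneDrive   # also handle the OneDrive Business1 keys tied to the "can't be found" error
)

$targets = [System.Collections.Generic.List[object]]::new()

# "15.0" on the page is only one possible Office version; enumerate the version keys actually present.
$officeRoot = 'HKCU:\Software\Microsoft\Office'
if (Test-Path $officeRoot) {
    foreach ($ver in (Get-ChildItem $officeRoot | Where-Object { $_.PSChildName -match '^\d+\.\d+$' })) {
        foreach ($leaf in 'Identities', 'Profiles') {
            # Assumption: Identities and Profiles both sit under <version>\Common\Identity.
            $path = Join-Path $officeRoot "$($ver.PSChildName)\Common\Identity\$leaf"
            if (Test-Path $path) {
                # Each subkey is one cached Office account (tenant, username, profile information).
                foreach ($acct in Get-ChildItem $path) { $targets.Add($acct) }
            }
        }
    }
}

if ($IncludeOneDrive) {
    foreach ($p in 'HKCU:\SOFTWARE\Microsoft\OneDrive\Accounts\Business1',
                   'HKCU:\SOFTWARE\SyncEngines\Providers\OneDrive\Business1') {
        if (Test-Path $p) { $targets.Add((Get-Item $p)) }
    }
}

if ($targets.Count -eq 0) {
    Write-Host 'No cached Office identity keys found; a prior installation is probably not the cause.'
    return
}

foreach ($key in $targets) {
    # Show the key and its value names first so you can confirm it belongs to a stale tenant/user.
    Write-Host ("{0}`n    values: {1}" -f $key.Name, ($key.GetValueNames() -join ', '))
    if ($PSCmdlet.ShouldProcess($key.Name, 'Remove cached identity registry key')) {
        Remove-Item -LiteralPath $key.PSPath -Recurse -Force
    }
}
Write-Host 'Done. Reboot and try signing in again.'
```

Export the affected hive first (reg export HKCU\Software\Microsoft\Office backup.reg) so the change can be reversed if the sign-in problem turns out to have a different cause.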

Unexpected Duo prompt during Windows sign in

In rare cases, if you have opted into ‘UW Duo for the web’ you may experience a Duo prompt during the interactive Windows sign in. There are two scenarios where this may occur: one that is expected and another where it is unusual.

Windows sign in generally has nothing to do with Azure AD. However, there are a couple of scenarios where it is related:

  1. If you have joined your device to Azure AD. In that case, your interactive Windows sign in is to Azure AD. Azure AD device join is not recommended at the UW, but in that case a Duo prompt would be expected as part of the interactive Windows sign in.
  2. If your device has a client application installed which starts at Windows sign in that interacts with an Azure AD application AND that client application behaves poorly by deleting or disregarding existing Azure AD tokens it has previously gotten, then a Duo prompt is a valid but disappointing result. The client application should not behave in this manner as it violates the expected behavior of honoring the full lifetime of the Azure AD token. We are aware of one known instance of this, but there may be others.
    Known instances:

    1. The Universal Store Native Client, which accesses the Windows Store for Business (Azure AD) application. Note: this is not predictable and would appear to happen semi-randomly based on an unknown algorithm in the code of this client application. We have no solutions for this problem at this time.

User disabled registered device

Some Office clients require Azure AD device registration to enable sign-in. Azure AD device registration enables a refresh token which significantly reduces the number of interactive sign ins required. Users can disable any device they have registered, but cannot re-enable devices they disable. When they disable a device, all ability to sign in to Azure AD from that device is blocked. UW-IT recommends that users never disable a registered device.

Users can review their registered devices via https://myworkaccount.microsoft.com/device-list to verify the device is improperly disabled and this is the source of the problem.

Solution: There is no action the user can take to resolve this problem. Contact UW-IT via help@uw.edu for assistance in re-enabling the registered device.

Device registration failure due to Intune device restriction policy

Note: Technically this is not an Azure AD authentication failure, but it is closely related, so we've included it.

If you get an error message which includes “Error Code 80180014” along with “Something went wrong. Your account was not set up on this device because device management could not be enabled. This device might not be able to access some resources, such as Wi-Fi, VPN, or email.”, you may have run into this known problem.

Azure AD device registration is an important element which affects the Azure AD authentication experience, as explained as part of this overall guide.

This error happens due to an undocumented design on Microsoft’s part in combination with the UW configuration required to support Autopilot.

To resolve this problem, contact help@uw.edu with subject “Device registration failure due to Intune device restriction policy” — we’ll manually add you to the workaround solution.

UW Remember Me doesn’t work with Azure AD; I have to sign in to Azure AD a lot

Per https://itconnect.uw.edu/security/uw-netids/2fa/remember-me/, “the ‘remember me’ option is a feature of the UW Identity Provider.” Azure AD is not the UW Identity Provider, so this feature is not expected to work.

Azure AD authentication tokens generally last indefinitely except in risky conditions. If you are constantly being asked to sign in, you are likely using the technology in a way it isn’t designed for.

Solutions:

  • A simple way to reduce Azure AD sign ins is to register your device with Azure AD. Note that only devices with the following platforms can register: Windows 10, iOS, Android, and macOS. Windows 7 is not supported, and should be upgraded to Windows 10.

  • There are other possible solutions, and you may need to contact UW-IT via help@uw.edu for additional assistance.

UW NetID compromise

UW NetIDs sometimes are compromised. When this happens, they are put into a special non-functional state to prevent improper use until the account can be reinstated. This will prevent all authentications, Azure AD or otherwise, and all Azure AD access token issuance.

Solution: Contact UW-IT via help@uw.edu or by calling 206-221-5000 for assistance in re-enabling your UW NetID.

Conditional Access policy from another tenant

When you access an application from another organization’s Azure AD tenant, you are subject to any Conditional Access policies they may have. Policies which may be impactful are usually security related. As an example, if you join a Microsoft Team hosted by Microsoft, you will be asked to register for Azure MFA via Microsoft Authenticator in order to sign in to that specific Microsoft Team.

Solution: There is no single solution for all scenarios, and because the policy is not owned by the UW, UW-IT can’t assist you either.

If the Conditional Access policy requires Azure MFA, then you can enable Azure MFA on your account by adding Additional Verification methods.

Last reviewed June 29, 2021