Azure AD Windows Login failed, but cloud login works

@Utility: azure 1 Reputation point
2023-01-06T10:49:45.197+00:00

How do I contact a human at Microsoft for technical support?


I am having severe problems with my Azure AD cloud joined Windows 10 devices not logging in.

I can create accounts in the Azure Admin or M365 Admin Center, and then immediately go to office.com and sign in and change the password, so I know that much of it is working.

I then go to the Azure AD cloud joined Windows 10 laptop and enter the full username with domain and password, and it says Invalid Username and Password.

However, user accounts that I created in the tenant about 6-12 months ago are able to successfully log in to the Windows 10 laptop.


I need a Microsoft engineer to remote into the Windows laptop and examine my tenant configuration, and analyze whatever it is doing.

I am absolutely pulling my hair out and I have managers breathing down my neck: "Why are you not deploying new devices to staff?" I can't deploy devices that people cannot log in to and use at all.


Dell 3520 laptop, purchased in October 2022

  • MDT/WDS wipe and reimage with W10 Edu x64 v21H2 Upd2 2022-07-05
  • By default TPM and Secure Boot are enabled for the Dell 3520
  • No other software installed, just the bare image, Autopilot is not enabled for these devices
  • Using the local administrator account after MDT completion, sysprep back to OOBE
  • Join to Azure AD tenant, applies Microsoft MDM, applies Bitlocker, stores recovery in the join account, and reboots to the login screen


Test sign-in with newly created Azure AD user account that works on office.com

  • Windows 10 login screen: Invalid username or password
  • BUT the account sign-in log in the Azure AD console says the Windows login was successful!
  • Date 1/6/2023, 3:08:05 AM
  • Request ID 51b16bda-d1d4-44a5-954e-308e5db05103
  • Correlation ID e1c5a7ce-abdf-4e0a-950e-d043b3e500d5
  • Authentication requirement Single-factor authentication
  • Status Success
  • Continuous access evaluation No
  • User ID 979ba6d3-07ea-4cde-adb8-a64802840c56
  • Sign-in identifier (blank)
  • User type Member
  • Cross tenant access type None
  • Application Windows Sign In
  • Application ID 38aa3b87-a06d-4817-b275-7a316988d93b
  • Resource Windows Azure Active Directory
  • Resource ID 00000002-0000-0000-c000-000000000000


Test sign-in with 6+ month old Azure AD account

  • Works fine, applies user group policies as expected.


I just upgraded to the $100 support plan, but still I cannot find a way to submit a tech support ticket to speak to a human. What did I just pay for? I have no idea.

I am trapped in the robot self-support system that blithely claims to me "All Azure services are working fine", yet the Windows 10 Azure AD cloud user login fails over and over.


1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2023-01-06T20:52:11.563+00:00

    Hi @Utility: azure,

    Thank you for sharing your detailed issue and I am sorry to hear that you are facing this problem. For your first problem of receiving the invalid username and password error when the cloud password works fine, there are several issues that could cause this:

    1) This can happen if the on-premises UPN does not match the cloud UPN.

    2) If you have not enabled modern authentication, users will log in with basic authentication and will be blocked if you have Conditional Access set up. You need to make sure modern authentication is enabled. https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online

    3) The Azure AD Connect server needs to be properly joined to the domain and if there is an issue affecting the domain join, the "invalid username or password" error will occur.

    4) The Azure AD Authentication Agent needs to be active. (See troubleshooting.)

    5) There is a known issue that can cause this message to get triggered correctly if your domain is using third-party MFA providers. If you are using the ROPC (Username/Password) flow for federated users, this error can occur when users get redirected to the federated identity provider for authentication. In this case, you need to follow the steps here to get around this issue.

    6) If the credentials are correct, there still might be a policy in place that is blocking the agent from verifying some of the users' credentials (for example, something limiting the users from being signed in on those machines). I have seen this error before in those scenarios where it gets triggered even though the username and password are correct, which could explain why you receive the message that the Windows login was successful.

    As you mentioned though, it would be easier to know for certain what is going on by taking a deeper look at your tenant. A tenant that is linked to an active subscription (not in a disabled state) is required in order to open any support case, and the tenant needs to have a credit card on file. The steps to open a support case are covered here, and we also have the global phone support lines listed here. If you are having issues creating a support case, I can attempt to enable one on your behalf, but your tenant does need to meet the prerequisites I mentioned. I'll leave an email in a private comment in case you would like to reach out.

    I've also reached out to some contacts on the authentication team to share your scenario with them, and if the troubleshooting steps I mentioned do not work, they may have additional suggestions.

    -
    If the information helped narrow down your issue, please Accept the answer. This will help us as well as others in the community who might be researching similar information.
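An added diagnostic helper for the situation above (not code from the thread or from Microsoft): the portal sign-in log shows a successful "Windows Sign In" token issuance while the device itself rejects the credentials, so the useful evidence is on the device. This script collects the join state the answer's causes 1 and 3 depend on, the local user's UPN, and the Error/Warning events from the client-side AAD log around the failed attempt. It assumes an elevated session on the affected device using an account that still signs in, that `dsregcmd.exe` exists, and that the `Microsoft-Windows-AAD/Operational` log is present.

```powershell
# Added example, not part of the original thread. Run elevated on the affected
# Azure AD joined device from an account that still works (e.g. the older account).
param(
    # Time window around the failed Windows sign-in to pull AAD client events for
    [datetime]$Since = (Get-Date).AddHours(-2)
)

# 1. Device join state. dsregcmd prints "Key : Value" lines; the device must be
#    AzureAdJoined to the same tenant the new users were created in.
$status = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $status[$Matches[1]] = $Matches[2] }
}
'AzureAdJoined', 'DomainJoined', 'TenantName', 'TenantId', 'DeviceId' | ForEach-Object {
    '{0,-14}: {1}' -f $_, $status[$_]
}
if ($status['AzureAdJoined'] -ne 'YES') {
    Write-Warning 'Device is not Azure AD joined; cloud accounts cannot sign in here.'
}

# 2. UPN of the account that can sign in. Compare its domain suffix with the UPN of
#    the failing user in the portal (cause 1 in the answer: UPN mismatch).
$localUpn = whoami /upn
"Local UPN     : $localUpn"

# 3. Client-side AAD errors at the time of the failed sign-in. These often carry the
#    device-side failure that the portal log (which only saw token issuance) does not.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AAD/Operational'
    Level     = 2, 3           # 2 = Error, 3 = Warning
    StartTime = $Since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Reproduce the failed sign-in first, then run the script so the event window covers it; correlate event timestamps with the Date field of the portal entry quoted in the question.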

