Thousands of sign-in errors in Entra ID

adv_kd 135

Hello,

I have problem with sign ins into Windows Sign In. Infra:

local AD synced into Entra ID
Windows 10/11 hybrid joined devices
only GPO managed, we don't have Intune yet

Problem is that I see THOUSANDS of failed sign ins into Windows.

Almost 50% of all sign ins into Windows are failures... OnlyWindowsSignins

Basically 90% of all my failures are about of those errors "Device auth failed for this user":

Failed_signins

Deep dive into one of affected user's sign ins:

User_signin

User_signin_failed

And successful sign in for the same user: User_signin_success

Funfact is that I'm not hearing of anyone having any issues related to this though. Any ideas why it is going like that?

1 answer

Domooney-MSFT 2,606 Reputation points Microsoft Employee Moderator

2024-04-16T08:22:24.4366667+00:00

Hi adv_kd,

Thank you for posting your query on Microsoft Q&A!

The most likely cause of these errors is a problem with your hybrid join config.

If you can get onto one of the devices throwing the error, run this command in cmd "dsregcmd /status"

We have a guide here on using this to diagnose these issues - https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-hybrid-join-windows-current#troubleshoot-join-failures

It can also happen if the hybrid join failed, or if the domain is federated and the federation is not configured for Windows login.

Do let me know what the command shows up and if you have any further queries.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Kind Regards,

Donal
Please sign in to rate this answer.
adv_kd 135 Reputation points

2024-04-19T05:22:35+00:00

Hello @Domooney-MSFT ,
Do you have any hints where to search for problems with hybrid join config?

I know about "dsregcmd", but this problem is really hard to "track". Those failed sign ins occurs "in the background" so I can't event get information from users that something is not working.

And also they do not appear on every device, only on some of them...

Entra ID Connect was set by another person and I am wondering should I deep dive into it to search for any solution.

Domooney-MSFT 2,606 Reputation points Microsoft Employee Moderator

2024-04-19T09:19:54.2133333+00:00

Hi adv_kd,

The troubleshooting would start with connecting to one of the impacted devices and running "dsregcmd /status" it could be the device was deleted from Entra ID accidently, in that case you might need to leave and re-join the Entra ID domain.

It could be the device is not properly joined to Entra, perhaps there is no line of sight to a domain controller from the device to complete the join.

Hope this helps, if you share the error from dsregcmd I can take a look and suggest further.

Cheers,

Donal

adv_kd 135 Reputation points

2024-05-22T08:34:06.5566667+00:00

Hello,
Sorry for lack of answer. Basically this problem was because many of our devices were in "Pending" state. I was able to fix it for mostly all devices using Powershell.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Your answer