Troubleshoot Azure AD authentication strength (Preview)

This topic covers errors you might see when you use Azure Active Directory (Azure AD) authentication strength and how to resolve them.

A user is asked to sign in with another method, but they don't see a method they expect

Users can sign in only by using authentication methods that they have registered and that are enabled in the Authentication methods policy. For more information, see How Conditional Access Authentication strengths policies are used in combination with Authentication methods policy.

To verify if a method can be used:

  1. Check which authentication strength is required. Click Security > Authentication methods > Authentication strengths.
  2. Check if the user is enabled for a required method:
    1. Check the Authentication methods policy to see if the user is enabled for any method required by the authentication strength. Click Security > Authentication methods > Policies.
    2. As needed, check if the tenant is enabled for any method required for the authentication strength. Click Security > Multifactor Authentication > Additional cloud-based multifactor authentication settings.
  3. Check which authentication methods are registered for the user. Click Users and groups > username > Authentication methods.

If the user is registered for an enabled method that satisfies the authentication strength but still isn't offered it, the method might be one that isn't available as a second step after primary authentication, such as Windows Hello for Business or certificate-based authentication. For more information, see How each authentication method works. The user needs to restart the session, choose Sign-in options, and select a method that the authentication strength requires.
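The three checks above reduce to a set comparison per allowed combination of the strength, which the following added example (not code from the Microsoft docs page) encodes. The method names follow the Microsoft Graph authenticationMethodModes values used in authenticationStrengthPolicy allowedCombinations; the strength, the user's registrations and the policy-enabled set are constructed, and the PRIMARY_ONLY list is an assumption drawn from the two methods the paragraph names.

```python
# Added example, not from the Microsoft docs page: the troubleshooting steps
# above as a check. Method names follow the Microsoft Graph
# authenticationMethodModes values used in authenticationStrengthPolicy
# allowedCombinations; every set below is constructed, not from a real tenant.

# Methods the page says aren't offered as a step-up after password sign-in;
# the user must restart the session and pick them from "Sign-in options".
# Treating these two as the complete list is an assumption of this example.
PRIMARY_ONLY = {"windowsHelloForBusiness", "x509CertificateMultiFactor"}

def usable_combinations(allowed_combinations, registered, enabled):
    """Split a strength's allowed combinations into usable and blocked ones.
    Usable means every method in the combination is registered by the user
    (step 3) and enabled by the Authentication methods policy (step 2)."""
    usable, blocked = [], {}
    for combo in allowed_combinations:
        methods = set(combo.split(","))
        not_registered = sorted(methods - registered)
        not_enabled = sorted(methods - enabled)
        if not_registered or not_enabled:
            blocked[combo] = {"notRegistered": not_registered,
                              "notEnabledByPolicy": not_enabled}
        else:
            usable.append(combo)
    return usable, blocked

def needs_session_restart(usable):
    """Usable combinations that can't be completed from the MFA prompt."""
    return [c for c in usable if set(c.split(",")) & PRIMARY_ONLY]

def triage(allowed_combinations, registered, enabled):
    """One-line verdict matching the three outcomes the page describes."""
    usable, _ = usable_combinations(allowed_combinations, registered, enabled)
    if not usable:
        return "blocked: no allowed combination is both registered and enabled"
    restart = needs_session_restart(usable)
    if len(restart) == len(usable):
        return "restart session, use Sign-in options: " + ", ".join(restart)
    return "can satisfy from the prompt: " + ", ".join(
        c for c in usable if c not in restart)

if __name__ == "__main__":
    # Constructed data: phishing-resistant combinations, a user registered for
    # WHfB but not FIDO2, and a tenant policy that never enabled CBA.
    strength = ["windowsHelloForBusiness", "fido2", "x509CertificateMultiFactor"]
    registered = {"password", "microsoftAuthenticatorPush", "windowsHelloForBusiness"}
    enabled = {"password", "microsoftAuthenticatorPush", "fido2",
               "windowsHelloForBusiness"}
    print(triage(strength, registered, enabled))
    print(usable_combinations(strength, registered, enabled)[1])
```

The blocked dictionary tells you which of the two portal blades (user registration or the Authentication methods policy) to fix for each combination the user can't satisfy.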

Screenshot of how to choose another sign-in method.

A user can't access a resource

If an authentication strength requires a method that a user can't use, the user is blocked from signing in. To check which method the authentication strength requires, and which methods the user is registered and enabled to use, follow the steps in the previous section.

How to check which authentication strength was enforced during sign-in

Use the Sign-ins log to find additional information about the sign-in:

  • Under the Authentication details tab, the Requirement column shows the name of the authentication strengths policy.

    Screenshot showing the authentication strength in the Sign-ins log.

  • Under the Conditional Access tab, you can see which Conditional Access policy was applied. Click the name of the policy, and look for Grant controls to see the authentication strength that was enforced.

    Screenshot showing the authentication strength under Conditional Access Policy details in the Sign-ins log.

My users can't use their FIDO2 security key to sign in

An admin can restrict access to specific security keys. When a user tries to sign in by using a key that isn't allowed, the message You can't get there from here appears. The user has to restart the session and sign in with a different FIDO2 security key.

Screenshot of a sign-in error when using a restricted FIDO2 security key.

A user can't register a new method during sign-in

Some methods can't be registered during sign-in, or they need more setup beyond combined registration. For more information, see Registering authentication methods.

Screenshot of a sign-in error when the user is unable to register the method.

Next steps