User Diagnostics

Troubleshoot user access issues with comprehensive diagnostic tools. Analyze sign-in failures, Conditional Access policy evaluations, authentication methods, and account status to quickly resolve user problems.

Diagnostic Tools

Sign-In Diagnostics

Analyze recent sign-in attempts and identify why authentication failed or was interrupted.

  • Authentication method used
  • Error codes and descriptions
  • Device and location info
  • Risk detection details

Policy Evaluation

See which Conditional Access policies were applied during a sign-in and their evaluation results.

  • Policies evaluated
  • Grant/Block decisions
  • Session controls applied
  • Policy conflicts

Account Health

Check overall account status including password expiry, MFA registration, and risk state.

  • Account enabled/disabled
  • Password status
  • MFA registration
  • Risk level

App Access

Verify user access to specific applications and diagnose permission issues.

  • App assignments
  • Role assignments
  • Consent status
  • License requirements

Diagnostic Results

john.doe@company.com

Last sign-in: 2 hours ago

Account Status

Healthy
Account enabled: Yes
Password expired: No
Risk level: None
Sign-in blocked: No

Authentication Methods

MFA Registered
Microsoft Authenticator (default)
Phone: +1 ***-***-4567
FIDO2 Security Key

Recent Sign-Ins

Last 7 days
Outlook Web, 2 hours ago: Success
Microsoft Teams, yesterday: Success
SharePoint, 3 days ago: Failed - Wrong password

Conditional Access

3 policies applied
Require MFA for all users: Satisfied
Block legacy authentication: Not applicable
Require compliant device: Satisfied

Common Issues

AADSTS50076 - MFA Required

User needs to complete MFA but hasn't registered authentication methods.

Resolution: Guide user to register MFA at aka.ms/mfasetup

AADSTS50105 - User Not Assigned

User is not assigned to the enterprise application they're trying to access.

Resolution: Add the user to the app assignment, or set "User assignment required" to No

AADSTS53003 - Access Blocked by CA

Conditional Access policy blocked access due to unmet requirements.

Resolution: Check CA policy requirements (device compliance, location, etc.)

AADSTS50053 - Account Locked

Account is locked due to too many failed sign-in attempts.

Resolution: Wait for the lockout to expire, or reset the password to unlock the account
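The following is an added example, not the product's own code: it triages a user's recent sign-in records against the Common Issues table above and pairs each failure code with the listed resolution. The record fields (app, when, status, error_code) and the method list are constructed for this example, since the page does not document the response shape of the sign-ins or auth-methods endpoints.

```python
# Added example (not the product's own code): triage recent sign-ins against the
# "Common Issues" table. Assumption: the record fields below are constructed; the
# page does not document the response shape of GET /api/identity/users/:id/sign-ins
# or GET /api/identity/users/:id/auth-methods.

# Error codes and resolutions exactly as listed under "Common Issues".
KNOWN_ISSUES = {
    "AADSTS50076": ("MFA Required", "Guide user to register MFA at aka.ms/mfasetup"),
    "AADSTS50105": ("User Not Assigned",
                    "Add the user to the app assignment, or set 'User assignment required' to No"),
    "AADSTS53003": ("Access Blocked by CA",
                    "Check CA policy requirements (device compliance, location, etc.)"),
    "AADSTS50053": ("Account Locked", "Wait for the lockout to expire, or reset the password"),
}

def triage(sign_ins, auth_methods):
    """Map each distinct failure code to its title, resolution and a supporting note.

    sign_ins: list of dicts ordered newest first; failed entries carry error_code.
    auth_methods: list of registered MFA method names (may be empty).
    Returns a list of (error_code, title, resolution, note) tuples.
    """
    findings = []
    failed = [r for r in sign_ins if r.get("status") == "Failed"]
    for rec in failed:
        code = rec.get("error_code", "")
        if any(f[0] == code for f in findings):
            continue  # report each code once
        title, resolution = KNOWN_ISSUES.get(
            code, ("Unlisted error", "Review the error description in Sign-In Diagnostics"))
        note = f"{len(failed)} failed sign-in(s) in the last 7 days"
        if code == "AADSTS50076":
            # The listed cause is missing MFA registration; surface what Account Health shows.
            note = ("no MFA methods registered" if not auth_methods
                    else f"{len(auth_methods)} MFA method(s) registered")
        findings.append((code, title, resolution, note))
    return findings

# Constructed sample mirroring the Diagnostic Results panel above, plus one MFA failure.
# AADSTS50126 (invalid username or password) is not in the table, so it exercises the fallback.
SAMPLE_SIGN_INS = [
    {"app": "Outlook Web", "when": "2 hours ago", "status": "Success"},
    {"app": "Microsoft Teams", "when": "Yesterday", "status": "Success"},
    {"app": "SharePoint", "when": "3 days ago", "status": "Failed", "error_code": "AADSTS50126"},
    {"app": "SharePoint", "when": "3 days ago", "status": "Failed", "error_code": "AADSTS50076"},
]
SAMPLE_METHODS = ["Microsoft Authenticator", "Phone", "FIDO2 Security Key"]

if __name__ == "__main__":
    for code, title, resolution, note in triage(SAMPLE_SIGN_INS, SAMPLE_METHODS):
        print(f"{code} {title}: {resolution} [{note}]")
```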

API Reference

POST /api/identity/diagnostics/run

Run user diagnostics

GET /api/identity/users/:id/sign-ins

Get user sign-in history

GET /api/identity/users/:id/auth-methods

Get registered authentication methods

GET /api/identity/users/:id/ca-evaluation

Get CA policy evaluation results