Under some conditions Microsoft login might not work as expected. Issues fall into one of the following three types:
- The Nepton app installed on a device through Microsoft Endpoint Manager can cause confusion if the person uses a non-default browser.
- There is a configuration mistake in personnel or organization information.
- The organization-wide security rules in Azure AD might be misconfigured.
The guidance below allows an administrator to investigate and solve issues with Microsoft login. Perform the troubleshooting actions in the following order.
Review Microsoft Endpoint Manager settings
This only applies to organizations using Microsoft Endpoint Manager.
If your organization has made an app-style installation of Nepton on the device and the person uses a non-default browser, certain devices and operating systems can lead to a situation in which the person must log in to the Nepton service twice. This is not a feature of or an issue with the Nepton service, but a property of the device operating system. The solution is to instruct the person to use the Nepton service through the app link installed on the device instead of through the browser.
Review Nepton Service log
The service log shows failed Microsoft login attempts, and the reason for a failed login can often be seen there. The reason can be, for example, a missing email address in the person's information or multiple persons sharing one email address. Fixing the indicated issue can solve the login problem.
The service log can be viewed in Nepton as follows.
Navigate to Employees, Administration, Service Log and review the notes in the SSO area of the service log.
Review Azure AD Log
Azure AD collects a log of failed login attempts. Review the Azure AD log to see if it explains the reason for the problem. The login problem can be solved by fixing the problem indicated in this log.
The Azure AD log can be viewed by performing the following actions:
- Log in as administrator to the Azure service
- Navigate to Azure AD, Monitoring, Sign-ins section
- Add Status = Failure filter
- Add Application = SSO for Nepton v2 filter
- Review the contents of failure messages
Review Azure AD Conditional Access configuration
Azure AD can be configured with conditional access, for example regarding the devices that can be used to log in. Take the following actions if the issue occurs only for some persons or on some devices. These actions let you check whether conditional access is configured in Azure AD.
We recommend not using Device State (beta). Disabling it can solve the failed login. Similar protection can often be implemented by combining certain Assignments, Conditions, Client Apps and Access Controls, Grants configurations.
Azure AD Device State settings can be viewed by performing the following actions:
- Log in as administrator to the Azure service
- Navigate to Azure AD, Manage, Enterprise Applications, SSO for Nepton v2, Security, Conditional Access section
- Review the conditional access configuration
- If Device State (beta) is enabled, try disabling it and implementing the protection in some other way. Similar protection can often be implemented by combining certain Assignments, Conditions, Client Apps and Access Controls, Grants configurations.
Replace client secret created with PowerShell
This only applies to organizations which created the client secret with PowerShell.
A long-term client secret created with PowerShell might not work properly. The reason for this is currently under investigation. This issue does not affect all customer environments.
You can create a new short-term client secret in the Azure Portal. Please see Setup Nepton in Azure AD, steps 12B - 14.
Enforce Microsoft Logout for selected person
If a person has multiple Microsoft login credentials, the browser or device might get "stuck" with the wrong credentials. The person can log out from the wrong credentials with the following actions:
- Open the (correct) web browser on your computer or phone
- Go to address https://mysignins.microsoft.com
- On top right, select My Account -> Sign Out
Detailed troubleshooting
If the failed login is not solved by performing the actions above, or your organization uses Intune, please contact your solution provider to initiate technical troubleshooting.