You might wonder why anyone would have trouble accessing Microsoft 365 applications. Opening a browser, entering the Microsoft 365 URL and your credentials couldn’t be simpler, right? Despite the simplicity, things can and do go wrong during the login process. The causes range from users muddling up their accounts to backend licensing issues. These problems can have a massive impact on a business, with an average helpdesk ticket costing around $70 per issue. They can also occur during critical activities and disrupt a business’s workflow.
In this article, I want to show you several things that you can check when you have trouble with Microsoft 365 application login.
Let’s start with checking the basics first.
Check the Basics First
If you or any user have trouble with Microsoft 365 application login, then you should have a plan.
Your first action is to make sure the user’s account doesn’t have any problems. That means verifying the account isn’t locked out and the user is using the correct account for the login process.
Here you should never assume the user is competent or isn’t having a funny five minutes. That said, you need to approach the user with respect when broaching this. Failure to do so may tarnish your reputation as word spreads you’re condescending or elitist.
Is the User’s Account Valid?
In most cases, an account lockout probably isn’t going to cause user access issues with Microsoft 365 applications. After all, the user will normally receive a message telling them their password is incorrect rather than an unexplained access denial.
That said, this could theoretically happen if the user is trying to access an application through a URL rather than logging into Microsoft 365 and picking an application from the menus. Whether the user sees a lockout prompt also depends on the device they’re using and the individual circumstances.
To check the status of a user’s account, follow these steps:
- Use your administrator credentials for login and open the Azure Active Directory Admin Center.
- Click on the Users tab.
- Click on the user’s account.
- Verify that Block Sign In says No. If it doesn’t, you’ll need to reset the password and unlock the account.
If the resolution isn’t clear, then it’s time to check whether the user is logging in with the right account!
Is the User Signed in with the Correct Account?
If the user’s account isn’t locked out, then the next thing you should check for an unsuccessful login is if the user is signed in using the correct account. It’s becoming increasingly common for users to have multiple accounts and they can accidentally sign in with the wrong one.
Let’s assume a partner organization has given a user a set of credentials they can use for their SharePoint site login. If the user uses these credentials often then the browser may automatically attempt to use these. The browser won’t know the credentials are for the wrong organization.
The easiest way to fix this problem is to tell the user to log out of Microsoft 365 and log back in. Be sure to tell the user to enter both their username and password rather than using the cached username.
If this doesn’t solve the login issues, move on to more advanced testing procedures in the next section.
By far the most common cause of Microsoft 365 application login issues is that the user’s Microsoft 365 license has been accidentally removed. When this happens, the user will have a successful login, but won’t have access to any Microsoft 365 apps, as shown below.
It’s worth noting, in some cases, an unlicensed user may gain partial access to a Microsoft 365 application using a direct URL. In the below figure, for example, an unlicensed user managed to access Microsoft Planner through a direct URL.
To check a user’s licensing, follow these steps:
- Log in as an administrator and open the Azure Active Directory Admin Center.
- Click on the Users tab, followed by the user’s account.
- Click on the Licenses tab.
If you find no licenses, you’ve pinpointed your issue and can solve it. Simply assign the license and the user will be able to sign in again.
The vast majority of the login issues I have seen in the real world stem from licensing problems. This is particularly true when you assign licenses to groups rather than users. If you remove a user from a licensed group, then the user’s license will be revoked.
That said, licensing might not be the problem. If that’s the case, continue to check other causes.
In other cases, security policies can prevent users from being able to access Microsoft 365 applications. A conditional access policy, for example, may block users based on their geographic location or based on the device they’re using.
One more potential cause may be an Azure AD Connect synchronization issue. The user may be logging in using an Active Directory domain account and still be denied access to Microsoft 365 resources. In this case, the account synchronization process is failing.
You may need to troubleshoot problems with users not being able to access Microsoft 365 applications. You want to first make sure the user’s account is functioning properly. Assuming that the account is good, then the next logical step is to make sure the account isn’t missing any licenses. If everything checks out, then the problem is most likely tied to a security policy.
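The checks above (account status, licensing including group-based assignment, directory sync, then policy) can be scripted. This added example, which is not from the original article, applies them in order to user records shaped like the Microsoft Graph user resource; the sample records, SKU and group ids, and the three-hour staleness threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumption: a sync older than this counts as stale (not a Microsoft default).
STALE_SYNC = timedelta(hours=3)

def triage(user, now):
    """Walk the article's checks in order and return a list of findings."""
    findings = []
    # 1. Account status: the portal's "Block sign in" = Yes is accountEnabled == False.
    if user.get("accountEnabled") is False:
        findings.append("blocked: sign-in is blocked on the account")
    # 2. Licensing: with no licenses, login succeeds but no apps are available.
    if not user.get("assignedLicenses"):
        note = "unlicensed: no licenses assigned"
        if user.get("userType") == "Guest":
            note += " (guest; shared apps such as Planner may still open)"
        findings.append(note)
    # 2b. Group-based licensing: report assignments that are not healthy.
    for state in user.get("licenseAssignmentStates", []):
        if state.get("state") != "Active":
            source = state.get("assignedByGroup") or "direct"
            findings.append(f"license-error: sku {state['skuId']} via {source}: "
                            f"{state.get('error', 'None')}")
    # 3. Directory sync: only relevant for accounts synced from on-premises AD.
    if user.get("onPremisesSyncEnabled"):
        last = user.get("onPremisesLastSyncDateTime")
        synced = datetime.fromisoformat(last.replace("Z", "+00:00")) if last else None
        if synced is None or now - synced > STALE_SYNC:
            findings.append("sync-stale: last directory sync is missing or old")
    # 4. Account, licenses and sync look fine: security policies are next.
    return findings or ["policy: account and licenses look fine; review conditional access"]

# Constructed sample records (not real tenant data).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
USERS = {
    "blocked": {"accountEnabled": False, "assignedLicenses": [{"skuId": "sku-1"}]},
    "unlicensed": {"accountEnabled": True, "assignedLicenses": []},
    "group-error": {"accountEnabled": True, "assignedLicenses": [{"skuId": "sku-1"}],
                    "licenseAssignmentStates": [{"skuId": "sku-2", "state": "Error",
                        "assignedByGroup": "group-42", "error": "CountViolation"}]},
    "stale-sync": {"accountEnabled": True, "assignedLicenses": [{"skuId": "sku-1"}],
                   "onPremisesSyncEnabled": True,
                   "onPremisesLastSyncDateTime": "2024-01-08T09:00:00Z"},
    "healthy": {"accountEnabled": True, "assignedLicenses": [{"skuId": "sku-1"}]},
}

if __name__ == "__main__":
    for name, record in USERS.items():
        print(name, "->", triage(record, NOW))
```
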
How many bad logins will trigger an account lockout?
By default, a user’s account will be locked out if they enter their password incorrectly 5 times within 2 minutes. When that happens, the user won’t be able to log back in until 30 minutes have passed. That’s why I recommend you stop trying to log in after a couple of attempts, so you still get to try the basic fixes. Otherwise, you’d lose 30 minutes waiting to try again.
Is the Microsoft 365 account lockout period customizable?
You can configure account lockouts through Azure AD’s password policies. This includes access to applications like Microsoft 365. That said, you need to ensure that the setting still provides real security. Could a credible threat take advantage of a shorter lockout period? This is the key question you should ask yourself when configuring this setting.
Why was the unlicensed user able to access Microsoft 365 Planner?
Some Microsoft 365 applications allow guest access. An unlicensed user can access the Planner application as well as any plans that you might’ve shared with them. Guest accounts and sharing are great for productivity but can create a security risk. That’s why you may need to change guest accounts to permanent accounts you can remove later. This can be safer but requires more work on your end. You’ll also need to consider the business’s security policy.
Can multi-factor authentication cause problems with Microsoft 365 application access?
It can happen, but that’s relatively uncommon. Multi-factor authentication primarily becomes an issue if a user is trying to access a Microsoft 365 application programmatically. In that case, the automation may not give the user a chance to provide the required multi-factor authentication. That’s why access may be denied.
Some users don’t use any Microsoft 365 accounts. Why can they still log in?
If the user is working from a personal Windows device, then the user likely configured the device to use a Microsoft account. That’s different from a Microsoft 365 account. It’s possible that Windows is trying to access Microsoft 365 applications using the user’s Microsoft account. The solution is to have the user sign out and then log in with the correct account.
Official Microsoft 365 Documentation
Get the official Microsoft 365 documentation here.
Problem Solving the Microsoft 365 Login to My Apps
Find reasons why users might not be able to access apps from the My Apps portal here.
Creating and Assigning Users
Get more insight into how to create and assign a user account here.
Microsoft 365 Security
Learn more about Microsoft 365 security here.
Adding Email Alias
Discover how to add an email address alias to Microsoft 365 accounts here.
Using Google with Microsoft
Take action and learn how to use Google as an identity provider for Microsoft 365 here.