
User Diagnostics

Troubleshoot user access issues with comprehensive diagnostic tools. Analyze sign-in failures, Conditional Access policy evaluations, authentication methods, and account status to quickly resolve user problems.

Diagnostic Tools

Sign-In Diagnostics

Analyze recent sign-in attempts and identify why authentication failed or was interrupted.

  • Authentication method used
  • Error codes and descriptions
  • Device and location info
  • Risk detection details

Policy Evaluation

See which Conditional Access policies were applied during a sign-in and their evaluation results.

  • Policies evaluated
  • Grant/Block decisions
  • Session controls applied
  • Policy conflicts

Account Health

Check overall account status including password expiry, MFA registration, and risk state.

  • Account enabled/disabled
  • Password status
  • MFA registration
  • Risk level

App Access

Verify user access to specific applications and diagnose permission issues.

  • App assignments
  • Role assignments
  • Consent status
  • License requirements

Run Diagnostics

To run diagnostics, enter a user email or UPN and select a diagnostic type:

  • Full Diagnostic — Comprehensive check of all areas
  • Sign-In Issues — Focus on authentication problems
  • MFA Problems — Focus on MFA registration and challenges
  • App Access — Focus on application access issues

Diagnostic Results

When diagnostics complete, results are organized into the following sections:

Account Status

Checks whether the account is healthy:

  • Account enabled: Yes/No
  • Password expired: Yes/No
  • Risk level: None/Low/Medium/High
  • Sign-in blocked: Yes/No

Authentication Methods

Shows registered MFA methods and their status:

  • Microsoft Authenticator (default method)
  • Phone number for SMS/voice
  • FIDO2 Security Key
  • Email OTP

Recent Sign-Ins

Displays recent sign-in attempts with status:

  • Application name and timestamp
  • Success or failure with error details
  • Device and location information

Conditional Access

Shows which CA policies were evaluated:

  • Policy name and evaluation result (Satisfied, Not applicable, Failed)
  • Grant controls required
  • Session controls applied

Common Issues

AADSTS50076 - MFA Required

User needs to complete MFA but hasn’t registered authentication methods.

Resolution: Guide user to register MFA at aka.ms/mfasetup

AADSTS50105 - User Not Assigned

User is not assigned to the enterprise application they’re trying to access.

Resolution: Assign the user to the enterprise application, or set “User assignment required” to No on the application

AADSTS53003 - Access Blocked by CA

Conditional Access policy blocked access due to unmet requirements.

Resolution: Check CA policy requirements (device compliance, location, etc.)

AADSTS50053 - Account Locked

Account is locked due to too many failed sign-in attempts.

Resolution: Wait for lockout to expire or reset password to unlock
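The Recent Sign-Ins, Conditional Access and Common Issues sections above describe what the tool reports; the script below is an added example (not code from this page or its product) that performs the same triage over a constructed batch of sign-in records: it maps each AADSTS code to the issue and resolution listed above, translates per-policy CA results into the page's Satisfied / Not applicable / Failed labels, and measures the longest run of consecutive failures as a lockout indicator. The record layout (`createdDateTime`, `appDisplayName`, `status.errorCode`, `appliedConditionalAccessPolicies[]`) is an assumption modelled on the Microsoft Graph sign-in log shape, not on this product's own API response.

```python
"""Triage of recent sign-ins against the page's Common Issues list.

Added example; not code from the User Diagnostics page or its product.
ASSUMPTION: the record layout (createdDateTime, appDisplayName, status.errorCode,
appliedConditionalAccessPolicies[].result / enforcedGrantControls) is modelled on
the Microsoft Graph signIn resource, not on this product's own API response.
"""
from collections import Counter

# AADSTS codes and resolutions taken from the page's Common Issues section.
KNOWN_ERRORS = {
    "50076": ("MFA Required", "Guide user to register MFA at aka.ms/mfasetup"),
    "50105": ("User Not Assigned",
              "Assign the user to the app or set 'User assignment required' to No"),
    "53003": ("Access Blocked by CA",
              "Check CA policy requirements (device compliance, location, etc.)"),
    "50053": ("Account Locked", "Wait for lockout to expire or reset password to unlock"),
}

# Graph-style per-policy result -> the labels the page uses.
RESULT_LABELS = {"success": "Satisfied", "notApplied": "Not applicable", "failure": "Failed"}


def ca_summary(policies):
    """Return [(policy name, page label, grant controls)] for one sign-in."""
    return [(p["displayName"],
             RESULT_LABELS.get(p.get("result", ""), p.get("result", "Unknown")),
             list(p.get("enforcedGrantControls", [])))
            for p in policies]


def classify_sign_in(record):
    """Map one sign-in record to an outcome, a known issue (if any) and its failed CA policies."""
    code = str(record["status"]["errorCode"])
    policies = ca_summary(record.get("appliedConditionalAccessPolicies", []))
    failed = [(name, controls) for name, label, controls in policies if label == "Failed"]
    if code == "0":
        return {"code": code, "success": True, "issue": None, "resolution": None,
                "failed_policies": failed, "app": record["appDisplayName"]}
    # Codes the page does not list are surfaced rather than silently dropped.
    issue, resolution = KNOWN_ERRORS.get(code, ("Unrecognised AADSTS code", None))
    return {"code": code, "success": False, "issue": issue, "resolution": resolution,
            "failed_policies": failed, "app": record["appDisplayName"]}


def triage(records):
    """Order sign-ins by time, count codes, collect failed policies, find the longest failure streak."""
    ordered = sorted(records, key=lambda r: r["createdDateTime"])
    counts, failed_policies, findings = Counter(), Counter(), []
    streak = longest_streak = 0
    for record in ordered:
        finding = classify_sign_in(record)
        findings.append(finding)
        counts[finding["code"]] += 1
        for name, controls in finding["failed_policies"]:
            failed_policies[(name, tuple(controls))] += 1
        # A long run of consecutive failures is the precursor to AADSTS50053 (lockout).
        streak = 0 if finding["success"] else streak + 1
        longest_streak = max(longest_streak, streak)
    return {"counts": dict(counts), "failed_policies": dict(failed_policies),
            "longest_failure_streak": longest_streak, "findings": findings}


def _rec(ts, app, code, policies=()):
    """Build one constructed record in the assumed layout."""
    return {"createdDateTime": ts, "appDisplayName": app, "status": {"errorCode": code},
            "appliedConditionalAccessPolicies": [
                {"displayName": n, "result": r, "enforcedGrantControls": g} for n, r, g in policies]}


MFA_OK = ("Require MFA for all users", "success", ["Mfa"])
# Constructed sample, not real telemetry. 50126 (invalid credentials) is a real code that
# is not on the page's list, so it exercises the "unrecognised" branch.
SAMPLE_SIGN_INS = [
    _rec("2024-05-01T08:00:12Z", "Microsoft Teams", 0, [MFA_OK]),
    _rec("2024-05-01T08:05:40Z", "Outlook", 50076, [("Require MFA for all users", "failure", ["Mfa"])]),
    _rec("2024-05-01T08:10:03Z", "SharePoint Online", 53003,
         [MFA_OK, ("Require compliant device", "failure", ["CompliantDevice"]),
          ("Block legacy authentication", "notApplied", ["Block"])]),
    _rec("2024-05-01T08:12:55Z", "HR Portal", 50105),
    _rec("2024-05-01T08:15:30Z", "Microsoft Teams", 0, [MFA_OK]),
    _rec("2024-05-01T08:20:01Z", "Outlook", 50126),
    _rec("2024-05-01T08:20:44Z", "Outlook", 50126),
    _rec("2024-05-01T08:21:19Z", "Outlook", 50126),
    _rec("2024-05-01T08:22:02Z", "Outlook", 50053),
]

if __name__ == "__main__":
    report = triage(SAMPLE_SIGN_INS)
    for f in report["findings"]:
        print(f["app"], f["code"], f["issue"] or "OK", "->", f["resolution"] or "")
    print("counts:", report["counts"])
    print("failed CA policies:", report["failed_policies"])
    print("longest failure streak:", report["longest_failure_streak"])
```

Reading the output the way the page's Diagnostic Results section is organised: the counts and streak belong under Account Status (a streak of four failures ending in 50053 is the lockout the page describes), the failed-policy table belongs under Conditional Access, and the per-record findings are the Recent Sign-Ins list with the matching Common Issues resolution attached.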

API Reference

  • POST /api/identity/diagnostics/run — Run user diagnostics
  • GET /api/identity/users/:id/sign-ins — Get user sign-in history
  • GET /api/identity/users/:id/auth-methods — Get registered authentication methods
  • GET /api/identity/users/:id/ca-evaluation — Get CA policy evaluation results
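The four endpoints above are listed without request or response details, so the client below is an added example (not the product's own SDK) that composes them into one "full diagnostic" call. Only the methods and paths come from the page; the base URL, the bearer-token header, the JSON body of the `run` call (`{"user": ..., "type": ...}`), the diagnostic-type slugs and the response shapes are assumptions. The transport is injectable so the client can be exercised offline, and the user id is percent-encoded with `safe=""` before it is placed in the `:id` segment so that an id containing `/`, `?` or `#` cannot alter the request path.

```python
"""Minimal client for the User Diagnostics endpoints listed on the page.

Added example; not the product's own SDK. ASSUMPTIONS: base URL, bearer-token
header, the POST body {"user": ..., "type": ...}, the diagnostic-type slugs and
every response shape are guesses; only the HTTP methods and paths are from the page.
"""
import json
import urllib.parse
import urllib.request

# Assumed slugs for the four diagnostic types named on the page.
DIAGNOSTIC_TYPES = ("full", "sign-in", "mfa", "app-access")


class DiagnosticsClient:
    def __init__(self, base_url, token, transport=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        # transport(method, url, headers, body) -> (status, body_bytes); injectable for tests.
        self.transport = transport or self._http

    @staticmethod
    def _http(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()

    def _call(self, method, path, body=None):
        headers = {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}
        data = None
        if body is not None:
            data = json.dumps(body).encode()
            headers["Content-Type"] = "application/json"
        status, raw = self.transport(method, self.base_url + path, headers, data)
        if status != 200:
            raise RuntimeError(f"{method} {path} returned HTTP {status}")
        return json.loads(raw)

    @staticmethod
    def user_path(user_id, suffix):
        """Fill the :id segment; safe='' also encodes '/', '?' and '#' so the id stays one segment."""
        return f"/api/identity/users/{urllib.parse.quote(user_id, safe='')}/{suffix}"

    def run_diagnostics(self, user, diagnostic_type="full"):
        if diagnostic_type not in DIAGNOSTIC_TYPES:
            raise ValueError(f"unknown diagnostic type {diagnostic_type!r}")
        return self._call("POST", "/api/identity/diagnostics/run",
                          {"user": user, "type": diagnostic_type})

    def sign_ins(self, user_id):
        return self._call("GET", self.user_path(user_id, "sign-ins"))

    def auth_methods(self, user_id):
        return self._call("GET", self.user_path(user_id, "auth-methods"))

    def ca_evaluation(self, user_id):
        return self._call("GET", self.user_path(user_id, "ca-evaluation"))

    def full_report(self, user_id):
        """Gather all four endpoints into the sections the page's Diagnostic Results describe."""
        return {"diagnostics": self.run_diagnostics(user_id, "full"),
                "recent_sign_ins": self.sign_ins(user_id),
                "authentication_methods": self.auth_methods(user_id),
                "conditional_access": self.ca_evaluation(user_id)}


class RecordingTransport:
    """Offline stand-in for HTTP: records each request and answers with a canned JSON body."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        return 200, json.dumps({"ok": True, "path": urllib.parse.urlsplit(url).path}).encode()


if __name__ == "__main__":
    transport = RecordingTransport()
    client = DiagnosticsClient("https://diagnostics.example.invalid", "PLACEHOLDER_TOKEN", transport)
    report = client.full_report("user@example.com")
    for method, url, _, body in transport.calls:
        print(method, url, body or b"")
```

`RecordingTransport` is only a test double; replacing it with the default `_http` transport sends the same requests over HTTPS with the bearer token the real service would require.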