Sign-in & Authentication Errors — Troubleshoot Login, MFA, SSO, Token & Cookie Issues

Fixing Sign-in & Authentication Errors: Practical steps for login, MFA, SSO, token & cookie problems

A hands-on guide for IT pros and SREs: fix “We couldn’t sign you in” errors, MFA loops, SSO token failures and stale cookie/session issues with logs, PowerShell, and Microsoft Graph examples.

Keywords linked to cloudknowledge.in for deeper reading and resources.

Why sign-in errors happen (short primer)

Authentication is often the first visible surface for many systems — and that makes sign-in problems both highly visible and disruptive. Common root causes include:

Session expiry or misaligned session lifetimes between app and identity provider.
Invalid or stale browser tokens and cookies (old refresh tokens, blocked or cleared cookies).
MFA issues — not registered methods, expired authenticator, or repeated prompts due to missing claims.
SSO configuration problems: incorrect SAML assertion audience, broken RelayState, or clock skew.
Conditional Access or security policy preventing login (location, device compliance, risk policies).
Backend errors: throttling, expired certificates, or misconfigured token validation.

Pro-tip: Many “generic” errors like “We couldn’t sign you in. Please try again.” are deliberately generic — the real clue lies in diagnostic logs (identity provider sign-in logs, application logs, browser console, and network traces).

Common user-facing symptoms and what they typically mean

1. Generic "We couldn't sign you in. Please try again."

Likely causes: token rejection, expired refresh token, cookie domain mismatch, or CORS/proxy interference on web apps.

2. Browser loop: MFA keeps prompting repeatedly

Likely causes: missing or invalid session cookie, app not persisting refresh token, conditional access policy forcing new prompts, or the client rejecting returned cookies.

3. MFA not triggering

Likely causes: user not registered for MFA, authentication method policy blocking, Conditional Access excluding MFA prompt due to trusted IPs, or misconfigured authentication methods in the directory.

4. SSO failing with a SAML error

Likely causes: clock skew between IdP and SP, wrong certificate, incorrect Audience or Issuer, missing attributes or NameID mismatch.

First-response checklist for any sign-in complaint

Whenever a user reports a sign-in problem run a short, repeatable checklist — this quickly separates local/user issues from server-side problems.

Confirm the exact error text & screenshots. Ask for a screenshot, timestamp, and affected app or device.
Attempt to reproduce. Use an admin test account and the same app/browser to reproduce the issue.
Browser basics. Clear cookies for the domain, try private/incognito mode, test another browser or device.
Check service status. Confirm there are no active identity platform outages (vendor status pages).
Collect logs: sign-in logs (IdP), application logs, browser network trace (F12 → Network), and short HAR if needed.
Check policies: Conditional Access, authentication strength, token lifetime policies and federations (AD FS / SAML settings).

This checklist eliminates a large fraction of false alarms before deeper analysis.

How to read identity provider & sign-in logs

Identity provider logs contain the most actionable data. For Microsoft Entra (Azure AD) or similar IdPs, the key fields to examine are:

Timestamp — use absolute UTC timestamps to align signals across systems.
Correlation ID / Request ID — important to correlate logs across services and app backends.
IP/Location — can reveal conditional access triggers or blocked regions.
Failure reason / status code — e.g., invalid_grant, 401, 501, or SAML-specific failure codes.
Conditional Access evaluation — indicate whether CA blocked the request and which control failed.
Token details — token type (access/refresh/ID), expiry, and scopes requested.

Always capture the correlation ID from a failure — support with identity providers often requires that value to find the request in their internal logs.

Browser-token & cookie problems — common fixes

Many sign-in headaches are caused by browser state. These are quick checks.

Clear domain cookies & try private mode

Cookies from older sessions can be incompatible after configuration changes (new SSO certs, changed token lifetimes). Ask the user to try:

1. Open new private/incognito window
2. Attempt sign-in
3. If works, clear cookies for the application domain and retry in normal browser

Check cookie attributes and SameSite

If your application is embedded in an iframe or served across subdomains, SameSite and cookie domain/scoping must be correct. Examples:

Set-Cookie: id_token=...; Path=/; Domain=example.com; Secure; HttpOnly; SameSite=None
If SameSite defaults to Lax or Strict, cross-site SSO flows may be blocked by modern browsers.

Check client clock & TLS interception

Clock skew on the client can cause tokens to appear expired. Corporate TLS proxies can also rewrite headers or interrupt secure cookies — temporarily test on an unproxied network or mobile tether.

MFA loops & repeated prompts — diagnostic steps

MFA loops are frequently caused by session persistence failures or conditional access policies requiring fresh authentication. Use this flow:

Confirm the user’s authentication methods are registered (Authenticator app, phone number, FIDO, etc.).
Check whether the application is requesting only openid or also offline_access. If offline tokens are blocked, the session may be forced to re-authenticate frequently.
Check Conditional Access: a policy that requires MFA on every request will create repeated prompts unless the app sets persistent cookies or uses refresh tokens correctly.
Inspect the browser network trace: is the IdP returning a 302 with Set-Cookie but the browser refusing it? Or is the application immediately redirecting to the IdP again?

If an authenticator app or phone number is not present in the user's authentication methods, prompt user to register. Provide registration links and guidance in the message to the user to reduce back-and-forth.

SSO & SAML failures — targeted checks

SAML errors are often deterministic — they point to a misalignment between the Service Provider (SP) and Identity Provider (IdP):

Check certs: were the signing certificate or token encryption certificates rotated recently?
Audience & EntityID: the Audience (or Recipient) URI in the assertion must match the SP configuration exactly (including trailing slashes).
Time skew: SAML assertions are time-limited — ensure server clocks are within a few minutes.
NameID & attributes: ensure the expected NameID format and required attributes (email, UPN) are present.

Use SAML tracer browser plugins or capture the SAML response to inspect the raw assertion.

Conditional Access & policy review

Conditional Access (CA) rules (for example in Microsoft Entra / Azure AD) can block access for reasons that look like generic sign-in failures.

When debugging CA:

Check the CA evaluation in the sign-in log — it usually shows which policy applied and which control failed.
Confirm the user's device compliance status (MDM/Microsoft Intune or other management), and MFA status.
Temporarily simulate the sign-in with a policy exclusion or test user to confirm whether CA is the root cause.

Never permanently disable policy for the sake of convenience — instead use targeted exclusions or break/fix windows for troubleshooting.

Using PowerShell for troubleshooting

Below are practical PowerShell snippets that help surface sign-in issues for Microsoft Entra / Azure AD environments. These use the modern Microsoft Graph PowerShell module and the AzureAD/AzureADPreview modules where appropriate.

Install & sign in with Microsoft Graph PowerShell

Install-Module Microsoft.Graph -Scope CurrentUser -Force
Import-Module Microsoft.Graph
# Sign in with an account that has AuditLog.Read.All or Directory.Read.All
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

Get recent sign-in failures (last 24 hours)

# Get sign-in logs in the last 24 hours (Graph)
$since = (Get-Date).ToUniversalTime().AddDays(-1).ToString("o")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and status/errorCode ne 0" -All |
  Select-Object userDisplayName,userPrincipalName,createdDateTime,ipAddress,appDisplayName,status | 
  Format-Table -AutoSize

Note: If Get-MgAuditLogSignIn is missing in your module set, you may need to update Microsoft.Graph.Authentication or use the relevant preview cmdlets. Always ensure you have the required delegated or application permissions.

Find sign-ins blocked by Conditional Access

Get-MgAuditLogSignIn -Filter "conditionalAccessStatus eq 'failure' and createdDateTime ge $since" -All |
  Select userDisplayName,userPrincipalName,createdDateTime,conditionalAccessStatus,correlationId,deviceDetail |
  Format-Table -AutoSize

Get user's registered authentication methods (MFA methods)

# For a given user principal name (UPN)
$upn = "alice@contoso.com"
Get-MgUserAuthenticationMethod -UserId $upn | Format-List

Invalidate refresh tokens for a user (force re-authentication)

# Revoke refresh tokens (user will be forced to sign in again)
$upn = "alice@contoso.com"
Revoke-MgUserRefreshToken -UserId $upn
# Also optionally reset MFA registration (be careful)
Remove-MgUserAuthenticationMethod -UserId $upn -AuthenticationMethodId ""

Use token revocation carefully — inform the user before invalidating tokens because it will sign them out of active sessions.

Microsoft Graph REST examples (useful in scripts or curl)

If you prefer REST calls or need to embed checks into automation, here are examples.

Get sign-in logs — Graph v1.0

GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=createdDateTime ge 2025-10-22T00:00:00Z&$orderby=createdDateTime desc
Authorization: Bearer <token>

Typical useful fields: userDisplayName, userPrincipalName, status, conditionalAccessStatus, correlationId, clientAppUsed, ipAddress.

Get a user's authentication methods

GET https://graph.microsoft.com/v1.0/users/alice@contoso.com/authentication/methods
Authorization: Bearer <token>

Revoke a user's refresh tokens via Graph

POST https://graph.microsoft.com/v1.0/users/alice@contoso.com/revokeSignInSessions
Authorization: Bearer <token>

Be sure your app or service principal has the correct application permissions (AuditLog.Read.All, User.Read.All, etc.).

Debugging SAML & OAuth flows — sample steps

When SAML or OAuth flows fail, gather these artifacts in parallel to troubleshoot efficiently:

SAML: raw SAMLResponse, decoded assertion, timestamps, audience, issuer, signature validation result.
OAuth: full redirect URIs, query parameters, token endpoint responses, and response codes (400/401/403).
Network traces: HAR files capture redirects and cookie headers; they reveal whether Set-Cookie was issued and accepted.

If signature verification fails, verify that the SP trusts the current IdP certificate (and that the certificate hasn't expired or been replaced).

Troubleshooting scenarios with step-by-step examples

Scenario A — User gets "We couldn't sign you in" after password change

Confirm password change timestamp — sometimes the user changed password on another device and a refresh token is invalidated.
Ask user to sign out completely from all devices and sign in again (or run a token revocation via PowerShell as admin):

Revoke-MgUserRefreshToken -UserId "alice@contoso.com"

Check sign-in logs for invalid_grant or interaction_required errors and use correlation ID to inspect the sequence.

Scenario B — MFA loop on web app after SSO config change

Reproduce in incognito to remove stale cookies.
Capture network trace; look for repeated 302s between app and IdP.
Check if app is requesting prompt=login repeatedly or if session cookie is not being set due to SameSite.
Fix by ensuring SameSite=None; Secure on cookies and that the app persists refresh tokens (if appropriate).

Scenario C — SSO SAML error after cert rollover

Fetch the SAML response and validation error (browser plugin or network capture).
Check IdP metadata vs SP metadata for current certificate thumbprints / expiry.
Confirm the new cert is uploaded to the SP configuration and that the SP trusts the new signing cert.

Automated runbook: quick sign-in diagnostics (PowerShell)

Drop-in script that runs several checks for a user and produces a short diagnostic report. Edit variables as needed before running.

# QuickSignInDiag.ps1 - Diagnostic checks for sign-in issues
# Requires: Microsoft.Graph module and appropriate permissions
param(
  [Parameter(Mandatory=$true)][string]$UserPrincipalName,
  [int]$HoursBack = 24
)

Import-Module Microsoft.Graph -ErrorAction Stop
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All" -ErrorAction Stop

Write-Host "Diagnostic start: $UserPrincipalName (last $HoursBack hours)" -ForegroundColor Cyan

$since = (Get-Date).ToUniversalTime().AddHours(-$HoursBack).ToString("o")

# 1. Recent sign-in failures
$failures = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since and status/errorCode ne 0" -All
Write-Host "Recent failures:" ($failures.Count) "records"

$failures | Select-Object createdDateTime,appDisplayName,ipAddress,status,correlationId | Format-Table

# 2. Conditional Access hits
$ca = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since and conditionalAccessStatus ne null" -All
Write-Host "Conditional Access entries:" ($ca.Count)
$ca | Select-Object createdDateTime,conditionalAccessStatus,correlationId | Format-Table

# 3. Registered authentication methods
Write-Host "`nRegistered authentication methods:"
Get-MgUserAuthenticationMethod -UserId $UserPrincipalName | Format-List

Write-Host "`nEnd diagnostic" -ForegroundColor Green

Use this as a foundation for runbooks in automation tools (Azure Automation, GitHub Actions, or runbooks in your ITSM platform).

Logging & observability best practices

Make sign-in problems easier to troubleshoot by improving logs and observability:

Collect correlation IDs at every layer and pass them through headers to backends and frontends.
Centralize audit logs (SIEM) with automated alerts for repeated failure spikes or unusual IPs.
Log token errors with low-sensitivity details — do not log full tokens or PII.
Instrument SSO endpoints to record latency, redirect counts, and cookie set failures.

Good telemetry lets you detect and fix regressions quickly after config changes (certificate rollover, policy modifications, or app updates).

Practical communication templates for support teams

Use clear templates when asking users to perform checks — this reduces back-and-forth and speeds resolution.

Support message example:
Hi  — thanks for reporting the issue. To help troubleshoot quickly, please:
1) Send a screenshot of the error (including the browser address bar and timestamp).
2) Try signing in from a private/incognito browser window and let us know the result.
3) If possible, try from a different network (mobile hotspot).
4) If we need to force-signout, reply 'OK' and we'll proceed (note: this will sign you out from all devices).

Always confirm whether it's OK to revoke sessions before doing destructive actions like token revocation or MFA reset.

Preventive measures and engineering controls

To reduce recurrence of sign-in issues, apply these engineering best practices:

Staged certificate rollovers — support old certs for overlap periods and test with a small user group.
Token lifetime strategy — balance security and user convenience with reasonable refresh token lifetimes.
Graceful error surfaces — show meaningful messages and guidance rather than a generic failure phrase.
Automated monitoring — detect authentication failure spikes and auto-notify the identity team.
Self-service MFA recovery — allow users safe ways to recover access (backup codes, helpdesk escalation workflows).

Advanced diagnostics: when to escalate to vendor support

Escalate to the identity provider or application vendor when:

You have a correlation ID and sign-in log entries and vendor support asks for them.
Evidence of backend token-signing failure or provider-side service errors (500-series errors with correlation IDs).
Outages correlated across many users and regions where your configuration changes do not explain the issue.

Before calling support, collect the following: correlation IDs, timestamps, affected user list, sample HAR file (redact personal data), and recent changes (cert rollovers, policy changes).

Checklist: Rapid mitigation actions (one-page for on-call)

Confirm error text and capture screenshot + timestamp.
Reproduce in incognito; if works, ask user to clear cookies for the domain.
Check sign-in logs for recent failures (use PowerShell or Graph).
Temporarily exclude the user from Conditional Access policy or create test user to isolate policy impact.
If certificate or federated metadata changed in last 24–48 hours, validate that metadata across SP/IdP matches.
If suspect tokens, revoke refresh tokens for user and instruct them to sign in again.

Resources, links & keywords

cloudknowledge.in

authentication troubleshooting, MFA loop fix, SSO troubleshooting, token cookie issues, expired session, conditional access, Microsoft Graph, PowerShell sign-in logs, SAML assertion, cookie SameSite

AD FS troubleshooting authentication errors authentication token expired Azure AD PowerShell Azure AD sign-in logs Azure AD SSO error browser cookie problem cloud authentication problem conditional access block conditional access policy cookie SameSite issue Entra ID sign-in error Entra ID troubleshooting expired session fix federated login error identity provider troubleshooting invalid refresh token invalid_grant error login audit logs login failed error login redirect loop MFA loop fix MFA not triggering MFA registration issue Microsoft 365 login error Microsoft Entra ID Microsoft Graph API scripts Microsoft Graph PowerShell multi-factor authentication problem OAuth login issue SAML authentication error sign-in correlation ID sign-in session expired sign-in troubleshooting SSO troubleshooting stale session token token cookie issues token revocation PowerShell user authentication issues user unable to sign in