Skip to main content

EAM Quick Troubleshooting Guide

EAM troubleshooting helps you fix common Microsoft Entra External Authentication Method problems when XFA is used as the device-security factor. Start here when the setup fails, users are not redirected correctly, or the expected device decision is not applied.


User cannot log in after domain transfer or UPN change

What You're Seeing

  • User was transferred from one domain to another
  • User receives authentication errors or "blocked" messages
  • Login worked before the UPN (User Principal Name) change

Resolution Steps

Step 1: Verify the UPN Update in Entra ID

  1. Go to Entra ID > Users
  2. Search for and select the affected user
  3. Check the User principal name field
  4. Confirm the new UPN is correctly set

Step 2: Wait for Synchronization

  • UPN changes take 15-30 minutes to propagate through all systems
  • If the change is recent, wait and try again

Step 3: User Actions Required

Have the user perform these actions:

  1. Clear browser data:

    • Clear browser cache and cookies
    • Close all browser windows completely
    • Restart the browser
  2. Re-authenticate with new credentials:

    • Log out of all Microsoft services
    • Log in again using the new UPN
  3. Re-register device with XFA (if needed):

    • User may need to re-register their device
    • Follow the standard XFA registration process with new UPN

Step 4: Verify Access Policies

  1. Go to Entra ID > Conditional Access
  2. Check that policies are not blocking the user
  3. Verify the user is in the correct groups for XFA access

Step 5: Check Authentication Methods

  1. Go to Users > Select user > Authentication methods
  2. Verify XFA is properly registered
  3. Remove and re-add if necessary

Prevention

  • Test UPN changes with a pilot group before organization wide rollout
  • Communicate changes to users in advance
  • Document the re-registration process for users

User sees "multiple active sessions" error

What You're Seeing

  • User receives error about multiple active Microsoft sessions
  • Authentication fails despite correct credentials
  • User encounters error messages while authenticating

Resolution Steps

Option 1: IT Admin Revokes Sessions (Immediate)

  1. Go to Entra ID > Users
  2. Search for and select the affected user
  3. Navigate to Devices or Sign-ins section
  4. Click Revoke sessions to invalidate all active refresh tokens
  5. Have the user try logging in again immediately

Option 2: User Self-Service (User Can Do This)

  1. User visits https://account.microsoft.com
  2. Sign in with Microsoft credentials
  3. Go to Security > Sign-in activity
  4. Review and sign out of all active sessions
  5. Try logging in to XFA again

Option 3: Wait for Natural Expiration

  • Active sessions expire based on your organizations token lifetime policies
  • Default Microsoft session lifetimes: typically 24 hours for refresh tokens
  • Use this option only if immediate access is not critical

Verification

After revoking sessions:

  1. Check Users > Select user > Authentication methods
  2. Verify XFA is properly registered
  3. Confirm other MFA methods are disabled if required by policy

Best Practice

  • Educate users to sign out properly when switching devices
  • Implement clear session management policies
  • Document the self-service process for users

User authentication fails with no clear error

What You're Seeing

  • User reports authentication issues but no clear error
  • Need to understand why authentication is failing
  • Want to see the full authentication flow

Resolution Steps

Step 1: Check XFA Activity Logs

  1. Open the XFA Dashboard
  2. Navigate to the Activity view

Step 2: Review Entra ID Sign-in Logs

  1. Go to Entra ID > Monitoring > Sign-in logs
  2. Filter by:
    • User: Enter the affected user's UPN
    • Date: Select time range
    • Status: Filter to "Failure" if needed
  3. Click on individual sign-in events
  4. Review:
    • Status column for outcome
    • Failure reason for detailed error
    • Authentication details for EAM events
  5. Export logs if needed for deeper analysis

Step 3: Correlate XFA and Entra ID Logs

  1. Match timestamps between XFA Activity and Entra ID Sign-in logs
  2. Look for EAM-related error codes in Entra ID
  3. Cross-reference to get complete authentication flow picture

Step 4: Common Error Patterns to Check

  • Conditional Access blocks: User not meeting policy requirements
  • Device compliance issues: Device not meeting requirements
  • Authentication method problems: XFA not properly registered
  • Network/location issues: Access from blocked location
  • Token/session issues: Expired or invalid tokens

Next Steps Based on Findings

  • Policy blocks → Review and adjust Conditional Access policies
  • Registration issues → Have user re-register device
  • Session problems → Expand "multiple active sessions" section above
  • UPN issues → Expand "UPN change" section above

Still Need Help?

Before Contacting Support

  1. Check XFA Status Page: Verify there are no known service issues: https://xfa.statuspage.io/
  2. Gather diagnostics:
    • User Principal Name (UPN) of affected user(s)
    • Exact error messages or screenshots
    • Timestamps of when issues occurred
    • XFA Activity logs and Entra ID Sign-in logs
    • Steps you've already tried

Contact XFA Support

Email: support@xfa.tech

Chat: Use the in-app support chat from the XFA Dashboard

Include in your message:

  • Detailed description of the issue
  • User Principal Name (UPN) of affected user(s)
  • Screenshots or screen recording of the error messages
  • Timestamps when the issue occurred
  • XFA Activity log entries (if available)
  • Entra ID Sign-in log entries (if available)
  • Troubleshooting steps already attempted

Additional Resources