EAM Quick Troubleshooting Guide
EAM troubleshooting helps you fix common Microsoft Entra External Authentication Method problems when XFA is used as the device-security factor. Start here when the setup fails, users are not redirected correctly, or the expected device decision is not applied.
User cannot log in after domain transfer or UPN change
What You're Seeing
- User was transferred from one domain to another
- User receives authentication errors or "blocked" messages
- Login worked before the UPN (User Principal Name) change
Resolution Steps
Step 1: Verify the UPN Update in Entra ID
- Go to Entra ID > Users
- Search for and select the affected user
- Check the User principal name field
- Confirm the new UPN is correctly set
Step 2: Wait for Synchronization
- UPN changes take 15-30 minutes to propagate through all systems
- If the change is recent, wait and try again
Step 3: User Actions Required
Have the user perform these actions:
-
Clear browser data:
- Clear browser cache and cookies
- Close all browser windows completely
- Restart the browser
-
Re-authenticate with new credentials:
- Log out of all Microsoft services
- Log in again using the new UPN
-
Re-register device with XFA (if needed):
- User may need to re-register their device
- Follow the standard XFA registration process with new UPN
Step 4: Verify Access Policies
- Go to Entra ID > Conditional Access
- Check that policies are not blocking the user
- Verify the user is in the correct groups for XFA access
Step 5: Check Authentication Methods
- Go to Users > Select user > Authentication methods
- Verify XFA is properly registered
- Remove and re-add if necessary
Prevention
- Test UPN changes with a pilot group before organization wide rollout
- Communicate changes to users in advance
- Document the re-registration process for users
User sees "multiple active sessions" error
What You're Seeing
- User receives error about multiple active Microsoft sessions
- Authentication fails despite correct credentials
- User encounters error messages while authenticating
Resolution Steps
Option 1: IT Admin Revokes Sessions (Immediate)
- Go to Entra ID > Users
- Search for and select the affected user
- Navigate to Devices or Sign-ins section
- Click Revoke sessions to invalidate all active refresh tokens
- Have the user try logging in again immediately
Option 2: User Self-Service (User Can Do This)
- User visits https://account.microsoft.com
- Sign in with Microsoft credentials
- Go to Security > Sign-in activity
- Review and sign out of all active sessions
- Try logging in to XFA again
Option 3: Wait for Natural Expiration
- Active sessions expire based on your organizations token lifetime policies
- Default Microsoft session lifetimes: typically 24 hours for refresh tokens
- Use this option only if immediate access is not critical
Verification
After revoking sessions:
- Check Users > Select user > Authentication methods
- Verify XFA is properly registered
- Confirm other MFA methods are disabled if required by policy
Best Practice
- Educate users to sign out properly when switching devices
- Implement clear session management policies
- Document the self-service process for users
User authentication fails with no clear error
What You're Seeing
- User reports authentication issues but no clear error
- Need to understand why authentication is failing
- Want to see the full authentication flow
Resolution Steps
Step 1: Check XFA Activity Logs
- Open the XFA Dashboard
- Navigate to the Activity view
Step 2: Review Entra ID Sign-in Logs
- Go to Entra ID > Monitoring > Sign-in logs
- Filter by:
- User: Enter the affected user's UPN
- Date: Select time range
- Status: Filter to "Failure" if needed
- Click on individual sign-in events
- Review:
- Status column for outcome
- Failure reason for detailed error
- Authentication details for EAM events
- Export logs if needed for deeper analysis
Step 3: Correlate XFA and Entra ID Logs
- Match timestamps between XFA Activity and Entra ID Sign-in logs
- Look for EAM-related error codes in Entra ID
- Cross-reference to get complete authentication flow picture
Step 4: Common Error Patterns to Check
- Conditional Access blocks: User not meeting policy requirements
- Device compliance issues: Device not meeting requirements
- Authentication method problems: XFA not properly registered
- Network/location issues: Access from blocked location
- Token/session issues: Expired or invalid tokens
Next Steps Based on Findings
- Policy blocks → Review and adjust Conditional Access policies
- Registration issues → Have user re-register device
- Session problems → Expand "multiple active sessions" section above
- UPN issues → Expand "UPN change" section above
Still Need Help?
Before Contacting Support
- Check XFA Status Page: Verify there are no known service issues: https://xfa.statuspage.io/
- Gather diagnostics:
- User Principal Name (UPN) of affected user(s)
- Exact error messages or screenshots
- Timestamps of when issues occurred
- XFA Activity logs and Entra ID Sign-in logs
- Steps you've already tried
Contact XFA Support
Email: support@xfa.tech
Chat: Use the in-app support chat from the XFA Dashboard
Include in your message:
- Detailed description of the issue
- User Principal Name (UPN) of affected user(s)
- Screenshots or screen recording of the error messages
- Timestamps when the issue occurred
- XFA Activity log entries (if available)
- Entra ID Sign-in log entries (if available)
- Troubleshooting steps already attempted