Skip to main content

EAM Quick Troubleshooting Guide

Find your issue below and click to expand for step-by-step solutions.

User cannot log in after domain transfer or UPN change

What You're Seeing

  • User was transferred from one domain to another
  • User receives authentication errors or "blocked" messages
  • Login worked before the UPN (User Principal Name) change

Resolution Steps

Step 1: Verify the UPN Update in Entra ID

  1. Go to Entra ID > Users
  2. Search for and select the affected user
  3. Check the User principal name field
  4. Confirm the new UPN is correctly set

Step 2: Wait for Synchronization

  • UPN changes take 15-30 minutes to propagate through all systems
  • If the change is recent, wait and try again

Step 3: User Actions Required

Have the user perform these actions:

  1. Clear browser data:

    • Clear browser cache and cookies
    • Close all browser windows completely
    • Restart the browser

  2. Re-authenticate with new credentials:

    • Log out of all Microsoft services
    • Log in again using the new UPN

  3. Re-register device with XFA (if needed):

    • User may need to re-register their device
    • Follow the standard XFA registration process with new UPN

Step 4: Verify Access Policies

  1. Go to Entra ID > Conditional Access
  2. Check that policies are not blocking the user
  3. Verify the user is in the correct groups for XFA access

Step 5: Check Authentication Methods

  1. Go to Users > Select user > Authentication methods
  2. Verify XFA is properly registered
  3. Remove and re-add if necessary

Prevention

  • Test UPN changes with a pilot group before organization wide rollout
  • Communicate changes to users in advance
  • Document the re-registration process for users
User sees "multiple active sessions" error

What You're Seeing

  • User receives error about multiple active Microsoft sessions
  • Authentication fails despite correct credentials
  • User encounters error messages while authenticating

Resolution Steps

Option 1: IT Admin Revokes Sessions (Immediate)

  1. Go to Entra ID > Users
  2. Search for and select the affected user
  3. Navigate to Devices or Sign-ins section
  4. Click Revoke sessions to invalidate all active refresh tokens
  5. Have the user try logging in again immediately

Option 2: User Self-Service (User Can Do This)

  1. User visits https://account.microsoft.com
  2. Sign in with Microsoft credentials
  3. Go to Security > Sign-in activity
  4. Review and sign out of all active sessions
  5. Try logging in to XFA again

Option 3: Wait for Natural Expiration

  • Active sessions expire based on your organizations token lifetime policies
  • Default Microsoft session lifetimes: typically 24 hours for refresh tokens
  • Use this option only if immediate access is not critical

Verification

After revoking sessions:

  1. Check Users > Select user > Authentication methods
  2. Verify XFA is properly registered
  3. Confirm other MFA methods are disabled if required by policy

Best Practice

  • Educate users to sign out properly when switching devices
  • Implement clear session management policies
  • Document the self-service process for users
User authentication fails with no clear error

What You're Seeing

  • User reports authentication issues but no clear error
  • Need to understand why authentication is failing
  • Want to see the full authentication flow

Resolution Steps

Step 1: Check XFA Activity Logs

  1. Open the XFA Dashboard
  2. Navigate to the Activity view

Step 2: Review Entra ID Sign-in Logs

  1. Go to Entra ID > Monitoring > Sign-in logs
  2. Filter by:
    • User: Enter the affected user's UPN
    • Date: Select time range
    • Status: Filter to "Failure" if needed
  3. Click on individual sign-in events
  4. Review:
    • Status column for outcome
    • Failure reason for detailed error
    • Authentication details for EAM events
  5. Export logs if needed for deeper analysis

Step 3: Correlate XFA and Entra ID Logs

  1. Match timestamps between XFA Activity and Entra ID Sign-in logs
  2. Look for EAM-related error codes in Entra ID
  3. Cross-reference to get complete authentication flow picture

Step 4: Common Error Patterns to Check

  • Conditional Access blocks: User not meeting policy requirements
  • Device compliance issues: Device not meeting requirements
  • Authentication method problems: XFA not properly registered
  • Network/location issues: Access from blocked location
  • Token/session issues: Expired or invalid tokens

Next Steps Based on Findings

  • Policy blocks → Review and adjust Conditional Access policies
  • Registration issues → Have user re-register device
  • Session problems → Expand "multiple active sessions" section above
  • UPN issues → Expand "UPN change" section above

Still Need Help?

Before Contacting Support

  1. Check XFA Status Page: Verify there are no known service issues: https://xfa.statuspage.io/
  2. Gather diagnostics:
    • User Principal Name (UPN) of affected user(s)
    • Exact error messages or screenshots
    • Timestamps of when issues occurred
    • XFA Activity logs and Entra ID Sign-in logs
    • Steps you've already tried

Contact XFA Support

Email: [email protected]

Chat: Use the in-app support chat from the XFA Dashboard

Include in your message:

  • Detailed description of the issue
  • User Principal Name (UPN) of affected user(s)
  • Screenshots or screen recording of the error messages
  • Timestamps when the issue occurred
  • XFA Activity log entries (if available)
  • Entra ID Sign-in log entries (if available)
  • Troubleshooting steps already attempted

Additional Resources