Azure Single Sign On (SSO) can streamline access across cloud and SaaS apps—but when it breaks, it breaks at scale. Whether users are getting unexpected sign in prompts, looping redirects, or mysterious “AADSTS” error codes, Azure SSO issues can disrupt productivity and erode trust quickly.
In this post, we’ll walk through common root causes, actionable steps for troubleshooting, and best practices to ensure your identity layer stays resilient.
First, Understand the Flow
Before jumping into logs, it helps to understand the basic Azure AD SSO handshake:
- User accesses an application (like Salesforce, Teams, or a custom app).
- The app redirects the user to Azure AD to authenticate.
- Azure AD validates the user via their credentials or existing session (e.g., Windows Integrated Auth or PRT).
- If successful, Azure AD issues a token and redirects the user back to the application.
If any one of these steps fails—due to misconfigurations, expired tokens, or conditional access policies—SSO breaks.
Common Symptoms and Root Causes
| Symptom | Likely Root Cause |
|---|---|
| Users get prompted to sign in again | Incorrect SSO mode (password-based vs federated), or domain not added to Azure AD |
| AADSTS error messages | Misconfigured app registration, certificates, or permissions |
| Conditional Access errors | Policies that block sign-in based on location, device, or risk |
| Looping redirects | Token not recognized or misaligned reply URLs |
| SSO only works on-network | PRT or hybrid join misconfigured |
| SSO fails for specific users only | UPN mismatch, license misassignment, or stale identity tokens |
How to Troubleshoot Azure SSO Step-by-Step
1. Check Sign-in Logs
Start in the Azure AD Sign-in logs:
- Filter by user, app, and timestamp
- Look for AADSTS error codes like:
AADSTS50107– Missing MFAAADSTS50020– User not in tenantAADSTS700016– App/client not foundAADSTS50105– User blocked by Conditional Access
2. Review Enterprise App Settings
Navigate to Azure Active Directory → Enterprise Applications:
- Make sure SSO mode matches what the app expects (e.g., SAML vs OAuth2)
- Validate:
- Reply URLs (redirect URIs)
- Identifiers (Entity ID, App ID URI)
- Certificates (expiration and thumbprint match)
Apps like Workday or ServiceNow often require certificate updates every year.
3. Use the MyApps Test Tool
Have the user go to myapps.microsoft.com, click the app, and review the real-time authentication flow. This helps isolate whether the issue is user-specific, app-specific, or tenant-wide.
4. Validate Conditional Access
Check for policies in Azure AD → Security → Conditional Access that may:
- Block sign-in by location
- Require compliant or hybrid-joined devices
- Trigger unexpected MFA prompts
Tip: Use Report-only mode to test new policies before enforcing them.
5. Inspect Domain and User Settings
- Verify the user’s UPN matches the expected domain suffix (e.g., [email protected])
- Check that the domain is verified and federated if needed
- For Hybrid setups, confirm Seamless SSO is enabled and GPOs are configured properly
Hybrid Azure AD Join & PRT Issues
In hybrid environments, SSO often relies on Primary Refresh Tokens (PRTs) issued when a device is Azure AD joined or hybrid joined. If devices aren’t joined correctly, or if the user signs into a local account, SSO won’t work.
Check device status via:
- dsregcmd /status on Windows
- Azure AD portal → Devices
A healthy device should show:
- AzureADJoined = YES
- PRT = YES
Best Practices to Prevent Future Issues
- Renew certificates proactively for SAML-based SSO apps
- Document app configs—including reply URLs, identifiers, and roles
- Monitor logs continuously using Azure Monitor or Sentinel
- Use groups for access control, not individual users
- Automate testing with tools like Microsoft Graph or Playwright if you manage many apps
Need Help Managing Azure Identity?
Exodata specializes in designing, securing, and supporting enterprise identity environments on Microsoft Azure. Whether you’re integrating SSO for hundreds of SaaS apps or troubleshooting hybrid join problems across your fleet, our team can help ensure your users get seamless, secure access—every time.
