This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 8%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
Hello, We have a group of devices that are experiencing excessive 2FA prompts , i.e. When logging into their laptop in the morning, a windows 10 notification appears suggesting there is a problem with their “work and school account”. Edge and OneDrive will not be logged in , however Outlook would normally be online. Once they click on the “FIX NOW” prompt, the laptop doesn’t prompt 2FA again for that day. However they will likely experience the same problem with their “work and school account” the following day. The same users will not experience this behaviour on their mobile device, where Microsoft authentication caching and SSO works smoothly.
It's quite frustrating for them to keep authenticating on their laptop each morning. Not all devices in our 100 device estate is experiencing this issue – this is regardless of working from home or in the issue. There is no clear pattern to what could be triggering, apart of the errors in the AAD logs (see below)
We use the same AV products across our device estate and do not believe this is causing the issue This happens pretty much every day. We have exhausted all troubleshooting. E.g...
Can anyone advise what could be causing this problem and the fix, as its been going on for a while, and about 50% of our device estate is suffering.
@Mario Marrese
Hope you got a chance to review the action plan suggested . Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well.
Thanks,
Akshay Kaushik
Hello,
In response to your comments;
Windows Hello PIN is disabled for all users. We don't think it's related as I do not experience the daily 2FA prompts and I do not have PIN enabled on my Windows 10 laptop . Here is a screenshot of my Hello PIN settings. It isn't convenient for users to create a "PIN" to login to their device and easier for them to authenticate onto their device using their Entra AD credentials .
Based upon above error it seems like user authentication is successful but device authentication is not happening. Kindly try the following steps and let me know the status:
Thanks
Akshay Kaushik
@Akshay-MSFT many thanks for taking the time to investigate our on-going issue.
in response to your comments.
This is set to disabled account our estate of devices - see screenshot. We would prefer that users login with their AD credentials when logging into Window's than users defining their own PIN etc.
**I have inspected the registry and the first registry entry seems to look fine.
however the second registry entry mentions "Match the SID reported for the user in event ID 1098 to the path under HKEY_USERS"**
1098 does appear to reference the SID, so i ran the below command to obtain SID of current user experiencing the issue. That SID number doesn't match against the permissions, but instead the permissions is referencing "Unknown Account" could this be a problem?
Kindly send an email at "azcommunity@microsoft.com",
Thanks,
Akshay Kaushik
Hello. I have sent the email as requested.
This has been acknowledged and responded.