ManageEngine x Forrester | Workforce Identity Platforms Landscape Report

Azure AD Security

Top-12 ways to troubleshoot common issues in Azure AD Tenant

In the business world, Azure Active Directory, also known as Azure AD, is a cloud-based service provided by Microsoft that manages the identity and access processes of an organization. Furthermore, it also offers a wide range of features and functionalities that can be used to manage and secure user identities, in addition to authentication, access control, and user provisioning. Despite Azure AD’s robust capabilities, there is still a possibility that Azure AD may encounter problems that will adversely affect the user experience or compromise the security of the system. As a result, troubleshooting is one of the key skills required for Azure AD administrators to be proficient in in this field. As we will explore in depth in this article, we will review the top 12 ways in which you can troubleshoot common problems within an Azure AD tenant.

1. Check the Azure AD service health  

You can check the health status of Azure services, including Azure AD, from the Azure portal. Monitoring the status of Azure AD will enable you to identify if there are any known issues with the service that may have an impact on your tenant.

  • From the Azure portal, click on “More Services” option in the left-hand menu and select “Health“.
  • In the Health pane, choose the “Service Health” option.
  • In the “Service Health” pane, select the “Azure Active Directory” option from the list of services.
  • The “Azure Active Directory” pane will display the current service health status, including any known issues or outages affecting the service.
  • If any service health notification or incident has been listed on the pane, you may want to review them to determine if they may have implications for your Azure AD tenant.
  • Microsoft will usually provide its customers with an estimate of the time it will take for the issue to be resolved and any recommendations that they should take. To mitigate the impact of the issue on your organization, follow the recommendations as appropriate and follow any steps that have been suggested.

2. Review Azure AD logs 

In Azure Active Directory, logs are generated that can provide detailed information about the activity of users, registration of devices, and application usage. It can be very helpful to review these logs in order to identify any problems that may exist related to authentication, authorization, or application access.

  • From the Azure AD pane, click on the “Diagnostic settings” option.
  • In the “Diagnostic settings” pane, click on the “Add diagnostic setting” button.
  • In the “Add diagnostic setting” pane, enter a name for the diagnostic setting and select the logs you want to collect, such as sign-in logs, audit logs, or directory logs.
  • Choose a destination for the logs, such as a storage account or event hub.
  • Select any additional settings you want to configure, such as retention period and log format.
  • Click the “Save” button to create the diagnostic setting.
  • As soon as the diagnostic setting is created, you will be able to view the collected log files by navigating to the destination you selected.
  • You will need to review the log files for any issues or errors related to authentication, authorization, or access to the application.
  • If any issues are identified, take action to resolve them, such as updating the policies governing access, revoking access to users, if necessary.

3. Check network connectivity 

Azure AD relies on network connectivity to function properly. If there are network issues, it can cause problems with authentication and application access.

  • Identify the affected users or devices: If there are reports of issues regarding authentication or application access, you need to identify the users or devices that are affected.
  • Check network connectivity between the affected users or devices and Azure AD: To check if there is connectivity between the affected users or devices and Azure AD, use network troubleshooting tools like ping or traceroute.
  • Check the firewall and proxy settings: Make sure that the firewall and proxy settings are configured properly to allow traffic to and from Azure AD. If required, add exceptions to the firewall or proxy settings to allow traffic to the following endpoints:
    1. login.microsoftonline.com
    2. login.windows.net
    3. graph.windows.net
  • Check the DNS settings: Ensure that the DNS settings for the affected users or devices are configured correctly to resolve Azure AD endpoints. The following DNS entries are required for Azure AD to function properly:
    1. Login.microsoftonline.com
    2. Login.windows.net
    3. graph.windows.net
  • Check the network infrastructure: Check the network infrastructure, including the endpoints like switches, routers, and gateways, to ensure that they are configured correctly and functioning properly.
  • Test authentication and application access: After checking network connectivity and resolving any issues, test authentication and application access to confirm that the issue has been resolved.

4. Verify DNS configuration 

Azure AD requires DNS to function properly. Verify that the DNS configuration is correct and that the necessary DNS records are in place.

  • Check the DNS server settings: Verify the DNS server settings on the Azure AD domain controller(s) are configured correctly and point to a valid DNS server.
  • Verify DNS records: Make sure the Azure AD DNS records are correctly configured. A few of these records are:
    1. DNS record must point to the IP address of the Azure AD domain controller(s) for the Azure AD domain name.
    2. It is necessary to configure all the required Azure AD SRV records, including _tcp, _udp, and _ldap.
  • Test network connectivity: Ensure the domain controllers are connected to the DNS servers. It is important to make sure that DNS communication is enabled on the necessary ports.
  • Use DNS diagnostic tools: Make sure the DNS configuration is correct and the necessary DNS records are present using DNS diagnostic tools such as nslookup and dig.
  • Replication of DNS zone information: Verify that your Azure AD domain controllers and DNS servers are properly replicating DNS zone information. Look for DNS replication errors in the event logs.
  • Check Azure AD Connect: Verify that the DNS configuration is correct in the Azure AD Connect configuration if you are using Azure AD Connect to synchronize your on-premises Active Directory with Azure AD. Configuration can be verified using Azure AD Connect Health.

5. Review Azure AD Connect configuration:  

If you are using Azure AD Connect to synchronize on-premises identities with Azure AD, review the configuration to ensure that it is set up correctly.

  • Navigate to the configuration wizard for Azure AD Connect.
  • You can view the current configuration by selecting “View current configuration” on the first page. Click “Next“.
  • Verify the synchronization options to ensure they are configured correctly. This includes checking the source anchor attribute, filtering rules, and object types to synchronize.
  • To review any enabled features, such as password synchronization or hybrid Exchange deployment, click the “Optional features” tab.
  • Open the “Connectivity” tab and verify that the AD forest and Azure AD connections are healthy.
  • View any customizations made to the configuration on the “Pre-existing environment” tab, such as OU filtering, attribute transformations, and password write-backs.
  • Make sure that the sync interval and sync cycle are configured correctly under the “Sync” tab.
  • Ensure that the domains and OUs on the “AD Domain and OU” tab are correct and that the correct accounts have the required permissions.
  • Make sure that the correct domains and OUs are selected on the “Azure AD Domain and OU” tab.
  • Last but not least, ensure that the Azure AD tenant is selected correctly and that the account used to synchronize has the necessary permissions on the “Azure AD tenant” tab.

6. Check Azure AD authentication methods:  

Azure AD supports a variety of authentication methods, including password-based authentication and multi-factor authentication. Check the authentication methods that are enabled in your tenant to ensure that they are configured correctly.

  • Check the Azure AD authentication methods: Go to the Azure AD portal and navigate to the Authentication methods page to check the Azure AD authentication methods. Make sure password-based authentication, multi-factor authentication, and Azure AD Join are all enabled in your tenant.
  • Verify the configuration of each authentication method: Review each authentication method’s configuration to make sure it has been configured correctly. For example, check the settings for password complexity and expiration, multi-factor authentication settings, and Azure AD Join settings.
  • Check the Azure AD authentication logs: It is possible to obtain detailed information about authentication attempts through Azure AD’s logs, which can include details about successful and failed attempts. To identify authentication issues, review these logs.
  • Verify the configuration of third-party authentication providers: Make sure that the configuration of a third-party authentication provider is correct. For example, make sure SAML and OpenID Connect settings are correct.
  • Test the authentication methods: Verify that every authentication method works as expected. For example, by signing in with a user account and verifying the correct password, you can test password-based authentication. By completing the multi-factor authentication process, you can test the multi-factor authentication.

7. Monitor Azure AD sign-ins:  

Azure AD provides information on user sign-ins, including the time of sign-in, the user’s IP address, and the application that was accessed. Monitoring sign-ins can help identify potential security issues or anomalies.

  • Click on “Azure Active Directory” from the left-hand menu in the Azure portal.
  • Select “Sign-ins” from the “Monitoring” section.
  • Review the list of sign-ins to identify any suspicious activity. You can use the filter sign-ins option based on different parameters like date range, location, or user.
  • Investigate if you identify any suspicious sign-ins by reviewing details, like the IP address, location, and application used.
  • On the other hand, you can use the “Risk detections” tab to identify any sign-ins that have been flagged as high risk. These could be due to suspicious behaviour or arise from an unfamiliar location or device.
  • If you identify any sign-ins from unfamiliar locations or when there are multiple failed sign-in attempts, configure alerts to receive notifications.
  • Use Azure AD Identity Protection to analyze risk events and take appropriate actions, such as blocking access or requiring additional authentication steps.

8. Verify account permissions:  

Azure AD provides a variety of administrative roles that grant different levels of access to the tenant. If you are having issues accessing or managing the tenant, verify that you have the correct permissions assigned.

  • Navigate to the Azure AD pane and select the “Users” tab.
  • Search for the user account that you want to verify and select it.
  • In the user’s properties, navigate to the “Directory role” tab.
  • Check the user’s assigned directory role and ensure that it is configured to grant the appropriate level of access to the tenant.
  • If the user does not have the appropriate role assigned, select “Add role assignment” and choose the appropriate role from the list.
  • If the user has the correct role assigned, check if there are any permissions conflicting with one another. To do this, navigate to “Azure Active Directory“, then to “Roles and administrators” and review the assigned roles and their permissions.
  • If the user’s assigned role is not listed or you are not sure if it grants the necessary permissions, create a new custom role and assign it to the user.
  • Finally, log out and log back in using the account with the updated role assignments to ensure that the changes have taken effect.

9. Check Azure AD application registrations:  

If you are having issues with a specific application, verify that it is registered correctly in Azure AD and that it is configured with the correct permissions and settings.

  • From the Azure portal, click on “App registrations” in the left-hand menu.
  • Locate the application that you are having issues with and expand it to view its settings.
  • Review the “Overview” tab to ensure that the application is registered correctly with Azure AD.
  • Check the “Authentication” tab to ensure that the authentication settings are correct.
  • Review the “API permissions” tab to ensure that the application has the necessary permissions to access Azure AD resources.
  • Check the “Certificates & secrets” tab to ensure that any required certificates or secrets are set up correctly.
  • If necessary, update the application’s settings and save the changes.
  • Test the application to verify that the issue has been resolved.

10. Review Azure AD conditional access policies:  

If you have configured conditional access policies in Azure AD, review them to ensure that they are set up correctly and that they are not causing issues with user authentication or application access.

  • From the Azure portal, in the left navigation pane, click on “Azure Active Directory“.
  • In the Azure Active Directory pane, click on “Conditional access” under the “Security” section.
  • Review the list of conditional access policies configured in your tenant. Click to open the details, if you suspect that a policy may be causing issues.
  • While reviewing them, pay attention to the following settings:
    1. Assignments: Check the groups or users that the policy applies to, as well as the conditions that must be met for the policy to take effect.
    2. Access controls: Check the controls that the policy enforces, such as requiring multi-factor authentication or blocking access from specific locations.
    3. Session controls: Check the settings that control user sessions, such as requiring users to re-authenticate after a certain period of inactivity.
  • If you suspect that a policy is causing issues, you can disable it temporarily by toggling the switch to “Off”. This will allow you to test if it really is that policy that is causing the issues.
  • If you find that a policy is causing issues, you can modify its settings or delete it entirely to resolve the problem.
  • Word of caution: Be sure to test any changes or deletions thoroughly before deploying them to production.
  • If you are unable to identify the cause of the issue using the Azure portal, you can use Azure AD PowerShell cmdlets to further troubleshoot conditional access policies. The cmdlets allow you to retrieve policy information, view policy logs, and perform other troubleshooting tasks.

11. Test Azure AD application integrations:  

If you are integrating applications with Azure AD, test the integration to ensure that it is functioning properly. This can include verifying that users can sign in to the application using their Azure AD credentials and that the application is able to access the necessary Azure AD resources.

  • Verify if the application is registered correctly in Azure AD. Check if the application is configured with proper permissions and settings.
  • Verify that the application is able to communicate with Azure AD. Check the connection between the application and Azure AD and verify that the necessary authentication and authorization protocols are supported.
  • Verify that users can sign in to the application using their Azure AD credentials. Test the sign-in process for the application to ensure that users can authenticate using their Azure AD credentials.
  • Verify if the application can access the necessary Azure AD resources. Test the application’s ability to access Azure AD resources such as user profiles and groups.
  • Check if there are any errors or issues reported by the application. Review the logs and error messages reported by the application to identify any issues with the integration.
  • Try testing the integration with different user accounts and scenario too. Test the integration with different user accounts and scenarios to ensure that it is functioning properly across all use cases.
  • Check for any issues with the application’s configuration or settings. Review the application’s configuration and settings to identify any issues that may be impacting the integration with Azure AD.
  • If the above troubleshooting failed, consult with the application vendor or support team for assistance.

12. Check Azure AD device registration 

If you are having issues with device registration, verify that the devices are registered correctly in Azure AD and that they are able to authenticate successfully.

  • Verify that the device is compatible with Azure AD device registration. It is prescribed by Microsoft that only devices that are running Windows 10 or later, iOS 10 or later, or Android 5.0 or later are compatible.
  • Check if the device is joined with Azure AD. To verify this, go to the Azure portal and navigate to Azure Active Directory > Devices. If it is not listed in the registered list of devices, it may not be joined to Azure AD.
  • Check that the device is enrolled in Intune (if applicable). If you are using Intune to manage devices, verify that the device is enrolled correctly. To do this, go to the Azure portal and navigate to Microsoft Intune > Devices > All devices. If it is not listed in the list of enrolled devices, it may not be enrolled correctly.
  • Verify that the device has a valid certificate. Azure AD device registration uses certificates to authenticate devices. Ensure that the device has a valid certificate that has not expired or been revoked.
  • Check that the device can connect to Azure AD. If the device has trouble connecting to Azure AD, it may not be able to register with Azure AD. Verify that the device can connect to the internet and if it can reach the Azure AD endpoint.
  • Check that the device is configured for automatic registration (if applicable). If you are using automatic registration, ensure that the device is configured correctly. To do this, go to the Azure portal and navigate to Azure Active Directory > Devices > Device settings. Ensure that the setting for “Users may register their devices with Azure AD” is set to “Yes.”
  • Verify if the device meets the Azure AD registration requirements. Azure AD device registration has specific requirements that must be met for registration to succeed. Check that the device meets these requirements, such as having a supported operating system version and being joined to a valid domain.
  • Check for any Azure AD device registration errors. If the device is having trouble registering with Azure AD, there may be error messages in the Azure AD logs. Check the logs for any errors related to device registration and troubleshoot them accordingly.

As Azure AD plays a crucial role in identity and access management, troubleshooting is a critical skill for administrators. As a result of the 12 ways listed in this article, you can troubleshoot common Azure AD Tenant issues in a comprehensive manner. By following these steps, admins can make sure their Azure AD environment is functioning correctly and users can safely and efficiently access resources.

Related posts
Azure Active DirectoryAzure AD Security

How to monitor and report security events in Microsoft Entra ID

Azure Active DirectoryAzure AD FundamentalsAzure AD Security

How to protect confidential data using Azure Information Protection

Azure AD FundamentalsAzure AD Security

Simplify data classification using Azure Information Protection

Azure Active DirectoryAzure AD Security

How to use AIP scanner to discover sensitive data

×

There are over 8,500 people who are getting towards perfection in Active Directory, IT Management & Cyber security through our insights from Identitude.

Wanna be a part of our bimonthly curation of IAM knowledge?

  • -Select-
  • By clicking 'Become an insider', you agree to processing of personal data according to the Privacy Policy.