Troubleshoot: Resolve Federated Users in Entra ID Being Forced to Sign In Frequently

If you are using Microsoft 365 with SSO in your environment and your end users are frequently being prompted to log into local Microsoft apps or services, this is likely due to a known issue from MS. This can be corrected by setting a date/timestamp for those users in Entra ID either individually or by looping over a CSV. The general command set is below and should be reviewed and tested on a user to validate that it resolves the issue. You can find an example of using PowerShell to loop through your users via the example below, but this should be tested on a small group of users first in case PS module syntax has changed, etc. 


Refreshing the STS Token

  1. Connect to your Microsoft Azure Active Directory Module for Windows via PowerShell.
  2. Run the following commands:

$UserCredential = Get-Credential


Get-Msoluser -UserPrincipalName [email protected] | select name,Stsrefreshtokensvalidfrom,LastPasswordChangeTimestamp | fl

$RefreshTokensValidFrom = Get-Date

Set-MsolUser -UserPrincipalName [email protected] -StsRefreshTokensValidFrom $RefreshTokensValidFrom


Time values are in UTC.

Testing the STS Token Modification

  1. Run the following commands:

Get-msoluser -all | where-object {$_.stsrefreshtokensvalidfrom -eq $Null} | select userprincipalname,islicensed,stsrefreshtokensvalidfrom | export-csv "C:\PowerShellScripts\Office365\userswithoutSTS.csv" -notypeinformation

$RefreshTokensValidFrom = Get-Date

$NoSTSUsers = Import-Csv "C:\PowerShellScripts\Office365\userswithoutSTS.csv" 

$NoSTSUsers | ForEach-Object{Set-msoluser -UserPrincipalName $_."userprincipalname" -StsRefreshTokensValidFrom $RefreshTokensValidFrom}

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case