Troubleshoot: Resolve Federated Users in Entra ID Being Forced to Sign In Frequently

If you use Microsoft 365 with JumpCloud SSO and your end users are frequently prompted to sign in to Microsoft desktop apps or services, this is likely due to a known Microsoft issue in which the affected users have no SignInSessionsValidFromDateTime value in Entra ID. It is corrected by populating that timestamp, either for individual users or for all affected users by looping over a CSV. Review the commands below and test them on a single user to confirm that they resolve the issue before applying them broadly; test the loop on a small group of users first in case the PowerShell module syntax has changed. 

Prerequisites

Refreshing the STS Token

  1. On a Windows computer, run PowerShell as an administrator. 
  2. Install the Microsoft.Graph module for PowerShell, if it is not already installed:
    • Run Install-Module PowerShellGet
    • Answer Y to install the NuGet provider
    • Answer A (Yes to All) to install from PSGallery
    • Run Install-Module Microsoft.Graph
  3. Modify the PowerShell execution policy:
    1. Set the execution policy to RemoteSigned by running Set-ExecutionPolicy RemoteSigned
    2. Answer A to confirm the change to the execution policy.
  4. Get your M365 Tenant ID.
  5. Run the following commands, replacing the <TenantId> and <UserPrincipalName> placeholders with your values. When Connect-MgGraph prompts you, sign in with your M365 Global Administrator credentials and accept the consent prompt for the requested scopes:

Connect-MgGraph -TenantId "<TenantId>" -Scopes "User.ReadWrite.All","Directory.Read.All"

Get-MgUser -UserId <UserPrincipalName> -Property UserPrincipalName, SignInSessionsValidFromDateTime, LastPasswordChangeDateTime | Select-Object UserPrincipalName, SignInSessionsValidFromDateTime, LastPasswordChangeDateTime | Format-List

If the SignInSessionsValidFromDateTime value is blank, run the following command. Note that it revokes the user's existing refresh tokens and session cookies and sets the timestamp to the current time, so the user will be asked to sign in once more on each of their devices:

Revoke-MgUserSignInSession -UserId <UserPrincipalName>

Verify that SignInSessionsValidFromDateTime now shows the current date and time:

Get-MgUser -UserId <UserPrincipalName> -Property UserPrincipalName, SignInSessionsValidFromDateTime, LastPasswordChangeDateTime | Select-Object UserPrincipalName, SignInSessionsValidFromDateTime, LastPasswordChangeDateTime | Format-List

Important:

Time values are in UTC. SignInSessionsValidFromDateTime is not returned by Get-MgUser unless you request it explicitly with -Property, which is why every command above selects it.

Refreshing the STS Token for All Affected Users

  1. Run the following commands. The first exports every user whose SignInSessionsValidFromDateTime is empty to a CSV so you can review the list (the folder in the -Path must already exist, or Export-Csv will fail); the second and third re-import that list and revoke the sign-in sessions of each user in it:

Get-MgUser -All -Property UserPrincipalName, AssignedLicenses, SignInSessionsValidFromDateTime | Where-Object { $null -eq $_.SignInSessionsValidFromDateTime } | Select-Object UserPrincipalName, AssignedLicenses, SignInSessionsValidFromDateTime | Export-Csv -Path "C:\PowerShellScripts\Office365\userswithoutSIS.csv" -NoTypeInformation

$NoSISUsers = Import-Csv -Path "C:\PowerShellScripts\Office365\userswithoutSIS.csv"

$NoSISUsers | ForEach-Object { Revoke-MgUserSignInSession -UserId $_.UserPrincipalName }
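The two procedures above (the single-user check and the CSV loop) can be combined into one script that supports a dry run and verifies each user after the change. The script below is an added example written for this article, not JumpCloud's or Microsoft's own code. It assumes the Microsoft.Graph module is installed, reuses the page's report path as a default, adds a LicenseCount column and an AccountEnabled filter that the page does not have, and creates the report folder if it is missing.

```powershell
# Added example (not from the original article). Refreshes the STS token timestamp for
# the users named in -UserPrincipalName, or for every enabled user whose
# SignInSessionsValidFromDateTime is still null when no users are named.
# Usage:  .\Refresh-StsToken.ps1 -TenantId <TenantId> -WhatIf      # dry run, changes nothing
#         .\Refresh-StsToken.ps1 -TenantId <TenantId>              # apply to all affected users
#         .\Refresh-StsToken.ps1 -TenantId <TenantId> -UserPrincipalName user@contoso.com
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string] $TenantId,
    [string[]] $UserPrincipalName,   # assumption: omit to target every affected user
    [string] $ReportPath = "C:\PowerShellScripts\Office365\userswithoutSIS.csv"
)

# Same scopes as the article; the signed-in admin must be able to consent to them.
Connect-MgGraph -TenantId $TenantId -Scopes "User.ReadWrite.All", "Directory.Read.All"

# The timestamp is only returned when explicitly selected, hence the -Property list.
$props = "Id", "UserPrincipalName", "AccountEnabled", "AssignedLicenses", "SignInSessionsValidFromDateTime"

function Get-TargetUsers {
    if ($UserPrincipalName) {
        foreach ($upn in $UserPrincipalName) { Get-MgUser -UserId $upn -Property $props }
    } else {
        # Bulk mode: enabled users with no SignInSessionsValidFromDateTime value.
        Get-MgUser -All -Property $props |
            Where-Object { $_.AccountEnabled -and $null -eq $_.SignInSessionsValidFromDateTime }
    }
}

$targets = @(Get-TargetUsers)
if ($targets.Count -eq 0) {
    Write-Host "No users with a null SignInSessionsValidFromDateTime were found."
    return
}

# Record who will be touched before changing anything (assumption: folder may not exist yet).
New-Item -ItemType Directory -Path (Split-Path -Parent $ReportPath) -Force | Out-Null
$targets |
    Select-Object UserPrincipalName,
        @{ Name = "LicenseCount"; Expression = { $_.AssignedLicenses.Count } },
        SignInSessionsValidFromDateTime |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} user(s) written to {1}" -f $targets.Count, $ReportPath)

foreach ($u in $targets) {
    # With -WhatIf this only prints the intended action. Without it, the user's refresh
    # tokens are revoked and they must sign in once more on every device.
    if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Revoke-MgUserSignInSession")) {
        Revoke-MgUserSignInSession -UserId $u.Id | Out-Null

        # Re-read the user and confirm the timestamp (UTC) is now populated.
        $after = Get-MgUser -UserId $u.Id -Property UserPrincipalName, SignInSessionsValidFromDateTime
        if ($after.SignInSessionsValidFromDateTime) {
            Write-Host ("{0}: SignInSessionsValidFromDateTime is now {1:u}" -f
                $after.UserPrincipalName, $after.SignInSessionsValidFromDateTime)
        } else {
            Write-Warning ("{0}: timestamp still null after revoke; re-check this user manually" -f
                $after.UserPrincipalName)
        }
    }
}
```

Run it once with -WhatIf and review the exported CSV before running it for real: the revoke is safe but disruptive, since every listed user is signed out of all sessions at once, so a bulk run is best scheduled outside working hours.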
