This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 79%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECJ%3C/text%3E%3C/svg%3E)
Hi,
Recently, we wanted to onboard users using Autopilot. Initially, we planned to use Hybrid Join instead of Entra Join. However, due to its complexity, we opted for Entra Join instead.
Our organization primarily relies on an on-premises server to grant access to shared drives, and most user accounts are created on this server. We have set up Azure AD Connect to synchronize existing on-premises objects with the cloud. For cloud sign-ins, we use DUO mfa, which is configured on our ADFS server.
Here's what happened:
However, after some time, when I locked the screen and tried to log back in, I received a "password is incorrect" error.
Interestingly, when I logged in using my Global Administrator account, I was able to access the device without any issues. Checking Settings > Accounts confirmed that the device was joined to the Entra ID domain but with the current admin credentials. The previous user credential, completely vanished. To test, I then locked the device and successfully unlocked it without encountering any errors from the admin account. I tried to log into the previous user credentials but it said "username or password is incorrect". I swear the credentials I entered is correct, i checked both the UPN on AD and Entra.
Despite this, I am still unable to log in with the original user account that was used during onboarding. The account appears in the Entra Admin Center when I search for users, but I just can't sign in with it on the device.
Can anyone help me understand what might be causing this issue? Your assistance would be greatly appreciated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Chadwick Jerington, Thanks for posting in Q&A. For Microsoft Entra joined device, it can allow any Microsoft Entra user to login. From the information you provided, I know global administrator can login successfully. But the user UPN can't login with "password incorrect error". I think the issue is with the user account.
To double confirm with this, please login the affected user account to Intune portal or Microsoft Entra portal to see if it will get the same error.
If it is failed, then please check the following information:
1, Check Account Synchronization: Ensure that the user account is properly synchronized between your on-premises AD and Entra ID. Sometimes, synchronization issues can cause login problems. You can verify this by checking the synchronization status in Azure AD Connect.
2, Check Password Hash Synchronization: Make sure that password hash synchronization is enabled and functioning correctly. If the password hashes are not synchronized, the user might not be able to log in
3, ADFS Configuration: Since you're using ADFS for federation, ensure that the ADFS configuration is correct and that the user account is allowed to authenticate via ADFS. Sometimes, issues with ADFS can cause login problems.
4, Account Lockout: Ensure that the user account is not locked out. This can happen if there are multiple failed login attempts
Please check the above information and if there's any update, feel free to let us know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
pls refer the comment below
@Crystal-MSFT Thanks for responding quickly. I was able to log into both Intune and the Entra admin portal using that user account.
Yesterday, I did some testing by trying to add the user account to the device and removing the Global admin account. I attempted to remove the existing Global admin account, and it prompted me to create a local administrator account. So I created a local admin account and then removed the global admin account from the device.
After restarting the computer, I logged in using the local administrator account. I then added the user account again, and the device showed as Entra-joined with the email account listed. I successfully added the user account to the device. When I clicked "Sync," it got synced and showed a message to switch users since the user account had been added to the device. I clicked the profile icon and selected "Switch User," but only the local administrator account appeared under "Users," with "Other Users" listed below.
I clicked "Other User" and entered the UPN and password again, but it still displayed "Username or password is incorrect." I also tried different username formats, such as “[******@domain.com]” and “.\xxxxx,” but nothing worked so far.. (FYI, currently I'm testing this on a VM in Hyper-v and the OS is Windows 11 pro, Version : Win 11_24_H2)
@Chadwick Jerington, Thanks for the reply. To login Microsoft Entra user account, based as I know, we use the format "AzureAd******@domain.com". Please try this to see if it can work.
@Crystal-MSFT I still can't log in. After investigating, I found that the issue is related to the PRT (Primary Refresh Token).
Cloud user accounts don’t face any difficulties logging in because they authenticate with Entra ID with Azure PRT and their credentials gets cached on the device. However, for Hybrid user accounts, we have DUO MFA enabled. So, even though they log in using their cloud identity, the Azure PRT token doesn’t match the PRT token on the ADFS server. I believe this mismatch is causing the issue.
Do you have a fix for this? I’m not sure how to troubleshoot it. Any guidance would be appreciated.
@Crystal-MSFT I found the issue.
I checked the user's Authentication Methods and discovered that it was set to Windows Hello, which is why the account didn’t authenticate with DUO MFA. Additionally, the Proxy Address (SMTP) was set to a different address, so I corrected it on the Domain Controller.
After that, I assigned the device to a user in Intune under Devices > Enrollment > Windows Autopilot Devices. We also enabled PHS on AD Connect.
By fixing all these issues, I was able to successfully log in to the Autopilot device using the Hybrid Entra user account.