This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
–> Identify the core security features of Microsoft 365 services
–> Identify the appropriate tools to troubleshoot common sign-in issues (multifactor authentication [MFA], conditional access, and risky sign-ins)
Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub’s main page below the exam topics section.
Introduction
Identity security is one of the foundations of Microsoft 365. Users depend on secure and reliable access to services such as Outlook, Teams, SharePoint, OneDrive, and Microsoft 365 Copilot. When users cannot sign in, administrators must determine the cause and resolve the issue quickly.
Microsoft provides several tools within Microsoft Entra, Microsoft 365, and Microsoft Defender to diagnose and troubleshoot sign-in problems related to:
- Multi-Factor Authentication (MFA)
- Conditional Access policies
- Risky sign-ins
- Identity Protection alerts
- Account lockouts
- Authentication failures
For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, you should understand which tools are used to investigate and resolve these common issues.
Common Causes of Sign-In Problems
Users may experience sign-in failures because of:
- Incorrect passwords
- Expired credentials
- Multi-Factor Authentication failures
- Conditional Access policies
- Blocked locations
- Device compliance requirements
- Risky sign-ins detected by Microsoft Entra
- Account lockouts
- Disabled user accounts
Troubleshooting begins by identifying which security control is preventing access.
Microsoft Entra Admin Center
The Microsoft Entra admin center is the primary location for troubleshooting identity-related problems.
Administrators can:
- View users and groups.
- Reset passwords.
- Review authentication methods.
- Investigate sign-in activity.
- Examine Conditional Access policies.
- Review risky users and risky sign-ins.
Many sign-in investigations begin here.
Sign-In Logs
One of the most important troubleshooting tools is the Sign-In Logs page in Microsoft Entra.
Sign-in logs provide information such as:
- User account involved
- Time of sign-in attempt
- Success or failure status
- IP address
- Location
- Device information
- Authentication method used
- Applications being accessed
- Conditional Access results
Example
A user reports they cannot access Teams.
The sign-in log may show:
Failure reason: Conditional Access policy requires a compliant device.
This immediately points administrators toward the root cause.
Authentication Methods
Administrators can review a user’s configured authentication methods.
Examples include:
- Microsoft Authenticator app
- SMS verification
- Phone calls
- FIDO2 security keys
- Passkeys
Problems may occur if:
- A user changes phones.
- The Authenticator app is deleted.
- Authentication methods are not registered.
Administrators can help users re-register their methods if necessary.
Troubleshooting Multi-Factor Authentication (MFA)
MFA issues commonly involve:
Missing Registration
The user never enrolled in MFA.
Lost Device
The user replaced or lost their phone.
Notification Problems
Push notifications are not being received.
Incorrect Verification Method
The user is attempting to use an outdated authentication method.
Blocked Authentication
Security policies may prevent certain authentication methods.
Authentication Methods Policy
Administrators can review authentication method policies to verify:
- Which methods are allowed.
- Which users are targeted.
- Whether a method has been disabled.
If SMS authentication has been disabled, users relying on text messages may be unable to complete MFA.
Conditional Access Troubleshooting
Conditional Access policies are a common source of access problems.
Examples include:
- Requiring MFA
- Blocking certain countries
- Requiring compliant devices
- Restricting specific applications
A user may have valid credentials but still be denied access because a policy condition is not satisfied.
Conditional Access Insights
The Conditional Access tab in sign-in logs helps administrators understand:
- Which policies were evaluated.
- Which policies applied.
- Why access was granted or denied.
Example
The log may indicate:
Access blocked because device is not compliant.
This allows administrators to identify the exact policy causing the issue.
What-If Tool
The Conditional Access What-If tool allows administrators to simulate access scenarios.
Administrators can test:
- User identity
- Device platform
- Location
- Application
The tool predicts which policies would apply without affecting production users.
This is extremely helpful when diagnosing policy conflicts.
Risky Sign-Ins
Microsoft Entra Identity Protection analyzes sign-in behavior and detects suspicious activity.
Examples include:
- Impossible travel
- Anonymous IP addresses
- Malware-linked addresses
- Unfamiliar locations
A sign-in may be blocked even when the password is correct.
Risky Users
A user may be flagged as risky because:
- Credentials were leaked.
- Suspicious activity was detected.
- Malware activity was associated with the account.
Risk levels include:
- Low
- Medium
- High
Administrators can review and remediate risky users.
Identity Protection Dashboard
The Identity Protection dashboard helps administrators investigate:
- Risky users
- Risky sign-ins
- Risk detections
Administrators can:
- Confirm compromise.
- Dismiss false positives.
- Require password resets.
- Restore access.
Password Reset Tools
Users who forget passwords can use:
Self-Service Password Reset (SSPR)
Allows users to reset passwords without contacting IT.
Benefits include:
- Faster recovery
- Reduced help desk workload
- Improved productivity
Administrators can also manually reset passwords when necessary.
Account Status
Administrators should verify whether:
- The account is enabled.
- The user license is assigned.
- The account has been deleted.
- Sign-in is blocked.
Sometimes the simplest explanation is the correct one.
Device Compliance Issues
Conditional Access often integrates with Microsoft Intune.
Users may be blocked because:
- Device encryption is disabled.
- Operating systems are outdated.
- Antivirus requirements are unmet.
- Devices are unmanaged.
Administrators can review compliance status in Intune.
Common Troubleshooting Workflow
Step 1: Verify User Account
- Is the account active?
- Is the correct license assigned?
Step 2: Review Sign-In Logs
- Determine why authentication failed.
Step 3: Check MFA
- Verify authentication methods.
Step 4: Review Conditional Access
- Identify policies that blocked access.
Step 5: Review Risk Detections
- Investigate risky users or risky sign-ins.
Step 6: Remediate
- Reset password.
- Re-register MFA.
- Update device compliance.
- Modify policy if appropriate.
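The workflow above, applied to exported sign-in log records, as an added example that is not part of the original post. The records are constructed samples that use field names from the Microsoft Graph signIn resource; the `triage` function and its mapping of error codes to workflow steps are assumptions made for illustration.

```python
import json

# Constructed sample records (Graph signIn shape); users and policy names are invented.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alex@example.com", "appDisplayName": "Microsoft Teams",
  "status": {"errorCode": 53000, "failureReason": "Device is not compliant."},
  "conditionalAccessStatus": "failure", "riskLevelDuringSignIn": "none",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require compliant device", "result": "failure"},
    {"displayName": "Require MFA", "result": "success"}]},
 {"userPrincipalName": "sam@example.com", "appDisplayName": "Microsoft 365 Copilot",
  "status": {"errorCode": 500121,
             "failureReason": "Authentication failed during strong authentication request."},
  "conditionalAccessStatus": "success", "riskLevelDuringSignIn": "none",
  "appliedConditionalAccessPolicies": []},
 {"userPrincipalName": "kim@example.com", "appDisplayName": "Outlook",
  "status": {"errorCode": 53003, "failureReason": "Access blocked by Conditional Access."},
  "conditionalAccessStatus": "failure", "riskLevelDuringSignIn": "high",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Block high-risk sign-ins", "result": "failure"}]},
 {"userPrincipalName": "lee@example.com", "appDisplayName": "SharePoint",
  "status": {"errorCode": 50057, "failureReason": "The user account is disabled."},
  "conditionalAccessStatus": "notApplied", "riskLevelDuringSignIn": "none",
  "appliedConditionalAccessPolicies": []}
]""")

ACCOUNT_CODES = {50053: "account locked", 50057: "account disabled"}  # Step 1 causes
MFA_CODES = {50074, 50076, 500121}  # MFA was required or was not completed

def triage(rec):
    """Map one sign-in record to the workflow steps worth checking."""
    code = rec["status"]["errorCode"]
    if code == 0:  # errorCode 0 means the sign-in succeeded
        return []
    steps = []
    if code in ACCOUNT_CODES:
        steps.append("Step 1: account - " + ACCOUNT_CODES[code])
    if code in MFA_CODES:
        steps.append("Step 3: MFA - " + rec["status"]["failureReason"])
    blocked = [p["displayName"] for p in rec.get("appliedConditionalAccessPolicies", [])
               if p["result"] == "failure"]
    if blocked or rec.get("conditionalAccessStatus") == "failure":
        steps.append("Step 4: Conditional Access - " + (", ".join(blocked) or "policy not listed"))
    if rec.get("riskLevelDuringSignIn") in ("low", "medium", "high"):
        steps.append("Step 5: risk - " + rec["riskLevelDuringSignIn"])
    return steps or ["Step 2: read failure reason - " + rec["status"].get("failureReason", "")]

if __name__ == "__main__":
    for r in SAMPLE_SIGNINS:
        print(r["userPrincipalName"], r["appDisplayName"], triage(r))
```

A record can map to more than one step: the third sample is blocked by a Conditional Access policy and also carries a high sign-in risk, so both Step 4 and Step 5 are returned.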
Microsoft 365 Copilot Sign-In Issues
Microsoft 365 Copilot uses the same identity infrastructure as Microsoft 365.
Therefore, problems involving:
- MFA
- Conditional Access
- User permissions
- Risky sign-ins
can also affect access to Copilot.
Copilot does not bypass Microsoft Entra security controls.
Best Practices
Enable Self-Service Password Reset
Reduce support calls and improve user productivity.
Require MFA
Protect accounts from password theft.
Review Sign-In Logs First
They often reveal the root cause quickly.
Test Policies Before Deployment
Use the What-If tool to avoid accidental lockouts.
Monitor Risk Detections
Respond quickly to compromised accounts.
Apply Least Privilege
Avoid overly broad permissions and exceptions.
Exam Tips
Remember these AB-900 concepts:
- The Microsoft Entra admin center is the primary identity troubleshooting portal.
- Sign-in logs provide detailed authentication information.
- MFA problems often involve authentication methods.
- Conditional Access policies can block otherwise valid sign-ins.
- The What-If tool simulates policy results.
- Risky sign-ins are detected by Identity Protection.
- Risky users may require password resets.
- Self-Service Password Reset helps users recover accounts.
- Device compliance can affect access.
- Microsoft 365 Copilot relies on the same identity controls as Microsoft 365.
Practice Exam Questions
Question 1
A user reports they cannot access Microsoft Teams even though their password is correct. Which tool should an administrator review first?
A. Microsoft Planner
B. SharePoint recycle bin
C. Exchange message trace
D. Sign-in logs in Microsoft Entra
Correct Answer: D
Explanation: Sign-in logs provide details about authentication attempts and often reveal the reason access failed.
Question 2
Which Microsoft portal is the primary location for investigating identity-related sign-in problems?
A. SharePoint admin center
B. Microsoft Entra admin center
C. Teams admin center
D. Exchange admin center
Correct Answer: B
Explanation: Microsoft Entra provides identity management and troubleshooting capabilities.
Question 3
A user receives an MFA prompt but no longer has their old phone. Which area should an administrator review?
A. Distribution groups
B. Shared mailboxes
C. Authentication methods
D. Mail flow rules
Correct Answer: C
Explanation: Authentication methods determine which MFA options are available to users.
Question 4
Which feature allows administrators to simulate how Conditional Access policies would affect a user?
A. Risk detections dashboard
B. Sign-in diagnostics
C. Password reset portal
D. Conditional Access What-If tool
Correct Answer: D
Explanation: The What-If tool predicts policy outcomes without affecting users.
Question 5
Which Microsoft capability identifies suspicious activities such as impossible travel?
A. Exchange Online Protection
B. Microsoft Lists
C. Identity Protection
D. SharePoint Syntex
Correct Answer: C
Explanation: Identity Protection analyzes sign-in behavior and detects potential compromises.
Question 6
A sign-in log shows that access was denied because the device is not compliant. Which Microsoft service commonly provides compliance information?
A. Microsoft Intune
B. Outlook
C. Planner
D. Word
Correct Answer: A
Explanation: Intune manages devices and reports compliance status used by Conditional Access.
Question 7
Which feature allows users to reset their own passwords without contacting IT?
A. Password Protection
B. Self-Service Password Reset (SSPR)
C. Secure Score
D. Message Encryption
Correct Answer: B
Explanation: SSPR enables users to recover access independently.
Question 8
Which information can administrators view in sign-in logs?
A. Printer serial numbers
B. Monitor resolutions
C. CPU temperatures
D. Authentication success or failure details
Correct Answer: D
Explanation: Sign-in logs contain information about sign-in attempts and their outcomes.
Question 9
Which type of event may cause Microsoft Entra to classify a sign-in as risky?
A. Impossible travel between locations
B. A full mailbox
C. Duplicate Teams channels
D. Deleted SharePoint folders
Correct Answer: A
Explanation: Impossible travel is one of the risk signals analyzed by Identity Protection.
Question 10
How are Microsoft 365 Copilot sign-in problems typically investigated?
A. Copilot uses a separate identity system.
B. Copilot bypasses Conditional Access.
C. Copilot relies on the same Microsoft Entra identity controls as Microsoft 365.
D. Copilot does not use MFA.
Correct Answer: C
Explanation: Copilot uses the same authentication and security infrastructure as other Microsoft 365 services.
