No EntraID configuration answers were given or referred to
Windows setup windows 11 Pro and using a work account. Upon reboot unable to login using email account
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 45%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
Mick Alvey
0
Reputation points
Windows password and authentication errors. I by passed the authentication method and then rebooted the computer. Screen comes up with workstation name and a password prompt which does not work. Setup computer using a corporate work email account.
We have an unconfigured AZURE AD account too, but this shouldn't make a difference?
Baffled - RESET computer three times and same every time. won't log into account after restart
says wrong password. I bypassed the forced authentication methods offered of auth app, hardware key, facial recognition/PIN, but actually no PIN option works or id offered for setting. This process just goes around in a circle offering the same options. Phone auth is not acceptable because different people use this workstation and this applies to the auth app instance as well, because different people and phones would be used. I need to be able to use just the email account login
Any advice here - this is a show stopper
We had been using standalone personal HOME setups previously and have just converted to Win 11 Prof...now the problems have started...no AD or windows server setup yet, But AZURE account was registered...
Windows for business | Windows Client for IT Pros | User experience | Other
2 answers
Sort by: Most helpful
-
Q&A Assist2026-04-07T17:04:56.37+00:00 AI generated content. This question contains an answer created with AI from Q&A Assist. Learn moreFor a Windows 11 Pro device set up with a work account (Microsoft Entra/Azure AD) and then stuck at sign-in with “wrong password” and looping MFA options, there are two separate issues to handle:
- Regaining access to the device so it can be used.
- Choosing a sign-in model that works for a shared workstation without per‑user phone-based MFA.
Below are concrete steps based only on supported Windows and Microsoft Entra behavior.
1. Regain access to the device
Because the device is joined to a work account and MFA options were bypassed, repeated failed attempts can trigger Microsoft Entra multifactor authentication protections.
Microsoft Entra multifactor authentication:
- Detects unusual activity such as repeated sign-in attempts.
- May temporarily block additional attempts to protect the account.
Actions:
- Stop repeated attempts briefly
If there have been many failed sign-ins in a short time, wait before trying again. This reduces the chance that additional attempts are being blocked by Microsoft Entra MFA protections. - Try a different sign-in method if available
If the account has more than one MFA method configured (for example, phone call, SMS, or another method), use that alternative method when prompted. The documentation explicitly recommends switching MFA methods when one method is blocked or not working. - Use Windows sign-in troubleshooting if the password itself is not accepted
If Windows says the password is wrong even though the correct work account password is being entered, use the general Windows sign-in troubleshooting flow:- Restart the device fully.
- If still blocked, follow the guidance in Troubleshoot Problems Signing In to Windows:
- Use the password (not PIN/Hello) when possible.
- If Safe Mode sign-in is needed:
- From the sign-in screen, select Power > Restart while holding Shift.
- Choose Troubleshoot > Advanced options > Startup Settings > Restart.
- Select option 5 (Safe Mode with Networking) and sign in with the password.
Safe Mode uses only basic drivers and default settings and can help confirm whether the issue is caused by security software or configuration.
- If still unable to sign in
At this point, the situation is no longer just a local Windows issue; it is tied to the organization’s Microsoft Entra configuration. The documentation for two-step verification explicitly states:- If sign-in fails after multiple attempts and MFA is involved, the IT administrator must review Microsoft Entra sign-in logs and MFA settings.
- The error could be caused by malicious activity, misconfigured MFA settings, or other factors.
- Check Microsoft Entra sign-in logs for the affected user and device.
- Confirm whether the account is being blocked or challenged by conditional access or MFA policies.
- Unblock or adjust policies as needed.
If access is urgently needed and there is no way to sign in with the current work account, the admin can temporarily:
- Create a local administrator account during or after reset, and use that to sign in and configure the device.
- Then re-join or reconfigure the work account once policies are clarified.
2. Fix the sign-in model for a shared workstation
The described scenario is a shared workstation with multiple users and no dedicated phone or Authenticator app per user. The current configuration (work account with enforced MFA methods like phone, Authenticator app, or Windows Hello) is not aligned with that usage.
Key points from the documentation:
- For work or school accounts with two-step verification, if sign-in fails repeatedly or MFA is misconfigured, only the organization’s IT admin can properly investigate and fix it by reviewing Microsoft Entra sign-in logs and MFA settings.
- The guidance explicitly says to contact the IT administrator or Help desk when sign-in issues persist after trying the basic steps.
For a shared workstation, the IT admin needs to decide and configure one of these supported patterns:
- Use individual work accounts, each with their own MFA
- Each user signs in with their own work account and their own MFA method.
- This is the most secure and standard approach but requires each user to have a valid MFA method (phone, app, etc.).
- Use local accounts (or a shared local account) plus work account in apps only
- Sign in to Windows with a local account (no MFA), then sign in to Microsoft 365/Edge/Office apps with work accounts as needed.
- This avoids tying the Windows sign-in itself to MFA, which can be simpler for shared devices, but is less integrated with Microsoft Entra device management.
- Configure Microsoft Entra and MFA policies specifically for shared devices
- The admin can adjust conditional access and MFA requirements so that shared devices are treated differently (for example, not requiring per-user phone-based MFA at Windows sign-in, depending on organizational policy).
- Any such change must be done by the IT admin in Microsoft Entra; it cannot be bypassed from the device.
Because the question explicitly states that phone-based MFA and per-user Authenticator app are not acceptable, the only sustainable fix is for the organization’s IT admin to:
- Review and adjust Microsoft Entra MFA and device-join policies so that they match the intended shared-use scenario.
- Decide whether Windows sign-in should be:
- Per-user work account with MFA, or
- Local account with work accounts used only inside apps.
Until that is done, the device will continue to enforce the current MFA and Windows Hello requirements, and bypassing them will either fail or cause repeated sign-in loops.
3. When to escalate
Escalation to the organization’s Help desk or IT admin is required when:
- Sign-in fails after multiple attempts and MFA is involved.
- The device is joined to a work/school account and policies are enforced from Microsoft Entra.
- The sign-in model (shared workstation without per-user MFA) conflicts with current policies.
The official guidance is:
- If sign-in problems persist after trying the basic steps and alternative MFA methods, contact the organization’s Help desk.
- Admins should review Microsoft Entra sign-in logs and MFA configuration, and adjust as needed.
References: