This article provides a comprehensive guide to resolving user profile mismatch issues in Azure Active Directory (Azure AD) environments. It focuses on scenarios where a username change in Azure AD leads to sign-in problems on Azure AD-joined devices, offering step-by-step instructions to diagnose and fix the issue while maintaining device compliance with Intune policies.
Overview
When a user's username (User Principal Name or UPN) is updated in Azure AD, it can cause a mismatch between the local user profile on a device and the updated Azure AD account. This mismatch often results in sign-in failures or device compliance issues. This guide outlines a process to reassign the local profile to the updated username using tools like ProfWizard by ForensIT, verify the fix, and ensure continued Intune compliance.
Prerequisites
- Administrative access to the affected device via a local admin account.
- Access to the Microsoft 365 admin center or Azure AD portal with user and device management permissions.
- ProfWizard by ForensIT installed on the device or available as a portable tool.
- PowerShell (version 5.1 or later recommended) with the AzureAD module installed.
- An active internet connection for Azure AD and Intune interactions.
Issue Description
A common issue in Azure AD environments occurs when a username is changed (e.g., due to a typo correction or rebranding), but the local profile on an Azure AD-joined device retains the old username. This mismatch can prevent users from signing in with their updated credentials, disrupt device compliance in Intune, or cause authentication errors.
Symptoms
- Inability to sign in with the updated Azure AD username.
- Sign-in attempts stalling at the "welcome" screen.
- Temporary sign-in success with the old username, followed by failures after updates or reboots.
- Intune reporting device compliance errors.
Affected Systems
- Windows 10 or Windows 11 devices joined to Azure AD.
- Devices managed by Intune with active compliance policies.
- Systems where the Azure AD username was modified after initial device setup.
Resolution Steps
- Verify the Username in Azure AD: Log in to the Microsoft 365 admin center or Azure AD portal. Navigate to Users > Active Users, locate the affected user, and confirm their updated email and User Principal Name (UPN). Take note of the new username for later use.
- Check the Local Profile: Sign in to the device with a local admin account. Open File Explorer and go to C:\Users. Identify the folder name tied to the old username and confirm it doesn't match the updated Azure AD username.
- Reassign the Profile with ProfWizard: Launch ProfWizard with admin privileges. Select the local computer, choose the profile linked to the old username, and update the "User Account Information" section: set the domain to your Azure AD tenant, check the Azure AD box, and input the updated username. Ensure Join Domain is selected if applicable. Run the migration and restart the device.
- Generate User Data for ProfWizard: Download the Save-AzureADUser.ps1 script from ForensIT's GitHub repository. In an elevated PowerShell session, navigate to the script directory and run: .\Save-AzureADUser.ps1 Sign in with an Azure AD account that can read user data. The script generates ForensITAzureID.xml, which ProfWizard uses to map users correctly.
- Test the Sign-in: Sign out of the admin account and attempt to sign in with the updated Azure AD username and password. If unsuccessful, check the Event Viewer under "User Device Registration" for error details.
- Verify Intune Enrollment and Compliance: In the Microsoft Endpoint Manager admin center, go to Devices > Windows, select the device, and confirm its enrollment and compliance status. Force a sync from the device if needed via Settings > Accounts > Access work or school > Info > Sync.
Additional Information
- The local profile folder name (e.g., C:\Users\OldName) may not change after reassignment. ProfWizard can rename it, but this might impact applications tied to the original path.
- Confirm the device remains Azure AD-joined in Settings > Accounts > Access work or school.
- Review Conditional Access policies in Azure AD if sign-in issues persist, as they may restrict access.
Troubleshooting Tips
- If ForensITAzureID.xml isn't generated, verify PowerShell execution policies and the AzureAD module installation.
- Run dsregcmd /status in a command prompt to check Azure AD join status and Primary Refresh Token (PRT) issuance.
- For ongoing Intune compliance issues, ensure policies are correctly assigned and configured in the admin center.
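As an added example (not part of the original article or of ForensIT's tooling), the following PowerShell script automates the "Check the Local Profile" step and the dsregcmd /status tip: it reports the device's Azure AD join and PRT state and lists each Azure AD profile on the device whose cached UPN does not match the updated UPN. It assumes the new UPN is passed as -ExpectedUpn, that it runs in an elevated session, and that the IdentityStore cache key it reads is populated only for Azure AD accounts that have signed in on the device.

```powershell
# Added example, not from the original article or ForensIT. Run elevated:
#   .\Check-ProfileMismatch.ps1 -ExpectedUpn first.last@contoso.com   (placeholder UPN)
param([Parameter(Mandatory = $true)][string]$ExpectedUpn)   # assumption: the updated UPN

function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $status[$matches[1]] = $matches[2] }
    }
    return $status
}

function Get-AzureAdProfileReport {
    param([string]$Upn)
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($key in Get-ChildItem $profileList) {
        $sid = $key.PSChildName
        # Azure AD accounts carry S-1-12-1-... SIDs; built-in and local accounts are skipped.
        if ($sid -notlike 'S-1-12-1-*') { continue }
        $path  = (Get-ItemProperty $key.PSPath).ProfileImagePath
        # Assumption: the cached identity for a signed-in Azure AD user lives here, with UserName = UPN.
        $cache = "HKLM:\SOFTWARE\Microsoft\IdentityStore\Cache\$sid\IdentityCache\$sid"
        $cachedUpn = if (Test-Path $cache) { (Get-ItemProperty $cache).UserName } else { $null }
        $state = 'UNKNOWN (no cached identity)'
        if ($cachedUpn) { $state = if ($cachedUpn -ieq $Upn) { 'MATCH' } else { 'MISMATCH' } }
        [pscustomobject]@{ Sid = $sid; ProfilePath = $path; CachedUpn = $cachedUpn; State = $state }
    }
}

$s = Get-DsregStatus
"AzureAdJoined : $($s['AzureAdJoined'])   AzureAdPrt : $($s['AzureAdPrt'])"
if ($s['AzureAdJoined'] -ne 'YES') { Write-Warning 'Device is not Azure AD-joined; reassigning the profile will not help until it is.' }
if ($s['AzureAdPrt'] -ne 'YES')    { Write-Warning 'No Primary Refresh Token for this session; Azure AD sign-in will fail until one is issued.' }

# A MISMATCH row whose ProfilePath is the old C:\Users\<OldName> folder is the profile to reassign.
Get-AzureAdProfileReport -Upn $ExpectedUpn | Format-Table -AutoSize
```

A .bak suffix on a ProfileList key (for example from a failed earlier migration) also shows up as UNKNOWN here, which is worth resolving before running ProfWizard.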