Additional Microsoft Entra services and features related to identity, access, and network security
Hi Kristin,
Since this affects only specific users and not all accounts, the loop is almost certainly being driven by a Conditional Access policy that applies to those users but not others, or a difference in how those users' authentication methods are registered.
When the OTP is accepted but the user is sent back to sign-in, it typically means Entra completed one authentication step but a policy requirement was not satisfied — so the auth flow restarts rather than completing.
Here is how to diagnose this from the admin side:
Step 1 — Check the sign-in logs for an affected user.
In the Entra admin center go to Monitoring and health, then Sign-in logs. Filter by one of the affected users and look at the sign-in attempts from the time of the loop. Click into each entry and open the Conditional Access tab. This will show you every policy that evaluated, whether it passed or failed, and why. A policy showing as Failure or Not satisfied is likely the cause.
Step 2 — Look for policy differences between affected and unaffected users.
Since only specific accounts are impacted, check whether the affected users share any common group membership, license, or department attribute that might place them under a different Conditional Access policy. Pay particular attention to policies that set Authentication strength, Device compliance requirements, or Sign-in frequency set to Every time — any of these can create a loop if the user cannot satisfy the requirement after OTP.
Step 3 — Check per-user MFA state.
If legacy per-user MFA is enabled for some accounts and Conditional Access MFA is also in play, conflicts between the two can cause re-authentication loops. In the Entra admin center go to Users, search for an affected user, and check their Multi-Factor Authentication status. If they show as Enforced under the legacy setting while CA is also enforcing MFA, there can be state conflicts. Microsoft recommends disabling per-user MFA when using Conditional Access MFA.
Step 4 — Check the affected users' registered authentication methods.
Go to the Entra admin center, open the affected user, and select Authentication methods. Verify they have methods registered that actually satisfy the policy requiring OTP. If a policy requires a specific authentication strength (for example phishing-resistant MFA) and the user only has email OTP registered, the loop will persist because OTP does not satisfy that strength requirement.
Step 5 — Rule out browser and cookie issues.
Ask an affected user to try signing in using InPrivate or Incognito mode in their browser. Some browsers block third-party cookies by default and Entra relies on cookies to maintain session state across authentication steps. If the loop resolves in private mode, the issue is cookie or cached session related and clearing browser data will fix it for that user.
The Conditional Access What If tool (in the Entra admin center under Conditional Access) is also useful — run it for an affected user vs a working user with the same app and conditions, and compare which policies apply. That will surface any policy targeting difference quickly.
I hope that helps.
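Steps 1 and 2 above compare which Conditional Access policies evaluated differently for an affected and a working user. The following added example (not part of the answer above) does that comparison offline over sign-in logs exported as JSON in the Microsoft Graph signIn schema; the user names, policy names and results are constructed sample data.

```python
import json
from collections import Counter

# Constructed sample in the Graph signIn schema, as exported from the Entra
# sign-in logs (Monitoring and health > Sign-in logs > Download > JSON).
# Users, policy names and outcomes are made up for illustration.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "affected@contoso.example",
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require phishing-resistant MFA", "result": "failure",
          "enforcedGrantControls": ["AuthenticationStrength"]},
         {"displayName": "Block legacy authentication", "result": "notApplied"}]},
    {"userPrincipalName": "working@contoso.example",
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require phishing-resistant MFA", "result": "notApplied"},
         {"displayName": "Block legacy authentication", "result": "notApplied"}]},
])

# Policy results that mean the grant/session requirement was not satisfied.
FAILED = {"failure", "reportOnlyFailure", "reportOnlyInterrupted"}


def load_signins(text):
    """Parse an exported sign-in log (JSON array of signIn objects)."""
    return json.loads(text)


def policy_results(signins, upn):
    """Map each policy name to a Counter of its results across one user's sign-ins."""
    results = {}
    for entry in signins:
        if entry.get("userPrincipalName", "").lower() != upn.lower():
            continue
        for policy in entry.get("appliedConditionalAccessPolicies", []):
            results.setdefault(policy["displayName"], Counter())[policy["result"]] += 1
    return results


def diff_policies(signins, affected_upn, working_upn):
    """Policies that failed for the affected user or evaluated differently for
    the working user: the candidates driving the re-authentication loop."""
    affected, working = policy_results(signins, affected_upn), policy_results(signins, working_upn)
    suspects = []
    for name in sorted(set(affected) | set(working)):
        a, w = affected.get(name, Counter()), working.get(name, Counter())
        if a != w or set(a) & FAILED:
            suspects.append((name, dict(a), dict(w)))
    return suspects


if __name__ == "__main__":
    for name, a, w in diff_policies(load_signins(SAMPLE_SIGNINS),
                                    "affected@contoso.example", "working@contoso.example"):
        print(f"{name}: affected={a} working={w}")
```

Point it at a real export by replacing SAMPLE_SIGNINS with the file contents; any policy listed with a failure result for the affected user is where to look first, then check its grant controls against the user's registered authentication methods (Step 4).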