Common issues when using Office 365 (Entra) for authentication with Microix Workflow Modules

Creation date: 9/30/2025 1:24 PM    Updated: 10/1/2025 8:58 AM    entra login office365 signin

This article covers a common issue when integrating third-party applications (Microix Workflow Modules) with Office 365 / Microsoft Entra ID (formerly Azure AD) authentication. If some users can log in while others cannot, it’s almost always due to differences in permissions, user configurations, or consent scopes. Here’s a detailed breakdown of possible causes:


🔑 1. Consent and Permission Scopes

  • Issue: Microix requires users to grant specific permissions (e.g., “Read user profile”, “Sign in and read user profile”). If one user has granted consent but others haven’t, the others will see an error.

  • Fix:

    • Have an Azure admin grant consent to the Microix Workflow Modules Modern app on behalf of all users:

      1. Go to Azure Portal → Entra ID → Enterprise Applications.

      2. Select the app "Microix Workflow Modules Modern".

      3. Under Permissions, choose “Grant admin consent for all users”.

    • Check if the error mentions missing permissions (like AADSTS65001 or invalid_client).


👤 2. User Account Type and Licensing

  • Issue: Some users might have accounts not licensed for Microsoft 365, or they belong to a different directory (e.g., guest users, personal Microsoft accounts).

  • Fix:

    • Confirm users are signing in with work accounts (@yourcompany.com) and not personal Outlook/Hotmail accounts.

    • Check if the user exists in the same Entra directory.

    • Ensure users have valid Microsoft 365 licenses assigned.


🧱 3. Conditional Access or MFA Policies

  • Issue: Conditional access or MFA (multi-factor authentication) might block the app for certain users or conditions (like unmanaged devices or external networks).

  • Fix:

    • Check Azure → Conditional Access Policies.

    • Look for policies targeting the app or specific users/groups.

    • Test whether affected users can sign in via another device/network.


🔒 4. Tenant Restrictions and External App Access

  • Issue: Your organization might restrict sign-in to apps not approved by IT.

  • Fix:

    • Go to Entra ID → Enterprise Applications → User Settings.

    • Check whether “Users can consent to third-party apps” is enabled.

    • If disabled, only admins can approve third-party apps.


✅ Recommended Next Steps

  1. Gather the exact error message or code
    Ask one affected user to provide the full error message or code (e.g., AADSTSxxxx). This will help identify whether the issue is related to permissions, tenant configuration, or conditional access.

  2. Compare user account settings
    Check the affected user’s account against one that works successfully. Pay attention to:

    • Domain: Is the user in the same domain (e.g., @microix.net)?

    • License: Do they have the same Microsoft 365 license assigned?

    • Group Membership: Are they part of the same Azure AD groups or access policies?

  3. Verify admin consent for the application
    Confirm that admin consent has been granted for the app within Azure AD. Without this, some users may be unable to authenticate.

  4. Review Conditional Access and Sign-in Logs
    In the Azure Portal → Entra ID → Sign-in Logs, review failed login attempts to identify any conditional access or MFA policies that may be blocking authentication.

  5. Configure MFA option after successful Entra sign-in
    Once users are able to log in successfully through Entra, set the Microix MFA option to “Entra”.

    ⚠️ Important: Do not enable this setting until the user has confirmed successful authentication with Entra. Enabling it too early will remove the local password option and force Entra authentication exclusively.
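
For steps 1 and 4 above, the following added example (not Microix or Microsoft code, and not part of the original article) triages sign-in log records by AADSTS code and maps each failing user to the cause section it points to. It assumes records exported as JSON with Microsoft Graph signIn field names; the sample records, user names and policy names are constructed, and every code other than AADSTS65001 is added here from Microsoft's AADSTS error reference.

```python
import json
from collections import defaultdict

APP = "Microix Workflow Modules Modern"  # app name as given in the article

# AADSTS code -> cause section of the article. Only AADSTS65001 is named in the
# article; the other codes are added from Microsoft's AADSTS error reference.
CAUSES = {
    65001: "1: consent not granted for the app",
    50020: "2: account belongs to another directory or identity provider",
    50034: "2: account not found in this directory",
    53003: "3: blocked by a Conditional Access policy",
    53000: "3: device not compliant (Conditional Access)",
    50076: "3: MFA required",
    90094: "4: admin consent required (user consent not allowed)",
}

# Constructed sample records using Microsoft Graph signIn field names.
SAMPLE = json.loads("""[
 {"userPrincipalName": "ana@example.com", "appDisplayName": "Microix Workflow Modules Modern",
  "status": {"errorCode": 0}, "appliedConditionalAccessPolicies": []},
 {"userPrincipalName": "Ben@example.com", "appDisplayName": "Microix Workflow Modules Modern",
  "status": {"errorCode": 65001}, "appliedConditionalAccessPolicies": []},
 {"userPrincipalName": "cy@example.com", "appDisplayName": "Microix Workflow Modules Modern",
  "status": {"errorCode": 53003}, "appliedConditionalAccessPolicies": [
    {"displayName": "Require managed device", "result": "failure"},
    {"displayName": "Require MFA", "result": "success"}]},
 {"userPrincipalName": "cy@example.com", "appDisplayName": "Other App",
  "status": {"errorCode": 65001}, "appliedConditionalAccessPolicies": []},
 {"userPrincipalName": "dee@example.com", "appDisplayName": "Microix Workflow Modules Modern",
  "status": {"errorCode": 50126}}
]""")

def triage(records, app=APP):
    """Map each user with failed sign-ins to `app` onto (code, cause, failing CA policies)."""
    findings = defaultdict(set)
    for rec in records:
        code = (rec.get("status") or {}).get("errorCode", 0)
        if rec.get("appDisplayName") != app or code == 0:
            continue  # other apps and successful sign-ins are not part of the problem
        blocking = tuple(sorted(
            p.get("displayName", "?")
            for p in rec.get("appliedConditionalAccessPolicies") or []
            if p.get("result") == "failure"))
        cause = CAUSES.get(code, "unmapped: look the code up before changing settings")
        findings[rec["userPrincipalName"].lower()].add((code, cause, blocking))
    return {user: sorted(items) for user, items in sorted(findings.items())}

if __name__ == "__main__":
    for user, items in triage(SAMPLE).items():
        for code, cause, blocking in items:
            print(f"{user}: AADSTS{code} -> section {cause} {list(blocking)}")
```

A user who shows up only under section 3 with a named failing policy points to a Conditional Access scoping problem rather than missing consent, so granting admin consent would not resolve that user's failure.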
