Staff Aug: 365

A user can’t access any M365 apps. What’s your Tier-3 triage flow?

Confirm scope (one user vs many) → check Microsoft Service Health → check Entra ID Sign-in logs → review Conditional Access result + MFA → verify account status/licenses → confirm device/time sync → isolate client vs identity vs service.

What’s the most important question before troubleshooting?

What changed recently (policy

Where do you start for most access failures?

Entra ID Sign-in Logs: look at status

How do you troubleshoot Conditional Access blocks quickly?

Identify user + app + time → sign-in log → Conditional Access tab to see which policy applied and what control failed → confirm exclusions (break-glass/admin) → validate named locations/device state.

What are common Conditional Access failure reasons?

MFA not satisfied

How do you confirm if MFA vs password is the issue?

Check Authentication Details in sign-in logs: “MFA required/satisfied”

User says MFA prompts loop or fail. What do you check?

Authenticator registration

How do you handle a multi-user outage due to policy change?

Stop/rollback recent change (or disable policy) → communicate status → validate sign-ins → reintroduce control with scoped pilot group and exclusions.

What’s a safe CA rollout approach?

Pilot group → monitor sign-in logs → expand in phases → keep break-glass accounts excluded → document rollback plan.

A user can access Outlook Web but not Outlook desktop. What do you suspect?

Client auth differences (modern auth vs legacy)

What’s your go-to for Outlook connectivity issues?

Microsoft Remote Connectivity Analyzer

Email not delivering to external recipients. What’s your Tier-3 flow?

Message trace → identify failure point → check connectors → transport rules → outbound spam policy/quarantine → DKIM/SPF/DMARC → check blocklists → verify accepted domains.

Internal user says “emails stuck in Outbox.” What do you check?

Client vs service: Outlook profile

How do you troubleshoot “NDR 550 5.7.1” rejected messages?

Check transport rule

What’s the fastest way to determine mail flow path?

Message trace with details: shows connector/rule actions

Phishing got through. What do you review in M365?

Defender quarantine policies

A mailbox has a suspicious auto-forwarding rule. What do you do?

Disable rule/forwarding

How do you revoke active sessions after suspected compromise?

Entra ID: revoke refresh tokens/sign out sessions; reset password; require MFA re-registration if needed; review sign-in logs after.

Teams: User can’t join meetings externally. What do you check?

Teams admin settings: external access/federation

Teams: Calls drop / audio issues for many users. What’s your approach?

Check Service Health + Teams admin center health

What is the quickest way to prove a Teams issue is network-related?

Teams Call Quality Dashboard/Call analytics showing packet loss/jitter correlated to a site/network.

Teams: User sees “We couldn’t sign you in.” What do you check?

Entra sign-in logs for Teams; Conditional Access blocks; device compliance; time sync; Office token refresh; clear Teams cache.

SharePoint: External user can’t access shared file. What do you check?

Sharing settings at tenant + site level

SharePoint: Users report “Access denied” after a change. What do you suspect?

Permission inheritance changes

OneDrive: Sync errors occur for one user. What’s Tier-3 flow?

Check client version

OneDrive: Sync failing for many users. What do you do first?

Check Service Health

Intune: Device shows compliant but access still blocked. What do you check?

Conditional Access requiring compliant device might be evaluating wrong device state; verify device in Entra (registered/joined)

What device states matter for CA “require compliant device”?

Device must be enrolled and reporting compliance to Intune

User can’t enroll device into Intune. What are common causes?

Enrollment restrictions

How do you confirm if a Windows device is Entra joined?

On device: dsregcmd /status → check AzureAdJoined/DomainJoined

What does “hybrid join issues” usually trace back to?

AAD Connect configuration

User is prompted to sign in repeatedly across apps. What do you suspect?

Token issues due to CA changes

How do you determine if it’s a licensing issue?

Confirm user has required service plan enabled (Exchange/Teams/SharePoint)

What’s the Tier-3 approach to “it worked yesterday” issues?

Ask what changed → check audit logs (CA/policy changes

Where do you look for “what changed” in Entra/365?

Audit logs in Entra

A policy broke access for a VIP. How do you respond?

Restore access safely (temporary exclusion or rollback) → communicate with director → root cause in sign-in logs → implement a phased fix.

How do you avoid becoming a bottleneck in escalations?

Resolve with the internal team present

What’s your default incident communication cadence?

Initial acknowledgement + impact

What makes a troubleshooting approach ‘senior’?

Hypothesis-driven

How do you know when to escalate to Microsoft Support?

When tenant config is verified

What evidence do you collect before engaging Microsoft Support?

Timestamps

What are top recurring causes of M365 incidents in SMB/midmarket?

Conditional Access mis-scoping

How do you validate a fix is stable?

Monitor sign-in logs/message trace/health for 24–48 hours

What is a “good rollback plan” for identity changes?

Document current policy state