Entra M365 JIT Re-Enable - Password Incorrect

Incident Report for CyberQP

Postmortem

Although the root cause was not within our platform, the impact was material and we recognize the additional operational overhead this created for your team.

We have now released an enhancement to the Microsoft Entra ID / Microsoft 365 Just in Time (JIT) integration that successfully works around the issue observed beginning February 26 at approximately 12:00 PM EST.

What This Means for You

‌

Currently Enabled Entra/M365 JIT Accounts

No action is required. These accounts will function normally moving forward.

‌

Currently Disabled Entra/M365 JIT Accounts

Action is required:

Re-enable the JIT account.
Using either the Chrome extension or the QTech Mobile application, extend the JIT duration.

After this step is completed, all subsequent disable/re-enable cycles for that account will function normally without additional intervention.

Alternative Option
You may delete and recreate the JIT account. However, this will require the user to re-register MFA and may introduce additional administrative effort and delay.

Posted Mar 03, 2026 - 11:32 PST

Resolved

We’ve completed our review of the reported login delays impacting Just-in-Time (JIT) accounts.

Our investigation, including comparison of our activity logs with Microsoft Entra Audit Logs, confirms that credentials are being generated and delivered correctly at the time of activation. The delay is occurring between the password reset event and when the updated credentials become active within Entra/M365.

We are continuing to monitor this behavior and will provide a further update once latency returns to expected levels.

Posted Feb 26, 2026 - 17:18 PST

Identified

We have identified the likely cause: a synchronization delay on the Microsoft Entra/M365 side.

Waiting approximately 5 minutes after re-enabling a Just in Time account will allow login with the supplied password.

We are continuing to investigate whether this delay can be reduced on our end, or whether it is inherent to Microsoft's platform.

Further updates to follow.

Posted Feb 26, 2026 - 16:20 PST

Investigating

We are currently investigating an issue affecting Entra/M365 Just in Time (JIT) accounts that have been re-enabled after a period of being disabled.

In this state, the password displayed by the Dashboard and Chrome Extension does not match the active credential, preventing successful login.

Active Directory and Local JIT accounts are not affected.

New Entra/M365 JIT account creation also continues to function normally.

Workaround: Deleting the affected JIT account and recreating it from scratch will resolve the issue. Please note this will require the end user to re-register MFA. We recommend evaluating the impact of MFA re-registration in your environment before proceeding.

Our team is treating this as the highest priority and is actively working toward a resolution.

Posted Feb 26, 2026 - 14:57 PST

This incident affected: EU (Just In Time/Passwordless Functionality), US (Just In Time/Passwordless Functionality), and CA (Just In Time/Passwordless Functionality).