Forum Discussion
Sign In Error 90072 with On Prem Accounts - How to mitigate?
Hi ryanboudreaux1, try the options below and see if one of them works.
Check AAD Connect Sync
Ensure the impacted on-prem accounts are properly synced to Azure AD (matching UPN and ImmutableID).
Run Start-ADSyncSyncCycle and confirm accounts exist in Entra.
Review UPN Suffixes
On-prem users should have a UPN suffix that matches the verified domain in Azure AD.
If they log in with @sparkle.local but the tenant only knows @healthy.org, they’ll trigger error 90072.
Office Profile Cleanup
Old Office apps may keep cached credentials for the wrong tenant.
Clearing Windows Credential Manager or running Office sign-out / sign-in often reduces noise.
Conditional Access / Exclusions
If these are “false positives” from legacy clients, you can scope them out of certain CA policies to prevent excessive logging.
Noise Reduction in Reports
In Sentinel/Entra logs, filter 90072 events where Application = Office and the UPN suffix is not in your accepted domains.
These can be suppressed or routed to a separate "informational" bucket rather than security noise.
Fix identity alignment → make sure all on-prem accounts have valid UPNs synced to Entra.
Educate users → ensure they log in with the correct domain account (@healthy.org vs legacy).
Clean cached credentials → remove old Office sign-ins pointing to invalid tenants.
Tune monitoring → filter out error 90072 noise from reports if accounts are confirmed non-threat.
This error is usually benign noise from legacy on-prem accounts with mismatched UPNs. The fix is to align the UPNs and sync properly, then filter the noise out of reporting.
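Added example, not part of the reply above: a PowerShell audit that implements the "Review UPN Suffixes" and "Fix identity alignment" steps. It lists enabled on-prem AD users whose UPN suffix is not a domain verified in the Entra tenant (the accounts that produce 90072 when they sign in to Office), proposes a corrected UPN, and dry-runs the rename with -WhatIf. The verified-domain list, the target suffix and the OU filter are placeholders you supply; the script assumes the RSAT ActiveDirectory module on the machine it runs on and the ADSync module on the AAD Connect server for the final delta sync.

```powershell
# Added example (not from the forum thread): find on-prem AD users whose UPN
# suffix is not verified in the Entra ID tenant, since those sign-ins fail
# with AADSTS90072. Requires the ActiveDirectory (RSAT) module.
param(
    # Placeholder: replace with the domains verified in your tenant
    # (they can be listed with Get-MgDomain from the Microsoft.Graph module).
    [string[]]$VerifiedDomains = @('healthy.org'),

    # Placeholder: suffix to propose for mismatched users.
    [string]$TargetSuffix = 'healthy.org',

    # Optional OU distinguished name to audit; empty audits the whole domain.
    [string]$SearchBase = ''
)

Import-Module ActiveDirectory -ErrorAction Stop

# Normalise once so the suffix comparison is case-insensitive.
$verified = $VerifiedDomains | ForEach-Object { $_.ToLowerInvariant() }

$getParams = @{
    Filter     = 'Enabled -eq $true'
    # mS-DS-ConsistencyGuid is the usual AAD Connect sourceAnchor (ImmutableID);
    # an empty value means the object has probably never been synced.
    Properties = 'UserPrincipalName', 'mS-DS-ConsistencyGuid'
}
if ($SearchBase) { $getParams.SearchBase = $SearchBase }

$mismatched = foreach ($user in Get-ADUser @getParams) {
    if (-not $user.UserPrincipalName) {
        # No UPN at all: the account can never match a cloud identity.
        [pscustomobject]@{
            SamAccountName  = $user.SamAccountName
            CurrentUpn      = '<none>'
            Suffix          = '<none>'
            HasSourceAnchor = [bool]$user.'mS-DS-ConsistencyGuid'
            ProposedUpn     = "$($user.SamAccountName)@$TargetSuffix"
        }
        continue
    }

    $prefix, $suffix = $user.UserPrincipalName -split '@', 2
    if ($verified -notcontains $suffix.ToLowerInvariant()) {
        [pscustomobject]@{
            SamAccountName  = $user.SamAccountName
            CurrentUpn      = $user.UserPrincipalName
            Suffix          = $suffix
            HasSourceAnchor = [bool]$user.'mS-DS-ConsistencyGuid'
            ProposedUpn     = "$prefix@$TargetSuffix"
        }
    }
}

if (-not $mismatched) {
    Write-Host 'All enabled users carry a UPN suffix that is verified in the tenant.'
    return
}

# Report first; nothing below changes AD until -WhatIf is removed.
$mismatched | Sort-Object Suffix, SamAccountName | Format-Table -AutoSize

# Dry run of the fix. Review the table, confirm the proposed UPN is unique
# and that the user knows their sign-in name will change, then drop -WhatIf.
foreach ($m in $mismatched) {
    Set-ADUser -Identity $m.SamAccountName -UserPrincipalName $m.ProposedUpn -WhatIf
}

# After the real change, on the AAD Connect server, push it to Entra:
#   Start-ADSyncSyncCycle -PolicyType Delta
```

Run it once without arguments to get the report only; the HasSourceAnchor column separates accounts that are synced but misnamed (fix the UPN) from accounts that have never synced (check the sync scope first). Users whose UPN suffix is correct but who still hit 90072 are more likely the cached-credential case from the reply, which this audit deliberately does not touch.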