Forum Discussion

chrisnelmes's avatar
chrisnelmes
Tin Contributor
Jun 04, 2026

Prompted to sign in to Microsoft Defender Platform on W11/W2025 using Entra

Hi Microsoft Defender XDR community,

Since around May 18th, our users on devices that are onboarded to Microsoft Defender for Endpoint are being prompted to sign-in to the following application using Entra on login to Windows. 

Application

Microsoft Defender Platform

Application ID

cab96880-db5b-4e15-90a7-f3f1d62ffe39

Is anyone aware of a change that requires user sign-in to Entra as a requirement for Microsoft Defender for Endpoint? I have tried raising a support topic on this topic.

Regards

Chris

8 Replies

  • SelinaKnow's avatar
    SelinaKnow
    Tin Contributor

    We are seeing the same behavior in our environment as well. This does not appear to be a normal MDE onboarding requirement, since MDE is usually device/service based rather than an interactive user sign-in flow. Given that this started around the same time for multiple environments, it may be a Defender platform-side change or regression.

  • Has anyone found a solution for this issue? No luck with support so far. 

    • arjendereus's avatar
      arjendereus
      Copper Contributor

      Microsoft support told us that this issue happens because of a Microsoft backend update to Defender for Endpoint on Windows which now makes Defender require an Entra sign in token to work. This means for us the only available solution is to make all our devices Entra Hybrid Joined as they weren’t registered/joined to Entra at all.

  • Still no action from Microsoft Support unfortunately, they're stuck in a loop of asking when I'm available for a call, then not calling. 

    Has anyone found a fix?

  • arjendereus's avatar
    arjendereus
    Copper Contributor

    We are also experiencing this problem since the 28th of May in the afternoon. Any updates from the community yet? We have a long lasting ticket with Microsoft Support about this but no fix yet.

  • LilP77's avatar
    LilP77
    Copper Contributor

    We're getting this problem too since around May 18th. In my environment, our devices are Hybrid joined and the AzreADPrt is valid, but further down in the SSO section of the "dsregcmd /status" command, we have an error: MSIS9699. It may or may not be related, since most of us have that error, but even those without this error get prompted. One last note... they only get prompted if they left their device turned on over night. I can confirm from logs that this is Defender Platform authentication requests, I just don't know why it just started recently.

  • We have this prompts too. Since 1-2 weeks.
    The sign-in prompts seems to reoccure every hour or so.
    The clients are anboarded to MDE, joined to Active Directory only - not hybrid and not Entra ID registered.

    Proxy for MDE is configured via https://learn.microsoft.com/en-us/defender-endpoint/configure-proxy-internet#configure-the-proxy-server-manually-using-a-registry-based-static-proxy-setting

  • AladinH's avatar
    AladinH
    Iron Contributor

    Hi chrisnelmes​,

    The application itself is legitimate. While I haven’t seen any Microsoft announcement introducing a new Defender for Endpoint sign-in requirement, I’d also validate the device Entra registration and PRT status (dsregcmd /status) on affected devices. We’ve seen authentication prompts caused by token or device registration issues, Conditional Access evaluations, or service-side changes following platform updates. Interested to hear what Microsoft Support comes back with.