Forum Discussion
Prompted to sign in to Microsoft Defender Platform on W11/W2025 using Entra
Hi Microsoft Defender XDR community,
Since around May 18th, our users on devices that are onboarded to Microsoft Defender for Endpoint are being prompted to sign in to the following application using Entra on login to Windows.
Application: Microsoft Defender Platform
Application ID: cab96880-db5b-4e15-90a7-f3f1d62ffe39
Is anyone aware of a change that requires user sign-in to Entra as a requirement for Microsoft Defender for Endpoint? I have tried raising a support topic on this topic.
Regards
Chris
8 Replies
- SelinaKnow (Tin Contributor)
We are seeing the same behavior in our environment as well. This does not appear to be a normal MDE onboarding requirement, since MDE is usually device/service based rather than an interactive user sign-in flow. Given that this started around the same time for multiple environments, it may be a Defender platform-side change or regression.
- chrisnelmes (Tin Contributor)
Has anyone found a solution for this issue? No luck with support so far.
- arjendereus (Copper Contributor)
Microsoft support told us that this issue happens because of a Microsoft backend update to Defender for Endpoint on Windows which now makes Defender require an Entra sign in token to work. This means for us the only available solution is to make all our devices Entra Hybrid Joined as they weren’t registered/joined to Entra at all.
- chrisnelmes (Tin Contributor)
Still no action from Microsoft Support unfortunately, they're stuck in a loop of asking when I'm available for a call, then not calling.
Has anyone found a fix?
- arjendereus (Copper Contributor)
We are also experiencing this problem since the 28th of May in the afternoon. Any updates from the community yet? We have a long lasting ticket with Microsoft Support about this but no fix yet.
- LilP77 (Copper Contributor)
We're getting this problem too since around May 18th. In my environment, our devices are Hybrid joined and the AzureAdPrt is valid, but further down in the SSO section of the "dsregcmd /status" command, we have an error: MSIS9699. It may or may not be related, since most of us have that error, but even those without this error get prompted. One last note... they only get prompted if they left their device turned on overnight. I can confirm from logs that this is Defender Platform authentication requests, I just don't know why it just started recently.
- Thilo Langbein (Iron Contributor)
We have these prompts too. Since 1-2 weeks.
The sign-in prompts seem to reoccur every hour or so.
The clients are onboarded to MDE, joined to Active Directory only - not hybrid and not Entra ID registered. Proxy for MDE is configured via https://learn.microsoft.com/en-us/defender-endpoint/configure-proxy-internet#configure-the-proxy-server-manually-using-a-registry-based-static-proxy-setting
- AladinH (Iron Contributor)
Hi chrisnelmes,
The application itself is legitimate. While I haven’t seen any Microsoft announcement introducing a new Defender for Endpoint sign-in requirement, I’d also validate the device Entra registration and PRT status (dsregcmd /status) on affected devices. We’ve seen authentication prompts caused by token or device registration issues, Conditional Access evaluations, or service-side changes following platform updates. Interested to hear what Microsoft Support comes back with.
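
The "dsregcmd /status" check mentioned in the replies above, as an added example that is not part of the thread or any poster's code: it summarizes join state, PRT presence and any MSIS error codes in the output. The function name Get-DsregSummary and the sample text (including the layout of its error line) are assumptions made for illustration.

```powershell
# Added example, not from the thread. Get-DsregSummary is a hypothetical helper name.
function Get-DsregSummary {
    param([string[]]$Lines)

    # dsregcmd prints "Name : Value" pairs; keep the first occurrence of each name.
    $kv = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]\w*)\s*:\s*(.*?)\s*$' -and -not $kv.ContainsKey($Matches[1])) {
            $kv[$Matches[1]] = $Matches[2]
        }
    }

    $entra  = $kv['AzureAdJoined'] -eq 'YES'
    $domain = $kv['DomainJoined']  -eq 'YES'
    $join = 'Neither AD nor Entra joined'
    if ($domain) { $join = 'AD joined only' }
    if ($entra)  { $join = if ($domain) { 'Hybrid joined' } else { 'Entra joined' } }

    [pscustomobject]@{
        JoinState  = $join
        HasPrt     = ($kv['AzureAdPrt'] -eq 'YES')
        PrtExpiry  = $kv['AzureAdPrtExpiryTime']
        # Any MSIS error codes (such as the MSIS9699 reported above) anywhere in the output.
        ErrorCodes = @($Lines | Select-String -Pattern 'MSIS\d+' -AllMatches |
                        ForEach-Object { $_.Matches.Value } | Sort-Object -Unique)
    }
}

# Constructed sample so the script also runs where dsregcmd is unavailable.
# The values and the wording of the error line are made up for illustration.
$sample = @'
             AzureAdJoined : YES
              DomainJoined : YES
                AzureAdPrt : YES
      AzureAdPrtExpiryTime : 2025-01-15 07:15:02.000 UTC
        (constructed line) error MSIS9699
'@ -split '\r?\n'

$out = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { dsregcmd.exe /status } else { $sample }
Get-DsregSummary -Lines $out | Format-List
```

Run it in the affected user's session rather than elevated as another account, since the PRT fields describe the signed-in user.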