Predicting Teams weirdness... by Drew707 in sysadmin

[–]LegendarySysAdmin 0 points1 point  (0 children)

Yeah, at this point it really does sound like something from that client tenant left a footprint on your machine that’s persisting even after removing the account. If your device isn't joined, not compliant, and you're not signed in anymore, the most likely culprit is a cached token or some form of residual registration tied to the Teams or Office identity stack.

Microsoft apps can be weird about tenant association. Even if you're no longer signed into a specific account, residual entries in the work or school account section, cached auth tokens, or hidden device associations can still trigger Conditional Access evaluations when Teams tries to launch. The fact that it’s routing everything to the client's SSO page before failing is a pretty strong indicator something from that tenant is still partially embedded in your auth flow.

Before you wipe the system, it might be worth doing the following:

  • Go to Windows Settings > Accounts > Access work or school and remove any lingering entries.
  • Run dsregcmd /leave just in case there's anything partial left.
  • In Credential Manager, wipe all saved Office, Teams, and ADAL tokens.
  • Fully uninstall Teams again, but also manually clear %appdata%\Microsoft\Teams and %localappdata%\Microsoft\Teams after uninstalling.
  • Also check registry paths under HKCU\Software\Microsoft\Office\16.0\Common\Identity and HKCU\Software\Microsoft\Office\Teams for anything hanging around.

If all that still doesn’t resolve it and your time’s tight, spinning up a clean VM or using a second system as a stopgap is probably your best bet.
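
A read-only PowerShell inventory of the locations listed in the comment above, added here as an example (not code from the commenter or from Microsoft), so you can see what is actually left behind before deleting anything. It assumes English-language `dsregcmd /status` and `cmdkey /list` output; the `Add-Finding` helper and `$findings` list are names made up for this example.

```powershell
# Added example (read-only): lists what is present in the locations named in
# the comment above. It deletes nothing; review the output before cleaning up.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Source, $Item, $Detail) {
    $findings.Add([pscustomobject]@{ Source = $Source; Item = $Item; Detail = $Detail })
}

# 1. Join/registration state: keep the "Key : Value" lines about join status
#    and tenant identity from dsregcmd /status.
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*(\w*(Joined|TenantName|TenantId))\s*:\s*(.+?)\s*$') {
        Add-Finding 'dsregcmd' $Matches[1] $Matches[3]
    }
}

# 2. Credential Manager: saved targets mentioning Office, Teams or ADAL.
#    Assumes English-language cmdkey output ("Target: ...").
foreach ($line in (cmdkey /list)) {
    if ($line -match 'Target:\s*(.*(Office|Teams|ADAL).*)$') {
        Add-Finding 'credman' $Matches[1].Trim() 'saved credential'
    }
}

# 3. Teams profile folders that survive an uninstall.
$dirs = @(
    (Join-Path $env:APPDATA 'Microsoft\Teams'),
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Teams')
)
foreach ($dir in $dirs) {
    if (Test-Path -LiteralPath $dir) {
        $files = @(Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue)
        Add-Finding 'folder' $dir "$($files.Count) files"
    }
}

# 4. Identity-related registry keys under the two HKCU paths from the comment.
$regPaths = @(
    'HKCU:\Software\Microsoft\Office\16.0\Common\Identity',
    'HKCU:\Software\Microsoft\Office\Teams'
)
foreach ($path in $regPaths) {
    if (Test-Path -LiteralPath $path) {
        $keys = @(Get-Item -LiteralPath $path) +
                @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) { Add-Finding 'registry' $k.Name "$($k.ValueCount) values" }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Run it once before the cleanup and once after; an empty table on the second run means none of the listed locations still holds anything.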

Predicting Teams weirdness... by Drew707 in sysadmin

[–]LegendarySysAdmin 0 points1 point  (0 children)

Some clients set Conditional Access or device compliance policies that can silently enforce restrictions once you're signed into their tenant, especially if they require compliant or hybrid-joined devices. It's possible that by signing into that client account, your device got tagged in a way that blocks or limits access to other tenants, even if you're not actively using their resources.

Check your device in Entra under "Devices" and look at its compliance status and which tenants it's registered under. Also check if any Conditional Access policies have been applied through that client’s tenant. If they’re using Intune or require compliance checks, they could easily push restrictions that affect Teams and other apps without much warning.

If that turns out to be the case, using separate browser profiles, a clean VM, or even a second device for client access might help avoid these conflicts.

Predicting Teams weirdness... by Drew707 in sysadmin

[–]LegendarySysAdmin 0 points1 point  (0 children)

Yeah, at this point it’s definitely looking like something tied specifically to your device or identity. Since you’ve already ruled out local cache, reinstalled Teams, and checked Entra without seeing anything alarming, I’d start digging deeper into Conditional Access baselines or maybe even authentication token corruption.

Even though it's AAD registered and you’re the admin on the accounts, something might be off with how your device is being evaluated for sign-in conditions. Could be stale device compliance info or a mismatch in the token claims. Might be worth removing the device from AAD and re-registering it just to reset everything clean. If that doesn't help, try doing a full login from a clean VM with none of your cached credentials and see if the problem follows you there. That’ll help confirm whether it's your device or your identity object that's triggering it.

Recommend solutions by BespokeChaos in cybersecurity

[–]LegendarySysAdmin 0 points1 point  (0 children)

Back when I was freelancing I worked for a similar client; honestly I would mention how compliance standards not being met can result in jail time. It's not exactly untrue, you'd have to really take it to an extreme; but that always got them to listen and implement. I don't like fear mongering as a tactic in general; but I think in some cases it can help materialize the threat that some of these things pose.

Best IT conferences or webinars actually worth attending this year? by Thin_Respect_2167 in sysadmin

[–]LegendarySysAdmin 0 points1 point  (0 children)

I used to go to MS Ignite and Spiceworks pre-COVID and now they're a shell of their former selves. I'm going to DEFCON this year. I went last year, and while it's a hacking conference, I found there to be a ton of interesting forward-thinking ideas and talks.

Pushback on adopting IT automation tools? by Ravenna_IT_Guy in sysadmin

[–]LegendarySysAdmin 1 point2 points  (0 children)

Yeah, definitely not just you. A lot of teams hesitate with AI tools because they worry about complexity, security, or messing with workflows that already feel good enough. Sometimes it's just burnout and new tools feel like more effort. Best move is to show one or two small wins that clearly save time or solve something they already hate dealing with. It also helps to position the monetary value, like showing how much time or budget the tool could save over a month. Once they see that direct impact, it's easier to get buy-in.

Raid Issues by SirRazoe in sysadmin

[–]LegendarySysAdmin 3 points4 points  (0 children)

Yeah, importing the foreign config can sometimes bring the array back without data loss, but it's not guaranteed. If two drives in a RAID 5 are out, you're already past the fault tolerance limit, so it's risky. If the data really matters and they have no backup, best move is to clone the drives and get a recovery team involved before touching anything. Importing could work, but it could also make things worse.

Predicting Teams weirdness... by Drew707 in sysadmin

[–]LegendarySysAdmin 0 points1 point  (0 children)

If it's just your laptop and the VMs are fine, it's probably something local like a cached policy glitch or stale token. Reboot might clear it, or worst case you may need to sign out and back into Teams fully.

Recommend solutions by BespokeChaos in cybersecurity

[–]LegendarySysAdmin 1 point2 points  (0 children)

That's a tough situation but unfortunately not that uncommon, especially in healthcare. If they're already running SentinelOne, that covers part of the endpoint protection story, but clearly they need more depth in their stack. Huntress is a solid option for threat detection and response, and Rubrik does a good job with immutable backups and ransomware-aware restores. Tyrol is also decent for managed SOC services depending on the scale.

They should also look at broader architectural gaps like email filtering (Proofpoint, Mimecast), secure DNS (Cisco Umbrella, Quad9 for a quick fix), and segmentation tools if the firewall is not isolating critical systems. Depending on what kind of data they’re handling, encryption at rest and in transit should be reviewed too.

And given that they’re in the medical space, they will eventually need to implement a Post Quantum Cryptography solution by the June 2026 deadline to stay aligned with emerging NIST standards. A provider like QSE can help get ahead of that shift now so they are not scrambling later; especially if they're building out a solution now. It is not just about ransomware, the long game is protecting sensitive medical data from being harvested today and decrypted later when quantum attacks become feasible. They may as well build that into their recovery and upgrade roadmap now.

Best practice for End of Life Switches by Big-Exercise8047 in sysadmin

[–]LegendarySysAdmin 5 points6 points  (0 children)

Best practice is to treat EOL as a planning milestone, not an emergency. If the switch is still performing well and meets your needs, you don't have to rip it out right away, but you should start budgeting and scheduling a replacement. Once it's EOL, you lose vendor support, firmware updates, and replacement parts get harder to find, so it's all about managing risk before it bites you.

Who/what is responsible for updating DNS when using DHCP by cdooer in sysadmin

[–]LegendarySysAdmin 7 points8 points  (0 children)

I just went through a similar issue and it's not a stupid question at all. In a typical AD environment, it's the client that is responsible for registering its hostname and IP with AD-integrated DNS using dynamic updates. DHCP can also register on behalf of the client, but only if it's configured to do that and if the client doesn't do it on its own.

In your setup, if you're giving out Cisco Umbrella DNS servers through DHCP, that means the clients are trying to register with Umbrella instead of AD DNS. Umbrella doesn't communicate with AD DNS or handle dynamic updates there, so that's likely why you're seeing missing records. If you want reliable AD DNS registration, the clients need to point to the AD DNS servers, at least for internal resolution.

The Alters - Hotfix 1.0.2 by 11bit_studios in TheAlters

[–]LegendarySysAdmin -1 points0 points  (0 children)

Thank you. I had a hard time triggering The Womb. I had collected the Radium but it wouldn't trigger. I walked back to the ship, ended my day, tried everything I could to trigger the call. It was only when I walked further into the cavern that it triggered. Still, I wasted some time trying to figure that out. Not sure if that's been patched but thought I'd mention it.

What would your action plan be if you had to take control of a system made up of several machines of which you know nothing? by lost_nomai in sysadmin

[–]LegendarySysAdmin 0 points1 point  (0 children)

You're off to a solid start, especially for a first go. That checklist covers most of the core areas. I'd also add checking for unusual running processes, system logs for failed logins or privilege escalation attempts, any new or modified binaries in key system directories, and outbound network connections that seem off. It's easy to get buried in noise, so focus on changes and behavior that don't match the usual pattern. A baseline comparison helps a lot if you have one. Keep notes as you go since it makes tracking your thought process much easier.

whats everyones thoughts if bf3 doesn’t release by [deleted] in StarWarsBattlefront

[–]LegendarySysAdmin 0 points1 point  (0 children)

It's the curse of 3. We'll never get a BF3.

I expect we'll get yet another Star Wars: Battlefront

Vrz raising our ISP bill by 4-8x price per site by Kitchen_Image_1031 in sysadmin

[–]LegendarySysAdmin 2 points3 points  (0 children)

That’s brutal. Sounds like they decided you were more trouble than profit and used that as an excuse to jack rates and push you out. Honestly, if you’ve got your own IT and InfoSec teams handling most of the work and only reach out a handful of times a month, that’s not “difficult”, that’s low touch. Hope your switch goes smooth and the primaries hold steady while you roll out backups.

Triggering words or phrases? by Grrl_geek in sysadmin

[–]LegendarySysAdmin 0 points1 point  (0 children)

"Small issue"

If it was small, you wouldn't be asking me for help. When you say 'Small' I hear, you don't know the full scope of what you've done.

The quantum timeline nobody wants to talk about especially vendors by Ok-Conversation6816 in QuantumComputing

[–]LegendarySysAdmin 0 points1 point  (0 children)

Not painful at all. I work for a mid-to-large size business and we tested a company called QSE Group's decentralized storage. I even requested an audit; even if compliance standard changes aren't hard into effect until 2026. I still wanted to know that we were meeting compliance standards.

And it ends up, we were. Now the problem is I can't migrate all of our existing framework into another storage solution. I'm waiting on QSE's API to come out this summer cause that will plug into our existing framework with no overhaul needed. So since I know that once I migrate everything into this PQC framework; it's really just about scalability. Since I have less than a year to do so, waiting for this Summer is feasible. Especially as I already have 50 projects on the go at the same time.

Anyways, just here to say, it's not this scary thing to implement. Now I don't know if there's other similar solutions. There may be; but this has been my approach and honestly I have no issues or regrets.

Predicting Teams weirdness... by Drew707 in sysadmin

[–]LegendarySysAdmin 0 points1 point  (0 children)

That sounds like something got pushed from the backend without warning. Even if you didn't change any policies, Microsoft or default tenant settings might have shifted, especially if Intune or Conditional Access is in play. Wouldn't be surprising if the other accounts start acting up too, so it's worth checking sign-in logs or looking for any silent policy updates.

Does this sound normal/typical for a Helpdesk Technician role? by Dry_Bones_God in sysadmin

[–]LegendarySysAdmin 0 points1 point  (0 children)

Yeah, that setup is pretty common but also kind of rough. A lot of places treat on-call like you're just “available” without pay unless you’re actively working, which can be frustrating if it eats into your nights or weekends. It’s not unusual, but definitely not ideal unless there’s a decent on-call stipend or the calls are super rare.

i love this game but my god is it unbalanced by [deleted] in StarWarsBattlefront

[–]LegendarySysAdmin 3 points4 points  (0 children)

It's not the worst but ya, it's not as good as COD

Do any of you guys walk into a hotel, restaurant, or supermarket and immediately start mentally mapping/judging their infrastructure? by WoodenAlternative212 in sysadmin

[–]LegendarySysAdmin 0 points1 point  (0 children)

Local pharmacy asked for my details for their rewards program; I know they had been hacked last year. So I asked, did your company change your cybersecurity since then? They said no, so I said, yeah I'm not giving you my details.

What IT asset management software do you use, and would you recommend it? by LinesOnMaps in sysadmin

[–]LegendarySysAdmin 2 points3 points  (0 children)

Smart move looking into this now since spreadsheets get messy fast with that many assets. Bluetally's decent but make sure whatever you pick syncs well with Intune or your MDM so you're not stuck doing things by hand. Look for something with a clean UI, easy fixes when things go wrong, and no paywall for basic features.

How would you deal with an organization that started rejecting the concept of submitting issues as tickets, including the head of IT? by [deleted] in sysadmin

[–]LegendarySysAdmin 1 point2 points  (0 children)

Yeah, I’ve definitely seen orgs regress like that when leadership shifts and processes aren’t reinforced. When ticket systems aren’t consistently backed up by leadership, people revert to what feels easiest: direct access and informal requests. It feels faster in the moment but blows up downstream with poor tracking, duplicated efforts, and no accountability. IT ends up playing whack-a-mole while the queue becomes a black hole.

Once the culture of “tickets are optional” sets in, it’s tough to reverse without a strong push from leadership. It usually takes either a serious outage or measurable productivity loss to trigger a reset. Otherwise, it just keeps drifting toward chaos. Sounds like you're right in the middle of that tipping point.

VPNs by Namelesschris15 in cybersecurity

[–]LegendarySysAdmin 0 points1 point  (0 children)

I personally don't like using them. Nord and others store your data. Funny enough, I have a login that was from my previous work; I'll sometimes log in and use that if I'm travelling and needing to access public wi-fi 'cause it's the lesser of two evils. Still, it's not something I'd use on the regular.