This article helps you find troubleshooting information about common Azure AD pass-through authentication issues.
If you experience user login problems with pass-through authentication, do not disable the feature or uninstall pass-through authentication agents without having a cloud-only Global Administrator account or a Hybrid Identity Administrator account. Learn aboutadding a cloud-only Global Administrator account. Performing this step is critical and ensures that you are not locked out of your tenant.
Check the status of the feature and authentication agents
Make sure pass-through authentication is still onEnabledin your tenant and the status of the Authentication Agents is displayedActive, and noInert. You can check the status by going toAzure AD Connectblade inEnter the admin center.
Connection error messages that users encounter
If the user is unable to sign in using pass-through authentication, they may see one of the following errors that users experience on the Azure AD sign-in screen:
|AADSTS80001||Unable to connect to Active Directory||Ensure that proxy servers are members of the same AD cluster as the users whose passwords need to be validated and that they can connect to Active Directory.|
|AADSTS80002||An Active Directory connection timeout occurred||Check to ensure that Active Directory is available and responding to requests from agents.|
|AADSTS80004||The username passed to the agent was not valid||Make sure the user is trying to log in with the correct username.|
|AADSTS80005||Validation encountered an unexpected WebException||A transient error. Try the request again. If it still fails, contact Microsoft Support.|
|AADSTS80007||An error occurred while communicating with Active Directory||Check the agent logs for more information and verify that Active Directory is working as expected.|
Users get invalid username/password error
This can happen when a user's on-premises UserPrincipalName (UPN) is different from the user's cloud UPN.
To confirm that this is the issue, first check that the pass-through authentication agent is working correctly:
Create a demo account.
Enter the PowerShell module on the agent machine:
Εισαγωγή-Μονάδα "C:\Program Files\Microsoft Azure AD Connect Authentication Agent\Modules\PassthroughAuthPSModule\PassthroughAuthPSModule.psd1"
Run the Invoke PowerShell command:
When prompted for credentials, enter the same username and password used to log in (https://login.microsoftonline.com).
If you get the same username/password error, it means that the pass-through authentication agent is working correctly and the problem might be that the on-premises UPN is not routable. To learn more, seeConfigure an alternate login ID.
If the Azure AD Connect server is not joined to the domain, a requirement is referred toAzure AD Connect: Prerequisites, the invalid username/password issue occurs.
Azure portal login failure reasons (Premium license required)
If your tenant has an Azure AD Premium license associated with it, you can also see thatconnection activity reportin theEnter the admin center.
Navigate toAzure Active Directory->Inputsin theAzure portaland click on a specific user's login activity. Look for itCONNECTION ERROR CODEfield. Map the value of this field to a failure cause and resolution using the following table:
|Connection error code||Reason for connection failure||Analysis|
|50144||The user's Active Directory password has expired.||Reset the user's password in your internal Active Directory.|
|80001||No authentication factor available.||Install and register an authentication agent.|
|80002||The authentication agent's password validation request timed out.||Check if Active Directory is reachable by the Authentication Agent.|
|80003||An invalid response was received from the Authentication Agent.||If the problem can be consistently reproduced across multiple users, check your Active Directory configuration.|
|80004||Incorrect User Principal Name (UPN) used in connection request.||Ask the user to log in with the correct username.|
|80005||Authentication Agent: An error occurred.||Transient error. Please try again later.|
|80007||Authentication Agent cannot connect to Active Directory.||Check if Active Directory is reachable by the Authentication Agent.|
|80010||The Authentication Agent cannot decrypt the password.||If the problem is consistently reproducible, install and register a new authentication agent. And uninstall the current one.|
|80011||The Authentication Agent cannot retrieve the decryption key.||If the problem is consistently reproducible, install and register a new authentication agent. And uninstall the current one.|
|80014||The validation request was responded to after the maximum elapsed time has been exceeded.||Authentication factor timed out. Please open a support ticket with the error code, correlation ID, and timestamp to get more details about this error|
Pass-through authentication agents authenticate Azure AD users by validating their usernames and passwords against Active Directory by callingWin32 LogonUser API. As a result, if you have configured the Connect to setting in Active Directory to restrict workstation login access, you must also add servers that host Pass-through Authentication Factors to the Connect to server list. Failure to do so will block your users from signing in to Azure AD.
Authentication Agent installation issues
An unexpected error occurred
Collect agent logsfrom the server and contact Microsoft Support about your problem.
Agent Authentication registration issues
Authentication Agent registration failed due to blocked ports
Verify that the server on which the Authentication Agent is installed can communicate with the listed service URLs and portshere.
Authentication Agent registration failed due to token or account authorization errors
Ensure that you use a cloud-only Global Administrator account or a Hybrid Identity Administrator account for all Azure AD Connect or stand-alone Authentication Agent installation and registration operations. There is a known issue with MFA enabled Global Administrator accounts. temporarily disable MFA (just to complete functions) as a workaround.
An unexpected error occurred
Collect agent logsfrom the server and contact Microsoft Support about your problem.
Authentication Agent uninstall issues
Warning message when uninstalling Azure AD Connect
If you have broadcast authentication enabled in your tenant and you try to uninstall Azure AD Connect, you will see the following warning message: "Users will not be able to connect to Azure AD unless you have other authentication agents installed on other servers."
Make sure your setting isvery availablebefore uninstalling Azure AD Connect to avoid tampering with user login.
Issues with enabling the feature
Enabling the feature failed because no authentication factors were available
You must have at least one authentication agent active to enable pass-through authentication on your tenant. You can install an authentication agent by either installing Azure AD Connect or a standalone authentication agent.
Feature activation failed due to blocked ports
Ensure that the server on which Azure AD Connect is installed can communicate with the listed service URLs and portshere.
Feature activation failed due to token or account authorization errors
Make sure you use a cloud-only Global Administrator account when enabling the feature. There is a known issue with global administrator accounts with multi-factor authentication (MFA). temporarily disable MFA (just to complete the operation) as a workaround.
Collection of forwarding authentication agent logs
Depending on the type of problem you may be having, you should look in different places for relay authenticator logs.
Azure AD Connect logs
For installation-related errors, check the Azure AD Connect logs at%ProgramData%\AADConnect\trace-*.log.
Authentication Agent event logs
For errors related to the Authentication Agent, open the Event Viewer application on the server and checkApplication and Service Logs\Microsoft\AzureAdConnect\AuthenticationAgent\Admin.
For detailed analytics, enable the "Session" log (right-click inside the Event Viewer to find this option). Do not run the Authentication Agent with this log enabled during normal operations. use only for troubleshooting. The contents of the log file are only visible after the log file is disabled again.
Detailed trace logs
To troubleshoot user login failures, look for trace logs at%ProgramData%\Microsoft\Azure AD Connect Authentication Agent\Trace\. These logs include reasons why a particular user login failed using the pass-through authentication feature. These errors also map to the connection failure reasons shown in the previous connection failure reasons table. Here is an example log entry:
AzureADConnectAuthenticationAgentService.exe Error: 0 : Pass-through authentication request failed. Request ID: 'df63f4a4-68b9-44ae-8d81-6ad2d844d84e'. Reason: '1328'. ThreadId=5 DateTime=xxxx-xx-xxTxx:xx:xx.xxxxxxZ
You can get descriptive details of the error ("1328" in the previous example) by opening a command prompt and running the following command (Note: Replace "1328" with the actual error number you see in your logs):
Net helpmsg 1328
Domain controller logs
If audit logging is enabled, you can find additional information in the security logs of your domain controllers. A simple way to query connection requests sent by Pass-through Authenticators is as follows:
Performance Monitor counters
Another way to monitor Authentication Agents is to monitor specific Performance Monitor counters on each server where the Authentication Agent is installed. Use the following global counters (# PTA verifications,#PTA authentications failedand#PTA successful authentications) and error counters (# PTA authentication errors):
Pass-through authentication provides high availability by using multiple authentication factors andnotload balancing. Depending on your configuration,notall authentication agents receive approxequalnumber of requests. It is possible that a particular authentication agent receives no traffic at all.
How do I troubleshoot connectivity issues with Azure AD Connect? ›
Start the Azure AD Connect wizard. Go to Additional Tasks > Troubleshoot, and then select Next. On the Troubleshooting page, select Launch to start the troubleshooting menu in PowerShell. In the main menu, select Troubleshoot Object Synchronization.How do I enable pass-through authentication in Azure AD Connect? ›
Sign in to the Entra admin center with the Hybrid Identity Administrator credentials for your tenant. Select Azure Active Directory. Select Azure AD Connect. Verify that the Pass-through authentication feature appears as Enabled.How do I fix Azure AD Connect sync errors? ›
- Remove the Azure AD account (owner) from all admin roles.
- Hard delete the quarantined object in the cloud.
- The next sync cycle will take care of soft-matching the on-premises user to the cloud account because the cloud user is now no longer a Hybrid Identity Administrator.
Password hash synchronization—Synchronizes the hash of a user's Azure AD and on-premise Active Directory passwords. Pass-through authentication—Allows users to authenticate with the same password on both Azure AD and on-premise Active Directory.What are the common issues with AD connect? ›
Azure AD Connect requires proper installation and configuration to function properly. Common issues include incorrect credentials, network connectivity issues, and firewall settings.How do I check my Azure AD Connect sync errors? ›
Sign in to the Microsoft 365 admin center with a global administrator account. On the Home page, you'll see the User management card. On the card, choose Sync errors under Azure AD Connect to see the errors on the Directory sync errors page.How do I know if pass through authentication is enabled? ›
Ensure that the Pass-through Authentication feature is still Enabled on your tenant and the status of Authentication Agents shows Active, and not Inactive. You can check status by going to the Azure AD Connect blade on the Entra admin center.How do I enable strong authentication in Azure AD? ›
Sign in to the Azure portal and select User management. Select Multifactor authentication. Select the user you want to enable and then select Enable. "Enabled" in this procedure means that the user is asked to set up MFA verification when they sign in for the first time.How does Azure AD pass through authentication work? ›
The user enters their password into the Azure AD sign in page, and then selects the Sign in button. Azure AD, on receiving the request to sign in, places the username and password (encrypted by using the public key of the Authentication Agents) in a queue.How do I force a sync in Azure AD Connect? ›
- Open Azure AD Connect.
- Open Manage Azure AD cloud sync.
- Select your configuration (domain)
- Click Start or Restart Sync.
How do I manually start Azure AD Connect sync? ›
If you need to manually run a sync cycle, then from PowerShell run Start-ADSyncSyncCycle -PolicyType Delta . To initiate a full sync cycle, run Start-ADSyncSyncCycle -PolicyType Initial from a PowerShell prompt.How do I force password sync with Azure AD Connect? ›
To do it, start the Azure AD sync appliance Configuration Wizard, and then continue through the screens until you see the option to enable password synchronization.Is federated authentication same as SSO? ›
The key difference between SSO and FIM is while SSO is designed to authenticate a single credential across various systems within one organization, federated identity management systems offer single access to a number of applications across various enterprises.What is the difference between Azure ADFS and passthrough authentication? ›
Pass-through authentication is an alternative to AD FS and password hash synchronization in Azure AD. This technology allows users to access cloud apps after authenticating against the local Active Directory. The configuration of pass-through authentication is less complex than that of AD FS, for example.What is the difference between legacy authentication and modern authentication Microsoft? ›
“Legacy authentication” is a term Microsoft sometimes uses to describe basic authentication when used with its cloud-based services. This is in contrast with the term “modern authentication” which provides more security and capabilities.How do I know if my Azure AD Connect is working? ›
You can check the status in the Microsoft 365 admin center. If there are no errors present, the DirSync or Azure AD Connect Status icon appears as a green circle (successful).What happens if Azure AD Connect goes down? ›
AAD Connect takes user accounts, and maybe passwords, from your on-premises Active Directory and copies them into Azure Active Directory. If your AAD Connect server goes down, you don't lose any data or very much functionality. There really isn't any need for a high availability configuration for AAD Connect.How do I force Azure AD Connect to update? ›
If you want to install a newer version of Azure AD Connect: close the Azure AD Connect wizard, uninstall the existing Azure AD Connect, and perform a clean install of the newer Azure AD Connect.How do I troubleshoot password hash sync in Azure AD? ›
Run the troubleshooting task
Start the Azure AD Connect wizard. Navigate to the Additional Tasks page, select Troubleshoot, and click Next. On the Troubleshooting page, click Launch to start the troubleshooting menu in PowerShell. In the main menu, select Troubleshoot password hash synchronization.
How Often? Once every 30 minutes, the Azure AD synchronization is triggered, unless it is still processing the last run. Runs generally take less than 10 minutes, but if we need to replace the tool, it can take 2-3 days to get into synchronicity.
What gets synced in Azure AD Connect? ›
Azure AD Connect is used to synchronize user accounts, group memberships, and credential hashes from an on-premises AD DS environment to Azure AD. Attributes of user accounts such as the UPN and on-premises security identifier (SID) are synchronized.What happens when authentication fails? ›
If you receive this error message, that means that the username and/or password that you have entered is incorrect.How do I ensure user authentication? ›
In authentication, the user or computer has to prove its identity to the server or client. Usually, authentication by a server entails the use of a user name and password. Other ways to authenticate can be through cards, retina scans, voice recognition, and fingerprints.Which of the following authentication method validates the password on Azure AD? ›
Azure AD Multi-Factor Authentication (MFA) adds additional security over only using a password when a user signs in.Which three authentication methods can Azure AD users use? ›
- Microsoft Authenticator.
- Authenticator Lite (in Outlook)
- Windows Hello for Business.
- FIDO2 security key.
- OATH hardware token (preview)
- OATH software token.
- Voice call.
What is Microsoft Entra? Microsoft Entra a family of products that encompasses all identity and access capabilities. Within the Entra family are products such as Microsoft Azure Active Directory (Azure AD), Microsoft Entra Verified ID, and Microsoft Entra Permissions Management.How do I change authentication methods in Azure AD? ›
Browse to Azure Active Directory > Users > All users. Choose the user for whom you wish to add an authentication method and select Authentication methods. At the top of the window, select + Add authentication method. Select a method (phone number or email).What is the default authentication method in Azure AD? ›
Delete a Microsoft Authenticator authentication method. A password is currently the default primary authentication method in Azure AD.What protocol is used to authenticate towards Azure AD? ›
Azure Active Directory B2C (Azure AD B2C) provides identity as a service for your apps by supporting two industry standard protocols: OpenID Connect and OAuth 2.0.What does Microsoft Active Directory use for authentication? ›
How Does Authentication Work in Active Directory? Active Directory authentication is a process that supports two standards: Kerberos and Lightweight Directory Access Protocol (LDAP).
What is the difference between Delta Sync and full sync in Azure AD Connect? ›
Azure Active Directory Sync. There are two types of sync in Azure Active Directory Connect: delta sync and full sync. A delta syncs synchronizes only the latest changes while a full sync is only necessary when changing Azure AD Connect configuration.What is the difference between initial sync and Delta Sync? ›
Delta sync is faster than the initial sync, but it checks the whole data of the protected disk. Time may vary depending on the size of the protected volume and sites bandwidth.How do I manually sync Active Directory? ›
To synchronize your users, groups, and contacts from the local Active Directory into Azure Active Directory, install Azure Active Directory Connect and set up directory synchronization. In the admin center, select Setup in the left nav. Under Sign-in and security, select Add or sync users to your Microsoft account.Is Azure AD Connect bidirectional? ›
In a one-way configuration changes to an object on-premise updates the corresponding object in Azure AD. Two-way or bidirectional synchronization configurations allow for object changes to be made either on-premise or within Azure AD/Microsoft 365 and update the corresponding object on the opposite end.How to restart the Azure AD Connect synchronization service? ›
Go to Windows Service Control Manager (START → Services). Select Microsoft Azure AD Sync and click Restart.How do I force Office 365 to sync with Active Directory? ›
Force AD Sync Using AD Users & Computers
After making the changes to your user account that you want to replicate, select the check box in the bottom left corner of the Office 365 tab: Clicking Apply or OK will force an AD sync immediately.
- Log in to the ADSelfService Plus user portal.
- Go to Application.
- Click on the enterprise application with which they want to link their AD account.
- Provide their credentials for that user account.
- Provide the username and password of their account in Domain B to link both accounts.
The password hash synchronization process runs every 2 minutes. You cannot modify the frequency of this process. When you synchronize a password, it overwrites the existing cloud password.Does Azure AD Connect sync passwords? ›
Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect synchronizes a hash of a user's password from an on-premises Active Directory instance to a cloud-based Azure AD instance.How do I test Azure connectivity? ›
- Sign in to the Azure portal.
- In the search box at the top of the portal, enter network watcher. Select Network Watcher in the search results.
- Under Network diagnostic tools, select Connection troubleshoot. ...
- Select Test connection.
How do I check my Azure AD Connect health? ›
- In the Azure portal, search for and select Azure AD Domain Services.
- Select your managed domain, such as aaddscontoso.com.
- On the left-hand side of the Azure AD DS resource window, select Health.
- Type “cmd” to bring up the Command Prompt.
- Open the Command Prompt.
- Type “ping” in the black box and hit the space bar.
- Type the IP address you'd like to ping (e.g., 192.XXX.X.X).
- Review the ping results displayed.
- Open a command prompt.
- Type in "telnet <IP ADDRESS OF SERVER PC> <PORT>" and press enter.
- For example, you would type “telnet 220.127.116.11 1521”
- If a blank screen appears then the port is open, and the test is successful.
- If you receive a connecting...
Select the Start button, then type settings. Select Settings > Network & internet. The status of your network connection will appear at the top.What is the service name for Azure AD Connect? ›
The Microsoft Azure AD Sync synchronization service (ADSync) runs on a server in your on-premises environment. The credentials for the service are set by default in the Express installations but may be customized to meet your organizational security requirements.What is Microsoft Azure Active Directory Connect? ›
Azure Active Directory (Azure AD) Connect Health provides robust monitoring of your on-premises identity infrastructure. It enables you to maintain a reliable connection to Microsoft 365 and Microsoft Online Services. This reliability is achieved by providing monitoring capabilities for your key identity components.What port does Azure AD Connect Health require? ›
The latest Azure AD Connect Health agent versions only require port 443.