
Password sync: Troubleshoot Azure Active Directory Pass-through Authentication

To enable the Azure AD Connect Pass-through Authentication feature, the Authentication Agent must be installed. Below are some of the errors that can arise while installing the Authentication Agent and enabling Pass-through Authentication:

Authentication Agent installation issues

  1. Installation of the Authentication Agent fails
    Collect agent logs from the server and contact Microsoft Support about the issue.

Authentication Agent registration issues

  1. Authentication Agent registration fails due to blocked ports
    Ensure that the server on which the Authentication Agent is installed can communicate with the Microsoft service URLs and ports listed here.
  2. Authentication Agent registration fails due to token or account authorization errors
    Make sure that a cloud-only Global Administrator account is used to enable the feature.
  3. An unexpected error occurred
    Collect agent logs from the server and contact Microsoft Support about the issue.

Authentication Agent uninstallation issues

  1. The following warning message appears when uninstalling Azure AD Connect:

    "Users will not be able to sign-in to Azure AD unless you have other Pass-through Authentication agents installed on other servers."

    This message appears if Pass-through Authentication is enabled on your tenant and you attempt to uninstall Azure AD Connect. Before uninstalling, ensure that you have implemented high availability (additional Authentication Agents on other servers) so that user sign-in is not broken.

Issues with enabling the feature

  • Unable to enable the feature because there were no Authentication Agents available

    At least one active Authentication Agent is required to enable Pass-through Authentication on your tenant. The Authentication Agent can be installed either as part of Azure AD Connect or as a standalone Authentication Agent.

  • Unable to enable the feature due to blocked ports

    Ensure that the server on which Azure AD Connect is installed can communicate with the Microsoft service URLs and ports listed here.

  • Unable to enable the feature because of token or account authorization errors

    Make sure that a cloud-only Global Administrator account is used to enable the feature.
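Both "blocked ports" items above (agent registration and enabling the feature) come down to the same check: can the server reach the Microsoft service endpoints outbound on the required ports? The following PowerShell script is an added example, not part of this page or of the Microsoft agent, that runs that check from the Azure AD Connect or Authentication Agent server. The endpoint list in `$Endpoints` is an assumption and placeholder; replace it with the URLs and ports from the Microsoft list the page links to.

```powershell
# Added example (not from the ManageEngine page or the Microsoft agent):
# tests outbound TCP reachability from this server to each endpoint/port pair
# that Pass-through Authentication registration depends on.
# $Endpoints is an ASSUMED placeholder list; fill it from the Microsoft
# documentation linked on the page.
$Endpoints = @(
    @{ Host = 'login.microsoftonline.com'; Port = 443 },
    @{ Host = 'login.windows.net';         Port = 443 },
    @{ Host = 'REPLACE-WITH-LISTED-HOST';  Port = 80  }
)

$results = foreach ($e in $Endpoints) {
    # Test-NetConnection resolves the name and attempts a TCP handshake;
    # -InformationLevel Quiet makes it return a plain $true/$false.
    $ok = Test-NetConnection -ComputerName $e.Host -Port $e.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host      = $e.Host
        Port      = $e.Port
        Reachable = [bool]$ok
    }
}

$results | Format-Table -AutoSize

# Anything unreachable is a firewall/proxy/DNS problem to fix before
# retrying agent registration or enabling the feature.
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning 'Blocked or unresolvable endpoints found; fix outbound firewall/proxy rules before registering the agent:'
    $blocked | ForEach-Object { Write-Warning ('  {0}:{1}' -f $_.Host, $_.Port) }
    exit 1
}
Write-Host 'All listed endpoints are reachable on the required ports.'
```

Run it in an elevated PowerShell session on the server itself, not from an administrator's workstation, since the agent's outbound path (and any proxy it is forced through) is what matters. A host that resolves but fails the TCP handshake usually points at an egress firewall rule; a host that does not resolve points at DNS or a missing proxy exception.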

Azure AD Connect Pass-through Authentication synchronizes on-premises AD account passwords, and any changes to them, to the corresponding accounts in Azure AD. Setting up Pass-through Authentication is a complex process, and troubleshooting it involves multiple steps and commands. ADSelfService Plus, an Active Directory self-service password management and single sign-on solution, offers a Password Synchronization feature that synchronizes passwords between AD and Azure AD with minimal steps. Here's how:

Prerequisites

Before you configure password synchronization for Office 365 or Azure, install the Windows Azure AD module for Windows PowerShell on the server on which ADSelfService Plus is deployed.

Important: Install the Password Sync Agent to synchronize native password changes and resets.
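The prerequisite above, together with the two "cloud-only Global Administrator" troubleshooting items earlier on the page, can be verified from one PowerShell session before you touch either product. The script below is an added example, not ADSelfService Plus or Microsoft code. It assumes that the "Windows Azure AD module for Windows PowerShell" is the MSOnline module from the PowerShell Gallery, and the `$AdminUpn` value is a placeholder for the account you intend to use.

```powershell
# Added example, not from the ManageEngine page or either vendor's tooling.
# 1) Makes sure the MSOnline module (assumed to be the "Windows Azure AD
#    module for Windows PowerShell") is installed on this server.
# 2) Checks that the intended account is cloud-only (not synced from AD)
#    and a Global Administrator, which the page's troubleshooting items require.
$AdminUpn = 'admin@contoso.onmicrosoft.com'   # PLACEHOLDER: replace with your account

# Install from the PowerShell Gallery only if the module is missing.
if (-not (Get-Module -ListAvailable -Name MSOnline)) {
    Install-Module -Name MSOnline -Scope CurrentUser -Force
}
Import-Module MSOnline

# Interactive sign-in to the tenant.
Connect-MsolService

# Cloud-only check: an account synced from on-premises AD carries an
# ImmutableId and a LastDirSyncTime; a cloud-only account has neither.
$user      = Get-MsolUser -UserPrincipalName $AdminUpn
$cloudOnly = [string]::IsNullOrEmpty($user.ImmutableId) -and ($null -eq $user.LastDirSyncTime)

# Global Administrator check: MSOnline names this role "Company Administrator".
# Only direct role membership is inspected here.
$role = Get-MsolRole -RoleName 'Company Administrator'
$isGa = [bool](Get-MsolRoleMember -RoleObjectId $role.ObjectId |
               Where-Object { $_.EmailAddress -eq $AdminUpn })

[pscustomobject]@{
    Account             = $AdminUpn
    CloudOnly           = $cloudOnly
    GlobalAdministrator = $isGa
} | Format-List

if (-not ($cloudOnly -and $isGa)) {
    Write-Warning 'Use a cloud-only Global Administrator account when enabling Pass-through Authentication.'
}
```

A synced account fails the first check even if it holds the Global Administrator role, which is exactly the token/account authorization failure the troubleshooting items describe. MSOnline is a legacy module; if your tenant has moved to Microsoft Graph PowerShell, the same two facts (directory-sync attributes and role membership) are available there, but the cmdlet names differ from those used here.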

  • Log in to ADSelfService Plus admin console with admin credentials.
  • Navigate to Application > Add New Application.
  • Select the Office 365 / Azure accounts application.
  • Enter the Application Name and Description.
  • Enter the Domain name of your Office 365 / Azure account.
  • In the Assign Policies field, select the policies for which password sync needs to be enabled.

Note: ADSelfService Plus allows you to create OU and group-based policies for your AD domains. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy. Only user accounts that come under these policies can have their passwords synchronized with Azure AD.

  1. Select Enable Password Sync.
  2. Enter the Username and Password of the Office 365 / Azure account.
  3. Click Add Application.

Benefits of password synchronization using ADSelfService Plus:

  • Password synchronization with major enterprise applications, including Azure AD/Office 365, AD LDS, and Salesforce.
  • Synchronize custom password policies created using the Password Policy Enforcer feature.
  • Synchronize native password resets made in the Active Directory Users and Computers console and password changes made in the Ctrl+Alt+Del screen.
  • Enable password synchronization for users belonging to specific OUs and groups.

Simplify password management with ADSelfService Plus.

Self-service password management and single sign-on solution

ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps. Ensure endpoint security with stringent authentication controls including biometrics and advanced password policy controls.