Tell us about your PDF experience.

Microsoft Entra ID troubleshooting

documentation
Welcome to Microsoft Entra ID troubleshooting. These articles explain how to
determine, diagnose, and fix issues that you might encounter when you use Microsoft
Entra ID. In the navigation pane on the left, browse through the article list or use the
search box to find issues and solutions.

Sign-in and Multi-factor authentication

ｃ HOW-TO GUIDE

Authorization_RequestDenied error when changing password

Can't authenticate using ADAL

Code 403 Forbidden error when using SSO

Microsoft Entra Hybrid Sync Agent Installation Issues

ｃ HOW-TO GUIDE

No privileges to install MSI

Cannot start service AADConnectProvisioningAgent

The gMSA is set to log on as Service

There is no such object on the server

Unable to create gMSA because KDS may not be running on domain controller

Password writeback issues

ｃ HOW-TO GUIDE

General troubleshooting steps

Access rights and permissions

Error code 8023062C - insecure password reset or change

Error code SSPR_009 - synced Microsoft Entra admin can't do cloud reset
Error code SSPR_0029 - on-premises configuration not set up

Admin password reset on Microsoft 365 admin center

Initial sign-in delays after forced password change

On-premises policy disallows password reset

Sign-in to SAML-based SSO apps

ｃ HOW-TO GUIDE

Error AADSTS50003 - certificate or key not configured

Error AADSTS50011 - reply URL mismatch

Error AADSTS50020 - guest sign-in to resource tenant fails

Error AADSTS50105 - user not assigned a role

Error AADSTS650056 - misconfigured app

Error AADSTS70001 - app not found in directory

Error AADSTS75011 - authentication method mismatch

Error AADSTS75005 - not a valid saml request

Error AADSTS750054 - SAML request or response not present

Error (The maximum number of devices
that can be joined to the workplace by
the user has been reached) during a
Workplace Join
Article • 10/28/2024

This article describes a problem in which a "The maximum number of devices that can
be joined to the workplace by the user has been reached" error occurs when you try to
perform a Workplace Join operation.

Original product version: Windows Server 2012 R2 Datacenter, Windows Server 2012 R2
Standard, Windows 8.1 Enterprise, Microsoft Entra ID
Original KB number: 3045379

Symptoms
When a user tries to perform a Workplace Join operation on a WIndows device, they
receive the following message:

Confirm you are using the current sign-in info, and that your workplace uses this
feature. Also, the connection to your workplace might not be working right now.
Please wait and try again.

Additionally, an administrator may see the following Event details in Event Viewer.

Event ID:200
Log Name: Microsoft-Windows-Workplace Join/Admin Source: Microsoft-Windows-
Workplace Join Level: Error Description: The maximum number of devices that can
be joined to the workplace by the user has been reached.
Registration Service URI:
https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWeb
Service.svc

Cause
This problem occurs because the user has joined the maximum number of devices and
has fulfilled the designated quota.
Resolution
To resolve this problem, check the quota configuration. Then, check the number of
devices that the user has previously registered. If the quota is reached, follow these
steps, depending on the applicable scenario.

If the user is trying to perform Workplace Join to Microsoft Entra ID

1. Delete devices for the user.

a. Sign in to Azure portal or start the Microsoft Entra ID console from the
Microsoft 365 admin center as Company Administrator.
b. Move to the directory that the user is trying the join.
c. Locate Users, and then locate the user who cannot perform the Workplace
Join operation.
d. Locate Devices.
e. Review the list to determine which devices can be deleted. Then, click
Delete Device.
2. Increase the Registered Device Quota.
a. Sign in to the Azure portal or start the Microsoft Entra ID console from the
Microsoft 365 admin center as Company Administrator.
b. Move to the directory that the user is trying the join.
c. Locate Devices, and then locate Device Settings.
d. Change the Maximum Number of devices per user setting to a larger
value.

If the user is trying to perform Workplace Join to your local Active Directory site

1. Delete devices for the user.

Use Windows PowerShell scripts to identify devices and to delete devices
that are associated with a user.
2. Increase the Registered Device Quota value.

a. Sign in to your AD FS server.

b. Run Windows PowerShell as an elevated administrator.

c. Run the following command to increase the quota:

PowerShell

Set-ADFSDeviceRegistration -DevicesPerUser [0 - 1000]

 For example, run the following command to set the number of devices for
the user to 10:

PowerShell

Set-ADFSDeviceRegistration -DevicesPerUser 10

You can also verify that the user has reached the device capacity by reviewing the DRS
Event logs.

1. Open Event Viewer on the DRS server.

2. Browse to the location: Applications and Services Logs\Device Registration

Service\DRS\Admin

3. Look for Event ID 125. It should resemble the following:

User 'user@domain.com : GUID' is not eligible to enroll a device of type

'device_type' Reason 'DeviceCapReached'.

More information
For more troubleshooting information, see Diagnostic logging for troubleshooting
Workplace Join issues .

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Microsoft Graph PowerShell overview
Article • 01/13/2025

The Microsoft Graph PowerShell SDK acts as an API wrapper for the Microsoft Graph APIs,
exposing the entire API set for use in PowerShell. It contains a set of cmdlets that help you
manage identities at scale from automating tasks to managing users in bulk using Microsoft
Entra ID. It will help administer every Microsoft Entra feature that has an API in Microsoft
Graph.

The commands in Microsoft Graph PowerShell are autogenerated from the Microsoft Graph
API schema making it easier to get faster updates and functionality. The cmdlet reference
content is also autogenerated from the API reference.

Microsoft Graph PowerShell is the replacement for the Azure AD PowerShell and MSOnline
modules and is recommended for interacting with Microsoft Entra ID.

Microsoft Graph PowerShell features & benefits

The Microsoft Graph PowerShell SDK provides the following benefits:

Access to all Microsoft Graph APIs: Microsoft Graph PowerShell is based on Microsoft
Graph API. In addition to Microsoft Entra ID, the Microsoft Graph API includes APIs from
other Microsoft services like SharePoint, Exchange, and Outlook, all accessed through a
single endpoint with a single access token.
Supports PowerShell 7: Microsoft Graph PowerShell works with PowerShell 7 and later.
It's also compatible with Windows PowerShell 5.1.
Cross-platform support: Microsoft Graph PowerShell works on all platforms including
Windows, macOS, and Linux.
Supports modern authentication: Microsoft Graph PowerShell supports the Microsoft
Authentication Library (MSAL) which offers more security. For example, you can use
passwordless sign-in experiences.
Supports external identities: Users from other Microsoft Entra tenants can authenticate
to services in your tenant with Microsoft Graph PowerShell.
Uses least privilege: Microsoft Graph PowerShell permissions aren't pre-authorized and
users must perform one-time request for app permissions depending on their needs.
Advanced queries: Microsoft Graph PowerShell supports rich, advanced queries via
eventual consistency. For example, you can get a near-instant count of all users using
advanced queries.
Open source: Feature teams and the community can create great PowerShell experiences
and share them with everyone.
 Receives regular updates: Microsoft Graph PowerShell commands are updated regularly
to support the latest Graph API updates.

Upgrade your environment to use the Microsoft

Graph PowerShell SDK
To understand how to migrate from Azure AD PowerShell to Microsoft Graph PowerShell,
follow the migration guide.

Install the Microsoft Graph PowerShell SDK

The Microsoft Graph PowerShell SDK is published on the PowerShell Gallery . Follow the
installation instructions to install the Microsoft Graph PowerShell SDK.

Get started
To perform basic tasks, use the Get-started guide.

Next steps
If you don't have an Azure account, create a free account .
If you already have access to a Microsoft Entra tenant, Install the SDK.
Troubleshoot data freshness alerts in
Microsoft Entra Connect Health
Article • 10/28/2024

This article offers common diagnostic fixes for the data freshness alert "Health service
data is not up to date", which is generated when the Microsoft Entra Connect Health
Service hasn't received data in the last two hours. The alert occurs in the Health Service
for the following services:

Azure AD Sync service

Microsoft Entra Domain Services
Active Directory Federation Services (AD FS)

Prerequisites
Microsoft Entra Connect .
The Microsoft Entra Connect Health agent for AD DS .
The Microsoft Entra Connect Health agent for Active Directory Federation
Services .
The PsExec tool.

Symptoms
To view the data freshness alert, take the following steps:

1. In the Azure portal , search for and select Microsoft Entra Connect Health.

2. In the Microsoft Entra Connect Health | Quick start menu pane, select AD DS
Services.

3. Select your domain name, and then select Alerts.

4. In the Active Directory Domain Services Alerts pane, select Health service data is
not up to date.

5. In the Health service data is not up to date pane, select the Server Name. The lists
of properties for Alert Details and Data Type Details appear.

Common diagnostic steps

Before you continue, see Health service data is not up to date alert.

HTTP proxy troubleshooting steps

If you use an HTTP proxy, follow these steps:

1. If Secure Sockets Layer (SSL) inspection is turned on, make sure that you've added
the policy key service endpoint ( policykeyservice.dc.ad.msft.net ) to the allow list.

2. Use a PowerShell cmdlet to find connectivity issues. You can run the Test-
AzureADConnectHealthConnectivity cmdlet successfully as a regular user.
However, if all data types are missing, the proxy setting might be correct for the
user but not for Local System (the context that the service runs under). In that
case, run the appropriate Test-AzureADConnectHealthConnectivityAsSystem cmdlet
instead:

Sync

PowerShell

Test-AzureADConnectHealthConnectivityAsSystem -Role Sync

3. To check whether the proxy settings are correct for Local System:

a. Enter the following PsExec command to view the Windows settings remotely:

Console

PsExec.exe -i -s "start ms-settings:"

b. Select Network & internet > Proxy, and then select Edit under the Manual
proxy setup heading.

c. In the Edit proxy server dialog box, update the proxy server settings to match
the current setup.

d. Restart the services.

Performance counter troubleshooting steps

Run the following PowerShell commands to check for the existence of certain
performance counter categories.

Sync

PowerShell

[System.Diagnostics.PerformanceCounterCategory]::Exists("Processor")
[System.Diagnostics.PerformanceCounterCategory]::Exists("TCPv4")
[System.Diagnostics.PerformanceCounterCategory]::Exists("Memory")
[System.Diagnostics.PerformanceCounterCategory]::Exists("Process")

If any of these commands return False, run the following script to get more information
about the performance counters:

Sync

PowerShell

$perfCounters = @(
"\Processor(_Total)\% Processor Time",
"\Memory\Available MBytes",
"\TCPv4\Connections Established",
"\Process(Microsoft.Identity.AadConnect.Health.AadSync.Host)\Private
Bytes",

"\Process(Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup)\Pri
vate Bytes"
)
foreach($counter in $perfCounters)
{
try
{
$counterResult = Get-Counter -Counter $counter -MaxSamples 1 -
ErrorAction SilentlyContinue
if($counterResult -eq $null)
{
Write-Host $counter " -> does not exist" -ForegroundColor
Red
if($counter -eq
"\Process(Microsoft.Identity.AadConnect.Health.AadSync.Host)\Private
Bytes")
{
Write-Host " Please make sure Azure AD Connect
Health Sync Insights Service is running." -ForegroundColor Magenta
}
elseif($counter -eq
"\Process(Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup)\Pri
vate Bytes")
 {
Write-Host " Please make sure Azure AD Connect
Health Sync Monitoring Service is running." -ForegroundColor Magenta
}
}
else
{
Write-Host $counter " -> exists " -ForegroundColor Green
}
}
catch {}
}

Data type troubleshooting steps

This section includes troubleshooting steps for fixing data type issues.

Sync

ﾉ Expand table

Data type Troubleshooting steps

PerfCounter Make sure that the performance counters

exist.
Make sure that the Microsoft Entra Connect
Health Sync Monitoring Service is running.

AadSyncService‑Connectors Make sure that the Microsoft Entra Connect Health

AadSyncService‑GlobalConfigurations Sync Insights Service is running.
AadSyncService‑RunProfileResults
AadSyncService‑ServiceConfigurations
AadSyncService‑ServiceStatus
AadSyncService‑SynchronizationRules

Collect logs for the Monitoring Agent and

Insights Agent
If the dashboard isn't helping, collect the agent logs. The relevant service can be run in
the console to get more information.
Begin by entering the following PsExec command to run the command prompt
remotely:

Console

PsExec.exe -i -s cmd

Then, collect the agent logs for the Monitoring and Insights services of Sync, AD DS, or
AD FS, as described in the next section.

７ Note

AD FS also has a Diagnostics service. Instructions for collecting the corresponding

Diagnostic Agent logs are shown after the log collection sections for Monitoring
and Insights.

Collect Monitoring Agent logs

To collect Monitoring Agent logs, follow these steps:

1. At the remote command prompt, enter services.msc to open the Services snap-in.

2. Stop the Monitoring Service for the appropriate service type.

For example, for AD FS, select Microsoft Entra Connect Health AD FS Monitoring
Service from the list of services, then select the Stop Service icon.

3. Change the current directory to the appropriate directory according to the service
type. Then, open the configuration file of the Monitoring Agent service executable
in a text editor (such as Notepad) for editing. The path name and executable file
name for each service type is shown in the following table. The configuration file
name simply appends the .config file name extension to the end of the
executable file name.

ﾉ Expand table

Service Path Executable

type

Sync C:\Program Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe

Files\Microsoft
Azure AD
Connect Health
 Service Path Executable
type

Sync
Agent\Monitor

AD DS C:\Program Microsoft.Identity.Health.Adds.MonitoringAgent.Startup.exe
Files\Azure AD
Connect Health
Adds
Agent\Monitor

AD FS C:\Program Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe
Files\Azure AD
Connect Health
Adfs
Agent\Monitor

For example, for AD FS, enter the following commands:

Console

cd "C:\Program Files\Azure Ad Connect Health Adfs Agent\Monitor"

notepad
"Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe.config"

4. In the text editor, insert the following line to set the ConsoleDebug key to true :

XML

<add key="ConsoleDebug" value="true" />

5. Save and close the configuration file.

6. Run the Monitoring Agent service, and direct its output to a log file (monitor.log).

For example, for AD FS, enter the following command:

Console

Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe >
monitor.log

7. Let the Monitoring Agent service run for 15 minutes. Then, press Ctrl+C to stop the
service, and inspect the monitor.log file.
Collect Insights Agent logs
To collect Insights Agent logs, follow these steps:

1. At the remote command prompt, enter services.msc to open the Services snap-in.

2. Stop the Insights service for the appropriate service type.

For example, for AD FS, select Microsoft Entra Connect Health AD FS Insights
Service from the list of services, then select the Stop Service icon.

3. Change the current directory to the appropriate directory according to the service
type. Then, run the Insights Agent service executable by using the /console
parameter and direct its output to a log file (insights.log). The path name and
executable file name for each service type is shown in the following table.

ﾉ Expand table

Service Path Executable

type

Sync C:\Program Microsoft.Identity.AadConnect.Health.AadSync.Host.exe

Files\Microsoft Azure AD
Connect Health Sync
Agent\Insights

AD DS C:\Program Files\Azure Microsoft.Identity.Health.Adds.InsightsService.exe

AD Connect Health Adds
Agent\Insights

AD FS C:\Program Files\Azure Microsoft.Identity.Health.Adfs.InsightsService.exe

AD Connect Health Adfs
Agent\Insights

For example, for AD FS, enter the following commands:

Console

cd "C:\Program Files\Azure Ad Connect Health Adfs Agent\Insights"

Microsoft.Identity.Health.Adfs.InsightsService.exe /console >
insights.log

4. Let the Insights Agent service run for 15 minutes. Then press Ctrl+C to stop the
service, and inspect the insights.log file.
Collect logs for the Diagnostics Agent (for AD
FS only)
To collect Diagnostics Agent logs for AD FS, follow these steps:

1. In the remote command prompt, enter services.msc to open the Services snap-in.

2. Stop the Diagnostics service for the appropriate service type.

For example, for AD FS, select Microsoft Entra Connect Health AD FS Diagnostics
Service from the list of services, then select the Stop Service icon.

3. Change the current directory to the diagnostics directory for AD FS. Then, run the
Diagnostics Agent service executable by using the -Debug parameter, and direct its
output to a log file (diagnostics.log).

Console

cd "C:\Program Files\Azure Ad Connect Health Adfs Agent\Diagnostics"

Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe -Debug >
diagnostics.log

4. Press Enter.

5. Let the Diagnostics Agent service run for 15 minutes. Then, press Ctrl+C to stop
the service, and copy the console output into diagnostics.log.

6. Search for Error in the logs, and check whether any error entry indicates a specific
problem (such as connectivity or proxy configuration).

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you try to register a device:
Can't connect to the service
Article • 10/28/2024

Original product version: Windows 8.1 Enterprise, Windows Server 2012 R2 Standard,
Windows Server 2012 R2 Datacenter, Microsoft Entra ID
Original KB number: 3045378

Symptoms
When you try to perform a Workplace Join operation and register your device to your
local Active Directory domain from a Windows 8.1 device, you receive the following
error message:

Can't connect to the service

We can't connect to the service you need right now. Check your network connection
or try this again later.

Cause
This problem may occur for one of the following reasons:

Although the Active Directory Federation Services (AD FS) proxy server can resolve
the name of the federation server, the name resolves to an incorrect host.
The AD FS service is not running on the AD FS proxy server.
The WAP role is not installed.
The WAP role is installed but is not configured.

Resolution
To resolve this problem, follow these steps:

1. Sign in to your AD FS proxy server:

a. Run the Services Management Console (services.msc).
b. Locate the AD FS service.
c. Verify that the service is in a Started state.

2. Verify name resolution of the Internal AD FS instance:

a. From the AD FS proxy server, open a command prompt.
 b. Type PING adfsserver.contoso.com , and then press Enter.

７ Note

The adfsserver.contoso.com placeholder represents the address of your AD

FS server, such as sts.contoso.com .

3. Don't worry about whether the PING is successful or unsuccessful. Instead, notice
whether the target address resolves to the IP address of the server.

4. If the address is incorrect, correct the resolution conflicts:

Check the Hosts file on the AD FS proxy server to see whether the correct
entry is included and whether it targets your AD FS instance.
If you do not use a Hosts file, check internal DNS by using the Nslookup
command to verify DNS records.

More information
For more troubleshooting information, see the following article:

Diagnostic logging for troubleshooting Workplace Join issues

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Understand AD FS sign-in events in
Microsoft Entra ID with Connect Health
Article • 10/28/2024

With Microsoft Entra Connect Health, you can integrate Active Directory Federation
Services (AD FS) sign-in events into the Microsoft Entra sign-ins report. The Microsoft
Entra sign-ins report includes information about when the following types of entities
sign in to Microsoft Entra ID and access resources:

Users
Applications
Managed resources

This article shows how to use the Connect Health for AD FS agent, Azure Monitor, and
Log Analytics to correlate and analyze AD FS sign-in data.

Prerequisites
Microsoft Entra Connect Health for AD FS installed and upgraded to latest version
(3.1.95.0 or greater).
The Global Administrator or Reports Reader role to view the Microsoft Entra sign-
ins.
At least one Microsoft Entra ID P1 or P2 license for the first Connect Health agent.
25 extra Microsoft Entra ID P1 or P2 licenses for each extra registered agent.
An equal agent count to the total number of agents that are registered across all
monitored roles (AD FS, Microsoft Entra Connect, and Active Directory Domain
Services).
The requisite number of valid Microsoft Entra Connect Health licenses. (You aren't
required to assign the license to specific users.)

Sign-in data reporting

The Connect Health for AD FS agent correlates many event IDs from AD FS to offer
information about the sign-in request and error details if a request fails. The request
information is correlated to the Microsoft Entra sign-ins report schema. The information
can be displayed in the Microsoft Entra sign-in report user interface. Along with the
report, a new Azure Monitor workbook template and a new Azure Log Analytics stream
are available with the AD FS data. You can use and modify the workbook template for an
in-depth analysis for scenarios, such as:
 AD FS account lockouts.
Bad password attempts.
Spikes of unexpected sign-in attempts.

The available data mirrors the same data that's available for Microsoft Entra sign-ins.
Five tabs with information are available, based on the sign-in type:

Microsoft Entra ID
AD FS

Connect Health correlates events from AD FS, dependent on the server version. It then
matches the events with the AD FS schema. For more information, see What data is
displayed in the report?

Configuration
Basic configuration is automatic. Data is fed into the report after the feature goes live
and prerequisites are met.

You can enable Log Analytics for AD FS sign-ins and use it with any other Log Analytics-
integrated components, such as Microsoft Sentinel. For more information, see Enabling
Log Analytics and Azure Monitor.

Basic troubleshooting
For current known issues and limitations, see Frequently asked questions.

Kusto logging
To collect the sign-in events from AD FS sign-ins, run the following Kusto query in Log
Analytics.

Kusto

unioncluster('Idsharedweu').database('ADFSConnectHealth').SignInEvent,
cluster('Idsharedwus').database('ADFSConnectHealth').SignInEvent
| where env_time > ago(2d)
| where tenantId == "00000000-0000-0000-0000-000000000000"
| take 15

Next steps
Read more about AD FS sign-ins in Microsoft Entra ID with Connect Health.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Understand Microsoft Entra Connect
1.4.xx.x and device disappearance
Article • 10/28/2024

With the implementation of version 1.4.xx.x of Microsoft Entra Connect, customers may
see some or all of their Windows devices disappear from Microsoft Entra ID. This isn't a
cause for concern, as these device identities aren't used by Microsoft Entra ID during
Conditional Access authorization. This change won't delete any Windows devices that
were correctly registered with Microsoft Entra ID for Microsoft Entra hybrid join.

If you see the deletion of device objects in Microsoft Entra ID exceeding the Export
Deletion Threshold, allow the deletions to go through. How To: allow deletes to flow
when they exceed the deletion threshold

Background
Windows devices registered as Microsoft Entra hybrid joined are represented in
Microsoft Entra ID as device objects, and they can be used for Conditional Access.
Windows 10 devices are synchronized to the cloud via Microsoft Entra Connect, while
down level Windows devices are registered directly using either Active Directory
Federation Services (AD FS) or seamless single sign-on.

Windows 10 devices
Only Windows 10 devices with a specific userCertificate attribute value that's configured
by Microsoft Entra hybrid join should be synchronized to the cloud by Microsoft Entra
Connect. In previous versions of Microsoft Entra Connect, this requirement was not
rigorously enforced, and unnecessary device objects were added to Microsoft Entra ID.
Such devices in Microsoft Entra ID always stayed in the "pending" state, as these devices
were not intended to be registered with Microsoft Entra ID.

This version of Microsoft Entra Connect will only synchronize Windows 10 devices that
are correctly configured to be Microsoft Entra hybrid joined. Windows 10 device objects
without the Microsoft Entra join specific userCertificate will be removed from Microsoft
Entra ID.

Down-Level Windows devices

Microsoft Entra Connect should never synchronize down-level Windows devices. Any
devices in Microsoft Entra ID previously synchronized incorrectly will be deleted from
Microsoft Entra ID. If Microsoft Entra Connect attempts to delete down-level Windows
devices, then the device isn't the one that was created by the Microsoft Workplace Join
for non-Windows 10 computers MSI , and it can't be consumed by any other Microsoft
Entra feature.

Some customers might need to revisit How To: Plan your Microsoft Entra hybrid join
implementation to register their Windows devices correctly and ensure that those
devices can participate in device-based Conditional Access.

How can I verify which devices are deleted with

this update?
To verify which devices are deleted, use the PowerShell script in PowerShell certificate
report script.

This script generates a report about certificates stored in Active Directory Computer
objects, and specifically certificates issued by the Microsoft Entra hybrid join feature.

The script also checks the certificates present in the UserCertificate property of a
Computer object in AD. For each non-expired certificate present, the script validates
whether or not the certificate was issued for the Microsoft Entra hybrid join feature; for
example, Subject Name matches CN={ObjectGUID} .

Before this update, Microsoft Entra Connect would synchronize to Microsoft Entra any
Computer that contained at least one valid certificate. Beginning with Microsoft Entra
Connect version 1.4, the synchronization engine identifies Microsoft Entra hybrid join
certificates, and will use the cloudfilter filter to prevent the computer object from
synchronizing to Microsoft Entra ID unless there's a valid Microsoft Entra hybrid join
certificate.

Microsoft Entra devices that were previously synchronized to AD, but don't have a valid
Microsoft Entra hybrid join certificate, will be deleted by the synchronization engine
using the filter CloudFiltered=TRUE .

PowerShell certificate report script

PowerShell

<#
Filename: Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1.

DISCLAIMER:
Copyright (c) Microsoft Corporation. All rights reserved. This script is
made available to you without any express, implied or statutory warranty,
not even the implied warranty of merchantability or fitness for a
particular purpose, or the warranty of title or non-infringement. The entire
risk of the use or the results from the use of this script remains with you.
.Synopsis
This script generates a report about certificates stored in Active Directory
Computer objects, specifically,
certificates issued by the Microsoft Entra hybrid join feature.
.DESCRIPTION
It checks the certificates present in the UserCertificate property of a
Computer object in AD and, for each
non-expired certificate present, validates if the certificate was issued for
the Microsoft Entra hybrid join feature
(i.e. Subject Name matches CN={ObjectGUID}).
Before, Microsoft Entra Connect would synchronize to Microsoft Entra ID any
Computer that contained at least one valid
certificate but starting on Microsoft Entra Connect version 1.4, the sync
engine can identify Hybrid
Microsoft Entra join certificates and will 'cloudfilter' the computer object
from synchronizing to Microsoft Entra ID unless
there's a valid Microsoft Entra hybrid join certificate.
Microsoft Entra Device objects that were already synchronized to AD but do
not have a valid Microsoft Entra hybrid join
certificate will be deleted (CloudFiltered=TRUE) by the sync engine.
.EXAMPLE
.\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -DN
'CN=Computer1,OU=SYNC,DC=Fabrikam,DC=com'
.EXAMPLE
.\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -OU
'OU=SYNC,DC=Fabrikam,DC=com' -Filename "MyHybridAzureADjoinReport.csv" -
Verbose

#>
[CmdletBinding()]
Param
(
# Computer DistinguishedName
[Parameter(ParameterSetName='SingleObject',
Mandatory=$true,
ValueFromPipelineByPropertyName=$true,
Position=0)]
[String]
$DN,

# AD OrganizationalUnit
[Parameter(ParameterSetName='MultipleObjects',
Mandatory=$true,
ValueFromPipelineByPropertyName=$true,
Position=0)]
[String]
$OU,
 # Output CSV filename (optional)
[Parameter(Mandatory=$false,
ValueFromPipelineByPropertyName=$false,
Position=1)]
[String]
$Filename

# Generate Output filename if not provided

If ($Filename -eq "")
{
$Filename = [string] "$([string] $(Get-Date -Format
yyyyMMddHHmmss))_ADSyncAADHybridJoinCertificateReport.csv"
}
Write-Verbose "Output filename: '$Filename'"

# Read AD object(s)
If ($PSCmdlet.ParameterSetName -eq 'SingleObject')
{
$directoryObjs = @(Get-ADObject $DN -Properties UserCertificate)
Write-Verbose "Starting report for a single object '$DN'"
}
Else
{
$directoryObjs = Get-ADObject -Filter { ObjectClass -like 'computer'
} -SearchBase $OU -Properties UserCertificate
Write-Verbose "Starting report for $($directoryObjs.Count) computer
objects in OU '$OU'"
}

Write-Host "Processing $($directoryObjs.Count) directory object(s).

Please wait..."
# Check Certificates on each AD Object
$results = @()
ForEach ($obj in $directoryObjs)
{
# Read UserCertificate multi-value property
$objDN = [string] $obj.DistinguishedName
$objectGuid = [string] ($obj.ObjectGUID).Guid
$userCertificateList = @($obj.UserCertificate)
$validEntries = @()
$totalEntriesCount = $userCertificateList.Count
Write-verbose "'$objDN' ObjectGUID: $objectGuid"
Write-verbose "'$objDN' has $totalEntriesCount entries in
UserCertificate property."
If ($totalEntriesCount -eq 0)
{
Write-verbose "'$objDN' has no Certificates - Skipped."
Continue
}

# Check each UserCertificate entry and build array of valid certs

ForEach($entry in $userCertificateList)
 {
Try
{
$cert =
[System.Security.Cryptography.X509Certificates.X509Certificate2] $entry
}
Catch
{
Write-verbose "'$objDN' has an invalid Certificate!"
Continue
}
Write-verbose "'$objDN' has a Certificate with Subject:
$($cert.Subject); Thumbprint:$($cert.Thumbprint)."
$validEntries += $cert

$validEntriesCount = $validEntries.Count
Write-verbose "'$objDN' has a total of $validEntriesCount
certificates (shown above)."

# Get non-expired Certs (Valid Certificates)

$validCerts = @($validEntries | Where-Object {$_.NotAfter -ge (Get-
Date)})
$validCertsCount = $validCerts.Count
Write-verbose "'$objDN' has $validCertsCount valid certificates (not-
expired)."

# Check for Microsoft Entra hybrid join Certificates

$hybridJoinCerts = @()
$hybridJoinCertsThumbprints = [string] "|"
ForEach ($cert in $validCerts)
{
$certSubjectName = $cert.Subject
If ($certSubjectName.StartsWith($("CN=$objectGuid")) -or
$certSubjectName.StartsWith($("CN={$objectGuid}")))
{
$hybridJoinCerts += $cert
$hybridJoinCertsThumbprints += [string] $($cert.Thumbprint) +
'|'
}
}

$hybridJoinCertsCount = $hybridJoinCerts.Count
if ($hybridJoinCertsCount -gt 0)
{
$cloudFiltered = 'FALSE'
Write-verbose "'$objDN' has $hybridJoinCertsCount Microsoft Entra
hybrid join Certificates with Thumbprints: $hybridJoinCertsThumbprints
(cloudFiltered=FALSE)"
}
Else
{
$cloudFiltered = 'TRUE'
Write-verbose "'$objDN' has no Microsoft Entra hybrid join
 Certificates (cloudFiltered=TRUE)."
}

# Save results
$r = "" | Select ObjectDN, ObjectGUID, TotalEntriesCount, CertsCount,
ValidCertsCount, HybridJoinCertsCount, CloudFiltered
$r.ObjectDN = $objDN
$r.ObjectGUID = $objectGuid
$r.TotalEntriesCount = $totalEntriesCount
$r.CertsCount = $validEntriesCount
$r.ValidCertsCount = $validCertsCount
$r.HybridJoinCertsCount = $hybridJoinCertsCount
$r.CloudFiltered = $cloudFiltered
$results += $r
}

# Export results to CSV

Try
{
$results | Export-Csv $Filename -NoTypeInformation -Delimiter ';'
Write-Host "Exported Hybrid Microsoft Entra Domain Join Certificate
Report to '$Filename'.`n"
}
Catch
{
Throw "There was an error saving the file '$Filename':
$($_.Exception.Message)"
}

Next Steps
Microsoft Entra Connect Version history

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Microsoft Entra Hybrid Sync Agent
Installation Issues
Article • 04/30/2025

Overview
The scenarios in this set of articles describe frequent issues when installing Microsoft Entra
Hybrid Sync Agent, and how to correct them.

This troubleshooting doc applies to configuring the agent for Microsoft Entra Connect cloud
sync or Workday automatic user provisioning.

No privileges to install MSI

Cannot start service AADConnectProvisioningAgent
The gMSA is set to log on as Service
There is no such object on the server
Unable to create gMSA because KDS may not be running on domain controller

Prerequisites
To install Cloud Provisioning Agent, the following prerequisites are required: Prerequisites for
Microsoft Entra Connect cloud sync.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Microsoft Entra Hybrid Sync Agent
Installation Issues - No privileges to
install MSI
Article • 10/28/2024

This troubleshooting guide focuses on when you don't have privileges to install MSI.
Without these privileges, you may be unable to successfully install the Microsoft Entra
Connect Provisioning Agent.

Prerequisites
To install Cloud Provisioning Agent, the following prerequisites are required:
Prerequisites for Microsoft Entra Connect cloud sync.

No privileges to install MSI

While installing Cloud Provisioning Agent, you may get the following error:

Service 'Microsoft Entra Connect Provisioning Agent'

(AADConnectProvisioningAgent) failed to start. Verify that you have sufficient
privileges to start system services.

To verify that you have sufficient privileges:

1. Make sure the user context credentials are set to either Domain Administrator or
Enterprise Administrator.

2. Open the Local Security Policy snap-in (secpol.msc). In the Security Settings pane,
select Local policies > User Rights Assignment. Then select the Log on as a
service policy.
 3. Select Action > Properties. Then in Local Security Setting, make sure the NT
SERVICE\ALL SERVICES group appears.

During package installation, the service AADConnectProvisioningAgent is created, and

logon credentials are temporarily set to NT Service\AADConnectProvisioningAgent.

If Log on as a service doesn't have ALL SERVICES listed, the installation fails to start, and
it shows the previously listed error message.
To resolve this issue, provide ALL SERVICES user rights to Log on as a service.

The wizard now completes successfully.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Microsoft Entra Hybrid Sync Agent
Installation Issues - Cannot start service
AADConnectProvisioningAgent
Article • 10/28/2024

This troubleshooting guide focuses on when you can't start the

AADConnectProvisioningAgent service. This problem may block you from installing the
Microsoft Entra Connect Provisioning Agent successfully.

Prerequisites
To install Cloud Provisioning Agent, the following prerequisites are required:
Prerequisites for Microsoft Entra Connect cloud sync.

Cannot start service

AADConnectProvisioningAgent
While installing Cloud Provisioning Agent, you may get the following error:

Service 'Microsoft Entra Connect Provisioning Agent'

(AADConnectProvisioningAgent) failed to start. Verify that you have sufficient
privileges to start system services.

Assign domain administrator credentials to the AADConnectProvisioningAgent service,

as shown in How to troubleshoot agent failed to start.

After assigning credentials to the service, you may still be unable to complete the
installation wizard, and receive the following error message:

Failed changing Windows service credentials to gMSA. Please check the logs for
more detailed information. If that doesn't help resolve this issue, please contact
support.

If you select the Confirm button again in the installation wizard, following message will
be displayed:

Unable to create gMSA because KDS may not be running on domain controller.
Please create/run KDS manually.
To resolve this issue, check the System event logs for eventID 7041. The event details
describe how to assign a Log on as a service user right at the Local Security Policy snap-
in (secpol.msc).

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Microsoft Entra Hybrid Sync Agent
Installation Issues - The gMSA is set to
log on as Service
Article • 10/28/2024

This troubleshooting guide focuses on when the gMSA is set to log on as a service. This
situation may block you from successfully installing the Microsoft Entra Connect
Provisioning Agent.

Prerequisites
To install Cloud Provisioning Agent, the following prerequisites are required:
Prerequisites for Microsoft Entra Connect cloud sync.

The gMSA is set to log on as Service

While installing Cloud Provisioning Agent, you may get the following error:

Failed changing Windows service credentials to gMSA.

To resolve this issue, check the System event logs for EventID 7038. The following error
appears:

The user name or password is incorrect.

Open the Microsoft Entra Connect Provisioning Agent properties and select the Log
On tab. You'll find the settings aren’t grayed out, as is expected for a managed account
service.
To verify whether the account is managed, open a command prompt and type the
following command:

Console

Sc.exe qmanagedaccount aadconnectprovisioningagent

The account-managed status is shown as False.

To set the status to True and resolve this issue, type the following command:

Console
 Sc.exe managedaccount aadconnectprovisioningagent true

The wizard now completes successfully.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Microsoft Entra Hybrid Sync Agent
Installation Issues - There is no such
object on the server
Article • 10/28/2024

This troubleshooting guide focuses on when an object reference isn't set to an object
instance. This situation may block you from installing the Microsoft Entra Connect
Provisioning Agent.

Prerequisites
To install Cloud Provisioning Agent, the following prerequisites are required:
Prerequisites for Microsoft Entra Connect cloud sync.

Scenario 1
When installing Cloud Provisioning Agent, you may get this error during installation
process.

Error while creating group managed service account (gMSA). Error: There is no such
object on the server.

The installation wizard's trace file isn't clear about what's missing:

Output

[15:16:14.583] [ 16] [ERROR] Exception creating gmsa. Exception:

System.DirectoryServices.DirectoryServicesCOMException (0x80072030): There
is no such object on the server.

at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_NativeObject()
at System.DirectoryServices.DirectoryEntry.InvokeGet(String propertyName)
at
Microsoft.Online.Deployment.Framework.Providers.GroupManagedServiceAccountPr
ovider.CreateGroupManagedAccount(String serviceAccountName, String
serviceDnsName, String username, String password)
[15:16:14.585] [ 16] [ERROR] Exception caught while creating gmsa.
Exception: System.DirectoryServices.DirectoryServicesCOMException
(0x80072030): There is no such object on the server.
To resolve the issue in this scenario, use the Active Directory Users and Computers snap-
in (dsa.msc). This snap-in verifies within the domain controller whether the Managed
Service Account container is present.

If the container is missing, contact the Windows Directory Services Team to restore or
create the container with the ADPrep /Domainprep command.

The following items are Active Directory Domain Service requirements:

The Active Directory schema in the gMSA domain's forest needs to be updated to
Windows Server 2012 to create a gMSA.

You can update the schema by installing a domain controller that runs Windows
Server 2012 or by running the version of adprep.exe from a computer running
Windows Server 2012. The object-version attribute value for the object
CN=Schema,CN=Configuration,DC=< name of DC >,DC=Com must be 52.

Scenario 2
In a similar scenario as above, you may get the following error:

Error when creating group managed service account (gMSA). Error: There is no such
object on the server.

The wizard trace shows the following information:

Output

[01:12:13.924] [ 9] [INFO ] IsServiceAccountGMSA:: Checking if service

account is gmsa
 [01:12:13.924] [ 9] [INFO ] Get current service credentials.
[01:12:13.938] [ 9] [INFO ] IsServiceAccountGMSA:: Service account: NT
SERVICE\AADConnectProvisioningAgent is not gmsa.
[01:12:15.414] [ 9] [INFO ] IsServiceAccountGMSA:: Checking if service
account is gmsa
[01:12:15.414] [ 9] [INFO ] Get current service credentials.
[01:12:15.418] [ 9] [INFO ] IsServiceAccountGMSA:: Service account: NT
SERVICE\AADConnectProvisioningAgent is not gmsa.
[01:12:15.468] [ 9] [ERROR] Exception creating gmsa. Exception:
System.DirectoryServices.DirectoryServicesCOMException (0x80072030): There
is no such object on the server.

at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_NativeObject()
at System.DirectoryServices.DirectoryEntry.InvokeGet(String propertyName)
at
Microsoft.Online.Deployment.Framework.Providers.GroupManagedServiceAccountPr
ovider.CreateGroupManagedAccount(String serviceAccountName, String
serviceDnsName, String username, String password)
[01:12:15.472] [ 9] [ERROR] Exception caught while creating gmsa.
Exception: System.DirectoryServices.DirectoryServicesCOMException
(0x80072030): There is no such object on the server.

Once you verify and confirm that Managed Service account container is present at the
domain, a client Lightweight Directory Access Protocol (LDAP) trace shows the following
information:

Output

9638 [2]0144.1380::04/14/21-14:17:20.2063638
[Microsoft_Windows_LDAP_Client/Debug16 ] Message=ldap_search called for
connection 0x4392e0d8: DN is
<WKGUID=1eb93889e40c45df9f0c64d23bbb6237,DC=*****,DC=com>. SearchScope is
0x0. AttributesOnly is 0x0.

9679 [1]0144.1380::04/14/21-14:17:20.2075574
[Microsoft_Windows_LDAP_Client/Debug16 ] Message=4e 61 6d 65 45 72 72 3a 20
44 53 49 44 2d 30 33 NameErr:.DSID-03
9680 [1]0144.1380::04/14/21-14:17:20.2076087
[Microsoft_Windows_LDAP_Client/Debug16 ] Message=31 30 30 32 33 38 2c 20 70
72 6f 62 6c 65 6d 20 100238,.problem.
9681 [1]0144.1380::04/14/21-14:17:20.2076151
[Microsoft_Windows_LDAP_Client/Debug16 ] Message=32 30 30 31 20 28 4e 4f 5f
4f 42 4a 45 43 54 29 2001.(NO_OBJECT)

The agent couldn't find the WellKnown globally unique identifier (GUID) for the
Managed Service Accounts (MSA) container.

This error can be verified with the following PowerShell command:

 PowerShell

$ListOWKO = Get-ADObject (Get-ADRootDSE).DefaultNamingContext -Properties

otherwellKnownObjects

$ListOWKO.otherwellKnownObjects

The output of the previous command displays the following results:

Output

B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service
Accounts\0ADEL:8b637607-65e8-4a80-b194-f738b26b9414,CN=Deleted Objects,DC=<
name of DC >,DC=com

This orphan metadata value indicates one of these scenarios:

The MSA container was previously deleted and wasn't properly restored.
The value is missing.

The default value for the OtherWellKnownObjects attribute is:

B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts,DC=<

name of DC >,DC=com

To resolve this issue, open a ticket with Windows Directory Services Team.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Microsoft Entra Hybrid Sync Agent
Installation Issues - Unable to create
gMSA because KDS may not be running
on domain controller
Article • 10/28/2024

This troubleshooting guide focuses on when you can't install the service account after
many retries. This situation blocks you from installing the Microsoft Entra Connect
Provisioning Agent.

Prerequisites
To install Cloud Provisioning Agent, the following prerequisites are required:
Prerequisites for Microsoft Entra Connect cloud sync.

Unable to create gMSA because KDS may not

be running on domain controller
While installing Cloud Provisioning Agent, you may get the following error:

Unable to create gMSA because KDS may not be running on domain controller.
Please create/run KDS manually.

To locate the 9001 and 9002 EventIDs, go to Applications and Services Logs >
Microsoft > Windows > Security - Netlogon.


Use the following command to retrieve the server settings for the supported encryption
types:

Console

C:\windows\system32>reg query
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Syste
m\Kerberos\Parameters"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
\Kerberos\Parameters
SupportedEncryptionTypes REG_DWORD 0x7ffffff8

Within the command, the DWORD 0x7ffffff8 represents AES128_HMAC_SHA1

AES256_HMAC_SHA1.

In the Active Directory Users and Computers snap-in (dsa.msc), open the
provAgentgMSA properties of the domain controller:

1. Select the Attribute Editor tab.

2. Choose the msDS-SupportedEncryptionTypes attribute, and select Edit.
Verify that there's a mismatch between the encryption types that the server offers and
that the accounts accept.

To resolve the issue, remove the RC4 from the provAgentgMSA account by running the
following command in a domain controller:

Console

Set-ADServiceAccount -Identity provAgentgMSA -KerberosEncryptionType

AES128,AES256

Next, reboot the Provisioning agent server and reinstall the agent.

For more information on this issue, see Cannot install service account. The provided
context did not match the target.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you run the IdFix tool:
IdFix.exe is not a valid Win32
application
Article • 10/28/2024

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2859165

Symptoms
When you try to run the IdFix DirSync Error Remediation Tool in your on-premises Active
Directory Domain Services (AD DS) environment, you receive the following error
message:

IdFix.exe is not a valid Win32 application

Cause
This issue occurs if you're running the IdFix tool on an operating system that's not
supported for the tool.

Resolution
Install and run the IdFix tool on a computer that's running the 64-bit version of
Windows 7 or a later version.

More information
For more information about the IdFix tool, see IdFix DirSync Error Remediation Tool
(This includes a list of system requirements.).

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

IPv6 support in Microsoft Entra ID
Article • 10/28/2024

７ Note

Was this article helpful? Your input is important to us. Please use the Feedback
button on this page to let us know how well this article worked for you or how we
can improve it.

We're excited to bring IPv6 support to Microsoft Entra ID, to support customers with
increased mobility, and help reduce spending on fast-depleting, expensive IPv4
addresses. For more information about how this change might affect Microsoft 365, see
IPv6 support in Microsoft 365 services.

If your organization's networks don't support IPv6 today, you can safely ignore this
information until such time that they do.

What's changing?
Our service endpoint URLs will now resolve to return both IPv4 and IPv6 addresses. If a
client platform or network supports IPv6, the connection will mostly be attempted using
IPv6, assuming that the network hops that are in between (such as firewalls or web
proxies) also support IPv6. For environments that don't support IPv6, client applications
will continue to connect to Microsoft Entra ID over IPv4.

The following features will also support IPv6 addresses:

Named locations
Conditional Access policies
Identity Protection
Sign-in logs

When will IPv6 be supported in Microsoft Entra

ID?
We'll begin introducing IPv6 support to Microsoft Entra ID in April 2023.

We know that IPv6 support is a significant change for some organizations. We're
publishing this information now so that customers can make plans to ensure readiness.
What does my organization have to do?
If you have public IPv6 addresses representing your network, take the actions that are
described in the following sections as soon as possible.

If customers don't update their named locations with these IPv6 addresses, their users
will be blocked.

Actions to take
Test Microsoft Entra authentication over IPv6
Find IPv6 addresses in Sign-in logs
Create or update named locations, to include identified IPv6 addresses

Named locations
Named locations are shared between many features, such as Conditional Access,
Identity Protection, and B2C. Customers should partner with their network
administrators and internet service providers (ISPs) to identify their public-facing IPv6
addresses. Customers should then use this list to create or update named locations, to
include their identified IPv6 addresses.
Conditional Access
When configuring Conditional Access policies, organizations can choose to include or
exclude locations as a condition. These named locations may include public IPv4 or IPv6
addresses, country or region, or unknown areas that don't map to specific countries or
regions.

If you add IPv6 ranges to an existing named location, used in existing Conditional
Access policies, no changes are required.
If you create new named locations for your organization's IPv6 ranges, you must
update relevant Conditional Access policies with these new locations.

Cloud proxies and VPNs

When a cloud proxy is in place, a policy that requires a Microsoft Entra hybrid joined or
complaint device can be easier to manage. Keeping a list of IP addresses used by your
cloud hosted proxy or VPN solution up to date can be nearly impossible.

Microsoft Entra per-user multifactor authentication

If you're a customer who uses per-user multifactor authentication, have you added IPv4
addresses that represent on-premises trusted networks using trusted IP addresses
instead of named locations? If you have, you might see a multifactor authentication
prompt for a request that was initiated through on-premises IPv6-enabled egress
points.

Using per-user multifactor authentication isn't recommended, unless your Microsoft

Entra ID licenses don't include Conditional Access and you don't want to use security
defaults.

Outbound traffic restrictions

If your organization restricts outbound network traffic to specific IP ranges, you'll have
to update these addresses to include IPv6 endpoints. Administrators can find these IP
ranges in the following articles:

Office 365 URLs and IP address ranges

Microsoft Entra Connect: Troubleshoot Microsoft Entra connectivity issues

For the IP ranges that are specified for Microsoft Entra ID, make sure that you allow
outbound access in your proxy or firewall.
Device configuration
By default, both IPv6 and IPv4 traffic is supported on Windows and most other
operating system (OS) platforms. Changes to the standard IPv6 configuration may result
in unintended consequences. For more information, see Guidance for configuring IPv6
in Windows for advanced users.

Service endpoints
The implementation of IPv6 support in Microsoft Entra ID won't affect Azure Virtual
Network service endpoints. Service endpoints still don't support IPv6 traffic. For more
information, see Limitations of Virtual Network service endpoints.

Test Microsoft Entra authentication over IPv6

You can test Microsoft Entra authentication over IPv6 before we enable it worldwide by
using the following procedures. These procedures help validate IPv6 range
configurations. The recommended approach is to use a Name Resolution Policy Table
(NRPT) rule pushed to your Microsoft Entra joined Windows devices. In Windows Server,
NRPT lets you implement a global or local policy that overrides DNS resolution paths.
With this feature, you can redirect DNS for various fully qualified domain names
(FQDNs) to special DNS servers that are configured to have IPv6 DNS entries for
Microsoft Entra sign-in. It's simple to enable and disable NRPT rules by using a
PowerShell script. You can use Microsoft Intune to push this feature to clients.

７ Note

Microsoft is providing these instructions for testing purposes only. You must
remove the following configurations by May 2023 to ensure that your clients
are using production DNS servers. The DNS servers in the following
procedures may be decommissioned after May 2023.

We recommend using the Resolve-DnsName cmdlet to validate NRPT rules. If

you use the nslookup command, the result may be different given the
differences that exist between these tools.

Make sure that you have open network connectivity on TCP and UDP port 53
between your client devices and the DNS servers that are used for the NRPT
rule.
Configure a client NRPT rule manually - public cloud
1. Open a PowerShell console as an administrator (right-click the PowerShell icon and
select Run As Administrator).

2. Add an NRPT rule by running the following commands:

PowerShell

$DnsServers = (
"ns1-37.azure-dns.com.",
"ns2-37.azure-dns.net.",
"ns3-37.azure-dns.org.",
"ns4-37.azure-dns.info."
)
$DnsServerIPs = $DnsServers | Foreach-Object {
(Resolve-DnsName $_).IPAddress | Select-Object -Unique
}
$params = @{
Namespace = "login.microsoftonline.com"
NameServers = $DnsServerIPs
DisplayName = "AZURE-AD-NRPT"
}
Add-DnsClientNrptRule @params

3. Verify that your client gets IPv6 responses for login.microsoftonline.com by

running the Resolve-DnsName cmdlet. The command output should resemble the
following text:

Console

PS C:\users\username> Resolve-DnsName login.microsoftonline.com

Name Type TTL Section IPAddress
---- ---- --- ------- ---------
login.microsoftonline.com AAAA 300 Answer 2603:1037:1:c8::8
login.microsoftonline.com AAAA 300 Answer
2603:1036:3000:d8::5
login.microsoftonline.com AAAA 300 Answer
2603:1036:3000:d0::5
login.microsoftonline.com AAAA 300 Answer
2603:1036:3000:d8::4
login.microsoftonline.com AAAA 300 Answer 2603:1037:1:c8::9
login.microsoftonline.com AAAA 300 Answer 2603:1037:1:c8::a
login.microsoftonline.com AAAA 300 Answer
2603:1036:3000:d8::2
login.microsoftonline.com AAAA 300 Answer
2603:1036:3000:d0::7
login.microsoftonline.com A 300 Answer 20.190.151.7
login.microsoftonline.com A 300 Answer 20.190.151.67
login.microsoftonline.com A 300 Answer 20.190.151.69
login.microsoftonline.com A 300 Answer 20.190.151.68
 login.microsoftonline.com A 300 Answer 20.190.151.132
login.microsoftonline.com A 300 Answer 20.190.151.70
login.microsoftonline.com A 300 Answer 20.190.151.9
login.microsoftonline.com A 300 Answer 20.190.151.133

4. If you want to remove the NRPT rule, run this PowerShell script:

PowerShell

Get-DnsClientNrptRule | Where-Object {
$_.DisplayName -match "AZURE-AD-NRPT" -or $_.Namespace -match
"login.microsoftonline.com"
} | Remove-DnsClientNrptRule -Force

Configure a client NRPT rule manually - US Gov cloud

Similar to the script for public cloud, the following script creates an NRPT rule for the US
Gov sign-in endpoint login.microsfotonline.us .

1. Open a PowerShell console as an administrator by right-clicking the PowerShell

icon and selecting Run As Administrator.

2. Add an NRPT rule by running the following commands:

PowerShell

$DnsServers = (
"ns1-35.azure-dns.com.",
"ns2-35.azure-dns.net.",
"ns3-35.azure-dns.org.",
"ns4-35.azure-dns.info."
)
$DnsServerIPs = $DnsServers | Foreach-Object {
(Resolve-DnsName $_).IPAddress | Select-Object -Unique
}
$params = @{
Namespace = "login.microsoftonline.us"
NameServers = $DnsServerIPs
DisplayName = "AZURE-AD-NRPT-USGOV"
}
Add-DnsClientNrptRule @params

Deploy NRPT rule with Intune

To deploy the NRPT rule to multiple machines by using Intune, create a Win32 app and
assign it to one or more devices.
Step 1: Create the scripts
Create a folder, and then save the following installation and rollback scripts
(InstallScript.ps1 and RollbackScript.ps1) in it so that you can create the .intunewin file for
use in the deployment.

InstallScript.ps1

PowerShell

# Add Azure AD NRPT rule.

$DnsServers = (
"ns1-37.azure-dns.com.",
"ns2-37.azure-dns.net.",
"ns3-37.azure-dns.org.",
"ns4-37.azure-dns.info."
)
$DnsServerIPs = $DnsServers | Foreach-Object {
(Resolve-DnsName $_).IPAddress | Select-Object -Unique
}

# List the rules.

$existingRules = Get-DnsClientNrptRule | Where-Object {
$_.DisplayName -match "AZURE-AD-NRPT" -or $_.Namespace -match
"login.microsoftonline.com"
}
if ($existingRules) {
Write-Output ("Azure AD NRPT rule exists: {0}" -F $existingRules)
}
else {
Write-Output "Adding Azure AD NRPT DNS rule for
login.microsoftonline.com ..."
$params = @{
Namespace = "login.microsoftonline.com"
NameServers = $DnsServerIPs
DisplayName = "AZURE-AD-NRPT"
}
Add-DnsClientNrptRule @params
}

RollbackScript.ps1

PowerShell

# Remove the Azure AD NRPT rule.

# List the rules.
$existingRules = Get-DnsClientNrptRule | Where-Object {
$_.DisplayName -match "AZURE-AD-NRPT" -or $_.Namespace -match
"login.microsoftonline.com"
 }
if ($existingRules) {
Write-Output "Removing Azure AD NRPT DNS rule for
login.microsoftonline.com ..."
$existingRules | Format-Table
$existingRules | Remove-DnsClientNrptRule -Force
}
else {
Write-Output "Azure AD NRPT rule does not exist. Device was successfully
remediated."
}

DetectionScript.ps1

Save the following script (DetectionScript.ps1) in another location. Then, you can
reference the detection script in the application when you create it in Intune.

PowerShell

# Add Azure AD NRPT rule.

$DnsServers = (
"ns1-37.azure-dns.com.",
"ns2-37.azure-dns.net.",
"ns3-37.azure-dns.org.",
"ns4-37.azure-dns.info."
)
$DnsServerIPs = $DnsServers | Foreach-Object {
(Resolve-DnsName $_).IPAddress | Select-Object -Unique
}
# List the rules.
$existingRules = Get-DnsClientNrptRule | Where-Object {
$_.DisplayName -match "AZURE-AD-NRPT" -or $_.Namespace -match
"login.microsoftonline.com"
}
if ($existingRules) {
Write-Output 'Compliant'
}

Step 2: Package the scripts as a .intunewin file

See Prepare Win32 app content for upload to create a .intunewin file from the folder
and scripts that you previously saved.

Step 3: Create the Win32 application

The following instructions show you how to create the necessary Win32 application. For
more information, see Add, assign, and monitor a Win32 app in Microsoft Intune.
 1. Sign in to the Intune portal .

2. Select Apps > All Apps, and then select + Add to create a new Win32 app.

3. In the App type dropdown list, select Windows app (Win32), and then choose
Select.

4. On the App information page, click Select app package file to select the
.intunewin file that you previously created. Select OK to continue.

5. Return to the App information page, and then enter a descriptive Name,
Description, and Publisher for the application. Other fields are optional. Select
Next to continue.

6. On the Program page, enter following information and select Next.

Install command string:

powershell.exe -executionpolicy bypass -NoLogo -NoProfile -

NonInteractive -WindowStyle Hidden -file "InstallScript.ps1"

Uninstall command string:

powershell.exe -executionpolicy bypass -NoLogo -NoProfile -

NonInteractive -WindowStyle Hidden -file "RollbackScript.ps1"

Install behavior:
System

7. In the Requirement page, select both Operating system architectures and set
Minimum Operating system to Windows 10 1607. Select Next to continue.

8. On the Detection page, select Use a custom detection script from the Rules
format dropdown list. Select the browse button beside the Script file box to
choose the detection script. Leave the remaining fields as their default values.
Select Next to continue.

9. Select Next on the Dependencies page to continue without any changes.

10. Select Next on the Supersedence (preview) page to continue without any
changes.

11. On the Assignments page, create assignments based on your requirements, and
then select Next to continue.

12. Review the information one final time on the Review + create page. Once you
finish your validation, select Create to create the application.
Find IPv6 addresses in Sign-in logs
Using one or more of the following methods, compare the list of IPv6 addresses to
those addresses you expect. Consider adding these IPv6 addresses to your named
locations and marking some as trusted where appropriate. You need at least the Reports
Reader role assigned in order to read the sign-in log.

Azure portal
1. Sign in to the Azure portal as a Reports Reader, Security Reader, Global Reader,
Security Administrator, or other role with permission.
2. Browse to Microsoft Entra ID > Sign-in logs.
3. Select + Add filters > IP address and select Apply.
4. In the Filter by IP address box, insert a colon (:).
5. Optionally download this list of log entries to JSON or CSV format for further
processing.

Log Analytics
If your organization uses Log Analytics, you can query for IPv6 addresses in your logs
using the following query.

Kusto

union SigninLogs, AADNonInteractiveUserSignInLogs

| where IPAddress has ":"
| summarize RequestCount = count() by IPAddress, AppDisplayName,
NetworkLocationDetails
| sort by RequestCount

PowerShell
Organizations can use the following PowerShell script to query the Microsoft Entra sign-
in logs in Microsoft Graph PowerShell. The script provides you with a listing of IPv6
addresses along with the application and number of times it appears.

PowerShell

$tId = "TENANT ID" # Add the Azure Active Directory tenant ID.
$agoDays = 2 # Will filter the log for $agoDays from the current date and
time.
$startDate = (Get-Date).AddDays(-($agoDays)).ToString('yyyy-MM-dd') # Get
filter start date.
 $pathForExport = "./" # The path to the local filesystem for export of the
CSV file.

Connect-MgGraph -Scopes "AuditLog.Read.All" -TenantId $tId

# Get both interactive and non-interactive IPv6 sign-ins.

$signInsInteractive = Get-MgAuditLogSignIn -Filter "contains(IPAddress,
':')" -All
$signInsNonInteractive = Get-MgAuditLogSignIn -Filter "contains(IPAddress,
':')" -All

# Summarize IPv6 & app display name count.

$signInsInteractive |
Group-Object IPaddress, AppDisplayName |
Select-Object @{Name = 'IPaddress'; Expression =
{$_.Group[0].IPaddress}},
@{Name = 'AppDisplayName'; Expression =
{$_.Group[0].AppDisplayName}},
Count |
Sort-Object -Property Count –Descending |
Export-Csv -Path ($pathForExport + "Summary_Interactive_IPv6_$tId.csv")
-NoTypeInformation
$signInsNonInteractive |
Group-Object IPaddress, AppDisplayName |
Select-Object @{Name = 'IPaddress'; Expression =
{$_.Group[0].IPaddress}},
@{Name = 'AppDisplayName'; Expression =
{$_.Group[0].AppDisplayName}},
Count |
Sort-Object -Property Count –Descending |
Export-Csv -Path ($pathForExport +
"Summary_NonInteractive_IPv6_$tId.csv") -NoTypeInformation

Next steps
We'll keep this article updated. Here's a short link you can use to come back for updated
and new information: https://aka.ms/azureadipv6 .

Use the location condition in a Conditional Access policy

Conditional Access: Block access by location
Find help and get support for Microsoft Entra ID

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you run the IdFix tool:
Current security context is not
associated with an Active Directory
domain or forest
Article • 10/28/2024

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2859144

Symptoms
When you run the IdFix DirSync Error Remediation Tool to perform a query in your on-
premises Active Directory Domain Services (AD DS) environment, you receive the
following error message:

Exception: Current security context is not associated with an Active Directory

domain or forest.

This issue occurs after you log on to the computer by using a user account that's not a
member of the domain in which you're running the query. The IdFix tool uses the
security context of the user who runs the tool to determine the domain to query.

Resolution
Log on to the computer by using a user account that's a member of the domain in
which you're running the query.

More information
For more information about the IdFix tool, see IdFix DirSync Error Remediation Tool .

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

Send Microsoft Authenticator logs and
get an incident ID
Article • 10/28/2024

Follow these steps to send logs to customer support and get the incident ID.

1. Open Microsoft Authenticator.

2. Tap Send feedback in the app's top menu.
3. Select Having trouble?.
4. Fill out the form, and then select Send to send the feedback and/or logs (Send is
on the top left on iOS, and on the top right on Android).
5. Note the incident ID. You or your administrator will need this ID if you contact
Microsoft Support.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Microsoft Entra diagnostic logs
Article • 10/28/2024

Original product version: Microsoft Entra ID

Original KB number: 4494802

To troubleshoot issues that are related to Microsoft Entra ID, Microsoft Support and the
Microsoft Entra engineering team can view and download diagnostic logs that are
associated with your Microsoft Entra tenant and on-premises configuration. Microsoft
may access (or make temporary copies of) the data to help resolve your support
incident.

More information
The following table explains the kinds of data that are associated with your Microsoft
Entra tenant and that may be accessed while we troubleshoot your support incident.
Additionally, you may be asked to provide the same types of data from your company's
on-premises environment. Depending upon your tenant, this information may be
automatically uploaded to the Microsoft Entra service or be requested by the Microsoft
Support Engineer to assist in troubleshooting your support incident.

ﾉ Expand table

Type Description

Microsoft Entra Information that's maintained in the Microsoft Entra tenant or synchronized
Objects from Active Directory on-premises environment, such as Tenant, User, Group,
Device, and related metadata.

Service Tenant configuration and settings that are related to your Azure tenant
configuration

Microsoft Entra Sign-in logs, audit logs, device registration logs, data previously uploaded
audit and sign-in (such as Authenticator App logs), and telemetry that is related to the health
logs of service.

Note System-generated logs contain identifiable information about end

users, such as a user name. Telemetry contains primarily pseudonymized
data, such as unique identifiers that are generated by the system. This data
cannot, on its own, identify individual people. However, it can be used to
deliver the enterprise services to users.
Contact us for help
If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

"Cookies are disabled" error in
MSAL.Net XBAP application in Internet
Explorer
Article • 03/20/2025

This article describes a problem in which a script error is returned when you performing
a Microsoft Entra ID login by using an XAML Browser Application (XBAP) from Microsoft
Internet Explorer.

Symptoms
You receive a script error warning and an error message stating that cookies are
disabled when logging into Microsoft Entra ID. This problem happens when you run
Microsoft Authentication Library for .NET (MSAL.NET) code similar to the following in an
XAML Browser Application (XBAP) from Internet Explorer:

C#

string tenantId = "<Tenant ID>";

string clientId = "<Application ID>";
string[] Scopes = new string[] { "User.Read" };
string errorMessage = string.Empty;
try
{
using (HttpClient httpClient = new HttpClient())
{
IPublicClientApplication publicClientApp =
PublicClientApplicationBuilder.Create(clientId)
.WithDefaultRedirectUri()
.WithAuthority(AzureCloudInstance.AzurePublic,
AadAuthorityAudience.AzureAdMyOrg)
.WithTenantId(tenantId)
.Build();
AuthenticationResult authenticationResult = null;
var t = Task.Run(async () =>
{
try
{
authenticationResult = await
publicClientApp.AcquireTokenInteractive(Scopes)
.WithAccount(null)
.WithPrompt(Prompt.ForceLogin)
.ExecuteAsync();
}
catch (Exception ex)
 {
errorMessage = "Error while getting token: " +
ex.ToString();
}
});
t.Wait();

if (authenticationResult != null)
{
return authenticationResult.AccessToken;
}
else
{
return errorMessage;
}
}
}
catch (Exception ex)
{
return ex.Message;
}

Cause
Although XBAP applications run within Internet Explorer, they operate in their own
process space: PresentationHost.exe. This process is a highly secure container. XBAP
applications use the WebBrowser control to host the Microsoft Entra ID login page. To
minimize security risks from the browser surface, this container is configured yo use
security restrictions that include blocking cookies. However, the Microsoft Entra ID login
process depends on cookies. This conflict causes a script error.

Solution
Configure MSAL.Net to use the System Browser - Microsoft Edge to open the Entra ID
login page. Then, follow these steps to make the required updates:

1. In the Azure portal, locate your app in the App registrations page. Register
http://localhost as a redirect URL under Mobile and desktop applications

platform.
 

2. Make the following change to your code:

C#

try
{
using (HttpClient httpClient = new HttpClient())
{
IPublicClientApplication publicClientApp =
PublicClientApplicationBuilder.Create(clientId)
.WithRedirectUri("http://localhost")
.WithAuthority(AzureCloudInstance.AzurePublic,
AadAuthorityAudience.AzureAdMyOrg)
.WithTenantId(tenantId)
.Build();
AuthenticationResult authenticationResult = null;

var t = Task.Run(async () =>

{
try
{
authenticationResult = await
publicClientApp.AcquireTokenInteractive(Scopes)
.WithAccount(null)
.WithPrompt(Prompt.ForceLogin)
.WithUseEmbeddedWebView(false)
.ExecuteAsync();
}
catch (Exception ex)
{
errorMessage = "Error while getting token: " +
ex.ToString();
}
});

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

IDX10501 error in ASP.NET Core app with
Azure B2C custom policy
Article • 01/17/2025

This guide discusses the cause of the "IDX10501" error, and provides a step-by-step
solution to resolve it.

Symptoms
When you implement a custom policy in an ASP.NET Core application that integrates
with Azure Active Directory B2C (Azure AD B2C), you might encounter the following
IDX10501 error:

IDX10501: Signature validation failed. Unable to match key: kid: '[PII of type
'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Number of keys in TokenValidationParameters: '0'. Number of keys in Configuration:
'1'. Exceptions caught: '[PII of type 'System.Text.StringBuilder' is hidden. For more
details, see https://aka.ms/IdentityModel/PII.]'. token: '[PII of type
'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see
https://aka.ms/IdentityModel/PII.]'.

Understanding the error

Why is this error generated when the custom policy redirects to your app? In ASP.NET
Core, whenever a user is authenticated and authorized, and a redirect page exists to the
web app that contains an ID token, ASP.NET Core middleware tries to validate this ID
token to make sure that the redirect is genuine. To validate the ID token, the middleware
requires the public key of the signing certificate that was used to sign the ID token. The
middleware gets this public key by querying Azure Active Directory B2C. Specifically, the
middleware uses a "metadata" endpoint in Azure Active Directory B2C that provides
authentication information, including any public keys for signing certificates.

When you create a custom policy, you're required to create or upload a signing
certificate. This signing certificate is different from that used for built-in user flows in
Azure Active Directory B2C. This means that the public keys that are accessible from the
"metadata" endpoint for your Azure Active Directory B2C won't contain the public key
for your custom policy. The custom policy actually has its own metadata endpoint.
The endpoint that the middleware uses is configured by Microsoft.Identity.Web and is
set at app startup. Because the metadata URL is already set, invoking a custom policy
during runtime creates a scenario in which the middleware is looking at the wrong
metadata URL while it validates the returning token.

Solution
To resolve this issue, you must configure the correct metadata endpoint for the
additional custom policy. To do this, create a second authentication scheme to handle
the custom policy. By having this additional authentication scheme, you can set the
correct metadata endpoint at startup. This process uses the following steps:

1. Add an additional redirect URI to your app registration.

2. Configure an additional B2C authentication scheme in your app.
3. Add an action to the desired controller.
4. Implement the created action in the layout.

Code sample: ASP.NET Core Web App with Custom B2C Policy .

Prerequisites
Before you continue this process, make sure that you have:

An Azure B2C directory

An app registration for B2C authentication

Standard user flows that are set up

A custom B2C policy that's added to your directory

An existing ASP.NET Core web app that's configured by having

Microsoft.Identity.Web for B2C authentication

For more information, see Enable authentication in your own web app by using
Azure AD B2C

Step 1: Add an additional redirect URI

In the app registration, you have to add another redirect URI for the custom policy. In
this case, you can't use the existing redirect URI because it could cause confusion for the
web app. You'll be setting up two different authentication schemes. However, when the
B2C policy redirects to the web app, the middleware won't know which authentication
scheme to use. Therefore, you need a separate redirect URI to clearly distinguish
between redirects from the existing and new authentication schemes.

Follow these steps:

1. Navigate to your app registration in the Azure portal .

2. In the Manage section, select Authentication.
3. In the Redirect URIs section, select Add URI.
4. Add a redirect URI. In this case, the new redirect URI is
https://localhost:44321/signin-oidc-editemail .

７ Note

Each custom policy requires its own redirect URI. For example, if you're adding two
custom policies, you have to create two authentication schemes and two redirect
URIs.

Step 2: Configure an Additional Authentication Scheme

This process involves adding an action to your controller that issues a challenge to the
user. Before you create this action, configure the app with an additional authentication
scheme. This requires updating both the Appsettings.json file and the Startup.cs file.

Update Appsettings.json

Add the following configuration for your custom policy:

JSON
 "<name-of-your-configuration>": {
"Instance": "https://<B2C-tenant-name>.b2clogin.com",
"ClientId": "<client-id-of-your-app-registration>",
"CallbackPath": "/<endpoint-of-your-new-redirect-uri>",
"SignedOutCallbackPath": "/signout/<built-in-sign-in-sign-up-policy>",
"Domain": "<B2C-tenant-name>.onmicrosoft.com",
"SignUpSignInPolicyId": "<built-in-sign-in-sign-up-policy>"
},

Example of Appsettings.json

JSON

{
"AzureADB2C": {
"Instance": "https://markstestorganization1.b2clogin.com",
"ClientId": "09717d12-ca7f-4388-8393-dafe42c0c3a5",
"CallbackPath": "/signin-oidc",
"SignedOutCallbackPath": "/signout/B2C_1_signupsignin1",
"Domain": "markstestorganization1.onmicrosoft.com",
"SignUpSignInPolicyId": "B2C_1_signupsignin1",
"ResetPasswordPolicyId": "B2C_1_PasswordReset1",
"EditProfilePolicyId": "B2C_1_editProfileTest1"
},
"AzureADB2CEditEmail": {
"Instance": "https://markstestorganization1.b2clogin.com",
"ClientId": "09717d12-ca7f-4388-8393-dafe42c0c3a5",
"CallbackPath": "/signin-oidc-editemail",
"SignedOutCallbackPath": "/signout/B2C_1_signupsignin1",
"Domain": "markstestorganization1.onmicrosoft.com",
"SignUpSignInPolicyId": "B2C_1_signupsignin1"
},
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft": "Warning",
"Microsoft.Hosting.Lifetime": "Information"
}
},
"AllowedHosts": "*"
}

Important considerations

You can choose any name for the second B2C configuration. This configuration will
be used for a single custom policy. If you have to add more custom policies, you
must include additional B2C configurations in the AppSettings.json file. For this
reason, we recommend that you give the JSON object a name that reflects the
associated custom policy.
 The CallbackPath value is the portion of the redirect URI that follows the domain.
For example, if your redirect URI is https://localhost:44321/signin-oidc-
editemail , then CallbackPath will be /signin-oidc-editemail .

You must include the standard built-in sign-up/sign-in user flow in the
authentication scheme to make sure that users are prompted to sign in if they try
to access your custom policy without being signed-in.

Update Startup.cs
Configure an additional authentication scheme in the Startup.cs file. In the
ConfigureServices function, add the following code:

C#

// Create another authentication scheme to handle extra custom policy

services.AddAuthentication()
.AddMicrosoftIdentityWebApp(Configuration.GetSection("<name-of-json-
configuration>"), "<Arbitrary-name-for-Auth-Scheme>", "<Arbitrary-name-of-
Cookie-Scheme>");

services.Configure<OpenIdConnectOptions>("<Arbitrary-name-for-Auth-Scheme>",
options =>
{
options.MetadataAddress = "<Metadata-Address-for-Custom-Policy>";
});

You have to set custom names for both your authentication scheme and the
associated cookie scheme. Microsoft.Identity.Web will create these schemes by
using the names that you specify.

Replace <name-of-json-configuration> with the name of the JSON configuration

from the previous step. Per the example in this article, this should be
AzureADB2CEditEmail .

Replace <Your-Custom-Metadata-URL> with the OpenID Connect discovery endpoint

URL that's found under your custom policy in Azure AD B2C.

How to get the metadata address for custom policy

It's important to get the metadata address because this will be used by the middleware
to get the required information to validate ID tokens that are returned by the custom
policy.

To find the metadata address, follow these steps:

1. Log in to the Azure B2C portal.

2. In Policies section, select Identity Experience Framework.

3. Select Custom policies, and then select the custom policy that you're using. In this
case, it's B2C_1A_DEMO_CHANGESIGNINNAME.
 4. The metadata address is the URL that's listed under OpenId Connect Discovery
Endpoint. Copy this URL, and paste it as the value for the options.MetadataAddress
variable.

Step 3: Add an action to the controller

In your controller, implement an action to trigger the Custom B2C Policy challenge for
the user. In code sample, the action is added to the Home Controller for simplicity. Add
the following code to your controller, and adjust the values and action name to meet
your scenario. This code snippet can be found on line 40 of the HomeController.cs file in
the Controllers folder in the code sample:
 C#

[Authorize]
public IActionResult EditEmail()
{
var redirectUrl = Url.Content("~/");
var properties = new AuthenticationProperties { RedirectUri =
redirectUrl };
properties.Items["policy"] = "B2C_1A_DEMO_CHANGESIGNINNAME";
return Challenge(properties, "B2CEditEmail");
}

Make sure that <Your-Custom-Policy> matches your specific policy name and
<CustomAuthScheme> is consistent with what you configured earlier.

Step 4: Implement action in layout

Implement the action in the layout so that the user can actually invoke the custom
policy. In the code sample, the following snippet adds a button alongside the existing
B2C buttons, based on the tutorial. The snippet is added to line 13 of the
_LayoutPartial.cshtml file in the Views/Shared folder. Note that the asp-controller

property is set to Home to reference the Home Controller, and the asp-action property
is set to EditEmail to reference the action that's created in the Home Controller. For
more information, see Add the UI elements.

HTML

<li class="navbar-btn">
<form method="get" asp-area="" asp-controller="Home" asp-
action="EditEmail">
<button type="submit" class="btn btn-primary">Edit Email</button>
</form>
</li>

If you have an existing app that doesn’t use the partial layout, and you want only a quick
link to test the custom policy, you can use the following tag to create a basic link. Make
sure that you replace the indicated values and reference the correct controller if you
didn’t add your action to the Home Controller.

HTML

<a asp-area="" asp-controller="Home" asp-action="replace-with-your-

controller-action">Replace with text that describes the action</a>
Contact us for help
If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Authentication fails after an Android
app is published to the Google Play
Store
Article • 03/25/2025

This article provides a solution to an authentication failure that occurs during signing in
after users install an Android app published to the Google Play Store.

Symptoms
Consider the following scenario:

You have successfully implemented Microsoft Entra authentication in your Android

app with the Microsoft Authentication Library (MSAL).
The app has been built and executed and has passed all QA testing.
You publish the app to the Google Play Store.

In this case, after users install the app, authentication doesn't work when signing in to
the app.

If you expose authentication error messages to users, or if you let them send error
messages to your team, you might encounter an error message like the following text:

The redirect URI in the configuration file doesn't match with the one generated with
the package name and signature hash. Please verify the uri in the config file and
your app registration in Azure portal.

Another possible scenario for this issue is:

During development and QA testing, you set up your app to use a supported broker to
handle authentication and single sign-on (SSO). However, after the app is deployed
through Google Play and installed, the app no longer uses the broker for authentication.

Cause
When an Android application is built for installation on a device, it's built as an APK
compressed package and then signed by a certificate. This certificate signing ensures
that the person who built the application is the one who owns the private signing key.
This prevents hackers from making harmful modifications to the application, as they
can't sign their versions with the original private key.

Previously, Android developers owned and maintained their private signing keys.
Currently, Google Play Services generates and maintains the private signing key for
Android developers, ensuring secure storage by Google. The developer still maintains an
upload key so that Google Play Services can verify the authenticity of an uploaded app
bundle, but the actual signing is performed by the Google-owned signing certificate
when users install the app on their devices.

The MSAL for Android Native and Microsoft Supported Authentication Brokers use the
public signature hash of an installed application to identify it when interacting with the
Android operating system during authentication.

The public signature hash of an application installed via Google Play differs from the
one installed before publishing to Google Play. Thus, MSAL will be configured with the
incorrect signature hash.

Solution
To resolve this issue, do the following things:

Get a new signature hash with the MSAL Package Inspector tool or from the
Google Play Console.
Add a new redirect URI to the app registration in the Azure portal with the new
signature hash.
Update the MSAL configuration within the application code to use the new redirect
URI and signature hash.

Get a new signature hash with the MSAL Package

Inspector tool or from the Google Play Console
You can get a new signature hash by using the MSAL Package Inspector tool or from the
Google Play Console.

To install and use the MSAL Package Inspector, see Package Inspector for MSAL Android
Native Guide.

To get the signature hash from the Google Play Console, follow these steps:

1. Go to the Google Play Console and sign in with your Google Developer account.

2. Once you're in the Google Play Console, select the affected app.
 3. On the left navigation, under the Release category, expand Setup, and select App
Integrity.

4. Select the App signing tab. You'll see the fingerprint of the app signing key in
three different variations.

5. Copy the SHA-1 certificate fingerprint and paste it into the PowerShell script in
step 6 as the value of the $Thumbprint variable.

6. Run the following script to obtain the base64 encoded fingerprint that MSAL
needs:

PowerShell

$Thumbprint = "paste your fingerprint here"

$Thumbprint = $Thumbprint.Replace(":", "")

$Bytes = [byte[]]::new($Thumbprint.Length / 2)

For($i=0; $i -lt $Thumbprint.Length; $i+=2){

$Bytes[$i/2] = [convert]::ToByte($Thumbprint.Substring($i, 2), 16)
}

$hashedString =[Convert]::ToBase64String($Bytes)

Write-Host $hashedString

Add a new redirect URI to the app registration in the

Azure portal with the new signature hash
７ Note

We recommend adding a new redirect URI rather than modifying the existing one.
Your app registration can contain many redirect URIs. Additionally, modifying the
existing redirect URI might result in problems with the development version of your
app. This can cause issues during troubleshooting, development updates, and so
on.

1. Sign in to the Azure portal and navigate to the App registrations page.

2. Select the app registration for your Android app.

3. Under Manage, select Authentication.

4. Under Platform configurations, select Add a platform.

5. Under Configure platforms, select Android.

 6. Enter the package name of your Android app. Also, generate and enter the
signature hash.

７ Note

It's fine to use the same package name in multiple Android redirect URIs as
long as the signature hash is different.

7. Select Configure to complete the platform configuration.

Update the MSAL configuration within the application

code to use the new redirect URI and signature hash
Update the MSAL configuration file and Android Manifest file in the application code.

MSAL configuration file:

Only change the redirect URI. Copy and paste it directly from the Azure portal. In
the Azure portal, the signature hash portion of the redirect URI is HTTP encoded. It
should remain HTTP encoded.

JSON

{
"client_id": "<Client ID>",
"authorization_user_agent": "DEFAULT",
"redirect_uri": "<Redirect URI>"
"broker_redirect_uri_registered": true,
"authorities": [
{
"types": "AAD",
"audience": {
"type": "AzureADMyOrg",
"tenant_id": "<Tenant ID>"
}
}
],
"logging":{
"log_level": "VERBOSE",
"logcat_enabled": true
}
}

Android Manifest file:

Only change the android:path property in the

com.microsoft.identity.client.BrowserTabActivity activity. Paste the signature

hash as the value of this property.

XML

<activity
android:name="com.microsoft.identity.client.BrowserTabActivity">
<intent-filter>
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data
android:schema="msauth"
android:host="com.example.azureauthsso1"
android:path="android_path" />
</intent-filter>
</activity>

７ Note
 Make sure to include the forward slash in front of the signature hash.
Unlike the redirect URI, the signature hash here isn't HTTP encoded.

Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that
are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about
the performance or reliability of these products.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

WIF10201: No valid key mapping found
for securityToken error in ASP.NET
application
Article • 03/17/2025

This article provides guidance for troubleshooting an authentication issue that occurs in
an ASP.NET MVC application that uses both WS-Federation OWIN middleware and
Windows Identity Foundation (WIF) to authenticate to Microsoft Entra ID.

Symptoms
The ASP.NET MVC application that was previously working generates the following error
message although no changes were made to the application:

Output

Error Details:
Server Error in '/' Application.
WIF10201: No valid key mapping found for securityToken:
'System.IdentityModel.Tokens.X509SecurityToken' and issuer:
'https://sts.windows.net/<Directory ID>/'.

Description: An unhandled exception occurred during the execution of the

current web request. Please review the stack trace for more information
about the error and where it originated in the code.

Exception Details:
System.IdentityModel.Tokens.SecurityTokenValidationException: WIF10201: No
valid key mapping found for securityToken:
'System.IdentityModel.Tokens.X509SecurityToken' and issuer:
'https://sts.windows.net/<Directory ID>/'.

Cause
To validate the signature of the token that's returned by the Entra ID after a successful
sign-in, WIF uses the certificate thumbprints that are in the Web.config file, as shown in
the following example:

web.config

<issuerNameRegistry
type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry,
 System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="https://sts.windows.net/<Directory ID>/">
<keys>
<add thumbprint="C142E..." />
<add thumbprint="8BA94..." />
<add thumbprint="D92E1..." />
</keys>
<validIssuers>
<add name="https://sts.windows.net/<Directory ID>/" />
</validIssuers>
</authority>
</issuerNameRegistry>

The "WIF10201" error occurs if none of these certificate thumbprints match the one
that's used by Entra ID to sign the token.

The Entra ID uses a signing key rollover mechanism to update the certificate that's used
to sign authentication tokens periodically. This key rollover causes the initial certificate
thumbprints that are configured in the Web.config file to become invalid.

Solution
You can either manually update the certificate thumbprints that are in the Web.config
file or automate the process through code. For more information, see Best practices for
keys metadata caching and validation.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Package Inspector for MSAL Android
Native
Article • 03/25/2025

The Microsoft Authentication Library (MSAL) for Android Native includes a tool called
Package Inspector. This tool lists the packages installed on an Android device and allows
users to view, copy, and paste the signature hash used to sign an application's package.
Package Inspector is invaluable for troubleshooting and verifying the signature hash of
applications installed on an Android device. This article covers installation, usage, and
common issues of the Package Inspector.

Scenarios for using Package Inspector

You have successfully developed an application to use MSAL, but after deploying
the app to the Google Play Store, the app fails to perform authentication.

In this scenario, Package Inspector is useful to discover the new signature hash
used by Google to sign the app package.

You are implementing MSAL in your Android application, but encounter the
following error:

The redirect URI in the configuration file doesn't match with the one generated
with the package name and signature hash. Please verify the uri in the config
file and your app registration in Azure portal.

In this scenario, you can use Package Inspector to verify what the package
signature hash is and configure both the Azure portal and application to use the
correct signature hash.

You are implementing MSAL in your Android application, but encounter the
following error:

Intent filter for: BrowserTabActivity is missing

This error occurs because the signature hash specified in the AndroidManifest.xml
file doesn't match the signature hash used to sign the APK file. In this scenario,
Package Inspector is useful to verify what the signature hash is.
 ７ Note

For more information about MSAL for Android Native, see Microsoft
Authentication Library (MSAL) for Android .

Prerequisites
Before you start, ensure you have the following:

A recent version of Android Studio installed.

Android Studio comes with an AVD manager. For more information, see Create and
manage virtual devices .

A virtual Android device with applications installed.

A physical device with developer options, USB debugging enabled, and a USB
cable. For more information, see Configure on-device developer options .

An application installed to inspect.

Install Package Inspector

There are two methods to install Package Inspector:

Option 1: Clone Android MSAL repository directly into

Android Studio
1. Open Android Studio and close any open projects.

2. Select Get From Version Control.

3. Ensure Git is selected at the top of the window, paste the Android MSAL repository
URL https://github.com/AzureAD/microsoft-authentication-library-for-
android.git , and then select Clone.
Option 2: Download Android MSAL repository and open
it in Android Studio
1. Download the Android MSAL repository .

2. Extract the zip file to your selected directory.

3. Open Android Studio and close any open projects.

4. Select Open an Existing Project.

5. Select the root package msal-android for the Android MSAL repository. Then,
select OK.
 ７ Note

The default name of the root package is microsoft-authentication-

library-for-android-dev . In this example, it's renamed msal-android .

Don't select the package-inspector directory.

Use Package Inspector

1. With the Android MSAL project open in Android Studio, connect the desired
Android device. It can be a physical device connected to the computer's USB port
or an emulator booted from Android Studio's AVD manager. Ensure your device
appears in the drop-down list at the top of Android Studio and select it.

2. On the left of the device drop-down list, there is another drop-down list. Select
package-inspector from it.
 

3. Select the play button (indicated with a green circle on the right) to build, install,
and run Package Inspector on the selected device.


4. Browse the list of packages in the Package Inspector app and select a package to
view its signature hash. All accessible packages appear in this list.
Common issues

Issues when loading Package Inspector into Android

Studio
To resolve these issues, ensure you load the root package from the MSAL repository, not
Package Inspector. Make sure that the Android MSAL project you load into Android
Studio is named microsoft-authentication-library-for-android-dev or whatever you
have renamed the root directory on your system instead of package-inspector . For
more information, see step 5 under Option 2 in the Install Package Inspector section.

Not all packages appear in Package Inspector

You have installed and opened Package Inspector, and a list of packages appear in the
app. However, you don't see packages for any apps you have installed on the device.
The issue might occur due to changes in Android 11 (API 30). For more information, see
Package visibility .

To resolve this issue, follow these steps:

1. Open the AndroidManifest.xml file within the package-inspector directory on the

left side of Android Studio.

2. Add the following permission and query between the <manifest></manifest> tags:

XML

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.microsoft.inspector"></manifest>
...

<permission android:name="android.permission.QUERY_ALL_PACKAGES" />

<queries>
<intent>
<action android:name="android.intent.action.MAIN" />
</intent>
</queries>

3. Rerun the application from Android Studio to apply the changes. Then, you can see
the packages you have installed.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Enable MSAL4J logging in a Spring Boot
web application
Article • 03/17/2025

This article provides step-by-step instructions to enable Microsoft Authentication Library

for Java (MSAL4J) logging by using the Logback framework in a Spring Boot web
application.

Code sample
The complete code sample and configuration guide for this implementation are
available on GitHub .

Enable MSAL4J logging

1. Add the following dependency to your Pom.xml file to include the Logback
framework:

XML

<dependency>
<groupid>ch.qos.logback</groupid>
<artifactid>logback-classic</artifactid>
<version>1.2.3</version>
</dependency>

2. In your app project, create a file in the src/main/resources folder, and name the
file Logback.xml. Then, add the following content:

XML

<?xml version="1.0" encoding="UTF-8"?>

<configuration>
<appender name="STDOUT"
class="ch.qos.logback.core.ConsoleAppender">
<encoder>
<pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} -
%msg%n</pattern>
</encoder>
</appender>
<root level="debug">
<appender-ref ref="STDOUT" />
 </root>
</configuration>

This Appender configuration logs messages to the console. You can adjust the
logging level to error , warn , info , or verbose based on your preference. For
more information, see LogBack: Appenders .

3. Set the logging.config property to the location of the Logback.xml file before the
main method:

Java

@SpringBootApplication
public class MsalB2CWebSampleApplication {

static { System.setProperty("logging.config", "C:\\Users\\<your

path>\\src\\main\\resources\\logback.xml");}
public static void main(String[] args) {
// Console.log("main");
// System.console().printf("hello");
// System.out.printf("Hello %s!%n", "World");
System.out.printf("%s%n", "Hello World");
SpringApplication.run(MsalB2CWebSampleApplication.class, args);
}
}

Configuration for running the code sample

Enable HTTPs support

This code sample is set up to run on the local server (localhost) by using the HTTPS
protocol. Follow the steps in Configure the sample to use your Azure AD B2C tenant
to generate a self-signed certificate. Put the keystore.p12 file in the resources folder.

App registration configuration

To configure app registration in Azure AD B2C, follow these steps:

1. Create two app registrations in your Azure AD B2C tenant: One for the web
application and the other for the web API.
2. Expose the required scope in the web API. For more information, see Configure
web API app scopes.
3. Configure the web API scope in the API Permissions blade for the web application.
4. Grant admin consent to all configured permissions in the web application.
For more information, see Configure authentication in a sample web app that calls a
web API by using Azure AD B2C.

Example configuration:

Logging output example

If the app is configured correctly, the logging output should resemble the following
output.

Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that
are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about
the performance or reliability of these products.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Troubleshoot sign-in prompt issues in
iOS with MSAL SDK
Article • 04/01/2025

This article provides guidance for troubleshooting repeated sign-in prompts in an iOS
app that uses Microsoft Authentication Library (MSAL).

Symptoms
You follow this tutorial to integrate Microsoft identity platform authentication in your
iOS app by using the Microsoft Authentication Library (MSAL) SDK. However, after the
initial login, users are unexpectedly prompted to sign in multiple times.

Cause
This issue is typically caused by the web browser used by MSAL does not allow cookie
sharing.

The tutorial uses the MSAL to implement authentication. MSAL SDK facilitates
authentication by automatically renewing tokens. It also enables single sign-on (SSO)
between other apps on the device and manages user accounts.

For SSO to function correctly, tokens must be shared between apps. To meet this
requirement, you must use a token cache or a broker application, such as Microsoft
Authenticator for iOS. Interactive authentication in MSAL requires a web browser. On
iOS, MSAL uses the Safari system browser by default for interactive authentication. This
default setup supports SSO state sharing between apps.

However, if you customize the browser configuration for authentication, such as by

using one of the following options, cookie sharing might not be enabled by default.

ﾉ Expand table

For iOS only For iOS and macOS

SFAuthenticationSession ASWebAuthenticationSession
SFSafariViewController WKWebView

Resolution
To prevent repeated login prompts, you must allow cookie sharing when you customize
the browser. To enable SSO and cookie sharing between MSAL and your iOS app, use
one of the following solutions:

Use ASWebAuthenticationSession and Safari system browser

( UIApplication.shared.open )

Use Case: Your app uses MSAL together with the default
ASWebAuthenticationSession instance, and you open external links or logout flows

in Safari system browser.

Note: ASWebAuthenticationSession is the recommended method for MSAL
interactive authentication on iOS 12+. It's the only supported method on iOS 13+.
This method is privacy-preserving and shares cookies with system browser. SSO
works between MSAL and Safari browser application because they share cookies
through the system authentication session.

Use WKWebView

Use Case: You explicitly configure MSAL to use WKWebView , and your app also uses
WKWebView for related workflows.

Note: You can use WKWebView for a consistent experience within your app.
However, because it's sandboxed, WKWebView doesn't share session cookies with
Safari system browser or other apps. In this condition, SSO support is limited to
use within your app.

For more information, see Customizing webviews and browsers.

Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that
are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about
the performance or reliability of these products.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error AADSTS7000218 when a confidential
client application authenticates to
Microsoft Entra ID
Article • 04/30/2025

This article provides a solution to the AADSTS7000218 error that occurs when a confidential
client application authenticates to Microsoft Entra ID.

Symptoms
When a confidential client application authenticates to Microsoft Entra ID to get an access
token, the following error message is displayed:

Output

{
"error": "invalid_client",
"error_description": "AADSTS7000218: The request body must contain the
following parameter: 'client_assertion' or 'client_secret'.\r\nTrace ID:
xxx\r\nCorrelation ID: xxx\r\nTimestamp: 2019-08-18 20:38:28Z",
"error_codes": [7000218],
...
}

Cause
This issue occurs because the application doesn't provide the credentials (client secret or
assertion) that the token endpoint expects. A confidential client must provide its credentials
when authenticating to Microsoft Entra ID.

Resolution
To resolve this issue, include the client secret or assertion in the token request.

In some authentication flow scenarios, such as the OAuth 2 Resource Owner Password
Credentials (ROPC) grant flow or OAuth 2 device authorization grant flow, where you don't
expect the client application to be confidential, allow public client flows in the App
registrations:

1. In the Azure portal , in App registrations, select your application, and then select
Authentication.
 2. Select Advanced settings > Allow public client flows.

3. For Enable the following mobile and desktop flows, select Yes.

Changing the default client type from confidential to public causes security implications. For
more information, see What's the security implication of changing the default client type from
confidential to public in Azure AD?

Understand client types in Microsoft Entra ID

As defined in the OAuth 2.0 specification , client applications are categorized into two types:

Confidential client: A client that can securely store a secret used to authenticate to
Microsoft Entra ID.

For example, the client is a web application whose code and secrets are stored on a server
that isn't exposed to the public. Only an admin can access the application's confidential
information.

Public client: A client that can't store any secret.

For example, a public client is a mobile or desktop application running in an insecure or

unmanaged environment.
In the Microsoft Entra App Registration model, a registered application can be both a public
client and a confidential client, depending on the context in which the application is used. This
is because an application might have a part used as a public client, while other parts are
designed to be used as a confidential client. Depending on workflows, the application
developer must decide if the application should act as a public or confidential client. A
confidential client is expected in certain OAuth2 grant flows, such as the Client Credentials
flow, Authorization Code flow, or On-Behalf-Of flow. It uses a flow to request a token.

How Microsoft Entra ID determines the client type

Method 1: Use the type of the redirect URI (reply URL)

Microsoft Entra ID checks the redirect URI (reply URL) provided in the request and cross-
checks it with the redirect URI registered in the App Registrations.

A redirect URI of type Web classifies the application as a confidential client.

A redirect URI of type Mobile and desktop applications classifies the application as a
public client.


 Method 2: Use the Enable the following mobile and desktop flows option (when no
reply URL is provided)

In some OAuth 2.0 flows, such as the OAuth 2 Resource Owner Password Credentials
(ROPC) grant flow, OAuth 2 device authorization grant flow and Integrated Windows
Authentication, no reply URL is provided in the token request. In these cases, Microsoft
Entra ID uses the app registration's Enable the following mobile and desktop flows to
determine whether the client is confidential or public.
If Enable the following mobile and desktop flows is set to Yes, the client is public.
If it's set to No, the client is confidential.

How to identify the grant type and redirect URI used by an

application
Review the application code or capture a Fiddler trace to inspect the grant_type and
redirect_uri parameters sent in the POST request to the Microsoft Entra ID's token endpoint:

V1 endpoint: https://login.microsoftonline.com/<tenant name>/oauth2/token

V2 endpoint: https://login.microsoftonline.com/<tenant name>/oauth2/v2.0/token

Here's an example of a Fiddler trace:

Common OAuth 2.0 flows and their associated grant_type values are listed as follows:

ﾉ Expand table

OAuth 2.0 flow grant_type value

ROPC password

Device Code urn:ietf:params:oauth:grant-type:device_code

Authorization Code authorization_code

Client Credentials client_credentials

On-Behalf-Of urn:ietf:params:oauth:grant-type:jwt-bearer

SAML Bearer Assertion urn:ietf:params:oauth:grant-type:saml1_1-bearer

References
Microsoft Authentication Library (MSAL) Client Applications

Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that are
independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the
performance or reliability of these products.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Infinite sign-in loop between ASP.NET
application and Microsoft Entra ID
Article • 04/25/2025

This article provides solutions to an issue where an ASP.NET application experiences an infinite
redirect loop during signing in with Microsoft Entra ID.

Symptoms
An ASP.NET application running an earlier version of Open Web Interface for .NET (OWIN)
middleware fails to recognize an authenticated request from Microsoft Entra ID. It keeps
sending the request back to Microsoft Entra ID for signing in, leading to the infinite loop issue.
The following error message might be displayed in the browser:

We couldn't sign you in. Please try again.

Cause
This issue occurs due to a cookie mismanagement issue (a known Katana bug ) in the earlier
version of OWIN.

How to recognize the Katana bug

Capture a Fiddler trace and examine one of the later redirect frames back to the web
application. Note in the following screenshot, the request in frame 58 contains multiple
OpenIdConnect.nonce cookies (red-circled). In a working scenario, you should only have one
OpenIdConnect.nonce cookie set at the beginning before authentication. After the request is
successfully authenticated, this nonce cookie is destroyed and ASP.NET sets its own session
cookie. Because of this bug, you see a buildup of these nonce cookies.
 

Solution 1: Upgrade to ASP.NET Core

The issue is resolved in ASP.NET Core and a later version of Katana OWIN for ASP.NET. To
resolve this issue, upgrade your application to use ASP.NET Core.

If you must continue to use ASP.NET, perform the following actions:

Update your application's Microsoft.Owin.Host.SystemWeb package to version 3.1.0.0 or

later.

Modify your code to use one of the new cookie manager classes, for example:

C#

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "Cookies",
CookieManager = new
Microsoft.Owin.Host.SystemWeb.SystemWebChunkingCookieManager()
});

or

C#

app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
CookieManager = new SystemWebCookieManager()
});
Solution 2: Correct the redirect URL
In some cases where the application is hosted under a virtual directory or an application
instead of the root of the web site, solution 1 might not work. For more information, see
Infinite re-direct loop after AAD Authentication when redirect is specified and Microsoft
Account OAuth2 sign-on fails when redirect URL is not under the website root .

For example, suppose you have the following environment:

The root of a web site: https://mysite – This site runs under Application Pool 1.

An application test2 under the root: https://mysite/test2 – This application runs under
Application Pool 2.

Your ASP.NET application runs under the test2 application with the following code:

C#

public void Configuration(IAppBuilder app)

{
// For more information on how to configure your application,
visit https://go.microsoft.com/fwlink/?LinkID=316888

app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.Authent
icationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
// Sets the ClientId, authority, RedirectUri as obtained
from web.config
ClientId = clientId,
Authority = authority,
RedirectUri = "https://mysite/test2",
// PostLogoutRedirectUri is the page that users will be
redirected to after sign-out. In this case, it is using the home page
PostLogoutRedirectUri = redirectUri,
Scope = OpenIdConnectScope.OpenIdProfile,
// ResponseType is set to request the id_token - which
contains basic information about the signed-in user
ResponseType = OpenIdConnectResponseType.IdToken,
// ValidateIssuer set to false to allow personal and work
accounts from any organization to sign in to your application
// To only allow users from a single organizations, set
ValidateIssuer to true and 'tenant' setting in web.config to the tenant name
// To allow users from only a list of specific
organizations, set ValidateIssuer to true and use ValidIssuers parameter

// OpenIdConnectAuthenticationNotifications configures
OWIN to send notification of failed authentications to OnAuthenticationFailed
method
 Notifications = new
OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = OnAuthenticationFailed
}

}
);
}

You use the following code to trigger the sign-in flow:

C#

public void SignIn()

{
if (!Request.IsAuthenticated)
{
HttpContext.GetOwinContext().Authentication.Challenge(
new AuthenticationProperties { RedirectUri = "/" },
OpenIdConnectAuthenticationDefaults.AuthenticationType);
}
}

This scenario can result in an authentication infinite loop with a buildup of multiple
OpenIdConnect.nonce cookies. The difference is that ASP.NET doesn't appear to set its
authenticated session cookies. To resolve the issue in such scenario, set the redirect URLs in the
OpenID Connect initialization code and the Challenge method (note the trailing slash in the
redirect URL):

C#

app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
// Sets the ClientId, authority, RedirectUri as obtained from
web.config
ClientId = clientId,
Authority = authority,
RedirectUri = "https://mysite/test2/",
// PostLogoutRedirectUri is the page that users will be
redirected to after sign-out. In this case, it is using the home page
PostLogoutRedirectUri = redirectUri,
Scope = OpenIdConnectScope.OpenIdProfile,
...

C#
 public void SignIn()
{
if (!Request.IsAuthenticated)
{
HttpContext.GetOwinContext().Authentication.Challenge(
new AuthenticationProperties { RedirectUri = "/test2/" },
OpenIdConnectAuthenticationDefaults.AuthenticationType);
}
}

References
Infinite redirects with ASP.NET OWIN and OpenID Connect

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Troubleshoot common problems adding
or removing an application to Microsoft
Entra ID
Article • 10/28/2024

This series of articles provide guidance on how to troubleshoot issues that may arise
when adding or removing an application in Microsoft Entra ID.

Application takes a long time to appear

See the article Application takes a long time to appear for steps to troubleshoot and
resolve this issue.

Application doesn't appear

See the article Application doesn't appear for steps to troubleshoot and resolve this
issue.

Unable to delete an application

See the article Unable to delete an application for steps to troubleshoot and resolve this
issue.

Send notification details to Microsoft support

See the article Send notification details to Microsoft support to learn how to see the
details of a portal notification and send them to a support engineer.

More information
If you need help with learning about applications, the List of Tutorials on How to
Integrate SaaS Apps with Microsoft Entra ID article is a good place to start.

In addition to this, the Microsoft Entra Applications Document Library can help you learn
more about single sign-on with Microsoft Entra ID and how it works.
Contact us for help
If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

） Note: The author created this article with assistance from AI. Learn more

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Application takes a long time to appear
after clicking the "add" button
Article • 10/28/2024

If you experience a delay in the appearance of your application after clicking the "add"
button, it is possible that it may take 1-2 minutes (and sometimes longer) for the
application to appear in your directory. While this is not the expected performance, you
can monitor the progress of the application addition by clicking on the Notifications
icon (the bell) in the upper right corner of the Azure portal and looking for an In
Progress or Completed notification labeled Adding application.

If your application is not added or you encounter an error when clicking the Add button,
you will see a Notification in an Error state. To obtain more information about the error
and learn more or share with a support engineer, you can follow the steps in How to see
the details of a portal notification.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

） Note: The author created this article with assistance from AI. Learn more

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Application does not appear after
clicking the add button
Article • 10/28/2024

The process of adding an application to Microsoft Entra ID may sometimes fail due to
transient issues, networking problems, or a known issue. If you encounter an error when
clicking the Add button, you’ll see a Notification in an Error state, which indicates that
there was an error when creating the application. To learn more about the error or share
it with a support engineer, you can follow the steps in How to see the details of a portal
notification.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

） Note: The author created this article with assistance from AI. Learn more

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Unable to delete an application due to
disabled Delete button
Article • 10/28/2024

When deleting an app in Microsoft Entra ID, the Delete button may be disabled in
certain scenarios. These scenarios include:

For applications under Enterprise application, the Delete button will be disabled if
you don't have one of the following roles: Global Administrator, Cloud Application
Administrator, Application Administrator, or owner of the service principal.

For Microsoft applications, you won't be able to delete them from the UI
regardless of your role.

For service principals that correspond to a managed identity, you can't delete the
service principals in the Enterprise apps blade. You need to go to the Azure
resource to manage it. To learn more about Managed Identity, please refer to the
article Managed Identity.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

） Note: The author created this article with assistance from AI. Learn more

Feedback
Was this page helpful?  Yes  No

Provide product feedback

How to send Notification Details to
Microsoft support
Article • 10/28/2024

How to see the details of a portal notification

You can see the details of any portal notification by following the steps below:

1. Select the Notifications icon (the bell) in the upper right of the Azure portal.

2. Select any notification in an Error state (those with a red (!) icon next to them).

７ Note

You cannot click notifications in a Successful or In Progress state.

3. Use the information under Notification Details to understand more details about
the problem.

If you still need help, you can also share this information with a support engineer or the
product group to get help with your problem.

How to get help by sending notification details

to a support engineer
1. Take a screenshot or select the Copy error icon, found to the right of the Copy
error textbox to copy all the notification details to share with a support or product
group engineer.

It is important that you share all the details listed below with a support engineer if you
need help, so that they can help you quickly.

Notification Details Explained

See the following descriptions for more details about the notifications.

Essential Notification Items

 Title – the descriptive title of the notification
Example – Application proxy settings
Description – the description of what occurred as a result of the operation
Example – Internal url entered is already being used by another application
Notification ID – the unique ID of the notification
Example – clientNotification-2adbfc06-2073-4678-a69f-7eb78d96b068
Client Request ID – the specific request ID made by your browser
Example – 302fd775-3329-4670-a9f3-bea37004f0bc
Time Stamp UTC – the timestamp during which the notification occurred, in UTC
Example – 2017-03-23T19:50:43.7583681Z
Internal Transaction ID – the internal ID we can use to look up the error in our
systems
Example – 71a2f329-ca29-402f-aa72-bc00a7aca603
UPN – the user who performed the operation
Example – tperkins@f128.info
Tenant ID – the unique ID of the tenant that the user who performed the operation
was a member of
Example – 7918d4b5-0442-4a97-be2d-36f9f9962ece
User object ID – the unique ID of the user who performed the operation
Example – 17f84be4-51f8-483a-b533-383791227a99

Detailed Notification Items

Display Name – (can be empty) a more detailed display name for the error
Example – Application proxy settings
Status – the specific status of the notification
Example – Failed
Object ID – (can be empty) the object ID against which the operation was
performed
Example – 8e08161d-f2fd-40ad-a34a-a9632d6bb599
Details – the detailed description of what occurred as a result of the operation
Example – Internal url https://bing.com/ is invalid since it is already in use
Copy error – Select the copy icon to the right of the Copy error textbox to copy all
the notification details to share with a support or product group engineer
Example {"errorCode":"InternalUrl\_Duplicate","localizedErrorDetails":
{"errorDetail":"Internal url 'https://google.com/' is invalid since it is
already in use"},"operationResults":\

[{"objectId":null,"displayName":null,"status":0,"details":"Internal url
'https://bing.com/' is invalid since it is already in

use"}\],"timeStampUtc":"2017-03-
 23T19:50:26.465743Z","clientRequestId":"302fd775-3329-4670-a9f3-
bea37004f0bb","internalTransactionId":"ea5b5475-03b9-4f08-8e95-

bbb11289ab65","upn":"tperkins@f128.info","tenantId":"7918d4b5-0442-4a97-
be2d-36f9f9962ece","userObjectId":"17f84be4-51f8-483a-b533-383791227a99"}

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

） Note: The author created this article with assistance from AI. Learn more

Feedback
Was this page helpful?  Yes  No

Provide product feedback

AADSTS7500514 - A supported type of
SAML response was not found with
PingFederate
Article • 05/06/2025

This article helps you troubleshoot error code AADSTS7500514 that's returned if a PingFederate
federated account tries to authenticate by using Microsoft Entra ID (formerly Azure Active
Directory).

Symptoms
When a federated account tries to authenticate by using Microsoft Entra ID from a Microsoft
Authentication Library (MSAL)-based or Active Directory Authentication Library (ADAL)-based
application, the sign-in fails. The following error message is displayed:

Output

{
error: "invalid_request",
error_description: "AADSTS7500514: A supported type of SAML response was not
found. The supported response types are 'Response' (in XML namespace
'urn:oasis:names:tc:SAML:2.0:protocol') or 'Assertion' (in XML namespace
'urn:oasis:names:tc:SAML:2.0:assertion').
....
error_uri: "https://login.microsoftonline.com/error?code=7500514"
}

The error typically occurs in the following environment:

A federated account that uses PingFederate as the identity provider.

The identity provider is configured to issue a SAML 1.1 token by using the WS-Trust
protocol.
The application uses one of the following APIs for authentication:
MSAL AcquireTokenByUserNamePassword method.
ADAL AcquireToken (string resource, string clientId, UserCredential userCredential)
method.
Any PowerShell module that uses these MSAL or ADAL methods.

Cause
Because ADAL is now deprecated, this article focuses on the MSAL.
This issue occurs if the SAML response from PingFederate doesn't contain the SAML version or
uses a format that MSAL can't recognize. Typically, this situation is caused by a
misconfiguration on the PingFederate side for Microsoft Entra ID.

Root cause analysis: SAML token version detection

When MASL authenticates a federated account, it determines whether the account is a
managed account or a federated account.

For managed accounts, MSAL uses the Resource Owner Password Credentials grant flow. For
federated accounts, it uses the SAML Assertion Grant flow.

The SAML Assertion Grant flow has two steps:

The client application authenticates to the federated identity provider to obtain a SAML
token.
The client uses the obtained SAML token to get an OAuth 2.0 JWT token from Microsoft
Entra ID.

The authentication error typically occurs in step 1, in which the client application has to parse
the SAML response from the identity provider to determine the version of the SAML token.
MSAL looks for the following attributes in the identity provider's SAML response:

saml:Assertion

TokenType

The following is an example AD FS SAML response from the /UserNameMixed endpoint:

saml:Assertion : major version = 1, minor version = 1

TokenType : urn:oasis:names:tc:SAML:1.0:assertion


Example of a PingFederate SAML response (SAML Assertion Grant flow step 1):

When you compare these responses, you find that PingFederate returns a different TokenType
value ( http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1 ) for the
same SAML 1.1 token. However, MSAL doesn't support any TokenType value other than
urn:oasis:names:tc:SAML:1.0:assertion .

If the identity provider returns a different or unexpected value in the SAML response, MSAL
might incorrectly interpret the token as SAML 2.0. In this case, it uses the corresponding
grant_type value during step 2 of the SAML Assertion Grant flow.

Example of the request sent from MSAL application by using PingFederate (SAML Assertion
Grant flow step 2):

Example of the request that's sent from the MSAL application by using AD FS:
 

In this step, the value of the grant_type parameter must align with the actual version of the
SAML token. One of the following values is used by the MSAL application:

urn:ietf:params:oauth:grant-type:saml2-bearer - for SAML 2.0 tokens

urn:ietf:params:oauth:grant-type:saml1_1-bearer - for SAML 1.1 tokens

In the PingFederate example, MSAL uses the saml2-bearer as the grant_type based on its
misinterpretation of the SAML version. This causes a version mismatch between the grant_type
parameter and the SAML token that's included in the assertion that causes the authentication
error.

Solution
To resolve this issue, make sure that PingFederate is configured to align with Microsoft Entra ID
requirements. For step-by-step instructions, review the following articles:

Creating a connection to Microsoft Entra ID .

During Microsoft Entra ID connection setup, pay special attention to the settings in the
following steps:

1. Configure the connection protocols.

2. On the Connection Template tab, select Do not use a template for this connection,
and then select Next.
3. On the Connection Type tab, select Browser SSO Profiles.
4. In the Protocol list, select WS-Federation.
5. In the WS-Federation Token Type list, select SAML 1.1.
6. If you want to support active federation, select the WS-Trust STS checkbox.

Configuring WS-Trust STS

 When you configure WS-Trust STS, make sure that you select SAML 1.1 for Office 365 as
the Default Token Type.

Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that are
independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the
performance or reliability of these products.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Error AADSTS50173 - The provided
grant has expired due to it being
revoked
Article • 03/17/2025

Symptoms
When users try to sign in to an application that uses Microsoft Entra ID authentication,
they receive the following error message:

AADSTS50173: The provided grant has expired due to it being revoked, a fresh
auth token is needed. The user might have changed or reset their password. The

grant was issued on '{authTime}' and the TokensValidFrom date (before which
tokens are not valid) for this user is '{validDate}'.

Cause
This error occurs if the refresh token that's used for authentication is revoked. This issue
occurs if:

The user changes or resets their password.

The refresh token expires.
An administrator revokes the refresh token.

For more information, see:

Refresh tokens in the Microsoft identity platform

Revoke user access in Microsoft Entra ID

Resolution
To resolve this issue, follow the applicable steps.

For users
On the application that experiences the issues, try to locate an option to reauthenticate
or clear any cached token information. You can also perform these actions by signing
out and signing back in to the application (if this step is applicable or available).
For application developers
If the application is using Microsoft Authentication Library (MSAL), follow this guidance
to handle errors and exceptions in MSAL.

If the application isn't using MSAL, follow this guidance to handle errors and exceptions
in MSAL, and try to implement a similar approach on the application. The goal is to
request that the user reauthenticate and obtain a fresh token.

More information
For a full list of authentication and authorization error codes, see Microsoft Entra
authentication and authorization error codes.

To investigate individual errors, go to https://login.microsoftonline.com/error .

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error AADSTS220501 - Unable to
download Certificate Revocation List
Article • 10/28/2024

This article provides a solution to the Microsoft Entra authentication error

AADSTS220501 that occurs when you use certificate-based authentication.

Symptoms
When you try to sign in to an application with certificate-based authentication, you
receive the error AADSTS220501 with the following message:

Unable to download Certificate Revocation List (CRL). Invalid response or no

response from CRL Distribution Point {source}

Cause
The Certificate Revocation List (CRL) is inaccessible or has expired.

Resolution
To resolve this issue, follow these steps:

1. Verify if the CRL file path is accessible publicly by opening the CRL distribution
point URL via a web browser.

Here's an example of a CRL distribution point URL:

http://Contoso.com/CRLfilepath/CRLfilename.crl

To find the CRL distribution point URL for the tenant, see Configure certification
authorities using the Microsoft Entra admin center.

2. If the CRL file path is inaccessible, move the CRL to a publicly available location.

If the CRL file path is accessible, open the CRL file, go to the General tab, and then
check the date and time in the Next Update field that denotes the expiry date of
the CRL. If this date and time is earlier than the current system date, Windows
computers will invalidate certificates that are checked against this CRL. You have to
renew the CRL manually and replace the expired CRL.
More information
For a full list of authentication and authorization error codes, see Microsoft Entra
authentication and authorization error codes.

To investigate individual errors, go to https://login.microsoftonline.com/error .

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error AADSTS50003 - No signing key
configured
Article • 10/28/2024

This article describes a problem in which you receive the error message "Error
AADSTS50003 - No signing key configured." when trying to sign into a SAML-based
single sign-on (SSO) configured app that has been integrated with Microsoft Entra ID.

Symptoms
You receive error AADSTS50003 when trying to sign into an application that has been
setup to use Microsoft Entra ID for identity management using SAML-based SSO.

Cause
The application object is corrupted and Microsoft Entra ID doesn't recognize the
certificate configured for the application.

Resolution
To delete and create a new certificate, follow the steps below:

1. On the SAML-based SSO configuration screen, select Create new certificate under
the SAML signing Certificate section.
2. Select Expiration date and then click Save.
3. Check Make new certificate active to override the active certificate. Then, click
Save at the top of the pane and accept to activate the rollover certificate.
4. Under the SAML Signing Certificate section, click remove to remove the Unused
certificate.

More Information
For a full list of Active Directory Authentication and authorization error codes see
Microsoft Entra authentication and authorization error codes

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error AADSTS50011 with SAML
authentication - The reply URL specified
in the request does not match
Article • 10/28/2024

This article provides a resolution to the AADSTS50011 error that occurs during federated
authentication with Microsoft Entra ID.

Symptoms
You receive error AADSTS50011 when trying to sign into an application that has been set
up to use Microsoft Entra ID for identity management using SAML-based SSO.

Error AADSTS50011 - The reply URL does not match the reply URLs configured for
the application <GUID>. Make sure the reply URL sent in the request matches one
added to your application in the Azure portal. Navigate to
https://aka.ms/urlMismatchError to learn more about how to fix this." when trying
to sign into a SAML-based Single Sign-On (SSO) configured app that has been
integrated with Microsoft Entra ID.

Cause
The AssertionConsumerServiceURL value in the SAML request doesn't match the Reply
URL value or pattern configured in Microsoft Entra ID. The AssertionConsumerServiceURL
value in the SAML request is the URL you see in the error.

Resolution
To fix the issue, follow these steps:

1. Ensure that the AssertionConsumerServiceURL value in the SAML request matches

the Reply URL value configured in Microsoft Entra ID.
2. Verify or update the value in the Reply URL textbox to match the
AssertionConsumerServiceURL value in the SAML request.

As an example, refer to the following article for detailed steps about how to configure
the values in Microsoft Entra ID:
 Tutorial: Microsoft Entra SSO integration with Salesforce

７ Note

The reply URL is also known as Redirect URI. These values depend on what
application is being used. You should get the values from the application vendor.

After you update the Reply URL value in Microsoft Entra ID and it matches the value that
sent by the application in the SAML request, you should be able to sign in to the
application.

More Information
For a full list of Active Directory Authentication and authorization error codes, see
Microsoft Entra authentication and authorization error codes.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error AADSTS50011 with OpenID
authentication: The redirect URI
specified in the request does not match
Article • 10/28/2024

This article describes a problem in which an AADSTS50011 error message is returned

when you try to sign in to an application that uses OpenID Connect (OIDC)-based
authentication with Microsoft Entra ID.

Symptoms
You receive the following error message when you try to sign in to an application that
uses OIDC or OAuth2 authentication protocols with Microsoft Entra ID:

Error AADSTS50011 - The redirect URI <Redirect URI> specified in the request does
not match the redirect URIs configured for the application <AppGUID>. Make sure
the redirect URI sent in the request matches one added to your application in the
Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more
about how to fix this.

Cause
This error occurs if the redirect URI (reply URL) configured in the application (code) and
the Microsoft Entra app registration don't match.

When a user accesses the application for authentication, the application redirects the
user to Microsoft Entra ID with a predefined redirect URI. Once the user is authorized
successfully, Microsoft Entra ID verifies the following values:

The redirect URI sent from the application

The redirect URI values in the registered application in Microsoft Entra ID

If the redirect URI the application sent doesn't match any of the redirect URIs in
Microsoft Entra ID, error AADSTS50011 will be returned. If the values match, Microsoft
Entra ID sends the user to the redirect URI.

Resolution
To fix the issue, follow these steps to add a redirect URI in Microsoft Entra app
registration.

1. Copy the application ID from the error message. This is the ID of your application
that has been registered in Microsoft Entra ID.

2. Go to the Azure portal . Make sure you sign in to the portal by using an account
that has permissions to update Microsoft Entra Application registration.

3. Navigate to Microsoft Entra ID, select App registrations, locate the application
registration by using the application ID, and then open the app registration page.

You can also open the page directly by using the following links:

If this app is owned by an organization (Microsoft Entra tenant), use

https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/Application

MenuBlade/Authentication/appId/<AppGUID> .

If this app is owned by your personal Microsoft (MSA) account, use

https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/Application

MenuBlade/Authentication/appId/<AppGUID>/isMSAApp/true .

4. On the app registration page, select Authentication. In the Platform

configurations section, select Add URI to add the redirect URI displayed in the
error message to Microsoft Entra ID.
 5. Save the changes and wait three to five minutes for the changes to take effect, and
then send the login request again. You should now be able to sign in to the
application. If you don't see the Microsoft Entra login page, try clearing the
password cache from your browser or use InPrivate browsing.

７ Note

If the redirect URI sent from the application isn't the desired one, you should
update your application code or configuration.

The following video shows how to fix the redirect URI mismatch error in Microsoft Entra
ID:
https://www.youtube-nocookie.com/embed/a_abaB7494s

More information
For a complete list of Active Directory authentication and authorization error codes, see
Microsoft Entra authentication and authorization error codes.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error AADSTS50020 - User account from
identity provider does not exist in tenant
Article • 04/07/2025

This article helps you troubleshoot error code AADSTS50020 that's returned if a guest user from
an identity provider (IdP) can't sign in to a resource tenant in Microsoft Entra ID.

Symptoms
When a guest user tries to access an application or resource in the resource tenant, the sign-in
fails, and the following error message is displayed:

AADSTS50020: User account 'user@domain.com' from identity provider

{IdentityProviderURL} does not exist in tenant {ResourceTenantName}.

When an administrator reviews the sign-in logs on the home tenant, a "90072" error code entry
indicates a sign-in failure. The error message states:

User account {email} from identity provider {idp} does not exist in tenant {tenant} and
cannot access the application {appId}({appName}) in that tenant. The account needs to be
added as an external user in the tenant first. Sign out and sign in again with a different
Microsoft Entra user account.

Cause 1： Users log in to Microsoft Entra admin center by

using personal Microsoft Accounts
When you try to log in to Microsoft Entra admin center by using your personal Microsoft
Accounts (Outlook, Hotmail or OneDrive), you are connected to the Microsoft Services tenant
by default. Within the default tenant, there is no linked directory for performing any actions.
This behavior is expected.

In the prior experience, a directory (for example: UserNamehotmail735.onmicrosoft.com) is

created and linked to the personal account, and you can perform actions such as creating user
accounts in the directory. The behavior has now been changed.

Solution: Create an Azure account with a new tenant

If you aim to have a directory, you must create an Azure account and a new tenant:

1. Browse to https://azure.microsoft.com/en-us/free/ , and then select Start free .

 2. Follow the instructions to create an Azure account.
3. A tenant will be generated alongside the Azure account, and you will be automatically
designated as the Global Administrator. This grants you full access to all options within
this tenant.

Cause 2: Used unsupported account type

(multitenant and personal accounts)
If your app registration is set to a single-tenant account type, users from other directories or
identity providers can't sign in to that application.

Solution: Change the sign-in audience setting in the app

registration manifest
To make sure that your app registration isn't a single-tenant account type, perform the
following steps:

1. In the Azure portal , search for and select App registrations.

2. Select the name of your app registration.

3. In the sidebar, select Manifest.

4. In the JSON code, find the signInAudience setting.

5. Check whether the setting contains one of the following values:

AzureADandPersonalMicrosoftAccount
AzureADMultipleOrgs
PersonalMicrosoftAccount

If the signInAudience setting doesn't contain one of these values, re-create the app
registration by having the correct account type selected. You currently can't change
signInAudience in the manifest.

For more information about how to register applications, see Quickstart: Register an
application with the Microsoft identity platform.

Cause 3: Used the wrong endpoint (personal and

organization accounts)
Your authentication call must target a URL that matches your selection if your app registration's
supported account type was set to one of the following values:

Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant)

Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant)

and personal Microsoft accounts (e.g. Skype, Xbox)

Personal Microsoft accounts only

If you use https://login.microsoftonline.com/<YourTenantNameOrID> , users from other

organizations can't access the application. You have to add these users as guests in the tenant
that's specified in the request. In that case, the authentication is expected to be run on your
tenant only. This scenario causes the sign-in error if you expect users to sign in by using
federation with another tenant or identity provider.

Solution: Use the correct sign-in URL

Use the corresponding sign-in URL for the specific application type, as listed in the following
table:

ﾉ Expand table

Application type Sign-in URL

Multitenant applications https://login.microsoftonline.com/organizations

Multitenant and personal accounts https://login.microsoftonline.com/common

Personal accounts only https://login.microsoftonline.com/consumers

In your application code, apply this URL value in the Authority setting. For more information
about Authority , see Microsoft identity platform application configuration options.

Cause 4: Signed in to the wrong tenant

When users try to access your application, either they're sent a direct link to the application, or
they try to gain access through https://myapps.microsoft.com . In either situation, users are
redirected to sign in to the application. In some cases, the user might already have an active
session that uses a different personal account than the one that's intended to be used. Or they
have a session that uses their organization account although they intended to use a personal
guest account (or vice versa).
To make sure that this scenario is the issue, look for the User account and Identity provider
values in the error message. Do those values match the expected combination or not? For
example, did a user sign in by using their organization account to your tenant instead of their
home tenant? Or did a user sign in to the live.com identity provider by using a different
personal account than the one that was already invited?

Solution: Sign out, then sign in again from a different browser

or a private browser session
Instruct the user to open a new in-private browser session or have the user try to access from a
different browser. In this case, users must sign out from their active session, and then try to
sign in again.

Cause 5: Guest user wasn't invited

The guest user who tried to sign in was not invited to the tenant.

Solution: Invite the guest user

Make sure that you follow the steps in Quickstart: Add guest users to your directory in the
Azure portal to invite the guest user.

Cause 6: App requires user assignment

If your application is an enterprise application that requires user assignment, error AADSTS50020
occurs if the user isn't on the list of allowed users who are assigned access to the application.
To check whether your enterprise application requires user assignment:

1. In the Azure portal , search for and select Enterprise applications.

2. Select your enterprise application.

3. In the sidebar, select Properties.

4. Check whether the Assignment required option is set to Yes.

Solution: Assign access to users individually or as part of a

group
Use one of the following options to assign access to users:
 To individually assign the user access to the application, see Assign a user account to an
enterprise application.

To assign users if they're a member of an assigned group or a dynamic group, see

Manage access to an application.

Cause 7: Tried to use a resource owner password

credentials flow for personal accounts
If a user tries to use the resource owner password credentials (ROPC) flow for personal
accounts, error AADSTS50020 occurs. The Microsoft identity platform supports ROPC only within
Microsoft Entra tenants, not personal accounts.

Solution: Use an endpoint that's specific to the tenant or

organization
Use a tenant-specific endpoint ( https://login.microsoftonline.com/<TenantIDOrName> ) or the
organization's endpoint. Personal accounts that are invited to a Microsoft Entra tenant can't
use ROPC. For more information, see Microsoft identity platform and OAuth 2.0 Resource
Owner Password Credentials.

Cause 8: A previously deleted user name was re-

created by the home tenant administrator
Error AADSTS50020 might occur if the name of a guest user who was deleted in a resource
tenant is re-created by the administrator of the home tenant. To verify that the guest user
account in the resource tenant isn't associated with a user account in the home tenant, use one
of the following options:

Verification: Check whether the resource tenant's guest user is

older than the home tenant's user account
To check the creation date of the guest user account, you can use Microsoft Graph, Microsoft
Entra PowerShell, or the Microsoft Graph PowerShell SDK.

Microsoft Graph
Issue a request to the MS Graph API to review the user creation date, as follows:
 msgraph

GET https://graph.microsoft.com/v1.0/users/{id |
userPrincipalName}/createdDateTime

Then, check the creation date of the guest user in the resource tenant against the creation date
of the user account in the home tenant. The scenario is confirmed if the guest user was created
before the home tenant's user account was created.

Microsoft Entra PowerShell

Run the Get-EntraUser PowerShell cmdlet to review the user creation date, as follows:

PowerShell

Get-EntraUser -UserId {id | userPrincipalName} | Select-Object id,

userPrincipalName, createdDateTime

Then, check the creation date of the guest user in the resource tenant against the creation date
of the user account in the home tenant. The scenario is confirmed if the guest user was created
before the home tenant's user account was created.

Microsoft Graph PowerShell SDK

Run the Get-MgUser PowerShell cmdlet to review the user creation date, as follows:

PowerShell

$p = @('Id', 'UserPrincipalName', 'CreatedDateTime')

Get-MgUser -UserId {id | userPrincipalName} -Property $p| Select-Object $p

Then, check the creation date of the guest user in the resource tenant against the creation date
of the user account in the home tenant. The scenario is confirmed if the guest user was created
before the home tenant's user account was created.

Solution: Reset the redemption status of the guest user

account
Reset the redemption status of the guest user account in the resource tenant. Then, you can
keep the guest user object without having to delete and then re-create the guest account. You
can reset the redemption status by using the Azure portal, Azure PowerShell, or the Microsoft
Graph API. For instructions, see Reset redemption status for a guest user.
Contact us for help
If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Error AADSTS530004 -
AcceptCompliantDevice setting isn't
configured for this organization
Article • 12/16/2024

This article discusses scenarios where the AADSTS530004 error occurs when a guest user
accesses an application or resource in a resource tenant and provides solutions.

Symptoms
When a guest user tries to access an application or resource in a resource tenant, the
sign-in process fails, and the following error message is displayed:

AADSTS530004: AcceptCompliantDevice setting isn't configured for this

organization. The administrator needs to configure this setting to allow external user
access to protected resources.

Additionally, when an administrator reviews the sign-in logs in the home tenant, the
same error code is displayed.

Scenario 1: Conditional Access policy for

compliant devices
When a Conditional Access policy in the resource tenant is set with the Require device
to be marked as compliant control and the policy is applied to guest users, the
AADSTS530004 error can occur.

To resolve the error, follow these steps:

1. Create a Cross Tenant Access Policy (XTAP) policy with the Trust compliant devices
setting in the user's home tenant.

2. Ensure that the guest user's device is authenticated.

Device authentication might fail under some conditions. For more information, see
Device authentication fails.

3. Ensure that the guest user's device is joined to Microsoft Intune or supported
mobile device management (MDM) solutions in the home tenant and is compliant.
 ７ Note

Several third-party device compliance partners are supported for integration

with Microsoft Intune. For more information, see Support third-party device
compliance partners in Intune. For more information about configuring
Intune device compliance, see Monitor results of your Intune Device
compliance policies.

Scenario 2: Conditional Access policy for

hybrid-joined devices
When a Conditional Access policy in the resource tenant is set with the Require
Microsoft Entra hybrid joined device control and the policy is applied to guest users,
the error can occur.

To resolve the error, follow these steps:

1. Create an XTAP policy with the Trust Microsoft Entra hybrid joined devices setting
in the user's home tenant.

2. Ensure that the guest user's device is authenticated.

Device authentication might fail under some conditions. For more information, see
Device authentication fails.

3. Ensure that the guest user's device is Microsoft Entra hybrid joined in the home
tenant.

Scenario 3: Conditional Access policy for

approved client apps
When a Conditional Access policy in the resource tenant is configured with the Require
approved client app control and the policy is applied to guest users, the error can
occur.

This scenario isn't supported. To resolve the error, don't apply this control to guest
users.

Device authentication fails

Device authentication might fail under one of the following conditions:

When accessing using a browser in InPrivate or Incognito mode.

When using unsupported browsers or devices, particularly on mobiles.

When browser cookies are disabled.

When a desktop or native application doesn't support device authentication or

doesn't use Microsoft Authentication Broker.

For more information about Microsoft Authentication Broker on different device

platforms, see the following pages:
Windows
Android
iOS
macOS, iOS and iPadOS

For more information on supported device platforms, see Microsoft Entra Conditional
Access - Device platforms.

To verify whether the device claim is sent, review the sign-in logs for the failed or
successful user in the resource tenant:

1. Navigate to the sign-in logs for the user and locate the relevant failure or success
event.
2. Under the Device Info section, check the Join type field. This field indicates the
device claim that was passed.

AADSTS error code reference

For a full list of authentication and authorization error codes, see Microsoft Entra
authentication and authorization error codes. To investigate individual errors, search at
https://login.microsoftonline.com/error .

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error AADSTS50017 - Validation of given
certificate for certificate-based
authentication failed
Article • 02/25/2025

This article provides solutions to the Microsoft Entra authentication AADSTS50017 error
that occurs when you access an application or resource with certificate-based
authentication (CBA).

Symptoms
When you try to access an application or resource with CBA, the sign-in process fails
and the following error message is displayed:

AADSTS50017: Validation of given certificate for certificate based authentication

failed.

Cause 1: Certificate chain failures or validation

failures
The AADSTS50017 error might occur because of the following problems:

Certificate chain failures due to missing certificate authority (CA) certificates in

store.

Validation failures with Subject Key Identifier (SKI) and Authority Key Identifier (AKI)
values.

In Public Key Infrastructure (PKI), the certificate chain validation process ensures
the integrity and authenticity of the certificate chain. The SKI and AKI play crucial
roles in this process. The SKI provides a unique identifier for the public key held by
the certificate. The AKI is used to identify the CA that issues the certificate.

To resolve this issue, follow these steps:

1. Check if issuing certificate is correctly uploaded to the trusted certificate list.

A certificate chain consists of multiple certificates linked together. The end user's
certificate can be issued by a root CA or a non-root CA (intermediate CA). If you
 have a non-root issuing CA (intermediate CA), both intermediate and root CA
certificates must be uploaded to the Microsoft Entra CA trusted store.

2. Check the SKI value of your certificate and confirm if the AKI value matches any
intermediate or root CA certificate that's uploaded to the trusted store.

If there is no match, your certificate or the missing CA certificate should be

changed accordingly. To do this, configure certificate authorities by using the
Microsoft Entra admin center.

To get the SKI and AKI values, check the details of your certificate and uploaded
issuing CA certificates.

ﾉ Expand table

Certificate type Characteristic

Root CA certificate It has its own SKI. It can issue the intermediate certificates when
applicable. It doesn't contain the AKI field.

Issuing or Its AKI points to the Root CA certificate's SKI. It has its own SKI
intermediate CA that matches the AKI on a user certificate. It can issue user
certificate (when certificates, and issue intermediate certificates when applicable.
applicable) Multiple intermediate CA certificates can exist.

End-Entity (User or It has its own SKI. Its AKI points to the issuing CA certificate's SKI.
Client) certificate

Cause 2: Invalid certificates

If any certificates in the certificate chain are missing valid extension identifiers, such as
certificate policy extensions, the AADSTS50017 error might occur.
To resolve this error, validate the certificate policy extensions for all certificates within
the certificate chain, including user certificates, intermediate CA certificates, and the root
CA certificate. Ensure that the certificate policy extension and its Object Identifiers
(OIDs) are consistent and valid across the entire chain.

To verify the policy OIDs for consistency and validity, retrieve the relevant certificates in
chain and validate them as follows:

If any certificates are missing certificate policy extensions, reissue the CA certificate or
end user certificate with the appropriate certificate policy extensions embedded.

For more information about policy extension and other supported extensions, see
Supported Extensions.

AADSTS error code reference

For a full list of authentication and authorization error codes, see Microsoft Entra
authentication and authorization error codes. To investigate individual errors, search at
https://login.microsoftonline.com/error .

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No
Provide product feedback
Error AADSTS50057 - User account is
disabled
Article • 10/28/2024

This article discusses how to resolve the "AADSTS50057" error that occurs when a user
tries to sign in to an application that can be used together with Microsoft Entra ID.

Symptoms
When users try to sign in to an application that's integrated into Microsoft Entra ID, they
receive an "AADSTS50057" error message ("The user account is disabled.").

Cause
The user object is disabled on the resource tenant.

Solution
Engage the resource tenant owners to determine why the user account is disabled.
Then, take the corresponding action, as shown in the following table.

ﾉ Expand table

Scenario Action

The user account is No actions should be performed. Access is expectedly blocked.

supposed to be disabled.

The user account isn't Resource tenant owners should re-enable the account. One of the
supposed to be disabled, options to re-enable the account is using PowerShell to set the -
or it was disabled by AccountEnabled parameter to $true , as described in the Set-
mistake. AzureADUser cmdlet reference.

More information
For a full list of authentication and authorization error codes, see Microsoft Entra
authentication and authorization error codes.

To investigate individual errors, go to https://login.microsoftonline.com/error .

Contact us for help
If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

AADSTS500011 - Resource Principal Not
Found
Article • 02/21/2025

This article describes a problem in which users experiences an "AADSTS500011" error

when they try to sign in to Microsoft Entra ID.

Symptoms
When users try to sign in to an application that uses Microsoft Entra ID authentication,
they receive the following error message:

AADSTS500011 - The resource principal named [resource URL] was not found in the
tenant named [tenant ID]

Cause
This issue occurs if the resource principal (the application or service) is not found in the
tenant. This issue occurs if:

The resource application isn't provisioned by the administrator in the tenant.

The resource application isn't consented to by any user in the tenant.
The resource URL is not configured correctly.
The tenant ID is not correct.

Resolution
To resolve this issue, follow these steps:

1. Verify resource application provisioning:

Make sure that the application (resource principal) is registered correctly in

your Microsoft Entra ID tenant.
Go to the Azure portal , and navigate to Microsoft Entra ID > Enterprise
applications.
Check whether the application is listed and correctly configured.

2. Consent to application:
 Make sure that the resource application has been consented to by an
administrator or a user in the tenant.
Go to the Azure portal , and navigate to Microsoft Entra > Enterprise
applications.
Find the application, and make sure that it has the necessary permissions and
consent.

3. Check resource URL:

Verify that the resource URL that appears in the error message matches the
resource application that you provisioned in your tenant ID.
Make sure that the authentication request is sent by using the correct
resource URL.

4. Check tenant ID:

Verify that the tenant ID that appears in the error message is the same as
your tenant ID.
Make sure that the authentication request is sent to the correct Microsoft
Entra ID tenant.

More information
For a full list of authentication and authorization error codes, see Microsoft Entra
authentication and authorization error codes.

To investigate individual errors, go to https://login.microsoftonline.com/error .

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error AADSTS500571 - Guest user
account is disabled
Article • 10/28/2024

This article discusses how to resolve an AADSTS500571 error that occurs when a user tries
to sign in to an application that can be used together with Microsoft Entra ID.

Symptoms
When a guest user tries to sign in to an application that's integrated into Microsoft Entra
ID, they receive an "AADSTS500571" error message ("The guest user account is
disabled").

Cause
The guest user object is disabled on the resource tenant.

Solution
Engage the resource tenant owners or sponsor to determine the reason that the guest
account is disabled. Then, take the corresponding action, as shown in the following
table.

ﾉ Expand table

Scenario Action

The guest account is No actions should be performed. Access is expectedly blocked.

supposed to be disabled.

The guest account isn't Resource tenant owners should re-enable the account. One of the
supposed to be disabled, options to re-enable the account is by using PowerShell to set the -
or it was disabled by AccountEnabled parameter to $true , as described in the Set-
mistake. AzureADUser cmdlet reference.

More information
For a full list of authentication and authorization error codes, see Microsoft Entra
authentication and authorization error codes.
To investigate individual errors, go to https://login.microsoftonline.com/error .

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error AADSTS50105 - The signed in user
is not assigned to a role for the
application
Article • 10/28/2024

This article provides a resolution to the AADSTS50105 error that occurs during federated
authentication with Microsoft Entra ID.

７ Note

Was this article helpful? Your input is important to us. Please use the Feedback
button on this page to let us know how well this article worked for you or how we
can improve it.

Symptoms
You receive the following error message when you try to sign in to an application that
has been set up to use Microsoft Entra ID for identity management using SAML-based
Single Sign-On (SSO):

Error AADSTS50105 - The signed in user is not assigned to a role for the application.

Cause
The user hasn't been granted access to the application in Microsoft Entra ID. The user
must belong to a group that is assigned to the application, or be assigned directly.

７ Note

Nested groups are not supported, and the group must be directly assigned to the
application.

Resolution
To assign one or more users to an application directly, see Quickstart: Assign users to an
app.
More Information
For a full list of Active Directory authentication and authorization error codes, see
Microsoft Entra authentication and authorization error codes.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error AADSTS650056 - Misconfigured
application
Article • 10/28/2024

This article describes a problem in which you receive the following error message when
trying to sign into a SAML-based single sign-on (SSO) configured app that has been
integrated with Microsoft Entra ID:

Error AADSTS650056 - Misconfigured application. This could be due to one of the

following: the client has not listed any permissions for '{name}' in the requested
permissions in the client's application registration. Or, the admin has not consented
in the tenant. Or, check the application identifier in the request to ensure it matches
the configured client application identifier. Or, check the certificate in the request to
ensure it's valid. Please contact your admin to fix the configuration or consent on
behalf of the tenant. Client app ID: {id}. Please contact your admin to fix the
configuration or consent on behalf of the tenant.

Symptoms
You receive error AADSTS650056 when trying to sign into an application that has been
setup to use Microsoft Entra ID for identity management using SAML-based SSO.

Cause
The Issuer attribute sent from the application to Microsoft Entra ID in the SAML
request doesn’t match the Identifier value configured for the application in Microsoft
Entra ID.

Resolution
Ensure that the Issuer attribute in the SAML request matches the Identifier value
configured in Microsoft Entra ID.

Verify that the value in the Identifier textbox matches the value for the identifier value
displayed in the error.

For more information about the Issuer attribute, see Single Sign-On SAML protocol.
More Information
For a full list of Active Directory authentication and authorization error codes see
Microsoft Entra authentication and authorization error codes.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error AADSTS70001 - Application with
Identifier was not found in the directory
Article • 10/28/2024

This article describes a problem in which you receive the error message "Error
AADSTS70001 - Application with Identifier was not found in the directory." when trying
to sign into a SAML-based single sign-on (SSO) configured app that has been integrated
with Microsoft Entra ID.

Symptoms
You receive error AADSTS70001 when trying to sign into an application that has been set
up to use Microsoft Entra ID for identity management using SAML-based SSO.

Cause
The Issuer attribute sent from the application to Microsoft Entra ID in the SAML
request doesn’t match the Identifier value that's configured for the application in
Microsoft Entra ID.

Resolution
Ensure that the Issuer attribute in the SAML request matches the Identifier value
configured in Microsoft Entra ID.

On the SAML-based SSO configuration page, in the Basic SAML configuration section,
verify that the value in the Identifier textbox matches the value for the identifier value
displayed in the error. If there's a trailing slash at the end of the url, it should be also
included.

Using the Test SSO Function in the Microsoft Entra admin

center
The Microsoft Entra admin center can help you troubleshoot SAML configuration errors.
 1. In the Microsoft Entra admin center, go to Enterprise Applications and click on the
application needing troubleshooting.
2. Navigate to the Single sign-on page using the left-hand navigation menu
3. Click on Test this application to use the Test SSO functionality.
4. Copy and paste the error received into the Resolving Errors section and click Get
resolution guidance
5. View the difference between the Issuer and Identifier found.
6. Correct either the Issuer or Identifier.

More Information
For a full list of Active Directory Authentication and authorization error codes, see
Microsoft Entra authentication and authorization error codes

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error - AADSTS75011 Authentication
method by which the user authenticated
with the service doesn't match
requested authentication method
AuthnContextClassRef
Article • 10/28/2024

This article describes a problem in which you receive the error message, "Error -
AADSTS75011 Authentication method by which the user authenticated with the service
doesn't match requested authentication method AuthnContextClassRef," when you try
to sign in to a SAML-based single sign-on (SSO) configured app that has been
integrated with Microsoft Entra ID.

７ Note

Was this article helpful? Your input is important to us. Please use the Feedback
button on this page to let us know how well this article worked for you or how we
can improve it.

Symptoms
You receive a AADSTS75011 error message when you try to sign in to an application that
has been set up to use Microsoft Entra ID for identity management by using SAML-
based SSO.

Cause
The RequestedAuthnContext is in the SAML request. This means the app is expecting the
AuthnContext specified by the AuthnContextClassRef . However, the user has already

authenticated prior to access the application and the AuthnContext (authentication

method) used for that previous authentication is different from the one being
requested. For example, a federated user access to MyApps and WIA occurred. The
AuthnContextClassRef will be urn:federation:authentication:windows . Microsoft Entra

ID won't perform a fresh authentication request, it will use the authentication context
that was passed-through it by the IdP (ADFS or any other federation service in this case).
Therefore, there will be a mismatch if the app requests other than
urn:federation:authentication:windows . Another scenario is when MultiFactor was used:

'X509, MultiFactor .

Resolution
RequestedAuthnContext is an optional value. If possible, ask the application if the value

could be removed.

Another option is to make sure that the RequestedAuthnContext value will be honored.
This is done by requesting a fresh authentication. By doing this, when the SAML request
is processed, a fresh authentication is done and AuthnContext is honored. In order to
request a Fresh Authentication, the SAML request must contain the value,
forceAuthn="true" .

More information
For a full list of Active Directory Authentication and authorization error codes, see
Microsoft Entra authentication and authorization error codes

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error AADSTS75005 - The request is not
a valid Saml2 protocol message
Article • 10/28/2024

This article describes a problem in which you receive the error message "Error
AADSTS75005 - The request is not a valid Saml2 protocol message." when you try to
sign into an apapplication that has been integrated with Microsoft Entra ID.

Symptoms
You receive error AADSTS75005 when trying to sign into an application that has been set
up to use Microsoft Entra ID for identity management using SAML-based SSO.

Cause
Microsoft Entra ID doesn't support the SAML request sent by the application for single
sign-on. Some common issues are:

Missing required fields in the SAML request.

SAML request encoded method.

Resolution
1. Capture the SAML request. Follow the tutorial How to debug SAML-based single
sign-on to applications in Microsoft Entra ID to learn how to capture the SAML
request.
2. Contact the application vendor and share the following info:

SAML request
Microsoft Entra Single Sign-on SAML protocol requirements

The application vendor should validate that they support the Microsoft Entra SAML
implementation for single sign-on.

More Information
For a full list of Active Directory Authentication and authorization error codes, see
Microsoft Entra authentication and authorization error codes
Contact us for help
If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error AADSTS750054 - SAMLRequest or
SAMLResponse must be present as
query string parameters in HTTP
request for SAML Redirect binding
Article • 10/28/2024

This article describes a problem in which you receive the error message "Error
AADSTS750054 - SAMLRequest or SAMLResponse must be present as query string
parameters in HTTP request for SAML Redirect binding." when trying to sign into a
SAML-based single sign-on (SSO) configured app that has been integrated with
Microsoft Entra ID.

Symptoms
You receive error AADSTS750054 when trying to sign into an application that has been
setup to use Microsoft Entra ID for identity management using SAML-based SSO.

Cause
Microsoft Entra ID wasn't able to identify the SAML request within the URL parameters
in the HTTP request. This can happen if the application is not using HTTP redirect
binding when sending the SAML request to Microsoft Entra ID.

Resolution
The application needs to send the SAML request encoded into the location header using
HTTP redirect binding. For more information about how to implement it, read the
section HTTP Redirect Binding in the SAML protocol specification document .

Most often, the error is due to one of the following issues:

1. Ensure that single-sign on is enabled on the application side.

2. The application must support service provider-initiated single sign-on (sometimes
known as SP-initiated SSO). When entering a sign-in URL for an application that
only supports identity provider-initiated single sign-on can lead to a bounce back
from the application without a SAML response.
3. Verify that the sign-on URL is correctly configured.
Using the Test SSO Function in the Microsoft Entra admin
center
The Microsoft Entra admin center can help you troubleshoot SAML configuration errors.

1. In the Microsoft Entra admin center, go to Enterprise Applications and click on the
application needing troubleshooting.
2. Navigate to the Single sign-on page using the left-hand navigation menu
3. Click on Test this application to use the Test SSO functionality.
4. Copy and paste the error received into the Resolving Errors section and click Get
resolution guidance
5. Follow the steps to troubleshoot error AADSTS750054

More Information
For a full list of Active Directory Authentication and authorization error codes see
Microsoft Entra authentication and authorization error codes

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error AADSTS700003 - Device object
was not found in the tenant
'<TenantName>' directory
Article • 02/24/2025

This article discusses how to resolve the "AADSTS700003" error that occurs when you try
to sign in to an application that's integrated into Microsoft Entra ID.

Symptoms
When you try to sign in to an application that's integrated into Microsoft Entra ID, you
receive an "AADSTS700003" error with one of the following error messages:

Device object was not found in the tenant '<TenantName>' directory.

Your organization has deleted this device.

Cause
This issue occurs because the device object is deleted on your home tenant. When a
device is deleted, the "Delete device" activity type is recorded in the Microsoft Entra
audit log. In Microsoft Entra ID, there are three ways to register or join user devices:

Microsoft Entra registered

Microsoft Entra joined
Microsoft Entra hybrid joined

Device registration or join creates a device identity. This device identity is used in
scenarios such as device-based Conditional Access policies and Mobile Device
Management with Microsoft Intune. When you receive the AADSTS700003 error, the
device object isn't found in the tenant.

Solution
Engage the home tenant administrators to determine when and why your device object
is deleted. Then, take the corresponding action depending on the device
registration/join type, as shown in the following table:
 ﾉ Expand table

Device join Action

type

Microsoft For Windows 10/11 Microsoft Entra registered devices, go to Settings >
Entra Accounts > Access Work or School. Select your work or school account on the
registered screen. Select Disconnect to disconnect the device. Then, register the device to
Microsoft Entra ID again.

For iOS and Android, you can use the Microsoft Authenticator application and
select Settings > Device Registration > Unregister device. Then, register the
device to Microsoft Entra ID again.

For macOS, you can use the Microsoft Intune Company Portal application to
unenroll the device from management and remove any registration. Then,
register the device to Microsoft Entra ID again.

For more information, see Microsoft Entra register FAQ.

Microsoft Open a PowerShell console with the administrative right on the Windows device,
Entra joined and run the dsregcmd /forcerecovery command. Select Sign in to sign in with
your Microsoft Entra ID account.

Microsoft Open a PowerShell console with the administrative right on the Windows device,
Entra hybrid and run the dsregcmd /leave command. Then, reboot the device and sign in to
joined the device with your domain credential.

More information
For a full list of authentication and authorization error codes, see Microsoft Entra
authentication and authorization error codes.

To investigate individual errors, go to https://login.microsoftonline.com/error .

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No
Provide product feedback
Error AADSTS7000110: Request is
ambiguous, multiple application
identifiers found
Article • 01/16/2025

This article discusses how to resolve the AADSTS7000110 error that occurs when an
application tries to obtain or refresh a token from Microsoft Entra ID.

Symptoms
When you try to sign in to an Azure application that can be used together with
Microsoft Entra ID, you receive the following AADSTS7000110 error message:

Request is ambiguous, multiple application identifiers found. The client ID used to

obtain the grant (e.g. refresh token or authorization code) might not match the
client ID passed in this request or client credential.

Cause
The application tried to do one of the following activities:

Redeem an OAuth2 authorization code to get an access token or a refresh token

that has the wrong application ID ( client_id parameter).

Use a refresh token that was initially issued to the application ID of a different
caller.

Solution
Use an OAuth2 authorization code or a refresh token that's from the same application
ID ( client_id parameter).

More information
For a full list of authentication and authorization error codes, see Microsoft Entra
authentication and authorization error codes.

To investigate individual errors, go to https://login.microsoftonline.com/error .

Contact us for help
If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error AADSTS7000112 - Application is
disabled
Article • 10/28/2024

This article discusses how to resolve the AADSTS7000112 error that occurs when you try to
sign in to an application that can be used together with Microsoft Entra ID.

Symptoms
When you try to sign in to an Azure application that's integrated into Microsoft Entra ID,
you receive the following AADSTS7000112 error message:

Application '<appIdentifier>'(<appName>) disabled.

Cause
The service principal object is disabled on the resource tenant.

Solution
Work together with the resource tenant owners to determine why the service principal
object is disabled. Then, use the following table to take the appropriate action.

ﾉ Expand table

Scenario Action

The service principal is Don't do anything. Access is intentionally blocked. We don't expect or
supposed to be recommend that resource tenant administrators of first-party
disabled. applications disable the respective service principal. Microsoft Services
automatically provisions and manages the service principals.

The service principal Ask the resource tenant owners to re-enable the service principal. One
isn't supposed to be method to re-enable the service principal is to use PowerShell to set
disabled, or it was the -AccountEnabled parameter to $true . For more information, see
disabled mistakenly. the Set-AzureADServicePrincipal cmdlet reference.

More information
For a full list of authentication and authorization error codes, see Microsoft Entra
authentication and authorization error codes.

To investigate individual errors, go to https://login.microsoftonline.com/error .

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error AADSTS900439 -
USGClientNotSupportedOnPublicEndpoi
nt
Article • 03/31/2025

This article provides a solution to the error AADSTS900439

(USGClientNotSupportedOnPublicEndpoint) that occurs when you try to sign in to an
application registered in the Azure Government cloud using a public cloud endpoint.

Symptoms
When trying to sign in to an application registered in the Azure Government cloud using
a public endpoint, the sign-in fails, and you receive the AADSTS900439
(USGClientNotSupportedOnPublicEndpoint) error.

Cause
Microsoft Entra authority for Azure Government has been updated from https://login-
us.microsoftonline.com to https://login.microsoftonline.us . This change also applies

to Microsoft 365 GCC High and Microsoft 365 DoD environments, which Microsoft Entra
authority for Azure Government also services. Microsoft Entra ID enforces the correct
endpoint for sign-in operations. You can no longer sign in to an application registered in
the Azure Government cloud using the public endpoint https://login-
us.microsoftonline.com .

For more information, see Microsoft Entra Authority for Azure Government Endpoint
Update .

Solution
To resolve this issue, ensure you use the correct Azure Government endpoint for sign-in
operations. Here are the mappings between Azure services and Azure Government
endpoints:

ﾉ Expand table
 Name Azure Government endpoint

Portal https://portal.azure.us

Microsoft Graph API https://graph.microsoft.us

Active Directory Endpoint and Authority https://login.microsoftonline.us

For more information, see Azure Government endpoint mappings.

More information
Each national cloud environment differs from the global Microsoft environment. When
you develop applications for these environments, it's important to understand the key
differences. For example, registering applications, acquiring tokens, and calling the
Microsoft Graph API can be different.

For more information about registering applications in a national cloud, see App
registration endpoints.

For more information about acquiring tokens in a national cloud, see Microsoft Entra
authentication endpoints.

For more information about the different Microsoft Graph national cloud deployments
and the capabilities that are available to developers within each cloud, see Microsoft
Graph national cloud deployments. Here's a sample implementation: Configure a .NET
application to call Microsoft Graph in a national cloud tenant .

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error AADSTS50000 getting a token or
signing in to an Azure app
Article • 03/19/2025

The AADSTS50000 error can occur during the authentication process or token
acquisition flow that uses the token endpoint. These errors can have multiple causes.
This article provides common scenarios and resolutions for this error.

Symptoms
When a user tries to sign in to an application that's integrated into Microsoft Entra ID,
the user receives the following error message:

AADSTS50000: There was an error issuing a token or an issue with our sign-in
service.

Cause 1: The user password is expired, invalid,

or out of sync
This issue is common in hybrid environments. The user's federated account password
might be out of sync between the on-premises Active Directory and Microsoft Entra ID.
Additionally, this issue can also occur when a user session is being revoked.

Solution for cause 1

Reset the user password, and then verify that the new password can successfully
authenticate to Microsoft Entra ID.

Cause 2: Parameters are incorrectly configured

in the token acquisition request
This problem commonly occurs in the on-behalf-of (OBO) flow. Certain parameters that
are required for token acquisition might be missing or invalid.

Solution for cause 2

Make sure that the client ID is valid and that other required parameters are configured
correctly. For more information, see Microsoft identity platform and OAuth 2.0 On-
Behalf-Of flow.

Cause 3: Consent-related issues

This issue can occur in an OAuth2 Device code grant flow to the token endpoint. After
the user signs in to a browser window and accepts the consent dialog, this error occurs.

Solution for cause 3: Verify application consent settings

1. In the Azure portal , make sure that the client application (Service Principal) exists
on the tenant's Enterprise Applications page. You can search for the application by
App ID.
2. Verify that the user can consent to the application. Check the user settings on the
Enterprise Applications page or review relevant policies that affect user consent.

Cause 4: Symmetric signing key is used in the

application or service principal object
Microsoft Identity Platform (v2 endpoint) tokens must be signed by a certificate
(asymmetric key). Errors might occur if a symmetric signing key is used.

Solution for cause 4

Step 1: Check whether symmetric key is used in application object

1. In the Azure portal, go to the App Registrations.

2. In the Manage section, select Manifest.

3. Check whether an entry exists in the keyCredentials section that includes

type=Symmetric and usage=Sign .
 

Alternatively, use the Microsoft Graph PowerShell cmdlet Get-MgApplication to retrieve

key credentials.

Step 2: Check whether symmetric key is used in service principal

object

1. If the application is not found in the App Registrations page in the Azure portal,
browse to the Enterprise Applications page.
2. Locate the application, and then get the Object ID of the Service Principal.
3. Use Get-MgServicePrincipal to retrieve the key credentials.

Step 3: Remove symmetric signing key

If the symmetric key exists:

Use Remove-MgApplicationKey to remove the symmetric key for the app

registration.
Use Remove-MgServicePrincipalKey to remove the symmetric key for the service
principal object.

If a signing key is required, use a signing certificate instead. For more information, see
SAML-based single sign-on: Configure a signing certificate.
Cause 5: No delegated permission exposed in
the resource application (web API)
This error might occur in the following scenario:

You have a multitenant resource application that's registered in Tenant A. This

application exposes only the Application Permission type.
In Tenant B, you have a client application registered. In the API permission page
for this application, you configure the permission for the resource application
that's registered in Tenant A.
You use an OAuth 2 delegated grant flow (for instance auth code grant flow) to
request an access token for the resource app that uses /.default as the value of
the web API scope.

Solution for cause 5

Configure the resource application to expose the delegated permission, and then
consent to that delegated permission in the client application.

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Problems signing in to SAML-based
Single Sign-On configured apps
Article • 10/28/2024

To troubleshoot the sign-in issues below, we recommend the following to better

diagnosis and automate the resolution steps:

Install the My Apps Secure Browser Extension to help Microsoft Entra ID to provide
better diagnosis and resolutions when using the testing experience in the Azure
portal.
Reproduce the error using the testing experience in the app configuration page in
the Azure portal. Learn more on Debug SAML-based Single Sign-On applications

If you use the testing experience in the Azure portal with the My Apps Secure Browser
Extension, you don't need to manually follow the steps below to open the SAML-based
Single Sign-On configuration page.

To open the SAML-based Single Sign-On configuration page:

1. Open the Azure portal and sign in as a Global Administrator or Coadmin.

2. Open the Microsoft Entra Extension by selecting All services at the top of the
main left-hand navigation menu.

3. Type “Microsoft Entra ID" in the filter search box and select the Microsoft Entra ID
item.

4. Select Enterprise Applications from the Microsoft Entra left-hand navigation

menu.

5. Select All Applications to view a list of all your applications.

If you do not see the application you want show up here, use the Filter control at
the top of the All Applications List and set the Show option to All Applications.

6. Select the application you want to configure for Single Sign-On.

7. Once the application loads, select Single Sign-On from the application’s left-hand
navigation menu.

8. Select SAML-based SSO.

General troubleshooting
Problem when customizing the SAML claims sent to an
application
To learn how to customize the SAML attribute claims sent to your application, see
Claims mapping in Microsoft Entra ID.

Errors related to misconfigured apps

Verify both the configurations in the portal match what you have in your app.
Specifically, compare Client/Application ID, Reply URLs, Client Secrets/Keys, and App ID
URI.

Compare the resource you’re requesting access to in code with the configured
permissions in the Required Resources tab to make sure you only request resources
you’ve configured.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Troubleshoot infinite redirection
between OIDC app and Entra ID
Article • 01/06/2025

This article describes an infinite redirection issue that exists between an OpenID Connect
(OIDC) application and Microsoft Entra ID.

Symptoms
When you browse to a website that's built by using an OpenID Connect (OIDC) app and
Microsoft Entra ID, the browser enters an infinite loop that forms between the website
and the Microsoft Entra ID authentication process.

The issue specifically occurs when you browse the website by using the HTTP protocol.
When you use HTTPS, the issue doesn't occur.

Cause
The .AspNet.Cookies cookie isn't sent in HTTP requests because of its secure attribute.

Solution: Enforce HTTPS navigation

To resolve the issue, enforce HTTPS navigation for the site. HTTPS is always
recommended for sites that require authentication.

Workaround
If your scenario requires the initial navigation to occur over HTTP, you can customize the
Cookies Authentication middleware to allow the authentication AspNet cookie for both
the HTTP and HTTPS schemes by setting the CookieSecure attribute to
CookieSecureOption.Never , as shown in the following Startup.Auth.cs file.

７ Note

This workaround isn't recommended for production environments because it

compromises security by allowing cookies to be sent over HTTP.
 C#

public void ConfigureAuth(IAppBuilder app)

{

app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.Authen
ticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
CookieSecure = CookieSecureOption.Never
});

app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,

}
}

This issue is discussed also in this ASP.NET Security Blog article (Issue #219) .

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Microsoft Entra ID is sending the token
to an incorrect reply URL endpoint or
localhost
Article • 10/28/2024

This article describes a problem in which Microsoft Entra ID is sending the token to an
incorrect reply URL endpoint or localhost.

Symptoms
During single sign-on, if the sign-in request does not contain an explicit reply URL
(Assertion Consumer Service URL) then Microsoft Entra ID will select any of the
configured reply URLs for that application. Even if the application has an explicit reply
URL configured, the user may be to redirected https://127.0.0.1:444 .

When the application was added as a non-gallery app, Microsoft Entra ID created this
reply URL as a default value. This behavior has changed and Microsoft Entra no longer
adds this URL by default.

Cause
The user has not been granted access to the application in Microsoft Entra ID.

Resolution
Delete the unused reply URLs configured for the application.

On the SAML-based SSO configuration page, in the Reply URL (Assertion Consumer
Service URL) section, delete unused or default Reply URLs created by the system. For
example, https://127.0.0.1:444/applications/default.aspx .

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

"ValidationContext.Nonce is null" errors
in ASP.NET MVC apps
Article • 01/07/2025

This article provides solutions to the common nonce validation errors that you might
encounter in ASP.NET MVC apps by using OpenID Connect (OIDC) middleware.

Common error messages

Depending on the version of Open Web Interface for .NET (OWIN) that you use, you
might receive one of the following error messages:

IDX21323: RequireNonce is '[PII is hidden by default. Set the 'ShowPII' flag in

IdentityModelEventSource.cs to true to reveal it.]'.
OpenIdConnectProtocolValidationContext.Nonce was null,
OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce
cannot be validated. If you do not need to check the nonce, set
OpenIdConnectProtocolValidator.RequireNonce to false.

IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A

nonce cannot be validated. If you do not need to check the nonce, set
OpenIdConnectProtocolValidator.RequireNonce to false.

Understanding nonce cookies

The ASP.NET OIDC middleware uses a nonce cookie to prevent replay attacks. The app
throws the exception if it can't find the nonce cookie in the authenticated request.
Cookies are domain-based. This means that if the cookies are set for a specific domain,
all subsequent requests to that domain will include the cookies until they expire or are
deleted.

The following Fiddler traces describe how these cookies are set and used in a working
flow:

In Frame 116, the browser sends a request to the OIDC app that's protected by
Microsoft Entra ID. After receiving the request, the app detects that it isn't
authenticated. It then redirects the request to Microsoft Entra ID
( login.microsoftonline.com ) for authentication. Additionally, the app sets the
OpenIdConnect.nonce cookie in the "302" redirect response.
 

After successful authentication (Frame 120-228), Microsoft Entra ID redirects the

request back to the web app (Frame 229) together with the authenticated ID token.
The nonce cookie that was previously set for this domain is also included in the
POST request. The OIDC middleware validates the authenticated token and the
nonce cookie before it continues to load the page (through another redirect). At
this point, the nonce cookie's purpose is finished, and the app invalidates it by
setting the expiration attribute to expire.

Solution

Cause 1: Multiple domains are used for the same website

The browser originally navigates to the app on Domain A (Frame 9), and the nonce
cookie is set for this domain. Later, Microsoft Entra ID sends the authenticated token to
Domain B (Frame 91). Because the redirection to Domain B doesn't include the nonce
cookie, the web app throws the validationContext.Nonce is null error.
 

Solution 1
To resolve this issue, follow these steps:

1. Redirect the request back to the same domain that was originally used after
authentication. To control where Azure AD sent the authenticated request back to
the app, set the OpenIdConnectAuthentications.RedirectUri property in the
ConfigureAuth method.

2. Configure the redirect URI (reply URL) in App Registration. Otherwise you might
receive the following error: AADSTS50011: The reply URL that's specified in the
request doesn't match the reply URLs that Azure configured for the app. For more
information, see Error AADSTS50011 with OpenID authentication.

Cause 2: Missing SameSite attributes

Because of the SameSite cookie security updates, all cookies that are involved in the
authentication process (including Nonce cookies) should contain the following
attributes:

SameSite=None
Secure

For more information, see SameSite cookies and the Open Web Interface for .NET.
Solution 2
To make sure that both the required attributes are included, follow these steps:

1. Use the HTTPS protocol to navigate to the web app.

2. Update .NET Framework and NuGet packages:

For .NET Framework apps: Upgrade .NET Framework to version 4.7.2+ and
relevant NuGet packages (Microsoft.Owin.Security.OpenIdConnect,
Microsoft.Owin) to version 4.1.0+.
For .NET Core apps:
Version 2.x apps should use .NET Core 2.1+.
Version 3.x apps should use .NET Core 3.1+.

Example configuration code for Startup.Auth.cs:

C#

using System.Configuration;
using Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Notifications;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

namespace NetWebAppOIDC2
{
public partial class Startup
{
private static string clientId =
ConfigurationManager.AppSettings["ida:ClientId"];
private static string aadInstance =
ConfigurationManager.AppSettings["ida:AADInstance"];
private static string tenantId =
 ConfigurationManager.AppSettings["ida:TenantId"];
private static string postLogoutRedirectUri =
ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
private static string authority = aadInstance + tenantId;

public void ConfigureAuth(IAppBuilder app)

{

app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.Authen
ticationType);

app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
PostLogoutRedirectUri = postLogoutRedirectUri,
RedirectUri = "https://localhost:44313",

Notifications = new
OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = OnAuthenticationFailed
}

// Don't use SystemwebCookieManager class here to

override the default CookieManager because that seems to negate the SameSite
cookie attribute that's being set.
// CookieManager = new SystemWebCookieManager()

});
}

private Task
OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage
, OpenIdConnectAuthenticationOptions> context)
{
context.HandleResponse();
context.Response.Redirect("/?errormessage=" +
context.Exception.Message);
return Task.FromResult(0);
}
}
}

Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that
are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about
the performance or reliability of these products.
Contact us for help
If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Application and delegated permissions
for access tokens in the Microsoft
identity platform
Article • 01/16/2025

This article introduces the differences between application and delegated permissions
for access tokens in the Microsoft identity platform to help diagnose issues when
applications call web APIs.

Overview
As described in the Overview of permissions and consent in the Microsoft identity
platform and Glossary: Microsoft identity platform, there are two types of permissions
for an access token: delegated permissions and application permissions. Delegated
permissions are granted to a signed-in user, whereas application permissions are
granted directly to an application. The key difference is that delegated permissions
require user sign-in, while application permissions don't; instead, the application
authenticates to Microsoft Entra ID using its own application identity (client ID and
secret/assertion).

Regardless of permission types, you must configure API permissions on the Microsoft
Entra App Registration page:

Select Application permissions if your application doesn't need any user to sign in.
Select Delegated permissions if your application requires a user to sign in so that
the access token can be issued for that sign-in.

７ Note

When you select Application permissions, admin consent must be granted for the
permission to function correctly.

Permission type tokens issued from OAuth2

authentication flows
Microsoft Entra ID supports various OAuth2 authentication flows. The kind of
authentication flow that an application uses results in specific types of permissions in an
access token.

Application permission tokens can only be obtained from the client credentials grant
flow.

Delegated permission tokens can only be obtained from the following flows:

Implicit grant flow

Authorization code grant flow
On-Behalf-Of flow
Device authorization grant flow
Resource Owner Password Credentials grant flow

Identify the permission type for an access

token
To determine whether an access token is a delegated or application permission token,
inspect the token claims using a tool like jwt.ms .

For application permission tokens, the permissions are in the roles claim:

JSON

"oid": "<oid>"
"roles": [
"User.Read.All"
],
"sub": "<sub>"

７ Note

The scp claim is absent in application permission tokens.

For delegated permission tokens, the permissions are in the scp claim:

JSON

"scp": "Directory.Read.All User.Read",

"sub": "<sub>",

７ Note
 The roles claim might still appear in a delegated permission token, but it lists the
roles assigned to the user in the API app.

Identify the permission type an API supports

Understanding what type of permissions an API supports is essential. Many errors such
as 400, 401, 403, and 500 occur when applications call different APIs (for example,
Microsoft Graph and Power BI) with incorrect permission type tokens. For an API,
different REST endpoints might require different permission types. You can refer to the
API endpoint documentation to check the supported permission type. You also need to
evaluate whether the authentication flow used in the application generates the desired
permission tokens.

Example scenario
Power BI API: While Power BI supports both delegated and application permissions,
some tasks, like viewing reports (requiring the Report.Read.All permission), can only be
performed with a delegated token. On the App Registration page, Application
permissions only support two permissions: Tenant.Read.All and Tenant.ReadWrite.All.

In contrast, Delegated permissions offer a richer feature set:

Troubleshoot issues when calling Microsoft
Graph REST endpoints
Users often encounter issues when their applications call Microsoft Graph REST
endpoints. The requests work successfully in Microsoft Graph Explorer but fail in their
applications. To troubleshoot these issues, check the following things:

Check the permission type the access token has. Microsoft Graph Explorer always
uses a delegated permission token.
Ensure the same user account is used to sign in to Microsoft Graph Explorer and
the application.
Verify if the endpoint supports delegated permissions, application permissions, or
both.
Verify that the access token has the correct permissions to call the endpoint.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

Troubleshoot consent issues in Microsoft
Entra ID
Article • 01/16/2025

This article provides guidance on troubleshooting consent issues in Microsoft Entra ID. It
applies to OpenID Connect and OAuth2-based authentications.

７ Note

SAML-based applications might present similar errors but require different solutions,
typically due to configuration mismatches within the SAML request on either the third-
party SAML Service Provider or Microsoft Entra ID.

Symptoms
When an application tries to sign in or get an access token for a resource that hasn't been
consented to by a user or admin, you receive an error message similar to one of the
following examples:

Need admin approval

AADSTS65001: The user or administrator has not consented to use the application
with ID '<App-ID>' named '<Name-of-App>'. Send an interactive authorization
request for this user and resource.

AADSTS650056: Misconfigured application. This could be due to one of the

following: The client has not listed any permissions for 'AAD Graph' in the
requested permissions in the client's application registration. Or, The admin has
not consented in the tenant. Or, Check the application identifier in the request to
ensure it matches the configured client application identifier. Please contact your
admin to fix the configuration or consent on behalf of the tenant.

AADSTS90094: An administrator of <TenantDisplayName> has set a policy that

prevents you from granting <Name-of-App> the permissions it is requesting.
Contact an administrator of <TenantDisplayName>, who can grant permissions to
this app on your behalf.

AADSTS90008: The user or administrator has not consented to use the application
with ID '<App-ID>'. This happened because application is misconfigured: it must
 require access to Windows Azure Active Directory by specifying at least 'Sign in
and read user profile' permission

AADSTS900941: Administrator consent is required. App is considered risky.

(AdminConsentRequiredDueToRiskyApp) This app may be risky. If you trust this
app, ask your admin to grant you access.

AADSTS900981: An admin consent request was received for a risky app.

(AdminConsentRequestRiskyAppWarning) This app may be risky. Only continue if
you trust this app.

There are many reasons why you might receive a message indicating that admin approval or
admin consent is required. Consider the following high-level scenarios:

The User.Read permission is missing.

User consent is disabled at the tenant level.
User assignment is enabled for the application.
A service principal doesn't exist in the tenant for the client application.
A service principal doesn't exist in the tenant for the resource.
A consent URL that specifies prompt=admin_consent or prompt=consent is requested.
Scopes that haven't been consented to are requested in a sign-in request.
The scope or permission requires admin consent.
User consent is blocked for risky applications.

The following sections provide a troubleshooting guide for finding the root causes of
consent issues. If you want to resolve issues directly, go to the Perform admin consent
section.

Before troubleshooting
Make sure the application has permission for user sign-in, such as the User.Read
permission. Furthermore, ensure that this permission has been consented to.

For example, if you own the application registration or any application requiring user sign-
in, you should at least have the Microsoft Graph User.Read or Openid delegated permission
added to the application registration API Permissions.
 

Troubleshoot steps

Step 1: Get the sign-in request sent to Microsoft Entra ID

To determine why the consent prompt appears, get the sign-in request and examine the
parameters sent to Microsoft Entra ID. When the consent prompt appears, you can get the
sign-in request by using one of the following methods:

If you're using a browser, view the address bar.

If you're not using a browser or still can't see the address bar in the browser, use an
HTTP capture tool like Fiddler to get the request.

A sign-in request should look like the following one:

V1 OAuth2 endpoint:

https://<Aad-Instance>/<Tenant-ID>/oauth2/authorize?client_id=<App-

ID>&response_type=code&redirect_uri=<Redirect-URI>&resource=<App-URI-ID>&scope=
<Scope>&prompt=<Prompt>

V2 OAuth2 endpoint:

https://<Aad-Instance>/<Tenant-ID>/oauth2/v2.0/authorize?client_id=<App-
ID>&response_type=code&redirect_uri=<Redirect-URI>& scope=<Scope>&prompt=<Prompt>

The following table provides an example of the parameters used in a sign-in request, which
are referenced throughout the following troubleshooting steps:

ﾉ Expand table
 Property Sign-in request portion Value

Aad- <Aad-Instance> login.microsoftonline.com

Instance

Tenant- <Tenant-ID> portion of the sign-in request common

ID

App-ID <App-ID> portion of the sign-in request 1f92960d-1442-4cd2-8c76-

d13c5dcb30bf

Scope <Scope> portion of the sign-in request Openid+User.Read+Directory.Read.All

App- V1 endpoint: <App-URI-ID> portion of the sign-in request https://graph.microsoft.com

URI-ID
V2 endpoint: For resources other than Microsoft Graph,
this will be the portion before the scope name. For
example, for
https://analysis.windows.net/powerbi/api/App.Read.All ,
App.Read.All is the scope name, so the App-URI-ID is
https://analysis.windows.net/powerbi/api .

Prompt <Prompt> portion of the sign-in request

Step 2: Verify if you allow users to consent

To check if user consent is allowed in your organization, follow these steps:

1. Sign in to the Azure portal.

2. Navigate to Microsoft Entra ID, and select Enterprise applications > Consent and
permissions.

3. Review the User consent for applications setting:

If Allow user consent for apps is selected, all users can consent to permissions
that don't require admin consent. In this case, go to the next step.

If Do not allow user consent is selected, users will always receive the "Need
admin approval" message. In this case, an admin must perform admin consent.

７ Note

If an admin believes they have already consented to those permissions,

most likely, not all of the required permissions listed in the sign-in request
were consented to, or the wrong application was used based on the <App-
ID> .
Step 3: Verify if the application exists
To verify if the application exists in the tenant, follow these steps:

1. Sign in to the Azure portal.

2. Switch to the correct tenant based on the <Tenant-ID> .
3. Go to Enterprise applications.
4. Set Application Type to All Applications and search for the <App-ID> .
5. If the application isn't found, this is why you experience consent issues. In this case,
perform admin consent. If the application is found, go to the next step.

Step 4:Verify if user assignment is required

In the Enterprise applications pane, search for and select the application. Under the
Manage section, select Properties to open the Properties pane, and then review the
Assignment required setting.

If user assignment is required, an admin must consent to this application. To do so, go to

the perform admin consent section.

７ Note

Consenting to an application for all users in an organization doesn't allow all users to
access the application. You must follow the user assignment rules. Only those users
assigned to the application can access it. If you don't want to perform admin consent,
the only workaround is to turn off Assignment required, ask users for consent when
they access the application, and then turn Assignment required back on.

If user assignment isn't required, go to the next step.

Step 5: Compare permissions requested and granted for

the application
To verify if the scopes (also called permissions) in the sign-in request are listed in the
Permissions section of the application, follow these steps:

1. If the application is found in Step 3: Verify if the application exists, select it.

2. Go to Permissions.

3. Compare what is listed in the Permissions pane and what is listed as <Scope> in the
sign-in request. The permissions listed in the Permissions pane are those that have
been consented to.
 ７ Note

Pay attention to the permission type. Delegated permissions are for when
users sign in, and application permissions are for when the service principal
is used to authenticate via the client credential flow.

OpenID Connect scopes are generally not listed in enterprise applications.

Don't worry if the following scopes aren't listed:
openid : Sign users in

email : View users' email address

profile : View users' basic profile

offline_access : Maintain access to data you have given it access to

4. If <Scope> in the sign-in request is blank or contains less than what is listed in the
Permissions pane, go to the next step. If other scopes in <Scope> aren't in the
Permissions pane, go to the Perform admin consent section. The missing permissions
must be consented to.

Step 6: Verify if the resource exists in your tenant

To check if a resource exists, try a request that looks like https://<Aad-Instance>/<Tenant-
ID>/oauth2/authorize?response_type=code&client_id=<App-ID>&resource=<App-URI-ID> .

You might encounter one of the following behaviors or errors:

You're allowed to sign in (this is the behavior you expect). In this case, go to the next
step. In most cases, if you see the code parameter in the address bar, it means the
authentication process was successful.

Error AADSTS650052: The app needs access to a service that your organization has not
subscribed to or enabled. Contact your IT Admin to review the configuration of your
service subscriptions.

This error means the resource doesn't exist in your organization. To resolve this issue,
use this consent URL: https://login.microsoftonline.com/<Tenant-
ID>/oauth2/authorize?response_type=code&client_id=<App-URI-
ID>&prompt=admin_consent

Error AADSTS650057: Invalid resource. The client has requested access to a resource
which is not listed in the requested permissions in the client's application registration.
Client app ID: <App-ID>(<App-Display-Name>). Resource value from request: '<App-
 URI-ID>'. Resource app ID:<Resource-App-ID>. List of valid resources from app
registration: 00000002-0000-0000-c000-000000000000

In order for a client application to sign in and get an access token for a resource, the
resource must be assigned the required API permissions that the client application
requires, such as access to Azure Key Vault.

７ Note

Only the application owner can do this operation.

Error AADSTS500011: The resource principal named '<App-URI-ID>' was not found in
the tenant named '<Tenant-ID>'. This can happen if the application has not been
installed by the administrator of the tenant or consented to by any user in the tenant.
You might have sent your authentication request to the wrong tenant.

This error means that the specified <App-URI-ID> is invalid or only available as a
single-tenant application. Otherwise, it means this resource can't be accessed by
external organizations or doesn't exist.

To resolve this issue, you must work with the application owner to verify that the <App-
URI-ID> and <Tenant-ID> are correct. If the <App-URI-ID> is owned by a different

<Tenant-ID> , then the app registration for <App-URI-ID> must be set up as a multi-

tenant application. Otherwise, the <Tenant-ID> must be the same tenant as where the
app registration for <App-URI-ID> is located.

Step 7: Verify if the prompt parameter is passed

Sometimes, signing in to the application requires passing the prompt parameter of consent
or admin_consent . Once the application obtains consent, make sure the prompt parameter
isn't specified. Otherwise, users might always receive a consent error.

Your sign-in request might look like this:

https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/authorize?

client_id=1f92960d-1442-4cd2-8c76-
d13c5dcb30bf&response_type=code&redirect_uri=https://www.contoso.com&scope=openid+prof

ile+User.Read+Directory.Read.All&prompt=consent

So, to resolve consent issues, remove the prompt parameter as follows:

https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/authorize?

client_id=1f92960d-1442-4cd2-8c76-
d13c5dcb30bf&response_type=code&redirect_uri=https://www.contoso.com&scope=openid+prof

ile+User.Read+Directory.Read.All

Perform admin consent

To resolve consent issues, perform admin consent by following these steps:

1. Have an administrator (a user with the Global Administrator, Company Administrator,

or Application Administrator role) access the application.

2. If the consent screen appears, review the requested permissions. To approve the
requested permissions, select the Consent on behalf of your organization checkbox.

７ Note

If an administrator isn't sure what the permissions allow, the administrator must
work with the application vendor to understand the permissions and their use.
Microsoft support might not know what these permissions do or why they're
needed.
 3. If the administrator doesn't get the consent screen, grab the sign-in address, add
&prompt=consent to the end, and then use this request to perform admin consent.

Here's an example:
https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/authorize?

client_id=1f92960d-1442-4cd2-8c76-

d13c5dcb30bf&response_type=code&redirect_uri=https://www.contoso.com&scope=openid
+profile&tresource=https://graph.microsoft.com&prompt=consent

If the requested permissions aren't listed in the application registration, use the
Microsoft identity platform (V2) endpoint to force admin consent. V2 endpoint
requires each permission scope to be passed in the scope parameter as follows:

https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize?
client_id=1f92960d-1442-4cd2-8c76-

d13c5dcb30bf&response_type=code&redirect_uri=https://www.contoso.com&scope=openid
+profile+User.Read+Directory.Read.All&prompt=consent

７ Note

Permission scopes used by the application must be provided by the application

owner.
Consent for application permissions will always require admin consent from a
global or company administrator. Application permissions must be added within
the application registration in the application's owning tenant.
Application admins can also consent to delegate permissions that require admin
consent.
When using the admin consent URL, the permissions must already be configured
with the application registration. Otherwise, the application owner must have
their application correctly configured with Microsoft Entra ID. An admin consent
URL looks like https://login.microsoftonline.com/<Tenant-ID>/adminconsent?
client_id=<App-ID> .

More information

Consent
In most cases, certain permissions that require consent haven't been consented. Therefore,
consent is requested. To understand the consent, see the following pages:
 Overview of permissions and consent in the Microsoft identity platform
Microsoft identity platform admin consent protocols
Microsoft Entra app consent experiences

Application registrations and enterprise applications

In Microsoft Entra, there's an application model that consists of application objects (also
called "application registrations") and service principal objects (also called "enterprise
applications"). How their relationship works together based on the required permissions is
set on the application object. For more information, see Application and service principal
objects in Microsoft Entra ID.

Simply adding permissions to an application registration doesn't consent to the

permissions. To consent to permissions, you must assign permissions to the service
principal.

Delegated permissions and application permissions

There are two types of permissions in Microsoft Entra ID: delegated permissions and
application permissions. Make sure you apply the correct permission configuration in the
application registration and consent to that permission.

For more information about permissions in Microsoft Entra ID, see the following pages:

Overview of permissions and consent in the Microsoft identity platform

Understanding the difference between application and delegated permissions from
OAuth2 Authentication Flows

Collect Microsoft Entra activity logs

You can use the Microsoft Entra activity logs to get more details. To do so, follow these
steps:

1. Sign in to the Azure portal by using an account that has permission to read audit logs,
such as a Global Administrator or Security Reader.
2. Go to Microsoft Entra ID.
3. Select Audit logs under the Monitoring section.
4. Set your filter as follows:

Category: ApplicationManagement
Status: Failure
Activity: Consent to application

5. Find and select the app that fails to consent.

 6. Review the STATUS REASON to get more details.

In certain scenarios, you're required to perform admin consent even though you might
allow users to consent and the permission normally doesn't require an admin to consent.
For example, when the status reason shows
"Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException." For more
information, see Unexpected error when performing consent to an application and
Unexpected consent prompt when signing in to an application.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Use NetLog as an alternative to Fiddler and
HAR captures
Article • 04/14/2025

This article provides guidance on using the Network Logs (NetLog) tool as an alternative to
Fiddler and HTTP Archive (HAR) captures to diagnose network issues in Microsoft Entra.
NetLog is built into Chromium-based browsers like Microsoft Edge, Google Chrome, and
Electron. When standard Fiddler captures are unavailable or HAR captures from developer tools
truncate necessary information, you can use NetLog to capture network activity.

Known limitations
Before using NetLog, be aware of the following limitations:

POST request bodies aren't captured.

Sites running in Internet Explorer compatibility mode aren't captured.

Depending on the information you need, you might still need to use Fiddler or HAR captures.

Use NetLog in browsers

Follow these steps to capture network activity using NetLog:

1. (Optional but helpful) Close all browser tabs except one.

2. Navigate to NetLog:

For Google Chrome: Open a new tab and go to chrome://net-export .

For Microsoft Edge: Open a new tab and go to edge://net-export .

3. In the Options section, select Include raw bytes (will include cookies and credentials).

4. Leave the Maximum log size field blank.

5. Select Start Logging to Disk.

6. Select a location (such as Desktop) to save the log file (edge-net-export-log.json or

chrome-net-export-log.json).

7. In the same browser window, open a new tab.

8. Reproduce the issue.

 ７ Note

If you close or navigate away from the NetLog tab, the logging will stop
automatically.

9. After reproducing the issue, return to the NetLog tab and select the Stop Logging button.

10. Locate the NetLog file saved in step 6.

For more information, see How to capture a NetLog dump .

Use NetLog on mobile devices

NetLog is supported on mobile versions of Microsoft Edge and Google Chrome:

Android: NetLog works in Edge and Google Chrome for Android.

iOS: NetLog works in Google Chrome for iOS.

On mobile devices, you have an email option to send the log.

View and analyze NetLog data

You can view the NetLog file using the online NetLog Viewer . To do so, open the NetLog
Viewer, select File, and then upload the exported NetLog file.

You can use the following tabs in the NetLog Viewer to inspect different aspects of network
activity:

Events: View detailed network events.

Proxy: Check proxy settings.
Timeline: Analyze request timing.
DNS: Inspect Domain Name System (DNS) lookups.
Sockets: Review Transmission Control Protocol (TCP) connections.
Cache: Examine cached resources.

Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that are
independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the
performance or reliability of these products.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
An exception occurs when you sign in to
an app that's set up for Azure B2C
Article • 10/28/2024

Original product version: Microsoft Entra ID

Original KB number: 3092592

Symptoms
When you try to sign up for, or sign in to, an app that's set up for Microsoft Azure B2C,
you receive the following error message:

Server Error in '/' Application"

Response status code does not indicate success: 404 (Not Found)

Description : An unhandled exception occurred during the execution of the current

web request. Please review the stack trace for more information about the error and
where it originated in the code.

Exception Details : System.Net.WebException: The remote server returned an error.

404 (Not Found)

Source Error :
Line 106: {
Line 107: ...
Line 108: OpenIdConnectConfiguration config = await mgr.GetConfigurationAsync();
Line 109: ...
Line 110: }

Cause
This problem occurs if the Policy Name setting for sign-in, password reset, or the user
profile is missing or incorrect in the web.config file for your app.

Resolution
To resolve this issue, follow these steps:

1. Open the web.config file for your app.

 2. In this file, verify the following:

The ida:SignInPolicyId app key exists, and you've replaced the value with the
name of the Sign-in policy that you provided in the Azure B2C Admin Portal.
The ida:PasswordResetPolicyId app key exists, and you've replaced the value
with the name of the Sign-in policy that you provided in the Azure B2C
Admin Portal.
The ida:UserProfilePolicyId app key exists, and you've replaced the value with
the name of the Sign-in policy that you provided in the Azure B2C Admin
Portal.

The web.config file should resemble the following:

Console

<appSettings>
...
<add key="ida:SignInPolicyId" value="B2C_Signin_Policy">
<add key="ida:PasswordResetPolicyId" value="B2C_PasswordReset_Policy">
<add key="ida:UserProfilePolicyId" value="B2C_UserProfile_Policy">
...
</appSettings>

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error occurs when you try to sign in to
an app that's set up for Azure AD B2C
Article • 10/28/2024

This article describes an error that occurs when you try to sign in to an app that's set up
for Azure AD B2C.

Original product version: Microsoft Entra ID

Original KB number: 3092587

Symptoms
When you try to sign in to an app that is set up for Microsoft Azure Active Directory
(AD) business to consumer (B2C), you receive the following error message:

Sorry, but we're having trouble signing you in

We track these errors automatically, but if the problem persists feel free to contact
us. In the meantime, please try again.
Your administrator hasn't provided any contact details Correlation ID:xxxxxxxx-xxxx-
xxxx-xxxx-xxxxxxxxxxxx
Timestamp:yyyy-mm-dd hh:mm:ssZ
AADB2C: An exception has occurred

Cause
The client ID may be missing or incorrect in the Web.config file for the app.

Resolution
To fix this issue, follow these steps:

1. Open the Web.config file for the app.

2. In the Web.config file, find the app key ida:ClientId.

3. Replace the value of the app key with the client ID that is provided for your app in
the Azure AD B2C admin portal.

The changed part of the file resembles the following:

 Console

<appSettings>
<add key="ida:ClientId" value="**xxxxxxxx-xxxx-xxxx-xxxx-
xxxxxxxxxxxx**">
</appSettings>

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you try to sign in to an app
that is set up for Azure AD B2C: Server
Error in '/' Application
Article • 10/28/2024

This article describes an error that occurs when trying to sign in to an app that is set up
for Azure AD B2C.

Original product version: Microsoft Entra ID

Original KB number: 3092588

Symptoms
When you try to sign in to an app that is set up for Microsoft Azure Active Directory
(AD) business to consumer (B2C), you receive the following error message:

Server Error in '/' Application

Response status code does not indicate success: 404 (Not Found)
Description : An unhandled exception occurred during the execution of the current
web request. Please review the stack trace for more information about the error and
where it originated in the code.
Exception Details : System.Net.Http.HttpRequestException: Response status code
does not indicate success: 404 (Not Found)
Source Error : An unhandled exception occurred during the execution of the current
web request. Information regarding the origin and locations of the exception can be
identified using the exception stack trace below.
Stack Trace :
...
[IOException: Unable to get document from:
https://login.microsoftonline.com/contoso.onmicrosoft.com/.well-known/openid-
configuration?p=Policyname ]

Cause
The sign-up policy name may be missing or incorrect in the Web.config file for the app.

Resolution
To fix this issue, follow these steps:

1. Open the Web.config file for the app.

2. In the Web.config file, verify that the app key ida:SignUpPolicyId exists.

3. Replace the value of the app key with the name of the sign-up policy that you
provided in the Azure AD B2C admin portal.

The changed part of the file resembles the following:

Console

<appSettings>
<add key="ida:SignUpPolicyId" value="B2C_Signup_Policy_Name">
</appSettings>

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you try to delete a B2C
directory in Microsoft Entra ID: Cannot
delete '<contoso>'
Article • 10/28/2024

This article describes an issue in which an error occurs when you try to delete a B2C
directory in Microsoft Entra ID.

Original product version: Microsoft Entra ID

Original KB number: 3112170

Symptoms
In a Microsoft Entra environment, you set up a B2C directory, and then you try to delete
it. However, you receive the following error message:

Cannot delete '<contoso>'

The following issue(s) prevent deletion of the directory:
Directory contains one or more applications that were added by a user or
administrator

Cause
This problem occurs if existing B2C application service principals (for example, CPIM,
Ibiza Portal, and SSPR) are blocking the deletion.

Resolution
To fix this issue, use the Azure portal.

Step 1: Delete all apps that are listed on the Azure AD B2C
Dashboard
To do this, follow these steps:

1. Sign in Azure portal as an administrator who has access to the Azure AD B2C
directory.
2. Select your display name in the upper-right corner, and then select the directory
that's your B2C directory.

７ Note

If you have only one directory, your Azure AD B2C directory will already be
selected.

3. To find the Azure AD B2C blade, select the More Services (>) button in the lower-
left corner, and then search on "B2C".

4. Select Azure AD B2C.

5. Select All Settings, and then select Applications.

6. Delete all applications. To do this, select the application, select Properties, and
then select the Delete button.
Step 2: Delete the Azure AD B2C tenant
To do this, follow these steps:

1. In the Azure AD B2C directory, locate and select the Microsoft Entra ID blade in
the Azure portal.

2. On the Overview menu, select Delete Directory.

3. Follow the instructions in the portal.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

No local administrator group privileges
on Microsoft Entra joined device
Article • 10/28/2024

This article discusses how to resolve a scenario in which you assign or activate the Azure
AD Joined Device Local Administrator role for a user, but the user doesn't receive local
administrator group privileges after they sign in to a Microsoft Entra joined device.

Cause 1: User was assigned the Azure AD

Joined Device Local Administrator role while
using a cached PRT
You assigned the Azure AD Joined Device Local Administrator role to a user who was
still using a cached primary refresh token (PRT) on their local device.

Check for the presence of a PRT

To check whether an active PRT exists, run the following dsregcmd command at a
command prompt:

Windows Command Prompt

dsregcmd /status

In the command output, locate the SSO State section. ( SSO stands for "single sign-on.")
The time at which the PRT was previously updated is shown in the AzureAdPrtUpdateTime
field.

Cause 2: Privileged Identity Management (PIM)

was activated for a user who has a cached PRT
You used Privileged Identity Management (PIM) to activate a user into the Microsoft
Entra joined device local administrator role, but they have a cached PRT on their local
device.

For instructions to determine whether a PRT is active, see Check for the presence of a
PRT.
Solution 1: Wait until the PRT is renewed
The Cloud Authentication Provider (CloudAP) plug-in renews the PRT every four hours. If
the user waits out the time interval of up to four hours before the CloudAP plug-in
renews the PRT, they can then sign in and receive the local administrator group
privileges, as expected.

Solution 2: Get a new PRT

If you want to fix the missing privileges issue immediately so that the user doesn't have
to wait, use a new PRT. Getting a new PRT is a multipart process.

７ Note

If the missing privileges issue was caused by explicitly assigning the role instead of
activating PIM, skip Part 1. Instead, start at Part 2: Check for local administrator
permissions.

Part 1: (PIM users only) Activate PIM and verify that the
role activation was completed
Follow the instructions in Activate a Microsoft Entra role in PIM to activate the Azure AD
Joined Device Local Administrator role for the user. Then, follow these steps in the Azure
portal to verify that the role activation was completed for that user:

1. In the Azure portal , search for and select Microsoft Entra Privileged Identity
Management.

2. In the PIM navigation pane, locate the Tasks heading, and then select My roles.

3. In the My roles | Microsoft Entra roles page, select the Active assignments tab.

4. In the Role column, make sure that the Azure AD Joined Device Local
Administrator role appears.

Part 2: Check for local administrator permissions

Have the user follow these steps to check for local administrator permissions:

1. Sign in to the Windows client computer.

2. Select Start, enter cmd, and then select Command Prompt in the search results.

3. Run the following whoami command:

Windows Command Prompt

whoami /all

4. In the command output, locate the GROUP INFORMATION section, and then check
whether the BUILTIN\Administrators group is shown in the Group Name column.
The following example output doesn't list this group in the group information. This
means that a cached PRT was obtained before the PIM activation or explicit
assignment of the Azure AD Joined Device Local Administrator role occurred.

Output

USER INFORMATION
----------------

User Name SID

=====================
==================================================
someuser\contoso.corp S-1-12-3687709483-1112055202-2756941246-
4106396469

GROUP INFORMATION
-----------------

Group Name Type SID

Attributes
========================================= ================ ============
==================================================
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
Everyone Well-known group S-1-1-0
Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555
Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545
Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14
Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4
Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11
Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15
Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0
Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Cloud Account Authentication Well-known group S-1-5-64-36
 Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name Description

State
======================= ====================================
========
SeShutdownPrivilege Shut down the system
Disabled
SeChangeNotifyPrivilege Bypass traverse checking
Enabled
SeUndockPrivilege Remove computer from docking station
Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set
Disabled
SeTimeZonePrivilege Change the time zone
Disabled

If the BUILTIN\Administrators group is missing, continue to Part 3 to refresh the

PRT.

Part 3: Refresh the PRT and verify that the expected role
was received
Have the user follow these steps to refresh the PRT and verify that they now have the
expected role:

1. Schedule a refresh of the PRT by running the following dsregcmd command:

Windows Command Prompt

dsregcmd /refreshprt

The following message appears:

PRT refresh scheduled. Check AAD event logs for details.

2. Wait one to two minutes for the token refresh to occur.

3. Sign out of the Windows session, and then sign back in.

4. Run the following whoami command:

Windows Command Prompt

 whoami /groups

5. Check whether the BUILTIN\Administrators group is shown in the Group Name

column. As the following example output shows, that group should now appear in
the list of groups:

Output

GROUP INFORMATION
-----------------

Group Name Type SID

Attributes
========================================= ================
===================================================
==================================================
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
Everyone Well-known group S-1-1-0
Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555
Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545
Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544
Group used for deny only
NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14
Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4
Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11
Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15
Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0
Mandatory group, Enabled by default, Enabled group
Unknown SID type S-1-12-1-
788341310-1134859379-3309005462-3346259773 Mandatory group, Enabled by
default, Enabled group
NT AUTHORITY\Cloud Account Authentication Well-known group S-1-5-64-36
Mandatory group, Enabled by default, Enabled group

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

Pending devices in Microsoft Entra ID
Article • 10/28/2024

７ Note

Was this article helpful? Your input is important to us. Please use the Feedback
button on this page to let us know how well this article worked for you or how we
can improve it.

Pending devices are devices that are synced to Microsoft Entra ID from your on-
premises Active Directory, but haven't completed registration with the Microsoft Entra
device registration service. When the registered state of a device is pending, the device
can't complete any authorization or authentication requests, such as requesting a
Primary Refresh token for single sign-on, or applying device-based Conditional Access
policies.

７ Note

The pending state exists only for Microsoft Entra hybrid joined devices.

Why a device might be in a pending state

When you configure a Microsoft Entra hybrid join task in the Microsoft Entra Connect
Sync for your on-premises devices, the task will sync the device objects to Microsoft
Entra ID, and temporarily set the registered state of the devices to "pending" before the
device completes the device registration. This is because the device must be added to
the Microsoft Entra directory before it can be registered. For more information about
the device registration process, see How it works: Device registration.

For more information about how to troubleshoot pending devices, see the following
video:
https://www.youtube-nocookie.com/embed/QBR1c81kaxA

How a device gets stuck in a pending state

There are two scenarios in which a device can be stuck in a pending state.
Sync a new on-premises domain joined device to
Microsoft Entra ID
A new on-premises device can get stuck in a pending state if it can't complete the
device registration process. This problem can be caused by several factors, such as that
the device can't connect to the registration service.

To troubleshoot a device registration problem, see:

Troubleshooting Microsoft Entra hybrid joined devices

Test Device Registration Connectivity

The state of a registered device is changed to pending

This problem can occur in the following scenario:

1. The device object is moved to another organizational unit (OU) that isn't in the
sync scope in Microsoft Entra Connect Sync.
2. Microsoft Entra Connect Sync recognizes this change as the device object being
deleted in the on-premises Active Directory. Therefore, it deletes the device in
Microsoft Entra ID.
3. The device object was moved back to the OU in the sync scope.
4. Microsoft Entra Connect Sync creates a pending device object for this device in
Microsoft Entra ID.
5. The device fails to complete the device registration process because it was
registered previously.

To fix the problem, unregister the device by running dsregcmd /leave at an elevated
command prompt, and restart the device. The device will reinitiate the device
registration process through the scheduled task. For Windows 10-based devices, the
scheduled task is under Task Scheduler Library > Microsoft > Windows > Workplace
Join > Automatic-Device-Join Task.

Get a list of pending devices

1. The Microsoft Graph PowerShell SDK must be installed to execute Microsoft Graph
PowerShell commands.

2. Use the Connect-MgGraph command to sign in to your Microsoft Entra tenant. For
more information, see Get started with the Microsoft Graph PowerShell SDK.

3. Count all pending devices:

 PowerShell

(Get-MgDevice -All -Filter "TrustType eq 'ServerAd'" | Where-

Object{($_.ProfileType -ne "RegisteredDevice") -and (-not
$_.AlternativeSecurityIds)}).count

You can also save the returned data in a CSV file:

PowerShell

Get-MgDevice -All -Filter "TrustType eq 'ServerAd'" | Where-

Object{($_.ProfileType -ne "RegisteredDevice") -and (-not
$_.AlternativeSecurityIds)} | select-object -Property AccountEnabled,
Id, DeviceId, DisplayName, OperatingSystem, OperatingSystemVersion,
TrustType | export-csv pendingdevicelist-summary.csv -NoTypeInformation

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Troubleshoot issues in the Global Secure
Access client for Windows
Article • 01/13/2025

The Global Secure Access client is deployed on a managed Microsoft Windows device
(that is, a Microsoft Entra hybrid join device or a Microsoft Entra joined device). It
enables an organization to control network traffic between these devices and various
websites, applications, and resources that are available on the internet or an intranet
(on-premises corporate network). If you use this method to route traffic, you can
enforce and apply more checks and controls, such as continuous access evaluation
(CAE), device compliance, and multi-factor authentication, for resource access.

Installation
Use the following methods to install the Global Secure Access client on a managed
Windows device:

Download and install on a Windows device as a local administrator.

Deploy through Active Directory Domain Services (AD DS) Group Policy for a
Microsoft Entra hybrid join device.

Deploy through Intune or other MDM service for a Microsoft Entra hybrid join or
Microsoft Entra joined device.

If you experience a failure when you try to install the Global Secure Access client, check
the following items:

Prerequisites for the Global Secure Access client for Windows

 Errors in the Global Secure Access client logs (C:\Users\
<username>\AppData\Local\Temp\Global_Secure_Access_Client_<number>.log)

Application and system event logs for any other errors, such as a process failure

If you experience issues when you try to upgrade a client, first try to uninstall the earlier
client version and restart the device, and then try again to install the upgrade.

Self-Service diagnostic tools for post-

installation issues
Use the following self-service diagnostic tools to troubleshoot issues in the Global
Secure Access client after a successful installation:

Troubleshoot the Global Secure Access client: advanced diagnostics

Troubleshoot the Global Secure Access client: Health check tab

If the diagnostic tools can't fix the issues, collect troubleshooting logs, and then submit
a support ticket by including the logs.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Can't delete a directory through the
Azure Management Portal
Article • 10/28/2024

This article can help you fix an issue in which you can't delete a directory from the
Microsoft Entra extension in Azure portal.

Original product version: Microsoft Entra ID

Original KB number: 2967860

Symptoms
You can't delete a directory from the Microsoft Entra extension through the Azure
Management Portal. Additionally, you receive one of the following messages:

You are signed in as a user for whom <Your Company Name> is the home directory.

Delete all users except yourself.

Directory has one or more subscriptions to Microsoft Online Services.

Directory has one or more Azure subscriptions.

Directory has one or more applications.

Directory has one or more Multi-Factor Authentication providers.

Directory is a "Partner" directory.

Directory contains one or more applications that were added by a user or

administrator.

You are signed in as a user for whom <Your

Company Name> is the home directory
Make sure that your directory has no home users, and then delete the directory. The
user who deletes this directory must be a guest user, must be homed in another
directory, and must be a global admin of the directory that is being deleted.

For example, your directory has the domains contoso.onmicrosoft.com and contoso.com .
There must be no users who have these domains in your directory. The guest user may
be a Microsoft account or may be homed from another directory such as
fabrikam.onmicrosoft.com .

To learn more about how to add a guest user, see Create or edit users. When you create
this user in your directory, select one of the following:

A user who has an existing Microsoft account

A user in another Microsoft Entra directory

This user must also be an admin of your Azure subscription.

Delete all users except yourself

Do what the message tells you to do. That is, delete all users except yourself.

Directory has one or more subscriptions to

Microsoft Online Services
Do you have one of the following subscriptions?

Office 365
Intune
Dynamics
Microsoft Azure Information Protection (previously known as Microsoft Azure
Rights Management)
Microsoft Entra ID P1 or P2

If you have one of these subscriptions, contact billing and subscriptions support .

Do you have one of the following subscriptions?

Microsoft Enterprise Mobility + Security

Microsoft Entra Basic

If you have one of these subscriptions, contact your Volume Licensing partner to cancel
the subscription.

Directory has one or more Azure subscriptions

If you have an Azure subscription, make sure that your Azure subscription is not linked
to another directory. To do this, follow these steps:

1. In the navigation pane, select Settings, and select Subscriptions.

2. Notice the following information:

Subscription
Account administrator
Directory

3. If the directory that you are trying to delete is listed under any of the subscriptions,
the account administrator has to sign in and change the directory that is
associated with the subscription. To do this, the account administrator should
follow these steps:
a. On this screen, select Edit Directory.
b. In the Edit Directory window, select the Directory list, and then change the
directory.

７ Note

If no other directory is available as an option, the account administrator must be a

global admin of another directory or must create a new directory. You will see the
Edit Directory option if the account is a Microsoft account. Organizational accounts
can't change the directory. Therefore, the directory can't be deleted.

Directory has one or more applications

To learn how to remove applications from your directory, read Adding, updating, and
removing an application

７ Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024.
To learn more, read the deprecation update . After this date, support for these
modules are limited to migration assistance to Microsoft Graph PowerShell SDK
and security fixes. The deprecated modules will continue to function through
March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with

Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to
 the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption
after June 30, 2024.

You may also have to remove additional service principals. Use Azure Active Directory
module for Windows PowerShell to remove all service principals. To do this, follow these
steps:

1. Open Azure Active Directory module for Windows PowerShell.

2. Connect to the Microsoft Online Service.

3. Run the following command:

PowerShell

Get-MsolServicePrincipal | Remove-MsolServicePrincipal

７ Note

You may receive an error when you remove some service principals. These
principals can't be removed. However, this does not prevent you from
deleting your directory. The error that you receive may resemble the
following:

Remove-MsolServicePrincipal : Invalid value for parameter. Parameter Name:

appPrincipalId.

Directory has one or more Multi-Factor

Authentication providers
Remove Azure multi-factor authentication providers for your directory. For information
about how do this, see Plan an Azure Multi-Factor Authentication deployment.

Directory is a 'Partner' directory

Contact Microsoft Partner Support at Microsoft Partner Site .

Directory contains one or more applications

that were added by a user or administrator
To fix this issue, follow the steps in "Cannot delete" error when you try to delete a B2C
directory in Microsoft Entra ID .

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

You can't open the Azure Active
Directory module for Windows
PowerShell
Article • 10/28/2024

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 User and Domain Management, Office 365
Identity Management
Original KB number: 2461873

Symptoms
When you try to open the Microsoft Azure Active Directory module for Windows
PowerShell, the Windows PowerShell console window opens with many text errors
indicating that module packages couldn't be loaded.

Cause
This issue occurs if you don't have the Microsoft .NET Framework 3.51 enabled on your
computer.

Resolution
To resolve this issue, manually enable the .NET Framework 3.51. To do this, follow these
steps, as appropriate for the operating system that you're running:

In Windows 2008 R2:

1. Open Server Manager.

2. Select Features, select Add Features, select .NET Framework 3.51 Features, and
then select .NET Framework 3.51.

In Windows 7:

1. Open Programs and Features.

2. Select Turn Windows features on or off.
3. Select to select the Microsoft NET Framework 3.51 check box, and then select OK.
Contact us for help
If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you run Azure PowerShell
cmdlets: Method invocation failed
Article • 10/28/2024

This article discusses an issue in which you receive an error message "Method invocation
failed because [System.Object[]] doesn't contain a method named 'RemoveAll'." when
you run Azure PowerShell cmdlets.

Original product version: Microsoft Entra ID, Cloud Services (Web roles/Worker roles)
Original KB number: 3072418

Symptoms
When you run Windows Azure PowerShell cmdlets, you receive an error message that
resembles the following message:

Method invocation failed because [System.Object[]] doesn't contain a method

named 'RemoveAll'.

Cause
This problem occurs for either of the following reasons:

You are using an outdated version of Azure PowerShell.

You are using a method name that does not exist.

Resolution
To resolve this problem, do either of the following:

Install the latest version of Azure PowerShell. To upgrade the program, see How to
install and configure Azure PowerShell.
Make sure that you are using the correct method name.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you try to run Azure Active
Directory module for Windows
PowerShell cmdlets: The term <cmdlet
name> is not recognized
Article • 10/28/2024

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2669552

Symptoms
When you try to run Microsoft Azure Active Directory module for Windows PowerShell
cmdlets, you receive the following error message:

The term <cmdlet name> is not recognized as the name of a cmdlet, function, script
file, or operable program. Check the spelling of the name, or if a path was included,
verify that the path is correct and try again.

For example, you might see the following similar message:

The term 'Connect-MsolService' is not recognized as the name of a cmdlet, function,

script file, or operable program. Check the spelling of the name, or if a path was
included, verify that the path is correct and try again.
At line:1 char:20
+ Connect-MsolService <<<<
+ CategoryInfo : ObjectNotFound: (Connect-MsolService:String) [],
CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

Cause
This issue can occur if the Azure Active Directory module for Windows PowerShell isn't
loaded correctly.

Resolution
To resolve this issue, follow these steps.

1. Install the Azure Active Directory module for Windows PowerShell on the computer
(if it isn't already installed). To install the Azure Active Directory module for
Windows PowerShell, see Manage Microsoft Entra ID using Windows PowerShell.

2. Select Start > All Programs, select Windows Azure Active Directory, and then
select Windows Azure Active Directory module for Windows PowerShell.

3. At the Windows PowerShell command prompt, type Get-Module , and then press
Enter.

4. In the output, check that the MSOnline module is present. The output should look
similar to the following one:

Output

Module Type Name Exported Commands

-------------- -------- ----------------
Binary MSOnline {Add-MsolRoleMember, Remove-MsolContact...

If the MSOnline module isn't present, use Windows PowerShell to import the
MSOnline module. To do it, follow these steps:

a. Connect to Exchange Online by using remote PowerShell. For more info about
how to do it, see Connect to Exchange Online Using Remote PowerShell.

b. Type the following cmdlet, and then press Enter:

PowerShell

Import-Module MSOnline

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No
Provide product feedback
Troubleshoot dynamic groups
Article • 04/17/2025

This troubleshooting guide helps you diagnose and solve issues with dynamic groups in
Microsoft Entra ID.

） Important

Dynamic membership groups changes are usually processed within a few hours. However,
processing can take more than 24 hours depending on factors such as the number of
groups, the number of changes, and the complexity of the rules. For more information,
see Understanding and Managing Dynamic Group Processing in Microsoft Entra ID.

Dynamic groups identification and management

To verify whether your group is a dynamic group, see Evaluate whether a group is a dynamic
group.

Yes: Proceed to the next section.

No: Create a basic group and add members using Microsoft Entra ID or other applicable
groups.

Dynamic group creation issues

References
Recommended articles for group creation:

Create a new group and add members in Azure portal

Create groups in PowerShell MSOnline
Disable groups creation in PowerShell
Microsoft Entra administrative roles

Common issues in creating a dynamic group or rule:

You're unable to create a dynamic group in the Azure portal, or you receive an error when
creating a dynamic group in PowerShell. See Cannot create a dynamic group.

You can't find the attribute to create a rule. See Create a dynamic membership rule.
 You receive a "max groups allowed" error when trying to create a Dynamic Group in
PowerShell: You have reached 15,000 groups, the maximum limit for Dynamic groups in
your tenant. To create new Dynamic groups, first delete existing Dynamic groups. There's
no way to increase the maximum limit.

Dynamic membership update issues

You've created a dynamic group and configured a rule, but encountered these common issues:

No members appear in the group, some users or devices don't appear in the group, or the
wrong users or devices appear in the group.

Visit Troubleshoot dynamic membership update issues.

Existing members of the rule are removed.

This behavior is expected. Existing members of the group are removed when a rule is
enabled or changed, or attributes are changed. The users returned from the evaluation of
the rule are added as members to the group.

You don't see membership changes instantly after adding or changing a rule.

Membership evaluation is performed periodically as a background process. The duration

of the process is determined by the number of users in your directory, and the size of the
group is created because of the rule. Typically, directories with small numbers of users will
see group membership changes within a few minutes. Directories with a large number of
users can take 30 minutes or longer to populate.

Check the membership processing status to confirm whether the process is complete.
Check the last updated date on the group Overview page in Azure portal to confirm that
the page is updated.

To force the group to be processed, see Force the group to be processed now.

You receive a rule processing error.

See Fix a rule processing error.

Dynamic group deletion or restoration issues

You receive an error when deleting a group.

Before you attempt to delete a group in Microsoft Entra ID, ensure that you have deleted
all assigned licenses. For more information about group deletion in general, see Delete a
 group.

You restored a deleted group but didn't see any update.

When a dynamic group is deleted and restored, it's seen as a new group and re-
populated according to the rule. This process might take up to 24 hours.

Evaluate whether a group is a dynamic group

To determine whether a group is dynamic group:

1. Sign into the Azure portal .

2. Select the group in the Overview of Group tab, then check whether the membership type
is set to Dynamic.

Validate dynamic group membership rules

Microsoft Entra ID provides the means to validate dynamic group rules. On the Validate rules
tab, you can validate your dynamic rule against sample group members to confirm that the
rule is working as expected.

When creating or updating dynamic group rules, you can use this information to help
determine whether a user or device meets the rule criteria for becoming a member of a group.
This can also aid you in troubleshooting when membership isn't expected.

For more information, see Validate a dynamic group membership rule (preview) in Microsoft
Entra ID

Troubleshoot dynamic group creation issues

You've encountered issues when creating a dynamic group or rule.

Cannot create a dynamic group

You don't see option to create a dynamic group in the Azure portal, or there was an error in
creating a dynamic group in PowerShell.

1. Ensure that your tenant has the appropriate license.

Dynamic groups require the tenant to have a Microsoft Entra ID P1 or P2 Premium

license. For more information, check Microsoft Entra ID license plans
 2. Ensure that the user creating the group has the appropriate administrator permissions:

Ensure that you are authorized to create a new group. Global administrators can
disable group creation in the Azure portal or Access Panel. You may need an
administrator create the new group for you, or give you appropriate permissions.

3. Check that group creation permissions are enabled for the type of group being created.

Global administrators can manage group creation permissions for security or Office
365 groups created in the Azure portal or Access Panel, by setting the Users can
create security groups in Azure portals or Users can create Office 365 groups in
Azure portals settings in the Azure portal under All groups > General (Settings).
This setting applies to dynamic groups as well.

4. Check that the specific user is in the list of users that can create a group.

Global administrators can restrict group creation to select a group of users if you
have a Microsoft Entra ID P1 Premium license. You should verify that you have the
appropriate permissions.

You get a max groups allowed error when creating a Dynamic

group in PowerShell
This error means you have reached the max limit for Dynamic groups in your tenant. Check the
number of groups in the tenant. The max number of Dynamic groups per tenant is 15,000.

To create any new Dynamic groups, you'll first need to delete some existing Dynamic groups.
There's no way to increase the limit.

Troubleshoot dynamic group rule creation issues

Cannot find the attribute to create a rule

1. Ensure that the user attributes are in the list of supported properties. If they're not in the
list, they're not currently supported.
2. Ensure that the device attributes are in the list of device attributes. If they're not in the list,
they're not currently supported. For more information, visit Dynamic membership rules
for groups in Microsoft Entra ID.

Cannot create a dynamic membership rule

 1. Ensure that your tenant has the appropriate license. Dynamic groups require the tenant to
have a Microsoft Entra ID P1 Premium license.

The list of Microsoft Entra ID license plans can be accessed at Microsoft Entra
pricing .

Enterprise Mobility + Security licensing plans can be accessed at Enterprise

Mobility+Security pricing options .

2. If you cannot find the built-in User Attributes, ensure that the attribute is in the list of
supported properties. If it's not in the list, it's not currently supported.

3. If you're looking for built-in Device Attributes, ensure that the attribute is in the list of
device attributes. If it's not in the list, it's not currently supported.

4. If the attribute isn't found in the Simple Rule drop-down in the Azure portal, use the
Advanced Rule to construct a rule.

a. Ensure that the syntax is accurate and that both the property type and value match.

b. Also ensure that you have added the appropriate object prefix to select the property.

For example: user.country, device.deviceOSType.

c. Learn about the guidelines on how to create an Advanced Rule including the list of
supported operators and examples for common rules.

5. Also use Extension Attributes for dynamic user rules. These rules will be visible in the
drop-down list while creating a simple rule.

The custom attribute name can be found in the directory by querying a user's
attribute using PowerShell, and searching for the attribute name. These attributes
could also be used when constructing an Advanced Rule.

6. Ensure that the Role of the user creating the Dynamic group, is either a Company
Administrator or a User Administrator.

7. Allow time for the group to populate.

8. The Simple Rule builder supports up to five (5) expressions. To add more than five
expressions to the rule, the text box must be used.

Troubleshoot dynamic membership update issues

You've created a dynamic group and configured a rule, but encountered one of these issues:
 There are no members listed in the group.
Some users or devices don't appear in the group.
Incorrect users or devices don't appear in the group.

Members are not added or removed as expected

1. Check the membership processing status to confirm if it's complete, and check the last
updated date on the group Overview page in Azure portal to confirm it's up-to-date.

2. If membership processing status is processing error and update paused, ask the
administrator or PG team to resume the group from processing error.

3. Verify that the users or devices satisfy the membership rule or not, following the steps in
Evaluate dynamic membership of a user or device.

4. Verify that processing status is not impacted by the issue of guest user addition
disallowed by policy.

If the group is an Office365 group and the user is a guest user, the guest user can't
be added to a group if the directory setting does not allow a guest user addition in
the tenant.

A guest user addition error in one group will block the updates of the same and
other groups in the same tenant. You can choose to:
Allow a guest user addition by following the Manage guest user setting for
groups in a tenant.
Change the group rule to exclude a guest user by adding: (user.userType -eq
"member") .

5. If everything looks correct, allow some time for the group to populate. Depending on the
size of your tenant, the group may take up to 24 hours to populate the first time, or after
a rule change.

6. If problem still exists after 24 hours and the processing status shows as complete, you can
reset the processing for the group to resolve any transient system issue.

If the processing status shows as in processing, continue to wait.

Evaluate dynamic membership of a user or device

To evaluate whether a user or device satisfies the rule to be part of a group, use Manual
validation.
Manual validation
Validate the values for user or device attributes (In Azure portal, or using PowerShell in the rule.

Ensure that there are users that satisfy the rule.

For devices, check the device properties to ensure that synchronized attributes contain
the expected values.

Manage guest user setting in office365 group

First, install the Azure AD PowerShell module

1. Connect to the directory. Visit How to connect to the directory using PowerShell for more
information.

2. Check the directory setting:

a. Read the directory setting of the tenant: Read settings at the directory level.
b. Check the guest user setting: As shown in the following image, if AllowToAddGuests is
true, check the setting in that particular group. If AllowToAddGuests is false, no matter
what group level setting is, guest users can't be added.

3. Update the setting at the tenant level. To change the guest user setting at the tenant
level, visit: How to update setting at tenant level using PowerShell.

4. Check the setting for the group. To change the guest user setting to your target value if
applicable, visit: How to check and update setting for a specific group using PowerShell

Existing members of the rule are removed

This is expected behavior. Existing members of the group are removed when a rule is enabled
or changed, or attributes are changed. The users returned from evaluation of the rule are
added as members to the group.
You don't see membership changes instantly after updating a
rule
Membership evaluation is done periodically in a background process. How long the process
takes is determined by multiple factors.

Force the group to be processed now

Reset processing for a dynamic group. In the Azure portal, manually trigger the re-processing
by updating the membership rule to add a whitespace in the middle of the rule.

Fix a rule processing error

ﾉ Expand table

Rule parser Error usage Corrected usage

error

Error: Attribute (user.invalidProperty -eq (user.department -eq "value")

not supported "Value") Make sure the attribute is on the supported
properties list.

Error: Operator (user.accountEnabled -contains (user.accountEnabled -eq true)

isn't supported true) The operator used isn't supported for the property
on attribute type (in this example, -contains cannot be used on
type boolean). Use the correct operators for the
property type.

Error: Query 1. (user.department -eq "Sales") 1. Missing operator. Use -and or -or two join
compilation error (user.department -eq predicates: (user.department -eq "Sales") -or
"Marketing") (user.department -eq "Marketing")
2. (user.userPrincipalName - 2. Error in regular expression used with -match
match " *@domain.ext ") (user.userPrincipalName -match " .*@domain.ext ")
or alternatively: (user.userPrincipalName -match
"@domain.ext$")

Troubleshoot dynamic groups deletion or

restoration
Before attempting to delete a group in Microsoft Entra ID, ensure you have deleted all
assigned licenses to avoid errors.

(For more information about group deletion in general, see Delete a group.
Delete a group
1. Groups can be deleted from the directory using the Remove-AzureADGroup cmdlet in the
Azure AD PowerShell module.

７ Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024.
To learn more, read the deprecation update . After this date, support for these
modules are limited to migration assistance to Microsoft Graph PowerShell SDK and
security fixes. The deprecated modules will continue to function through March, 30
2025.

We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft

Entra ID (formerly Azure AD). For common migration questions, refer to the
Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption after
June 30, 2024.

2. Before attempting to delete a group in Microsoft Entra ID, ensure you have deleted all
assigned licenses to avoid errors.

Restore a deleted group

If an Office 365 group is deleted, it can only be restored up to 30 days before permanent
deletion occurs. Once permanently deleted, the group can no longer be restored. To learn
more about restoring groups, see Restore a deleted Microsoft 365 group in Microsoft
Entra ID.
This functionality isn't supported for security groups and distribution groups.
Verify that you're authorized to restore an Office 365 group. Only Global administrators,
User account administrators, Intune service administrators, , or the owner of the group
can restore a group.

You restored a deleted dynamic group, but didn't see any

update
When a dynamic group is deleted and restored, it's seen as a new group and re-populated
according to the rule. This process might take up to 24 hours.

Related articles
 Creating Dynamic Membership Rules.
Troubleshooting groups.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Troubleshooting Groups with dynamic
membership processing
Article • 04/24/2025

After you make changes in Microsoft Entra ID that require a re-evaluation of dynamic group
membership, you might experience either of the following issues:

Slow membership update

Unexpected group membership updates

These issues can be caused by:

An unintended membership rule change.

A significant change rollout. For example, updates that are pushed to many devices at the
same time might require some group membership rules to be re-evaluated.

This article provides sample Entra ID PowerShell scripts to pause and resume dynamic group
updates. Pausing dynamic group processing can stop rule processing and prevent unintended
membership updates. Resuming dynamic group processing can restore normal group
functionality.

） Important

Dynamic membership group changes are usually processed within a few hours. However,
processing may take more than 24 hours depending on factors such as tenant size, group
size, number of attribute changes, rule complexity, and operator choice (such as using
CONTAINS , MATCH , or MemberOf ). For more information, see Understanding and Managing

Dynamic Group Processing in Microsoft Entra ID.

Download pause and resume dynamic group

processing scripts
To download the scripts, visit our GitHub repository . To run the scripts, ensure you have the
following prerequisites:

An account on an Azure tenant that has the

microsoft.directory/groups/allProperties/update permission

For applications: the Group.ReadWrite.All permission

Dynamic group management script
We provide four scripts to manage dynamic group processing by using PowerShell:

Pause All Groups: This script pauses all dynamic group processing in your tenant.
Pause Specific Groups: This script pauses dynamic group processing for specific groups
that you specify in the script.
Pause All Groups Except Some: This script pauses dynamic group processing for all
groups in your tenant except those that you specify in the script.
UnPauseSpecificCritical: This script resumes dynamic group processing for specific
groups that you specify in the script.
UnPauseNonCritical: This script enables you to resume processing for noncritical groups
that have dynamic membership, 100 groups at a time.

Follow the instructions within the scripts to make any changes according to your needs. Run
the scripts by using the Entra ID PowerShell module.

） Important

Verify all steps in a test environment before you make any changes in your production
environment.

FAQ

When to use the Pause All Groups script

Use the Pause All Groups script if you suspect that there is an unintended change or you
encounter delays in widespread dynamic membership updates that affect many groups.

When to use the Pause Specific Groups or Pause All Groups

Except Some script
Use these scripts if you have to pause dynamic group processing for specific groups or for all
groups except certain ones.

How to know when it's safe to resume dynamic group

processing
Currently, Microsoft Entra doesn't offer observability for you to monitor the status of dynamic
group processing. We recommend that you wait at least 12 hours before you resume
processing in order to allow the service to recover from any issues.

７ Note

Microsoft Entra Support can help you to resume dynamic group processing only after you
wait for the recommended 12 hours.

How to resume dynamic group processing

Run the unPauseSpecificCritical.ps1 script to resume rule processing for specific groups after
you wait at least 12 hours. To prevent widespread delays from occurring again, start by
resuming dynamic group processing for critical groups to prevent widespread delays, and then
resume processing for the remaining dynamic groups in batches.

Related content
Dynamic group processing sample scripts

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Changes to your password are not saved
in Azure, Office 365, or Intune
Article • 10/28/2024

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Intune
Original KB number: 2951280

Symptoms
When you change your password in Microsoft Azure, Microsoft Office 365, or Microsoft
Intune and then select Finish to save your changes, the changed password is not saved.

Cause
This problem occurs when you use special characters such as the less-than sign < or the
greater-than sign > as part of your password.

Resolution
To resolve this problem, do not use special characters as part of your password.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Can't perform a Workplace Join by
using Device Registration Services
Article • 10/28/2024

This article describes an issue in which a user can't join a device to a Workplace by using
Device Registration Services. It provides two resolutions.

Original product version: Windows 8.1 Enterprise, Windows Server 2012 R2 Datacenter,
Windows Server 2012 R2 Standard, Microsoft Entra ID
Original KB number: 3045387

Symptoms
When a user tries to do a Workplace Join by using Device Registration Services, the user
receives one of the following messages:

The user receives the following message before providing the user's user name and
password:

Confirm you are using the current sign-in info, and that your workplace uses
this feature. Also, the connection to your workplace might not be working
right now. Please wait and try again.

The user receives the following message after the user provides the user's user
name and password:

Can't connect to the service.

Resolution
To resolve either of these problems, use the method that's appropriate for the situation.

Method 1
To fix the problem for message 1, review the Event logs on the client computer that's
trying to do a Workplace Join to determine the correct solution.

An administrator may see details in Event Viewer that resemble the following example:
 ﾉ Expand table

Event ID: (See the following table for the Event ID.)

Log Name: Windows 7: Applications and Service Logs/Microsoft-Workplace-Join/Admin

Windows 8 or Windows 10: Applications and Service Logs/Microsoft-Windows-

Workplace-Join/Admin

Source: Microsoft-Windows-Workplace Join

Level: Error

Description: (See the following table for the Event ID description.)

ﾉ Expand table

Event Description Resolution

ID

103 Workplace Join discovery failed. Server returned http status 404. KB
3045386

103 Workplace Join discovery failed. Server returned http status 503. KB
3045388

102 Workplace Join discovery failed. KB

3045385
Exit Code: 0x80072EE7.

The server name or address could not be resolved. Could not connect to
'https://EnterpriseRegistration.domainTEST.com:443/EnrollmentServer/contract?
api-version=1.0' .

102 Workplace Join discovery failed. KB

3045384
Exit Code: 0x80072F19.

It was not possible to connect to the revocation server or a definitive response

could not be obtained. Could not connect to
'https://EnterpriseRegistration.domain.com:443/EnrollmentServer/contract?api-
version=1.0' .

102 Workplace Join discovery failed. KB

3045383
Exit Code: 0x80072F8A.

The supplied certificate has been revoked. Could not connect to

 Event Description Resolution
ID

'https://EnterpriseRegistration.domain.com:443/EnrollmentServer/contract?api-
version=1.0' .

102 Workplace Join discovery failed. KB

3045382
Exit Code: 0x80072F0D.

The certificate authority is invalid or incorrect. Could not connect to

'https://EnterpriseRegistration.domain.com:443/EnrollmentServer/contract?api-
version=1.0' .

102 Workplace Join discovery failed. KB

3045381
Exit Code: 0x80072EFD.

A connection with the server could not be established. Could not connect to
'https://EnterpriseRegistration.domain.com:443/EnrollmentServer/contract?api-
version=1.0' .

102 Workplace Join discovery failed. KB

3045380
Exit Code: 0x80004005.

An unknown error has occurred. Could not connect to

'https://EnterpriseRegistration.domain.com:443/EnrollmentServer/contract?api-
version=1.0' .

200 "The maximum number of devices that can be joined to the workplace by the user KB
has been reached." 3045379

Method 2
To fix the problem for message 2, see "Can't connect to the service" error when you try
to register a device .

More Information
To quickly troubleshoot these problems, try one or more of the following things.

Verify DNS
Verify the DNS configuration by using NSlookup , and verify that the answers are correct.
To do so, open a Command Prompt window, and then run the following command:
 Console

Nslookup enterpriseregistration.domain.com

If you use Microsoft Entra join:

Should return CNAME result of EnterpriseRegistration.windows.net as the
target.
If you use Windows Server Workplace Join:
Internal host should return internal ADFS node.
External host should return external ADFS proxy address.

Flush the DNS cache

Open a Command Prompt window as an administrator, and then run the following
command:

Console

ipconfig /FlushDNS

Verify that Device Registration is enabled

If you try to do Workplace Join to Microsoft Entra ID:

1. Sign in to the Azure portal, or start the Microsoft Entra ID console from Microsoft
365 admin center as a Company Administrator.
2. Go to the directory where the user is trying to do the join.
3. Go to Configure.
4. Scroll down to the Device Registration section.
5. Make sure the setting labeled ENABLE WORKPLACE JOIN is toggled to Yes.
("Yes" will be blue.)

If you try to do Workplace Join to your local Active Directory domain, take the following
actions:

Open the Active Directory Federation Services (AD FS) management console.
Select Relying Party Trusts to determine whether the Device Registration
Service trust is enabled on each node of the AD FS farm.

Verify that the Active Directory Federation Services

service and the Device Registration Services service are
running
If you try to do a Workplace Join to your local Active Directory, you should log on to
each node of the AD FS farm and then follow these steps:

1. Go to Control Panel, Administrative Tools, and then Services (Services.msc).

2. Locate the Active Directory Federation Services service, and verify its status.
3. Locate the Device Registration Services service, and verify its status.
4. If either service isn't running, start the services.

Verify that the host name bindings are registered for each
node in the AD FS farm
If you try to do a Workplace Join to your local Active Directory, follow the steps at the
following Microsoft TechNet website:

Configure a Host Header for a Web Site (IIS 7)

Make sure that the host name (such as EnterpriseRegistration. domain_name.

domain_extension) is bound to port 443.

Update the root certificates

Run Windows Update , and make sure that the Updates for Root Certificates are all
installed

Verify that traffic is enabled if you're using a third-party

proxy or firewall server
If you try to do a Workplace Join to your local Active Directory, verify that there's a rule
to enable incoming TCP connections to EnterpriseRegistration. domain_name.
domain_extension. It should allow for traffic to pass through to the DRS server.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you try to remove a user
from the recycle bin: Remove-MsolUser
User Not Found
Article • 10/28/2024

Original product version: Office 365 Identity Management, Microsoft Entra ID, Cloud
Services (Web roles/Worker roles), Microsoft Intune, Azure Backup
Original KB number: 3019157

Symptoms
When you try to remove a user from the recycle bin (also sometimes known as the
Deleted Users container) in a Microsoft cloud service such as Microsoft Office 365,
Microsoft Intune, or Microsoft Azure, you receive the following error message:

Remove-MsolUser: User Not Found

For example, you experience these symptoms when you run the following cmdlet:

PowerShell

Remove-MsolUser -RemoveFromRecyleBin

７ Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024.
To learn more, read the deprecation update . After this date, support for these
modules are limited to migration assistance to Microsoft Graph PowerShell SDK
and security fixes. The deprecated modules will continue to function through
March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with

Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to
the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption
after June 30, 2024.

Cause
This problem occurs if the user who is performing the action is not a global admin.

Resolution
Take one of the following actions:

Have someone assign the global admin role to you, and then remove the user
from the recycle bin.
Have a global admin remove the user from the recycle bin.
Wait 30 days. Deleted users will remain in the recycle bin for 30 days. After 30 days,
they are automatically removed from the recycle bin.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Set up your enterprise for working
remotely in Azure: FAQ
FAQ

This Microsoft Entra ID and cloud services FAQ can help you manage your IT Pro teams
as they work remotely.

Original product version: Microsoft Entra ID Original KB number: 4559203

Frequently asked questions

I'm new to Microsoft Cloud. How can I

enable my employees to start working
remotely by using Microsoft Teams with
the free license that's offered by
Microsoft?
Microsoft offers a free E1 license for six months to enable your employees to increase
their productivity from home through Microsoft Teams. For information about licensing,
and to check your eligibility, go to: Manage the Office 365 E1 Trial.

What guidance is available to set up

Microsoft Teams from a Microsoft Entra
perspective to work with my existing
on-premises deployment?
Microsoft Teams uses identities stored in Microsoft Entra ID. You can integrate Microsoft
Entra ID with on-premises AD environments. For more information, see Microsoft 365
integration with on-premises environments
I work in education, and I have no
existing on-premises infrastructure.
How can I use Microsoft Teams for
educational purposes, such as online
teaching?
Microsoft offers a free A1 license for education. For information about licensing, go to
Get Office 365 free for your entire school . The following documentation provides
useful information about how to enable remote learning at your school or university:

Get started with Microsoft Teams for remote learning

Create your Office 365 tenant account

My administrators also work from

home. How can I enable them to access
our internal servers remotely and in a
secure manner?
The answer depends on your current deployment. If you already have a VPN solution,
you can integrate it by using our multi-factor authentication (MFA) solution to add
another layer of security.

If you don't have a VPN solution yet, you can proceed with the deployment, and use a
Windows gateway to allow remote access by having MFA as an extra layer of security.

Can you provide technical details to

help me enable MFA to allow remote
access to my internal servers if I'm using
a third-party VPN solution or a
Microsoft Windows gateway?
Yes, we provide technical guides.
If you have an Azure MFA server already in operation, and you have to use it, you can
create such a deployment by using an existing VPN solution or a Windows gateway.
(Notice that this kind of deployment has been deprecated, and only existing customers
can use it.)

Here are examples of MFA server integration with third-party VPNs:

Advanced scenarios with Azure MFA Server

Here's how to integrate Azure MFA server with gateway .

If you're using the MFA NPS extension, see the following articles for technical details:

Integrate your Remote Desktop Gateway infrastructure

Integrate your VPN infrastructure with Azure MFA

I want to enable Azure MFA. How can I

choose the type of MFA to use?
The following table provides multiple scenarios in which to deploy MFA.

ﾉ Expand table

Scenario Prerequisite

Cloud-only identity No additional prerequisite tasks

environment that uses modern
authentication

Hybrid identity scenarios Microsoft Entra Connect is deployed, and user identities
are synchronized or federated with the on-premises
Active Directory Domain Services (AD DS) with Microsoft
Entra ID.

On-premises legacy Microsoft Entra Application Proxy is deployed.

applications published for
cloud access

Using Azure MFA with RADIUS A Network Policy Server (NPS) is deployed.
Authentication
 Scenario Prerequisite

Users have Microsoft Office Upgrade to Microsoft Office 2013 or later and Apple
2010 or earlier, or Apple Mail Mail for iOS 12 or later. Conditional access is not
for iOS 11 or earlier supported by legacy authentication protocols.

For more information about how each MFA type works and when to use it, go to Plan an
Azure Multi-Factor Authentication deployment.

How can I enable users to be able to

reset their passwords directly from
Microsoft Entra ID?
Microsoft Entra ID provides several methods to achieve this based on your current
scenario:

If the user has Microsoft Entra ID P1 or P2 and wants to enable SSPR-U (SSPR for
users), we recommend this option:

Enable Microsoft Entra self-service password reset

If the user doesn't have Microsoft Entra ID P1 or P2, and uses an Active Directory
Federation Services (AD FS) for federation but doesn't have any SSPR, we
recommend this option:

If the user doesn't have Microsoft Entra ID P1 or P2 but wants to use ADFS to change
the password endpoint, they must explicitly enable the endpoint (Update password
customization). They can do this also on a proxy endpoint. Doing this enables the
capability on AD FS.

Users can send a claim that is named "passwordchangeurl" for the URL as a claim to
Microsoft Entra ID. Microsoft Entra ID will honor this for Windows 10, Microsoft Entra
joined workstations that are running Windows 10, version 1703 or a later version. The
user will be directed to the URL that is shown in the claim when the user presses
Ctrl+Alt+Del.

Here's are some sample references on claims in the context of AD FS:

Configure AD FS to Send Password Expiry Claims

I have a cloud-only deployment, and I
have to add Azure MFA as an extra layer
of security. Is there a free license for
this?
Yes. Microsoft Entra ID Free or standalone Office 365 licenses use security defaults to
require MFA for users and administrators.

To learn how to manage your users' MFA settings, go to View the status for a user.

Is it worth connecting my user's devices

to Microsoft Entra ID while they are
working remotely?
Microsoft Entra ID enables single sign-on to devices, apps, and services from anywhere
through connected devices. IT professionals get the controls they must have to manage
and secure your organization's resources. For more information, go to Getting devices in
Microsoft Entra ID.

What kinds of device types can connect

to Microsoft Entra ID?
You can connect three kinds of devices to Microsoft Entra ID: Microsoft Entra registered,
Microsoft Entra joined, or Microsoft Entra hybrid joined, depending on your
infrastructure. For more information, go to Getting devices in Microsoft Entra ID.

Is an extra license required to connect

my device to Microsoft Entra ID?
No. An extra license is not required. Because the Microsoft Entra ID Free license is
enabled by default together with the Office 365 license, users can connect devices to
Microsoft Entra ID.
While working remotely, why can't I
access Office 365 services after I reset
my password from my Microsoft Entra
joined device?
After you reset your password, you have to log out and log back in by using the new
password.

While working remotely, why can't I

access Office 365 services after I reset
my password from my Microsoft Entra
hybrid joined device.
When you reset your password on a Microsoft Entra hybrid joined device, you must
have a line of sight to the domain controller. If you're outside the corporate network,
make sure that you're connected through a VPN. Then, log out and log back in by using
the new password.

Do I still have access to Office 365

resources from Microsoft Entra hybrid
joined device when I work outside my
corporate network?
Yes. You still have access to Office 365 resources from Microsoft Entra hybrid joined
devices from outside the corporate network unless you change your password.

Is there a way to keep access to Office

365 resources from Microsoft Entra
hybrid joined devices even if I changed
my password while outside the
corporate network?
If you're using Windows Hello for Business (WHfB) to sign in a Microsoft Entra hybrid
joined device, you will retain access to Office 365 resources even after changing your
password.

How I can verify the health status of my

Microsoft Entra device?
You can verify the health status for all join types (Microsoft Entra hybrid joined,
Microsoft Entra joined, and Microsoft Entra register) by using the Device Registration
Troubleshooter Tool.

How can I verify that Single Sign-On

(SSO) is working as expected on my
device?
Run the dsregcmd /status command from a Microsoft Entra hybrid joined or Microsoft
Entra joined device, and check whether AzureAdPrt is set as YES. For more information,
go to SSO state.

What are the Hybrid Microsoft Entra

device registration steps?
The following are the device registration steps for Microsoft Entra hybrid joined:

1. The device tries to retrieve the tenant ID and domain name from the following
registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD .

2. If step 1 fails, the device communicates with the Local AD (configuration partition)
to get the tenant's information form the Service Connection Point (SCP). (You can
get SCP information by using Device Registration SCP Tool PowerShell.)
3. The device communicates with the Microsoft Entra tenant.
4. The device authenticates against either Microsoft Entra ID or a federation service
(for example, ADFS).
 5. The device registration process finishes.

For more information, go to Hybrid Microsoft Entra Device Registration .

What is the best method to

troubleshoot device registration issues?
The Device Registration Troubleshooter Tool runs more than 30 tests to identify and fix
the most common device registration issues for all join types (Microsoft Entra hybrid
joined, Microsoft Entra joined, and Microsoft Entra register).

While working from home, I can't access

cloud resources. My device's conditional
access policy isn't registered, but the
device seems to be connected to
Microsoft Entra ID. What might be
wrong?
Double-check the device connection to Microsoft Entra ID. Also check the Microsoft
Entra PRT value. For more information, go to SSO state.

When users work from home, is there a

way to allow them to reset their
passwords?
Yes. You can allow users to change their password from home. Here's how to configure
the password writeback feature:

1. Enable the password writeback feature from Microsoft Entra Connect. For more
information, go to Enable password writeback in Microsoft Entra Connect.

2. Set the required permission to the Microsoft Entra Connect account by running the
following PowerShell commands on the Microsoft Entra Connect server:

PowerShell
 Import-Module "C:\Program Files\Microsoft Entra
Connect\AdSyncConfig\AdSyncConfig.psm1"

PowerShell

Set-ADSyncPasswordWritebackPermissions -
ADConnectorAccountNameAADConnectAccount -ADConnectorAccountDomain
domain.local

To get ADConnectorAccountName and ADConnectorAccountDomain values:

PowerShell

Get-ADSyncADConnectorAccount

3. To enable password writeback from Azure portal, go to Enable password writeback

for SSPR.

What is the required license for

password writeback and SSPR?
The required licenses are listed in the following article:

How does self-service password reset writeback work in Microsoft Entra ID?

What are the required ports and URLs

for password writeback and SSPR?
For a Microsoft Entra Connect server that is running behind a firewall or through a
proxy, open the ports and URLs that are listed in this article.

Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that
are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about
the performance or reliability of these products.

Feedback
Was this page helpful?  Yes  No
Troubleshoot user creation and deletion
issues in Microsoft Entra ID
Article • 10/28/2024

This article outlines the methods in Microsoft Entra ID you can use to:

Create a user.
Delete a user.
Create users in bulk.

Prerequisites
One of the following role assignments:
Global Administrator
User Administrator

Methods for user creation and deletion

Microsoft Entra ID has many methods for creating and deleting users, such as:

Azure portal
Microsoft Graph REST API
Azure PowerShell
Azure CLI

These methods refer to users who are created directly in Microsoft Entra ID. The article
doesn't cover users who are created elsewhere and then synced to Microsoft Entra ID or
business-to-business scenarios.

Create a user
Select a method to create a user in Microsoft Entra ID.

Azure portal

To add a new user in the Azure portal:

1. In the Azure portal , sign in as a Global Administrator or a User

Administrator.
 2. Search for and select Microsoft Entra ID.

3. Select Users, and then select New user.

4. On the User page, enter the user's Name, User name, Groups, Directory role,
and Job info.

5. Copy the autogenerated password provided in the Password box. You'll need
to give this password to the user to sign in for the first time.

6. Select Create.

For more information, see Add or delete users - Microsoft Entra ID.

Delete a user
Select a method to delete a user in Microsoft Entra ID.

Azure portal

To delete a user in the Azure portal:

1. In the Azure portal , sign in as a Global Administrator or a User

Administrator.

2. Search for and select Microsoft Entra ID.

3. Select Users.

4. Search for and select the user you want to delete from your Microsoft Entra
tenant (for example, Mary Parker).

5. Select Delete user.

The user is deleted and no longer appears on the Users - All users page. You can
view the user on the Deleted users page for the next 30 days. You may also restore
the deleted user during that time. For more information about restoring a user, see
Restore or remove a recently deleted user using Microsoft Entra ID.

After you delete a user, any licenses that the user consumes are made available for
other users.

Create users in bulk

For more information about creating or deleting users in bulk, see Bulk create users in
Microsoft Entra ID.

Permissions required to manage users with a

service principal
If you want to automate the creation and deletion of your Microsoft Entra users on
Microsoft Graph, your application needs the following permissions:

User.ReadWrite.All
Directory.ReadWrite.All

For more information about who can manage each aspect of user management, see
Least privileged roles by task in Microsoft Entra ID—Users.

Error messages and remediation actions

The following table contains a list of common error messages when you attempt to
create or delete a user in Microsoft Entra ID, and describes the proper remediation
actions for them. The error messages are as shown for the Microsoft Graph REST API,
Azure PowerShell, or Azure CLI. Similar, but briefer error messages are shown in the
Azure portal, and the remedial actions are identical.

ﾉ Expand table

Error message Action

Another object with the same Make the user principal name (UPN) unique. This error occurs
value for property when the administrator attempts to create a user with an existing
userPrincipalName already user name in Microsoft Entra ID. For more information, see User
exists. name policies.

Insufficient privileges to Find a Global Administrator or a User Administrator to add or

complete the operation. delete the user. This error occurs when the security principal tries
to create or delete users, but doesn't have the needed
permissions. A Global admin can create or delete any user,
including other admins. A User admin can create users and delete
any non-admin users, Helpdesk administrators, and other User
admins.

Property userPrincipalName See User name policies for a list of allowed and disallowed
is invalid. characters. This error occurs when you create a new user with
unacceptable characters in the UPN. The user name and email
address properties also can't contain accent characters.
 Error message Action

The specified password does Avoid using a password that:

not comply with password Doesn't follow the Microsoft Entra password policies.
complexity requirements. Is on the custom banned password list.
Please provide a different Contains the user name of the user.
password.

The domain portion of the Make sure the domain you're using to create the user is on the
userPrincipalName property list of verified domains in the Microsoft Entra admin center. The
is invalid. You must use one of status of the domain needs to be Verified. If you've verified the
the verified domain names in domain status, see whether the domain is Federated (has a
your organization. checkmark) or Managed (doesn't have a checkmark). You can
only create users in Microsoft Entra ID for managed domains. For
federated domains, you must create the user on the identity
provider (IdP), and then sync to Microsoft Entra ID. You can't
assign a federated domain to a user.

Directory quotas
For the Free edition of Microsoft Entra ID, you can create a maximum of 50,000
Microsoft Entra resources in a single tenant by default. If you use at least one verified
domain, the default Microsoft Entra service quota for your organization is extended to
300,000 Microsoft Entra resources. For organizations that are created by self-service
sign-up, the Microsoft Entra service quota remains 50,000 Microsoft Entra resources.
This limit applies even if you made an internal admin takeover and converted the
organization to a managed tenant with one or more verified domains. This service limit
is unrelated to the pricing tier limit of 500,000 resources on the Microsoft Entra pricing
page. To go beyond the default quota, you must contact Microsoft Support.

For more information, see Microsoft Entra service limits and restrictions.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Unknown actors in Audit reports
Article • 11/14/2024

The following are common examples of Microsoft first-party service principal actors that
may be found in Microsoft Entra audit logs, including a description of actions that these
actors may take on Microsoft Entra objects in your tenant.

For more commonly used first-party Microsoft applications, see Application IDs of
commonly used Microsoft applications.

Unknown actors
ﾉ Expand table

Actor Name Services Description

Azure Credential Configuration Endpoint Service Auth Used when authentication

Methods methods are registered. It can
Registration be displayed as an actor in
audit logs when enabling the
combined registration.

cxpweb_service@support.onmicrosoft.com CXP This account is from our

internal Microsoft Support
tenant. It's used to facilitate
the management and
maintenance of customers'
tenants. Microsoft Support is
currently transitioning to a
unified platform for customer
support and case
management. For the change
in question, the account sets
a flag on the tenant to initiate
the migration of support
cases to the unified platform.
This change doesn't directly
affect any settings on your
tenant or affect your existing
or future support cases.

DaRT Team Partner The Set Partnership operation

Center means that DAP is terminated
by Microsoft. This scenario is
expected to be part of the
Actor Name Services Description

Microsoft-led DAP
deprecation.

fim_password_service@support.onmicrosoft.com Self-Service Used to perform the Self

Password Service Password Reset
Reset operation for end users.

Microsoft Approval Management Self-Service Used by self-service group

Group management service (SSGM)
Management for Microsoft Entra ID
Service dynamic groups, and Office
365 Group expiration policy
operations.

Microsoft Azure AD Internal - Jit Provisioning Microsoft Used when the service
Entra ID principal for a Microsoft
service is automatically
created or updated, typically
in response to changes that
are made in subscriptions.
These automatic service
principal updates sometimes
occur through a background
asynchronous process. They
do not necessarily occur
immediately following a
subscription event or change.

Microsoft Azure Management ARM If the directory doesn't

already have an account for
the Service Administrators,
the "Windows Azure Service
Management API" ARM
service principal will send and
redeem invitations to the
Service Administrators of the
Azure subscription list. This
process ensures that the
Service Administrator of the
subscription can access and
view the subscription in the
portal.

Microsoft Entra Subscription Lifecycle Process License Used by the license manager
Manager service to remove licenses
Service and subscriptions from
Microsoft Entra ID when a
subscription has expired or
Actor Name Services Description

when the subscription state

changes.

Microsoft Exchange Online Protection Security and Used by Exchange Online

Compliance Protection to write changes
Center to Microsoft Entra ID. As an
example, MIP labels can only
be modified in Security and
Compliance Center (SCC).
SCC logs contain the user
actor. SCC then pushes these
labels to Microsoft Entra
offline, so there's no user
context.

Microsoft Managed Policy Manager Microsoft Used to create and manage

Managed Microsoft-managed
Conditional Conditional Access policies.
Access

Microsoft Substrate Management Exchange Used by Exchange Online

during dual write operations
to Microsoft Entra ID. When
an object in Exchange Online
is written to Microsoft Entra
ID, this principal will show up
as the actor in Microsoft
Entra audit logs. For more
information about dual write
operations, see Exchange
Online Improvements to
Accelerate Replication of
Changes to Microsoft Entra
ID .

MS-CE-CXG-MAC-AadShadowRoleWriter License Used by commerce platform

Manager to assign Microsoft 365
Service, commerce role permissions
Purchase to Microsoft Entra ID. An
Service, example of a role this service
Marketplace would add is Modern
Commerce Administrator.
- Reference 1 - Microsoft
Entra built-in roles
- Reference 2 - Who can buy
through self-service
purchase?
 Actor Name Services Description

Signup Commerce Used by commerce licensing

Licensing service during self-service
(LMS) subscription signup. For more
information about self-service
subscriptions, see Manage
self-service sign-up
subscriptions.

spo_service@support.onmicrosoft.com SharePoint This account is used to create

Online Azure Access Control Service
(ACS) principles. These are
required for the installation of
the SharePoint app (add-in).

Windows Azure Service Management API Azure Used by the Azure Resource
Resource Manager (ARM) service. This
Manager service principal may be used
for any Microsoft Entra
operations needed to
maintain proper access to
your Azure subscription and
resources, such as ensuring
the subscription's Service
Administrator has a Microsoft
Entra account in your tenant.
You can see this actor when a
customer registers a resource
provider in an Azure
subscription in their tenant.
For more information about
how and why this actor
appears, see resource
providers and types. More
than 1,000 App IDs are
connected to resource
providers, and new IDs are
added regularly. The REST API
can be used to return the
App ID dynamically.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

Verify first-party Microsoft applications in
sign-in reports
Article • 04/07/2025

７ Note

Was this article helpful? Your input is important to us. Please use the Feedback button on
this page to let us know how well this article worked for you or how we can improve it.

When you review your sign-in reports, you might see an application in your sign-in report that
you don't own and want to identify. You also might wonder how you signed in to that app, if
you don't remember accessing the app.

Here's an example sign-in report:

For example, when you access learn.microsoft.com , the application that's shown in the sign-in
log may show dev-rel-auth-prod , but this isn't descriptive of learn.microsoft.com .

Although the apps that are listed in sign-in reports are owned by Microsoft and aren't
suspicious applications, you can determine whether Microsoft owns a Microsoft Entra service
principal that's found in your Microsoft Entra logs.

７ Note
 First-party Microsoft applications don't always result in a service principal that's created in
your tenant. In this case, you'll likely continue to see the applications in your sign-in
reports. This article lists the application IDs of commonly used Microsoft applications.

Verify a first-party Microsoft service principal in

your Microsoft Entra tenant
1. Open the list of enterprise applications in Microsoft Entra ID .

2. In the navigation pane, select All applications.

3. In the Application Type drop-down list, select Microsoft Applications, and then select
Apply. All applications that are listed here are owned by Microsoft.

4. In the search box below the drop-down lists, filter the Microsoft application list by adding
a specific Display Name or Application ID.

5. Select the desired app, and then select Properties in the navigation pane to view the
listed app's properties. Verify that you see the following error message:

Output

You can't delete this application because it's a Microsoft first party
application.
Verify a first-party Microsoft service principal
through PowerShell

Using Microsoft Graph PowerShell SDK

1. Open PowerShell, import Microsoft Graph PowerShell SDK and then connect to Microsoft
Entra ID:

Windows Command Prompt

Import-Module Microsoft.Graph.Applications
Connect-MgGraph

2. In the PowerShell command-line, enter the display name of the application and run the
following cmdlet:

Windows Command Prompt

$appDisplayName = '<display name>'

Get-MgServicePrincipal -Filter "DisplayName eq '$appDisplayName'" | Select-
Object Id, DisplayName, SignInAudience, AppOwnerOrganizationId

3. Review the AppOwnerTenantId value in the output.

In the screenshot, f8cdef31-a31e-4b4a-93e4-5f571e91255a is the Microsoft Service's

Microsoft Entra tenant ID.
Using Microsoft Entra PowerShell
1. Open PowerShell, import Microsoft Graph PowerShell SDK and connect to Microsoft Entra
ID:

Windows Command Prompt

Import-Module Microsoft.Entra
Connect-Entra

2. In the PowerShell command-line, enter the display name of the application and run the
following cmdlet:

Windows Command Prompt

$appDisplayName = '<display name>'

Get-EntraServicePrincipal -SearchString $appDisplayName | Select-Object Id,
DisplayName, SignInAudience, AppOwnerOrganizationId

3. Review the result's AppOwnerTenantId .

In the screenshot, f8cdef31-a31e-4b4a-93e4-5f571e91255a is the Microsoft Service's

Microsoft Entra tenant ID.

Application IDs of commonly used Microsoft

applications
The following table lists some, but not all, first-party Microsoft applications. You may see these
applications in the Sign-ins report in Microsoft Entra ID.

ﾉ Expand table

Application Name Application IDs

ACOM Azure Website 23523755-3a2b-41ca-9315-f81f3f566a95

ADIbizaUX 74658136-14ec-4630-ad9b-26e160ff0fc6
Application Name Application IDs

AEM-DualAuth 69893ee3-dd10-4b1c-832d-
4870354be3d8

App Service 7ab7862c-4c57-491e-8a45-d52a7e023983

ASM Campaign Servicing 0cb7b9ec-5336-483b-bc31-b15b5788de71

Azure Advanced Threat Protection 7b7531ad-5926-4f2d-8a1d-38495ad33e17

Azure Data Lake e9f49c6b-5ce5-44c8-925d-015017e9f7ad

Azure Lab Services Portal 835b2a73-6e10-4aa5-a979-21dfda45231c

Azure Portal c44b4083-3bb0-49c1-b47d-974e53cbdf3c

Azure SQL Database 022907d3-0f1b-48f7-badc-1ba6abab6d66

AzureSupportCenter 37182072-3c9c-4f6a-a4b3-b3f91cacffce

Bing 9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7

ContactsInferencingEmailProcessor 20a11fe0-faa8-4df5-baf2-f965f8f9972e

CPIM Service bb2a2e3a-c5e7-4f0a-88e0-8e01fd3fc1f4

CRM Power BI Integration e64aa8bc-8eb4-40e2-898b-cf261a25954f

Dataverse 00000007-0000-0000-c000-000000000000

Enterprise Roaming and Backup 60c8bde5-3167-4f92-8fdb-059f6176dc0f

Exchange Admin Center 497effe9-df71-4043-a8bb-14cf78c4b63b

FindTime f5eaa862-7f08-448c-9c4e-f4047d4d4521

Focused Inbox b669c6ea-1adf-453f-b8bc-6d526592b419

GroupsRemoteApiRestClient c35cb2ba-f88b-4d15-aa9d-37bd443522e1

HxService d9b8ec3a-1e4e-4e08-b3c2-5baf00c0fcb0

IAM Supportability a57aca87-cbc0-4f3c-8b9e-dc095fdc8978

IrisSelectionFrontDoor 16aeb910-ce68-41d1-9ac3-9e1673ac9575

MCAPI Authorization Prod d73f4b35-55c9-48c7-8b10-651f6f2acb2e

Media Analysis and Transformation Service 944f0bd1-117b-4b1c-af26-804ed95e767e

0cd196ee-71bf-4fd6-a57c-b491ffd4fb1e

Microsoft 365 Security and Compliance Center 80ccca67-54bd-44ab-8625-4b79c4dc7775

Application Name Application IDs

Microsoft 365 Support Service ee272b19-4411-433f-8f28-5c13cb6fd407

Microsoft App Access Panel 0000000c-0000-0000-c000-000000000000

Microsoft Approval Management 65d91a3d-ab74-42e6-8a2f-0add61688c74

38049638-cc2c-4cde-abe4-4479d721ed44

Microsoft Authentication Broker 29d9ed98-a469-4536-ade2-f981bc1d605e

Microsoft Azure CLI 04b07795-8ddb-461a-bbee-02f9e1bf7b46

Microsoft Azure PowerShell 1950a258-227b-4e31-a9cf-717495945fc2

MicrosoftAzureActiveAuthn 0000001a-0000-0000-c000-000000000000

Microsoft Bing Search cf36b471-5b44-428c-9ce7-313bf84528de

Microsoft Bing Search for Microsoft Edge 2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8

Microsoft Bing Default Search Engine 1786c5ed-9644-47b2-8aa0-7201292175b6

Microsoft Defender for Cloud Apps 3090ab82-f1c1-4cdf-af2c-5d7a6f3e2cc7

Microsoft Defender for Identity (formerly Radius Aad 60ca1954-583c-4d1f-86de-39d835f3e452

Syncer)

Microsoft Docs 18fbca16-2224-45f6-85b0-f7bf2b39b3f3

Microsoft Dynamics ERP 00000015-0000-0000-c000-000000000000

Microsoft Edge Insider Addons Prod 6253bca8-faf2-4587-8f2f-b056d80998a7

Microsoft Exchange ForwardSync 99b904fd-a1fe-455c-b86c-2f9fb1da7687

Microsoft Exchange Online Protection 00000007-0000-0ff1-ce00-000000000000

Microsoft Exchange ProtectedServiceHost 51be292c-a17e-4f17-9a7e-4b661fb16dd2

Microsoft Exchange REST API Based Powershell fb78d390-0c51-40cd-8e17-fdbfab77341b

Microsoft Exchange Web Services 47629505-c2b6-4a80-adb1-

9b3a3d233b7b

Microsoft Exchange Message Tracking Service 6326e366-9d6d-4c70-b22a-34c7ea72d73d

Microsoft Forms c9a559d2-7aab-4f13-a6ed-e7e9c52aec87

Microsoft Graph 00000003-0000-0000-c000-000000000000

Microsoft Intune Web Company Portal 74bcdadc-2fdc-4bb3-8459-76d06952a0e9

Application Name Application IDs

Microsoft Intune Windows Agent fc0f3af4-6835-4174-b806-f7db311fd2f3

Microsoft Office d3590ed6-52b3-4102-aeff-aad2292ab01c

Microsoft Office 365 Portal 00000006-0000-0ff1-ce00-000000000000

Microsoft Office Web Apps Service 67e3df25-268a-4324-a550-0de1c7f97287

Microsoft Online Syndication Partner Portal d176f6e7-38e5-40c9-8a78-3998aab820e7

Microsoft Outlook 5d661950-3475-41cd-a2c3-d671a3162bc1

Microsoft password reset service 93625bc8-bfe2-437a-97e0-3d0060024faa

Microsoft Power BI 871c010f-5e61-4fb1-83ac-98610a7e9110

Microsoft Storefronts 28b567f6-162c-4f54-99a0-6887f387bbcc

Microsoft Stream Portal cf53fce8-def6-4aeb-8d30-b158e7b1cf83

Microsoft Substrate Management 98db8bd6-0cc0-4e67-9de5-f187f1cd1b41

Microsoft Support fdf9885b-dd37-42bf-82e5-c3129ef5a302

Microsoft Teams 1fec8e78-bce4-4aaf-ab1b-5451cc387264

Microsoft Teams Services cc15fd57-2c6c-4117-a88c-83b1d56b4bbe

Microsoft Teams Web Client 5e3ce6c0-2b1f-4285-8d4b-75ee78787346

Microsoft Whiteboard Services 95de633a-083e-42f5-b444-a4295d8e9314

O365 SkypeSpaces Ingestion Service dfe74da8-9279-44ec-8fb2-2aed9e1c73d0

O365 Suite UX 4345a7b9-9a63-4910-a426-35363201d503

Office 365 Exchange Online 00000002-0000-0ff1-ce00-000000000000

Office 365 Management 00b41c95-dab0-4487-9791-b9d2c32c80f2

Office 365 Search Service 66a88757-258c-4c72-893c-3e8bed4d6899

Office 365 SharePoint Online 00000003-0000-0ff1-ce00-000000000000

Office Delve 94c63fef-13a3-47bc-8074-75af8c65887a

Office Online Add-in SSO 93d53678-613d-4013-afc1-62e9e444a0a5

Office Online Client Microsoft Entra ID- Augmentation Loop 2abdc806-e091-4495-9b10-b04d93c3f040

Office Online Client Microsoft Entra ID- Loki b23dd4db-9142-4734-867f-3577f640ad0c

Application Name Application IDs

Office Online Client Microsoft Entra ID- Maker 17d5e35f-655b-4fb0-8ae6-86356e9a49f5

Office Online Client MSA- Loki b6e69c34-5f1f-4c34-8cdf-7fea120b8670

Office Online Core SSO 243c63a3-247d-41c5-9d83-7788c43f1c43

Office Online Search a9b49b65-0a12-430b-9540-c80b3332c127

Office.com 4b233688-031c-404b-9a80-a4f3f2351f90

Office365 Shell WCSS-Client 89bee1f7-5e6e-4d8a-9f3d-ecd601259da7

OfficeClientService 0f698dd4-f011-4d23-a33e-b36416dcb1e6

OfficeHome 4765445b-32c6-49b0-83e6-1d93765276ca

OfficeShredderWacClient 4d5c2d63-cf83-4365-853c-925fd1a64357

OMSOctopiPROD 62256cef-54c0-4cb4-bcac-4c67989bdc40

OneDrive SyncEngine ab9b8c07-8f02-4f72-87fa-80105867a763

OneNote 2d4d3d8e-2be3-4bef-9f87-7875a61c29de

Outlook Mobile 27922004-5251-4030-b22d-91ecd9a37ea4

Partner Customer Delegated Admin Offline Processor a3475900-ccec-4a69-98f5-a65cd5dc5306

Password Breach Authenticator bdd48c81-3a58-4ea9-849c-ebea7f6b6360

PeoplePredictions 35d54a08-36c9-4847-9018-93934c62740c

Power BI Service 00000009-0000-0000-c000-000000000000

Scheduling ae8e128e-080f-4086-b0e3-4c19301ada69

SharedWithMe ffcb16e8-f789-467c-8ce9-f826a080d987

SharePoint Online Web Client Extensibility 08e18876-6177-487e-b8b5-cf950c1e598c

Signup b4bddae8-ab25-483e-8670-df09b9f1d0ea

Skype for Business Online 00000004-0000-0ff1-ce00-000000000000

SpoolsProvisioning 61109738-7d2b-4a0b-9fe3-660b1ff83505

Sticky Notes API 91ca2ca5-3b3e-41dd-ab65-809fa3dffffa

Substrate Context Service 13937bba-652e-4c46-b222-3003f4d1ff97

SubstrateDirectoryEventProcessor 26abc9a8-24f0-4b11-8234-e86ede698878
 Application Name Application IDs

Substrate Search Settings Management Service a970bac6-63fe-4ec5-8884-8536862c42d4

Sway 905fcf26-4eb7-48a0-9ff0-8dcc7194b5ba

Transcript Ingestion 97cb1f73-50df-47d1-8fb0-0271f2728514

Universal Store Native Client 268761a2-03f3-40df-8a8b-c3db24145b6b

Viva Engage (formerly Yammer) 00000005-0000-0ff1-ce00-000000000000

Viva Insights fe93bfe1-7947-460a-a5e0-7a5906b51360

WeveEngine 3c896ded-22c5-450f-91f6-3d1ef0848f6e

Windows Azure Active Directory 00000002-0000-0000-c000-000000000000

Windows Azure Security Resource Provider 8edd93e1-2103-40b4-bd70-

6e34e586362d

Windows Azure Service Management API 797f4846-ba00-4fd7-ba43-dac1f8f63013

WindowsDefenderATP Portal a3b79187-70b2-4139-83f9-6016c58cd27b

Windows Search 26a7ee05-5602-4d76-a7ba-eae8b7b67941

Windows Spotlight 1b3c667f-cde3-4090-b60b-3d2abd0117f0

Windows Store for Business 45a330b1-b1ec-4cc1-9161-9f03992aa49f

Yammer Web c1c74fed-04c9-4704-80dc-9f79a2e515cb

Yammer Web Embed e1ef36fd-b883-4dbf-97f0-9ece4b576fc6

Application IDs of Microsoft tenant-owned

applications
The following table lists some, but not all, Microsoft tenant-owned applications (tenant ID:
72f988bf-86f1-41af-91ab-2d7cd011db47).

ﾉ Expand table

Application Name Application IDs

Graph Explorer de8bc8b5-d9f9-48b1-a8ad-b748da725064

Microsoft Graph Command Line Tools 14d82eec-204b-4c2f-b7e8-296a70dab67e

 Application Name Application IDs

OutlookUserSettingsConsumer 7ae974c5-1af7-4923-af3a-fb1fd14dcb7e

Vortex [wsfed enabled] 5572c4c0-d078-44ce-b81c-6cbf8d3ed39e

More information
For more information, see Sign-in activity reports in the Microsoft Entra admin center.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Code 403 (Forbidden) when you use
Azure Seamless Single Sign-On on
Windows 10
Article • 10/28/2024

This article can help you resolve a problem in which you receive Code 403 (Forbidden)
when using Azure Seamless Single Sign-On on Windows 10.

Original product version: Microsoft Entra ID, Windows 10

Original KB number: 4135083

Symptoms
The Azure Seamless Single Sign-On authentication does not work after you upgrade to
Windows 10. When this problem occurs, you may receive the following error message:

Integrated Windows Authentication failed with status code 403 (Forbidden).

Resolution
To resolve this problem, follow these steps:

1. Check the following Group Policy object, and make sure that it is set to not
defined:

Network security: Configure encryption types allowed for Kerberos

If you update the Group Policy setting, run gpupdate /force to push the changes
to the devices.

2. Start Registry Editor, and browse to the following subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\k

erberos\parameters

3. Delete the supportedencryptiontypes DWORD entry if it exists.

4. Restart the device.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

A faulty split-brain DNS configuration
can prevent a seamless SSO sign-in
experience
Article • 10/28/2024

This article describes the conditions in which Active Directory Federation Services (AD
FS) doesn't behave as expected when you sign in to Office 365 services by using a single
sign-on (SSO)-enabled user ID.

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2715326

Symptoms
When you sign in to a Microsoft cloud service such as Office 365, Microsoft Azure, or
Microsoft Intune by using a single sign-on (SSO) enabled user ID, the connection to
Active Directory Federation Services (AD FS) does not behave as expected. The
connection fails together with one of the following results:

Computers that sign in from inside the on-premises network connect to the AD FS
proxy IP address, and a forms-based authentication prompt appears. However, an
Integrated Windows Authentication experience is expected.
Computers that sign in from inside the on-premises network and then try to
connect to the AD FS proxy service are denied because of firewall settings.

Cause
These symptoms can be caused by a faulty split-brain DNS configuration that is required
for correct internal and external name resolution of DNS services. One of the following
causes is most likely:

The split-brain internal DNS resolution isn't set up for the domain in which the AD
FS service resides.
AD FS service name resolution isn't set in the split-brain internal DNS resolution of
the on-premises environment.

Resolution
To resolve this issue, follow these steps:

Step 1: Establish the split-brain DNS zone in internal DNS

To do this, follow these steps on the on-premises DNS server:

1. Open the DNS Management Console. To do this, open Administrative Tools, and
then double-click DNS.

2. In the left navigation pane, expand DNS, expand the server name, and then select
Forward Lookup Zones.

3. If there's no entry that's displayed for the DNS zone within which the AD FS service
endpoint is hosted, create the zone. To do this, right-click Forward Lookup Zones,
and then select New Zone.

4. Complete the wizard. When you do this, select Primary Zone, and then name the
zone for the DNS domain of the AD FS server.

２ Warning

Completing this step effectively stops on-premises computers from resolving

server names to public IP addresses by using the DNS server that resolves
public requests for the domain. Any extranet service endpoints that have to
be used by on-premises clients must have an A record created within the
split-brain DNS configuration to enable the connection.

Step 2: Advertise the AD FS service endpoint in the split-

brain DNS domain
In the DNS Management Console that you opened earlier, follow these steps:

1. Browse to and then select the DNS zone for the domain of the AD FS server.
2. Right-click the domain name, and then select New Host (A or AAAA).
3. Enter the following values:

Name: The AD FS service name

IP address: The on-premises private IP address of the AD FS Federation
Service farm.
Step 3: Clear the DNS cache on the server and client to
test the solution
1. In the DNS Management Console that you opened earlier, right-click the server
name, and then select Clear Cache.

2. On the client computer, select Start, select All Programs, select Accessories, right-
click Command Prompt, and then select Run As Administrator.

3. Type the following command, and then press Enter:

Console

Ipconfig /flushdns

Retest SSO sign-in to confirm that this resolves the issue.

More information
Split-brain DNS is a common configuration that's used to make sure that on-premises
client computers resolve a server name to internal IP addresses, even though public DNS
resolution resolves the same service name to a different public IP address. When you set
up AD FS for on-premises service, this configuration is needed to make sure that on-
premises client computers' authentication experience to the AD FS service is handled
differently (by the AD FS Federation Service farm) than external client computers that
are being serviced by the AD FS Proxy Service.

Without this configuration, all AD FS clients will be serviced by the same IP address
when they connect to the AD FS service, whether they are connected from the on-
premises network or are accessing remotely from an Internet location. This limits the
seamless authentication experience possible for on-premises, Active Directory-
authenticated clients, because the AD FS Proxy Service that is exposing the AD FS
service to the Internet does not expect the accessing client to be able to provide an
Integrated Windows Authentication response without a prompt (because remote
computers are not authentication to Active Directory).

To overcome this limitation, it's desirable to override the default name resolution that is
given to on-premises clients by creating an identically named domain in on-premises
DNS. Because the DNS distributed architecture returns the first response that is found to
a forward lookup query, this effectively masks the public DNS domain advertisements
for that domain for all on-premises client computer requests because their requests are
handled by on-premises DNS servers first.
Contact us for help
If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you perform a Workplace
Join: Confirm you are using the current
sign-in info
Article • 10/28/2024

This article describes a problem in which an error occurs when you perform a Workplace
Join operation.

Original product version: Windows 8.1 Enterprise, Windows Server 2012 R2 Datacenter,
Windows Server 2012 R2 Standard, Microsoft Entra ID
Original KB number: 3045386

Symptoms
When you try to perform a Workplace Join operation, you receive this error message:

Confirm you are using the current sign-in info, and that your workplace uses this
feature. Also, the connection to your workplace might not be working right now.
Please wait and try again.

Additionally, an administrator may see the following event details in Event Viewer:

Event ID: 103

Log Name: Microsoft-Windows-Workplace Join/Admin
Source: Microsoft-Windows-Workplace Join
Level: Error
Description: Workplace Join discovery failed. Server returned http status 404.
https://EnterpriseRegistration.domain.com:443/EnrollmentServer/contract?api-

version=1.0

Cause
This problem occurs for one of the following reasons:

The client is being redirected to the internal Device Registration Service (DRS)
instance where the DRS endpoint is disabled or stopped.
The DNS records for the EnterpriseRegistration service are missing or
misconfigured.
 The domain suffix of the currently logged-on user is not accounted for in the SSL
certificate of DRS.
The network or firewall is blocking traffic, or transient network issues are causing
packet loss.

Resolution

Verify DNS
Verify the DNS configuration by using the NSlookup tool, and verify that the answers are
correct.

To do this, open a Command Prompt window, and then run the following command:

Console

Nslookup enterpriseregistration.domain.com

If you use Microsoft Entra join

This should return the CNAME result of EnterpriseRegistration.windows.net as
the target.
If you use Windows Server Workplace Join
The internal host should return the internal AD FS node.
The external host should return the external AD FS proxy address.

Verify that Device Registration is enabled

If you try to perform Workplace Join to Microsoft Entra ID, follow these steps:

1. Sign in to Azure portal, or launch the Microsoft Entra ID console from the M365
admin center as a Company Administrator.
2. Locate the directory where the user is trying the join operation.
3. Go to Configure.
4. Scroll down to the Device Registration section.
5. Make sure that the setting that's labeled ENABLE WORKPLACE JOIN is toggled to
Yes (Yes will be blue).

If you try to perform a Workplace Join to your local Active Directory domain, follow
these steps:
 1. Start the AD FS Management console, and then select Relying Party Trusts to
determine whether the Device Registration Service trust is Enabled on each node
of the AD FS farm.
2. If Device Registration Service is Enabled, check the Services Console to make sure
that the Device Registration Service is started.

Check the SSLCertificate bindings

If you try to perform Workplace Join to your local Active Directory domain, follow these
steps:

1. Open a Command Prompt window as an administrator, type the following

commands, and press Enter after each command to display the bindings on the
ADFS Proxy or ADFS Server:

Console

Netsh

Console

Http Show SSLCert

2. Determine whether the IP Port Binding (not Name binding) is present.

3. If the IP Port binding is not present, review to determine whether the

EnterpriseRegistration Name binding is present.

More information
For more troubleshooting information, see the following article in the Microsoft
Knowledge Base:

Diagnostic logging for troubleshooting Workplace Join issues .

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

Can't sync SystemMailbox or
DiscoveryMailboxSearch accounts using
Azure Active Directory Sync tool
Article • 10/28/2024

This article provides information about resolve a problem in which you receive errors
when trying to use the Azure Active Directory Sync tool to synchronize the
SystemMailbox and DiscoverySearchMailbox user accounts.

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2804688

Symptoms
When you use the Microsoft Azure Active Directory Sync tool to sync the following user
accounts, you receive directory synchronization errors:

SystemMailbox{1f05a927-beed-480c-b962-
da8d1d7e16a8}@<DomainNameName>
SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}@<DomainName>
DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-
7E09334BB852}@<DomainNameName>

Cause
This issue occurs if the three user accounts that were created during Microsoft Exchange
Server 2010 installation are missing the attribute data. In this case, the attribute data is
used by the Azure Active Directory Sync tool to filter out these user accounts and stop
them from being synced to the cloud.

Resolution
To resolve this issue, use one of the following methods, as appropriate for your
situation.

Method 1
On the domain controller or a computer on which the Active Directory Domain Services
Administration Tools are installed, follow these steps:

1. Open Active Directory Users and Computers.

2. On the View menu, select Advanced Features.

3. Select the Users container.

4. Double-click each SystemMailbox user account, and then follow these steps for
each account:
a. Select Attribute Editor.
b. Find the mailNickName attribute, and then populate the attribute by using the
value that's included in the mail attribute.
c. Select OK.

5. Double-click each DiscoverySearchMailbox user account, and then follow these

steps for each account:
a. Select Attribute Editor.
b. Find the mailNickName attribute, and then populate the attribute by using the
value that is included in the mail attribute.
c. Find the msExchRecipientTypeDetails attribute, and then set the value of the
attribute to 536870912.
d. Select OK.

Method 2

On the computer on which the Directory Sync tool is installed, follow these steps:

1. Open an elevated command prompt.

2. Open Windows PowerShell, type Import-Module DirSync , and then press Enter.

3. After the Windows PowerShell session starts, run the following cmdlet:

PowerShell

Start-OnlineCoexistenceSync

If the methods did not work, see Recreate missing arbitration mailboxes.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

ESR settings don't sync with multi-factor
authentication enabled
Article • 10/28/2024

Original product version: Windows 10 version 1709 all editions, Windows 10 version
1703 all editions, Windows 10 version 1511 all editions, Windows 10 version 1607 all
editions
Original KB number: 3193683

Symptoms
You have enabled Enterprise State Roaming (ESR) in the Microsoft Entra admin center
and on some Windows 10 clients. Any supported settings for sync, such as the desktop
background or task bar position, don't sync between devices for the same user. The
following events 1098 and 1097 are logged in the Microsoft-Windows-AAD/Operational
event log:

Console

Log Name: Microsoft-Windows-AAD/Operational

Source: Microsoft-Windows-AAD
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
Keywords: Error,
Error Computer: Win10client.contoso.com
Description: Error: 0xCAA2000C The request requires user interaction. Code:
interaction_required Description: AADSTS50076: The user is required to use
multi-factor authentication to access this resource. Please retry with a new
authorize request for the resource 'https://syncservice.windows.net/*'.
Trace ID: <Trace ID GUID> Correlation ID: <Correlation ID GUID> Timestamp:
yyyy-mmmm-dddd 01:30:38Z
TokenEndpoint: https://login.microsoftonline.com/common/oauth2/token
Authority: https://login.microsoftonline.com/common
Client ID: <Client ID GUID>
Redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/<Client ID GUID>
Resource: https://syncservice.windows.net/*
Correlation ID (request): <Correlation ID GUID>
Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Event ID: 1097 Task Category: AadTokenBrokerPlugin
Operation Level: Warning
Keywords: Operational,
Operational Computer: Win10client.contoso.com
Description: Error: 0xCAA90004 Getting token by refresh token failed.
Authority: https://login.microsoftonline.com/common
 Client ID: <Client ID GUID> Redirect URI: ms-appx-
web://Microsoft.AAD.BrokerPlugin/<Client ID GUID>
Resource: https://syncservice.windows.net/*
Correlation ID (request): <Correlation ID GUID>

Cause
Multi-factor authentication (MFA) is enabled, and that's why Enterprise State Roaming
won't prompt the user for additional authorization.

Resolution
If your device is configured to require multi-factor authentication on the Microsoft Entra
admin center, you may fail to sync settings while you sign in to a Windows 10 device
using a password. This type of multi-factor authentication configuration is intended to
protect an Azure administrator account. Admin users may still be able to sync by signing
in to their Windows 10 devices with their Microsoft Passport for Work PIN or by
completing multi-factor authentication while accessing other Azure services, such as
Microsoft Office 365.

Sync can fail if the Microsoft Entra Administrator configures the Active Directory
Federation Services multi-factor authentication conditional access policy, and the access
token on the device expires. Make sure that you sign in and sign out using the Microsoft
Passport for Work PIN, or complete multi-factor authentication when accessing other
Azure services like Office 365.

More Information
Microsoft is investigating how to improve the experience with Enterprise State Roaming
and MFA authorization enabled on the device.

For more information, see Settings and data roaming FAQ.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Enable support for TLS 1.2 in your
environment for Microsoft Entra TLS 1.1 and
1.0 deprecation
Article • 01/24/2025

To improve the security posture of your tenant, and to remain in compliance with industry standards,
Microsoft Entra ID will soon stop supporting the following Transport Layer Security (TLS) protocols and
ciphers:

TLS 1.1
TLS 1.0
3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA)

How this change might affect your organization

Do your applications communicate with or authenticate against Microsoft Entra ID? Then those
applications might not work as expected if they can't use TLS 1.2 to communicate. This situation includes:

Microsoft Entra Connect

Microsoft Graph PowerShell
Microsoft Entra application proxy connectors
PTA agents
Legacy browsers
Applications that are integrated with Microsoft Entra ID

Why this change is being made

These protocols and ciphers are being deprecated for the following reasons:

To follow the latest compliance standards for the Federal Risk and Authorization Management
Program (FedRAMP) .
To improve security when users interact with our cloud services.

The TLS 1.0, TLS 1.1, and 3DES Cipher suite services are being deprecated on the following schedule.

ﾉ Expand table

Instance type Deprecation date Status

U.S. government instances March 31, 2021 COMPLETED

Public instances January 31, 2022 COMPLETED

Microsoft Entra instances operated by 21Vianet in China January 31, 2025 ONGOING

TLS 1.3 support for Microsoft Entra services

In addition to supporting TLS 1.2, Microsoft Entra is also rolling out support for TLS 1.3 for its endpoints to
align with security best practices (NIST - SP 800-52 Rev. 2 ). With this change, Microsoft Entra endpoints
will support both TLS 1.2 and TLS 1.3 protocols.

Enable support for TLS 1.2 in your environment

To ensure a secure connection to Microsoft Entra ID and Microsoft 365 services, configure your client apps
and both the client and server operating systems (OS) to support TLS 1.2 and contemporary cipher suites.

Guidelines for enabling TLS 1.2 on clients

Update Windows and the default TLS that you use for "WinHTTP".
Identify and reduce you dependency on the client apps and operating systems that don't support TLS
1.2.
Enable TLS 1.2 for applications and services that communicate with Microsoft Entra ID.
Update and configure your .NET Framework installation to support TLS 1.2.
Make sure that applications and PowerShell (that use Microsoft Graph and Microsoft Graph
PowerShell) scripts are hosted and run on a platform that supports TLS 1.2.
Make sure that your web browser has the latest updates. We recommend that you use the new
Microsoft Edge browser (based on Chromium). For more information, see the Microsoft Edge release
notes for Stable Channel.
Make sure that your web proxy supports TLS 1.2. For more information about how to update a web
proxy, check with the vendor of your web proxy solution.

For more information, see the following articles:

How to enable TLS 1.2 on clients

Preparing for TLS 1.2 in Office 365 and Office 365 GCC - Microsoft 365 Compliance

Update the Windows OS and the default TLS that you use for
WinHTTP
These operating systems natively support TLS 1.2 for client-server communications over WinHTTP:

Windows 8.1, Windows 10, and later versions

Windows Server 2012 R2, Windows Server 2016, and later versions

Verify that you haven't explicitly disabled TLS 1.2 on these platforms.

By default, earlier versions of Windows (such as Windows 8 and Windows Server 2012) don't enable TLS
1.2 or TLS 1.1 for secure communications by using WinHTTP. For these earlier versions of Windows:

1. Install Update 3140245 .

2. Enable the registry values from the Enable TLS 1.2 on client or server operating systems section.

You can configure those values to add TLS 1.2 and TLS 1.1 to the default secure protocols list for WinHTTP.

For more information, see How to enable TLS 1.2 on clients.

７ Note
 By default, an OS that supports TLS 1.2 (for example, Windows 10) also supports legacy versions of
the TLS protocol. When a connection is made by using TLS 1.2 and it doesn't get a timely response, or
when the connection is reset, the OS might try to connect to the target web service by using an older
TLS protocol (such as TLS 1.0 or 1.1). This usually occurs if the network is busy, or if a packet drops in
the network. After the temporary fallback to the legacy TLS, the OS will try again to make a TLS 1.2
connection.

What will be the status of such fallback traffic after Microsoft stops supporting the legacy TLS? The OS
might still try to make a TLS connection by using the legacy TLS protocol. But if the Microsoft service
is no longer supporting the older TLS protocol, the legacy TLS-based connection won't succeed. This
will force the OS to try the connection again by using TLS 1.2 instead.

Identify and reduce dependency on clients that don't support TLS

1.2
Update the following clients to provide uninterrupted access:

Android version 4.3 and earlier versions

Firefox version 5.0 and earlier versions
Internet Explorer versions 8-10 on Windows 7 and earlier versions
Internet Explorer 10 on Windows Phone 8.0
Safari 6.0.4 on OS X 10.8.4 and earlier versions

For more information, see Handshake Simulation for various clients connecting to www.microsoft.com,
courtesy SSLLabs.com.

Enable TLS 1.2 on common server roles that communicate with

Microsoft Entra ID
Microsoft Entra Connect (install the latest version)
Do you also want to enable TLS 1.2 between the sync engine server and a remote SQL Server?
Then make sure you have the required versions installed for TLS 1.2 support for Microsoft SQL
Server .

Microsoft Entra Connect Authentication Agent (pass-through authentication) (version 1.5.643.0 and
later versions)

Azure Application Proxy (version 1.5.1526.0 and later versions enforce TLS 1.2)

Active Directory Federation Services (AD FS) for servers that are configured to use Azure multifactor
authentication (Azure MFA)

NPS servers that are configured to use the NPS extension for Microsoft Entra multifactor
authentication

MFA Server version 8.0.x or later versions

Microsoft Entra Password Protection proxy service

Action required
 1. We highly recommend that you run the latest version of the agent, service, or connector.

2. By default, TLS 1.2 is enabled on Windows Server 2012 R2 and later versions. In rare instances,
the default OS configuration might have been modified to disable TLS 1.

To make sure that TLS 1.2 is enabled, we recommend that you explicitly add the registry values
from the Enable TLS 1.2 on client or server operating systems section on servers that are
running Windows Server and that communicate with Microsoft Entra ID.

3. Most of the previously listed services are dependent on .NET Framework. Make sure it's updated
as described in the Update and configure .NET Framework to support TLS 1.2 section.

For more information, see the following articles:

TLS 1.2 enforcement - Enforce TLS 1.2 for the Microsoft Entra Registration Service
Microsoft Entra Connect: TLS 1.2 enforcement for Microsoft Entra Connect
Understand Microsoft Entra application proxy connectors

Enable TLS 1.2 on client or server operating systems

Registry strings
For Windows 2012 R2, Windows 8.1, and later operating systems, TLS 1.2 is enabled by default. Thus, the
following registry values aren't displayed unless they were set with different values.

To manually configure and enable TLS 1.2 at the operating system level, you can add the following
DWORD values:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS
1.2\Client
DisabledByDefault : 00000000

Enabled : 00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS
1.2\Server
DisabledByDefault : 00000000

Enabled : 00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
SchUseStrongCrypto : 00000001

To enable TLS 1.2 by using a PowerShell script, see TLS 1.2 enforcement for Microsoft Entra Connect.

How to check which TLS protocol is being used

Here are two ways to check which TLS is being used:

Browser security settings

Internet Properties in Windows

To check which TLS protocol is being used by using Internet Properties, follow these steps:

1. Press Windows + R to open the Run box.

 2. Type inetcpl.cpl and then select OK. Then, the Internet Properties window is opened.

3. In the Internet Properties window, select the Advanced tab and scroll down to check the settings
related to TLS.

Update and configure .NET Framework to support TLS

1.2
Managed Microsoft Entra integrated applications and Windows PowerShell scripts (using Microsoft Graph
PowerShell and Microsoft Graph ) may use .NET Framework.

Install .NET updates to enable strong cryptography

Determine the .NET version

First, determine the installed .NET versions.

For more information, see Determine which versions and service pack levels of .NET Framework are
installed.

Install .NET updates

Install the .NET updates so that you can enable strong cryptography. Some versions of .NET Framework
might have to be updated to enable strong cryptography.
Use these guidelines:

.NET Framework 4.6.2 and later versions support TLS 1.2 and TLS 1.1. Check the registry settings. No
other changes are required.

Update .NET Framework 4.6 and earlier versions to support TLS 1.2 and TLS 1.1.

For more information, see .NET Framework versions and dependencies.

Do you use .NET Framework 4.5.2 or 4.5.1 on Windows 8.1 or Windows Server 2012? Then the
relevant updates and details are also available from Microsoft Update Catalog .
Also see Microsoft Security Advisory 2960358.

For any computer that communicates across the network and runs a TLS 1.2-enabled system, set the
following registry DWORD values.

For 32-bit applications that are running on a 32-bit OS and 64-bit applications that are running on a
64-bit OS, update the following subkey values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727
SystemDefaultTlsVersions : 00000001

SchUseStrongCrypto : 00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
SystemDefaultTlsVersions : 00000001

SchUseStrongCrypto : 00000001

For 32-bit applications that are running on 64-bit OSs, update the following subkey values:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727
SystemDefaultTlsVersions : dword:00000001
SchUseStrongCrypto : dword:00000001

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319
SystemDefaultTlsVersions : dword:00000001

SchUseStrongCrypto : dword:00000001

For example, set these values on:

Configuration Manager clients

Remote site system roles that aren't installed on the site server
The site server itself

For more information, see the following articles:

TLS Cipher Suites supported by Microsoft Entra ID

How to enable TLS 1.2 on clients
Transport Layer Security (TLS) best practices with the .NET Framework
Solving the TLS 1.0 Problem - Security documentation

Overview of new telemetry in the sign-in logs

To help you identify any clients or apps that still use legacy TLS in your environment, view the Microsoft
Entra sign-in logs. For clients or apps that sign in over legacy TLS, Microsoft Entra ID marks the Legacy TLS
field in Additional Details with True. The Legacy TLS field only appears if the sign-in occurred over legacy
TLS. If you don't see any legacy TLS in your logs, you're ready to switch to TLS 1.2.

To find the sign-in attempts that used legacy TLS protocols, an administrator can review the logs by:

Exporting and querying the logs in Azure Monitor.

Downloading the last seven days of logs in JavaScript Object Notation (JSON) format.
Filtering and exporting sign-in logs using PowerShell.

These methods are described below.

Azure Monitor

You can query the sign-in logs using Azure Monitor. Azure Monitor is a powerful log analysis,
monitoring, and alerting tool. Use Azure Monitor for:

Microsoft Entra logs

Azure resources logs
Logs from independent software tools

７ Note

You need a Microsoft Entra ID P1 or P2 license to export reporting data to Azure Monitor.

To query for legacy TLS entries using Azure Monitor:

1. In Integrate Microsoft Entra logs with Azure Monitor logs, follow the instructions for how to
access the Microsoft Entra sign-in logs in Azure Monitor.

2. In the query definition area, paste the following Kusto Query Language query:

Kusto

// Interactive sign-ins only

SigninLogs
| where AuthenticationProcessingDetails has "Legacy TLS"
and AuthenticationProcessingDetails has "True"
| extend JsonAuthProcDetails = parse_json(AuthenticationProcessingDetails)
| mv-apply JsonAuthProcDetails on (
where JsonAuthProcDetails.key startswith "Legacy TLS"
| project HasLegacyTls=JsonAuthProcDetails.value
)
| where HasLegacyTls == true

// Non-interactive sign-ins
AADNonInteractiveUserSignInLogs
| where AuthenticationProcessingDetails has "Legacy TLS"
and AuthenticationProcessingDetails has "True"
| extend JsonAuthProcDetails = parse_json(AuthenticationProcessingDetails)
| mv-apply JsonAuthProcDetails on (
where JsonAuthProcDetails.key startswith "Legacy TLS"
| project HasLegacyTls=JsonAuthProcDetails.value
)
| where HasLegacyTls == true

// Workload Identity (service principal) sign-ins

AADServicePrincipalSignInLogs
 | where AuthenticationProcessingDetails has "Legacy TLS"
and AuthenticationProcessingDetails has "True"
| extend JsonAuthProcDetails = parse_json(AuthenticationProcessingDetails)
| mv-apply JsonAuthProcDetails on (
where JsonAuthProcDetails.key startswith "Legacy TLS"
| project HasLegacyTls=JsonAuthProcDetails.value
)
| where HasLegacyTls == true

3. Select Run to execute the query. The log entries that match the query appear in the Results tab
below the query definition.

4. To learn more about the source of the legacy TLS request, look for the following fields:

UserDisplayName
AppDisplayName
ResourceDisplayName
UserAgent

View details about log entries in the Microsoft Entra admin center
After you obtain the logs, you can get more details about legacy TLS-based sign-in log entries in the
Microsoft Entra admin center. Follow these steps:

1. In the Azure portal , search for and select Microsoft Entra ID.

2. In the Overview page menu, select Sign-in logs.

3. Select a sign-in log entry for a user.

4. Select the Additional details tab. (If you don't see this tab, first select the ellipsis (...) in the right
corner to view the full list of tabs.)

5. Check for a Legacy TLS (TLS 1.0, 1.1, or 3DES) value that's set to True. If you see that particular field
and value, the sign-in attempt was made using legacy TLS. If the sign-in attempt was made using TLS
1.2, that field doesn't appear.

For more information, see Sign-in logs in Microsoft Entra ID.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community support. You can
also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Federated user is prompted
unexpectedly to enter account
credentials
Article • 10/28/2024

This article describes a scenario in which a federated user is prompted unexpectedly to

enter their work or school account credentials when accessing Office 365, Azure, or
Microsoft Intune.

Original product version: Microsoft Entra ID, Microsoft Intune, Azure Backup, Office 365
Identity Management
Original KB number: 2535227

Symptoms
When a federated user signs in Office 365, Microsoft Azure, or Microsoft Intune, the user
is prompted unexpectedly to enter the work or school account credentials. After the
user enters the credentials, the user is granted access to the cloud service.

７ Note

Not all federated user authentication experiences are without a credential prompt.
In certain scenarios, it's by design and expected that federated users are prompted
to enter their credentials. Make sure that the credential prompt is unexpected
before you continue.

Cause
This issue may occur for internal domain clients if one or more of the following
conditions are true:

An internal client resolves the Active Directory Federation Services (AD FS)
endpoint to the IP address of the AD FS proxy service instead of to the IP address
of the AD FS federation service.
The security settings in Internet Explorer are not configured for single sign-on to
AD FS.
The proxy server settings in Internet Explorer are not configured for single sign-on
to AD FS.
 The web browser does not support integrated Windows authentication.
The client computer cannot connect to the on-premises Active Directory domain.

Resolution 1: Make sure that the DNS server

has a host record for the AD FS endpoint
Make sure that the DNS server has a host record for the AD FS endpoint that is
appropriate to the client computer that is experiencing this issue. For internal clients,
this means that the internal DNS server should resolve the AD FS endpoint name to an
internal IP address. For Internet clients, this means that the endpoint name should
resolve to a public IP address. To test this on the client, follow these steps:

1. Select Start, select Run, type cmd, and then press Enter.

2. At the command prompt, type the following command, where the placeholder
sts.contoso.com represents the AD FS endpoint name:

Console

nslookup sts.contoso.com

3. If the output of the command shows an incorrect IP address, update the A record
on the internal or external DNS server. For more information about how to do this,
see Internet browser can't display the AD FS sign-in webpage for federated users
Internet browser can't display the AD FS webpage when a federated user tries to
sign in to Office 365, Azure, or Intune

Resolution 2: Check the local intranet zone and

proxy server settings in Internet Explorer
Use one of the following procedures, as appropriate for your situation.

Procedure A
Check the local intranet zone and proxy server settings in Internet Explorer. To do this,
follow these steps:

1. Start Internet Explorer.

2. On the Tools menu, select Internet Options.

 3. Select the Security tab, select the Local intranet zone, and then select Sites.

4. In the Local intranet dialog box, select Advanced. In the Websites list, make sure
that an entry (such as sts.contoso.com ) exists for the fully qualified DNS name of
the AD FS service endpoint.

5. Select Close, and then select OK.

７ Note

Use the following additional steps only if a network administrator configured

a web proxy server in the on-premises environment:

6. Select the Connections tab, and then select LAN Settings.

7. Under Automatic configuration, select to clear the Automatically detect settings

check box, and then select to clear the Use automatic configuration script check
box.

8. Under Proxy server, select to select the Use a proxy server for your LAN check
box, type the proxy server address and the port that it uses, and then select
Advanced.

9. Under Exceptions, add your AD FS endpoint (such as sts.contoso.com ).

10. Select OK three times.

Procedure B
Manually configure the security settings for the security zone in Internet Explorer. The
default security setting that causes the local intranet zone not to prompt for Windows
authentication can be configured manually for any security zone in Internet Explorer. To
customize the security zone of which the AD FS service name is already a part, follow
these steps:

２ Warning

We highly discourage this configuration because it could result in the unintended

submission of Integrated Windows Authentication traffic to websites.

1. Start Internet Explorer.

2. On the Tools menu, select Internet options.
 3. Select the Security tab, select the security zone in which the AD FS service name is
already contained, and then select Custom level.
4. In the Security Settings dialog box, scroll to the bottom to locate the User
Authentication entry.
5. Under Logon, select Automatic logon with current user name and password.
6. select OK two times.

Resolution 3: Use Internet Explorer or a third-

party web browser
Use Internet Explorer or a third-party web browser that supports integrated Windows
authentication.

Resolution 4: Verify connectivity to Active

Directory
Log off from the client computer and then log on as an Active Directory user. If logon is
successful, verify the connectivity to Active Directory by using the Nltest command-line
tool. Nltest.exe is included in the Remote Server Administration Tools for Windows 10 .

1. At a command prompt, type the following command, and then press Enter: Nltest
/dsgetdc:<FQDN Of Domain> . If the settings are correct, you receive output that

resembles the following:

DC: \DC.contoso.com Address:\ <IP Address> Dom Guid: <GUID> Dom Name:
contoso.com Forest Name: contoso.com Dc Site Name: Default-First-Site-
Name Our Site Name: Default-First-Site-Name Flags: PDC GC DS LDAP KDC
TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
CLOSE_SITE The command completed successfully

2. Check the computer's site membership. To do this, type the following command,
and then press Enter: nltest /dsgetsite . A successful result resembles the
following:

Default-First-Site-Name The command completed successfully

More information
Accessing Office 365 resources by using a non-federated account or a federated
account from a public Internet connection may not result in a single sign-on experience.

The experience for logging on to Microsoft Outlook connections is also not expected to
be a single sign-on experience.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Federated users in Microsoft Entra ID
may have to sign in two times before
being prompted for MFA
Article • 10/28/2024

This article discusses an issue in which federated users in Microsoft Entra ID must sign in
two times before they can run MFA.

Original product version: Microsoft Entra ID

Original KB number: 4037806

Symptoms
Consider the following scenario:

You have a Microsoft Entra tenant in which users are federated through Active
Directory Federated Services (AD FS).
In this tenant, Azure MFA Server or a third-party MFA provider is deployed in AD
FS.

In this scenario, users may be forced to sign in by providing their user name and
password two times before they are prompted for multi-factor authentication (MFA) and
can complete the logon.

Cause
If the MsolDomainFederationSettings -SupportsMFA value is set to $true and the -
PromptLoginBehavior value is set to TranslateToFreshPasswordAuth, Microsoft Entra ID
sends the MFA request to the Identity Provider for step-up authentication. Microsoft
Entra ID also asks for a fresh user login. This is accomplished by sending the following
parameters to AD FS:

wauth=http://schemas.microsoft.com/claims/multipleauthn
wfresh=0

When this occurs, user is prompted a second time for their user name and password
regardless of whether they just logged in. Users are prompted for MFA only after they
enter their credentials a second time.
Resolution
To resolve this issue, you must configure Microsoft Entra ID to let AD FS natively handle
this request by changing the -PromptLoginBehavior setting to NativeSupport. To do
this, follow these steps:

） Important

Your AD FS deployment must be running on Windows Server 2016 or Windows

Server 2012 R2, and must have the July 2016 update KB 3172614 installed.

７ Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024.
To learn more, read the deprecation update . After this date, support for these
modules are limited to migration assistance to Microsoft Graph PowerShell SDK
and security fixes. The deprecated modules will continue to function through
March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with

Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to
the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption
after June 30, 2024.

1. Run the following Connect command to sign in to your Microsoft Entra

ID administrator account:

PowerShell

Connect-Msolservice

７ Note

Run this command every time that you start a new session.

2. Configure Microsoft Entra ID to run federated user authentication by using the

prompt=login behavior. This prevents the user from having to begin a new
authentication. For example, run a command such as the following that includes
your tenant-specific information:
 PowerShell

Set-MsolDomainFederationSettings -DomainNameyour_domain_name-
PreferredAuthenticationProtocol <current auth setting such as WsFed> -
SupportsMfa $True -PromptLoginBehavior NativeSupport

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you try to set up another
federated domain in Office 365, Azure,
or Intune: Federation service identifier
specified in the AD FS 2.0 server is
already in use
Article • 10/28/2024

This article provides information about resolving an issue in which you receive an error
message when running the New-MSOLFederatedDomain command or the Convert-
MSOLDomainToFederated command using Azure Active Directory module for Windows

PowerShell.

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2618887

７ Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024.
To learn more, read the deprecation update . After this date, support for these
modules are limited to migration assistance to Microsoft Graph PowerShell SDK
and security fixes. The deprecated modules will continue to function through
March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with

Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to
the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption
after June 30, 2024.

Symptoms
In a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune, you
can't set up a second federated domain on an Active Directory Federation Services (AD
FS) server. When you use the Azure Active Directory module for Windows PowerShell to
run the New-MSOLFederatedDomain command or the Convert-MSOLDomainToFederated
command, you receive the following error message:
 The federation service identifier specified in the Active Directory Federation Services
2.0 server is already in use. Please correct this value in the AD FS 2.0 Management
console and run the command again.

Cause
The Microsoft Entra authentication system requires a unique federation brand uniform
resource identifier (URI) for each federated domain. By default, AD FS uses a global
value for all federated trusts. When you try to federate a second domain in a scenario
where a federated trust already exists, the request fails because the URI is already being
used.

Resolution
To resolve the issue, you must use the -supportmultipledomain switch to add or convert
every domain that's federated by the cloud service. This includes federated domains that
already exist.

Step 1: Install Update Rollup 1 for AD FS 2.0

On each node of the AD FS 2.0 Federation Service farm, download and install Update
Rollup 1 for AD FS 2.0. For more information about how to download and install Update
Rollup 1 for AD FS 2.0, see Description of Update Rollup 1 for Active Directory
Federation Services (AD FS) 2.0 .

７ Note

This update requires a restart of the computer. If you do not restart the computer,
you will experience the issue "Sorry, but we're having trouble signing you in" and
"8004789A" error when a federated user tries to sign in to Office 365, Azure, or
Intune .

Step 2: Check that the Update-MSOLFederatedDomain

command can be run successfully against the AD FS
environment
1. Select Start > All Programs > Windows Azure Active Directory, right-click
Windows Azure Active Directory module for Windows PowerShell and select Run
As Administrator.
 2. At the command prompt, run the following commands in the order in which they
are presented. Press Enter after each command.

PowerShell

Connect-MSOLService

７ Note

When you are prompted, enter your cloud service global administrator
credentials.

PowerShell

Set-MSOLADFSContext -Computer <AD FS 2.0 server name>

７ Note

In this command, <AD FS 2.0 server name> is the computer name of a node
in the AD FS Federation Service farm.

PowerShell

Update-MSOLFederatedDomain -DomainName <Federated Domain Name>

７ Note

In this command, <Federated Domain Name> is the name of the domain

that's already federated with Microsoft Entra ID for single sign-On (SSO).

3. If the Update-MSOLFederatedDomain command is successful and you do not receive

error messages, go to step 3 to remove the federated trust from the AD FS server.

Step 3: Update the federated trust on the AD FS server

２ Warning

The following steps should be planned carefully. Users for which SSO functionality
is enabled in the federated domain will be unable to authenticate between the
 completion of steps C and D. If the Update-MSOLFederatedDomain command test in
step 2 was not completed successfully, step D of this procedure will not finish
correctly. Federated users will be unable to authenticate until the Update-
MSOLFederatedDomain command can be run successfully.

1. Log on to the console of the AD FS server, select Start > All Programs >
Administrative Tools, and then select AD FS (2.0) Management.

2. In the left navigation pane, select AD FS (2.0), select Trust Relationships, and then
select Relying Party Trusts.

3. In the pane on the right side, delete the Microsoft Office 365 Identity Platform
entry.

4. Re-create the deleted trust object by using the -supportmultipledomain switch. In

the PowerShell window that's open from step 1C, run the following command, and
then press Enter:

PowerShell

Update-MSOLFederatedDomain -DomainName <Federated Domain Name> -

supportmultipledomain

７ Note

In this command, <Federated Domain Name> is the name of the domain that's
already federated with the cloud service for SSO.

Step 4: Use the -supportmultipledomain switch to add or

convert additional federated domains
After you update the existing trust in step 2, use the -supportmultipledomain switch to
add or convert additional federated domains. This switch informs the command to use a
unique URI namespace for each domain that's federated by the cloud service. To do this,
use one of the following command syntaxes:

PowerShell

New-MSOLFederatedDomain -domainname <domain name> -supportmultipledomain

PowerShell
 Convert-MSOLDomainToFederated -domainname <domain name> -
supportmultipledomain

７ Note

In this command, <domain name> represents the name of the domain that you are
trying to federate.

Workaround
Implement an AD FS Federation Service farm to federate every cloud service domain for
which SSO features will be used. AD FS implementation guidance for Office 365 can be
found at the following article:

Step-by-step implementation guidance: Plan for and deploy Active Directory Federation
Services 2.0 for use with single sign-on

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Troubleshoot account lockout in AD FS
on Windows Server
Article • 10/28/2024

This article provides steps to troubleshoot an account lockout issue in Microsoft Active
Directory Federation Services (AD FS) on Windows Server.

Original product version: Windows Server 2019, Windows Server 2016, Windows Server
2012 R2, Windows Server 2012
Original KB number: 4471013

You may experience an account lockout issue in AD FS on Windows Server. To

troubleshoot this issue, check the following points first:

If you have Microsoft Entra Connect Health configured for AD FS servers, go to the
Use Connect Health to generate data for user login activities section.
If you don't have Microsoft Entra Connect Health configured for AD FS servers, go
to the Collect AD FS event logs from AD FS and Web Application Proxy servers
section.

Use Connect Health to generate data for user

login activities
You can use Connect Health to generate data about user login activity. Connect Health
produces reports about the top bad password attempts that are made on the AD FS
farm.

Refer to the information in this article to analyze the list of user accounts and IPs of the
bad password attempt. Then, go to Analyze the IP and username of the accounts that
are affected by bad password attempts.

Collect AD FS event logs from AD FS and Web

Application Proxy servers

Step 1: Collect AD FS event logs from AD FS and Web

Application Proxy servers
To collect event logs, you first must configure AD FS servers for auditing. If you have a
load balancer for your AD FS farm, you must enable auditing on each AD FS server in
the farm. Auditing does not have to be configured on the Web Application Proxy
servers.

To configure AD FS servers for auditing, you can use the following method:

Manually configure AD FS servers for auditing

Step 2: Search the AD FS logs

For Windows Server 2012 R2 or Windows Server 2016 AD FS, search all AD FS Servers'
security event logs for "Event ID 411 Source AD FS Auditing" events. Be aware of the
following information about "411 events":

You can download the ADFS Account Lockout and Bad Cred Search (AD
FSBadCredsSearch.ps1)PowerShell script to search your AD FS servers for "411"
events. The script provides a CSV file that contains the UserPrincipalName, IP
address of the submitter, and time of all bad credential submissions to your AD FS
farm. Open the CSV file in Excel, and quickly filter by user name, IP address, or
time.
These events contain the user principal name (UPN) of the targeted user.
These events contain a message "token validation failed" message that states
whether the event indicates a bad password attempt or an account lockout.
If the server has "411" events displayed but the IP address field isn't in the event,
make sure that you have the latest AD FS hotfix applied to your servers. For more
information, see MS16-020: Security update for Active Directory Federation
Services to address denial of service: February 9, 2016 .

For Windows Server 2008 R2 or Windows Server 2012 AD FS, you won't have the
necessary Event 411 details. Instead, download and run the following PowerShell script
to correlate security events 4625 (bad password attempts) and 501 (AD FS audit details)
to find the details about the affected users.

You can download the ADFS Security Audit Events Parser (ADFSSecAuditParse.ps1)
PowerShell script to search your AD FS servers for events. The script provides a CSV
file that contains the UserPrincipalName, IP address of the submitter, and time of
all bad credential submissions to your AD FS farm.
You can also use this method to investigate which connections are successful for
the users in the "411" events. You can search the AD FS "501" events for more
details.
 When you run the PowerShell script to search the events, pass the UPN of the user
who is identified in the "411" events, or search by account lockout reports.
The IP address of the malicious submitters is displayed in one of two fields in the
"501" events.
For web-based scenarios and most application authentication scenarios, the
malicious IP will be in the x-ms-client-ip field.

Analyze the IP and username of the accounts

that are affected by bad password attempts
After you enumerate the IP addresses and user names, identify the IPs that are for
unexpected locations of access.

Are the attempts made from external unknown IPs?

If the attempts are made from external unknown IPs, go to Update AD FS servers
with latest hotfixes.
If the attempts are not made from external unknown IPs, go to Make sure that
credentials are updated in the service or application.

Update AD FS servers with latest hotfixes

To make sure that AD FS servers have the latest functionality, apply the latest hotfixes
for the AD FS and Web Application Proxy servers. Additionally, hotfix 3134222 is
required on Windows Server 2012 R2 to log IP addresses in Event 411 that will be used
later.

Check whether the extranet lockout is enabled

Use Get-ADFSProperties to check whether the extranet lockout is enabled.

If the extranet lockout is enabled, go to Check extranet lockout and internal

lockout thresholds.
If the extranet lockout isn't enabled, start the steps below for the appropriate
version of AD FS.

Steps to check the lockout status

For Windows Server 2012 R2 or newer version

Smart lockout is a new feature that will be available soon in AD FS 2016 and 2012 R2
through an update. This section will be updated with the appropriate steps for enabling
smart lockout as soon as the feature is available. Then, go to Check extranet lockout and
internal lockout thresholds.

For Windows Server 2008 R2 Windows or older version

We recommend that you upgrade the AD FS servers to Windows Server 2012 R2 or

Windows Server 2016. For more information, see Upgrading to AD FS in Windows Server
2016. Then, follow the steps for Windows Server 2012 R2 or newer version.

Step 1: Check extranet lockout and internal lockout thresholds

Make sure that extranet lockout and internal lockout thresholds are configured correctly.
For more information, see Recommended security configurations. Generally, the
ExtranetLockoutThreshold should be less than the lockout threshold for AD so that user
gets locked out for extranet access only without also getting locked out in Active
Directory for internal access.

Step 2: Enable modern authentication and Certificate-based

authentication

We recommend that you enable modern authentication, certificate-based

authentication, and the other features that are listed in this step to lower the risk of
brute force attacks.

Deploy modern authentication

In addition to removing one of the attack vectors that are currently being used through
Exchange Online, deploying modern authentication for your Office client applications
enables your organization to benefit from multifactor authentication. Modern
authentication is supported by all the latest Office applications across the Windows, iOS,
and Android platforms.

For more information, see How to deploy modern authentication for Office 365 .

Because user name and password-based access requests will continue to be vulnerable
despite our proactive and reactive defenses, organizations should plan to adopt non-
password-based access methods as soon as possible.

The following non-password-based authentication types are available for AD FS and the
Web Application Proxy.
Certificate-based authentication

When certificate-based authentication is used as an alternative to user name and

password-based access, user accounts and access are protected in the following
manner:

Because users do not use their passwords over the Internet, those passwords
are less susceptible to disclosure. User name and password endpoints can be
blocked completely at the firewall. This removes the attack vector for lockout or
brute force attacks.

Even if user name and password endpoints are kept available at the firewall,
malicious user name and password-based requests that cause a lockout do not
affect access requests that use certificates. Therefore, the legitimate user's
access is preserved.

For more information about certificate-based authentication for Microsoft Entra

ID and Office 365, see this Microsoft Entra identity Blog article .

Azure Multi-Factor Authentication (MFA)

Azure MFA is another non-password-based access method that you can use in the
same manner as certificate-based authentication to avoid using password and
user-name endpoints completely.

Azure MFA can be used to protect your accounts in the following scenarios.

ﾉ Expand table

Scenarios Advantage

Using Azure MFA as Adding Azure MFA or any additional authentication provider to
additional AD FS and requiring that the additional method be used for
authentication over the extranet requests protects your accounts from access by using a
extranet stolen or brute-forced password. This can be done in AD FS 2012
R2 and 2016.

Using Azure MFA as This is a new capability in AD FS 2016 to enable password-free

primary authentication access by using Azure MFA instead of the password. This guards
against both password breaches and lockouts.

For more information about how to configure Azure MFA by using AD FS, see
Configure AD FS 2016 and Azure MFA

Windows Hello for Business

 Windows Hello for Business is available in Windows 10. Windows Hello for
Business enables password-free access from the extranet, based on strong
cryptographic keys that are tied to both the user and the device.

Windows Hello for Business is supported by AD FS in Windows Server 2016. See

Authenticating identities without passwords through Windows Hello for Business.

Step 3: Disable legacy authentication and unused endpoints

Disable the legacy endpoints that are used by EAS clients through Exchange Online,
such as the following:

/adfs/services/trust/13/usernamemixed endpoint

７ Note

Doing this might disrupt some functionality. However, it can help reduce the
surface vectors that are available for attackers to exploit. Also, we recommend that
you disable unused endpoints.

Check whether the issue is resolved.

Make sure that credentials are updated in the

service or application
If the user account is used as a service account, the latest credentials might not be
updated for the service or application. In this situation, the service might keep trying to
authenticate by using the wrong credentials. This causes a lockout condition.

To resolve this issue, check the service account configuration in the service or
application to make sure that the credentials are correct. If not, follow the next step.

Clear cached credentials in the application

If user credentials are cached in one of the applications, repeated authentication
attempts can cause the account to become locked. To resolve this issue, clear the
cached credentials in the application. Check whether the issue is resolved.

ADFS Account Lockout and Bad Cred Search

PARAM ($PastDays = 1, $PastHours)
#************************************************
# ADFSBadCredsSearch.ps1
# Version 1.0
# Date: 6-20-2016
# Author: Tim Springston [MSFT]
# Description: This script will parse the ADFS server's (not proxy) security
ADFS
# for events which indicate an incorrectly entered username or password.
The script can specify a
# past period to search the log for and it defaults to the past 24 hours.
Results will be placed into a CSV for
# review of UPN, IP address of submitter, and timestamp.
#************************************************

cls
if ($PastHours -gt 0)
{$PastPeriod = (Get-Date).AddHours(-($PastHours))}
else
{$PastPeriod = (Get-Date).AddDays(-($PastDays)) }
$Outputfile = $Pwd.path + "\BadCredAttempts.csv"
$CS = get-wmiobject -class win32_computersystem
$Hostname = $CS.Name + '.' + $CS.Domain
$Instances = @{}
$OSVersion = gwmi win32_operatingsystem
[int]$BN = $OSVersion.Buildnumber
if ($BN -lt 9200){$ADFSLogName = "AD FS 2.0/Admin"}
else {$ADFSLogName = "AD FS/Admin"}

$Users = @()
$IPAddresses = @()
$Times = @()
$AllInstances = @()
Write-Host "Searching event log for bad credential events..."
if ($BN -ge 9200) {Get-Winevent -FilterHashTable @{LogName= "Security";
StartTime=$PastPeriod; ID=411} -ErrorAction SilentlyContinue | Where-Object
{$_.Message -match "The user name or password is incorrect"} | % {
$Instance = New-Object PSObject
$UPN = $_.Properties[2].Value
$UPN = $UPN.Split("-")[0]
$IPAddress = $_.Properties[4].Value
$Users += $UPN
$IPAddresses += $IPAddress
$Times += $_.TimeCreated
add-member -inputobject $Instance -membertype noteproperty -name
"UserPrincipalName" -value $UPN
add-member -inputobject $Instance -membertype noteproperty -name "IP
Address" -value $IPAddress
add-member -inputobject $Instance -membertype noteproperty -name "Time" -
value ($_.TimeCreated).ToString()
$AllInstances += $Instance
$Instance = $null
}
 }

$AllInstances | select * | Export-Csv -Path $Outputfile -append -force -

NoTypeInformation
Write-Host "Data collection finished. The output file can be found at
$outputfile`."
$AllInstances = $null

ADFS Security Audit Events Parser

PARAM ($SearchCriteria, $PastDays = 1, $PastHours)

#************************************************
# ADFSSecAuditParse.ps1
# Version 1.0
# Date: 2-2-2016
# Author: Tim Springston [MSFT]
# Description: This script will parse an ADFS Security event log file (EVTX)
# and search for audit events related to a specific user or other criteria.
# The script will work for the each ADFS login instance for a given
criteria during a stated time frame.
# If you need to locate a second then filter and save the event log to
focus in.
# Return an array of initial instance IDs with the criteria, run the search
function against each and output
# a unique text file for each.
#************************************************

cls
if ($PastHours -gt 0)
{
$PastPeriod = (Get-Date).AddHours(-($PastHours))
}
else
{$PastPeriod = $PastDays}

$CS = get-wmiobject -class win32_computersystem

$Hostname = $CS.Name + '.' + $CS.Domain
$Instances = @()
Get-Winevent -ComputerName $Hostname -LogName Security | Where-Object
{(($_.ID -eq 501) `
-and ($_.Properties.Value -contains $SearchCriteria) -and ($_.TimeCreated -
gt $PastPeriod))} | % { $Instances += $_.Properties[0].Value}

function FindADFSAuditEvents {
param ($valuetomatch, $counter, $instance, $PastPeriod)
$Results = $pwd.Path + "\" + $SearchCriteria + "-ADFSSecAudit" + '-' +
$Counter + ".txt"
 $SearchString = $SearchCriteria + " and instance " + $Instance + " in
Security event log."
"Security Audit Events which match $SearchString" | Out-File $Results -
Encoding UTF8
Get-WinEvent -ComputerName $Hostname -LogName Security -WarningAction
SilentlyContinue | `
Where-Object -ErrorAction SilentlyContinue {($_.TimeCreated -gt
$PastPeriod) -and (($_.Properties -contains $ValueToMatch) -or
($_.Properties[0].Value -match $Instance))} | % {
$Event = New-object PSObject
add-member -inputobject $Event -membertype noteproperty -name "Event ID" -
value $_.ID
add-member -inputobject $Event -membertype noteproperty -name "Provider" -
value $_.ProviderName
add-member -inputobject $Event -membertype noteproperty -name "Machine
Name" -value $_.MachineName
add-member -inputobject $Event -membertype noteproperty -name "User ID" -
value $_.UserID
add-member -inputobject $Event -membertype noteproperty -name "Time
Created " -value $_.TimeCreated
$Event | FL *
$Event | Out-File $Results -Encoding UTF8 -Append
$_.Properties | FL *
$_.Properties | Out-File $Results -Encoding UTF8 -Append
$DateTimeExport = $_.TimeCreated
}
$DateTime = (($DateTimeExport.ToShortDateString()).Replace('/','-') + '@' +
(($DateTimeExport.ToShortTimeString()).Replace(' ','')))
$DateTime = $DateTime.Replace(':','')
$Results2 = $pwd.Path + "\" + $SearchCriteria + '-' + $DateTime + "-
ADFSSecAudit" + $Counter + ".txt"
Rename-Item -Path $Results -NewName $Results2
}

$Counter = 1
foreach ($instance in $Instances)
{
FindADFSAuditEvents -ValueToMatch $SearchCriteria -Instance $Instance -
PastPeriod $PastPeriod -Counter $Counter
$Counter++
}

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Some users who are enabled for Azure
Multi-Factor Authentication aren't
prompted for a second verification
method
Article • 10/28/2024

This article describes a scenario in which users who are enabled for Azure Multi-Factor
Authentication aren't prompted for a second verification factor when they sign in.

Original product version: Microsoft Entra ID, Cloud Services (Web roles/Worker roles),
Microsoft Intune
Original KB number: 3124671

Symptoms
When conditional access policies are set up so that Azure Multi-Factor Authentication is
expected to be enforced, some users aren't prompted to verify their identities through a
second verification method. This issue may occur in the following two scenarios.

Scenario 1: Multi-factor authentication is suspended on a remembered device:

In this scenario, an admin sets up trusted networks for multi-factor authentication and
enables the Allow users to suspend multi-factor authentication by causing a device to
be remembered option.

Scenario 2: The user is a member of the exception group:

In this scenario, the user is a member of an exception group for the app. When an
admin sets up multi-factor authentication access policies for an app, an admin can select
the Except box to set up groups as exceptions. Even though the settings in these
scenarios are configured, you expect users to be prompted for the second verification
method because of the conditional access policies that you applied.

Resolution
For Scenario 1:

1. Confirm that the Allow users to suspend multi-factor authentication option is

enabled.
 2. If the option is enabled, have the user try one or more of the following:

Delete browser cookies.

Use a different browser.
Use an InPrivate browsing session.

For Scenario 2:

Remove the user from the exception group.

Remove the group from the list of exception groups.

More information
For Scenario 1:

This option lets users who have successfully authenticated through multi-factor
authentication avoid future multi-factor authentication prompts for the next 1-60 days,
depending on the value that's configured in the Days before a device must re-
authenticate setting.

This is true even if the app is set to Require multi-factor authentication, Require multi-
factor authentication when not at work, or Block access when not at work, and the
user's device isn't on a trusted network.

For Scenario 2:

For users who are members of the exception group, the requirement for multi-factor
authentication on the user account is overridden.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Authentication fails with an error stating
"The requested federation realm object
'< Object ID >' does not exist"
Article • 10/28/2024

Authentication fails with the error "The requested federation realm object '< Object ID
>' does not exist" for users who are part of domain that is federated with a third party
identity provider in either Microsoft Entra ID or Microsoft 365 .

This failure happens when the third Party identity provider returns the wrong IssuerURI
within the Issuer field in the Security Assertion Markup Language (SAML) response.

Resolution 1
Contact the support team for the third party identity provider and have them correct the
IssuerURI, returned as Issuer, in the SAML the response returned to either Microsoft
Entra ID or Microsoft 365, through the client.

Resolution 2
Use the command Set-MsolDomainFederationSettings to modify the IssuerURI of the
federated domain to match the realm object listed in the error.

７ Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024.
To learn more, read the deprecation update . After this date, support for these
modules are limited to migration assistance to Microsoft Graph PowerShell SDK
and security fixes. The deprecated modules will continue to function through
March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with

Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to
the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption
after June 30, 2024.

1. Connect to Microsoft Entra ID using the MSONLINE module. To check that the
module is installed, open PowerShell and execute the get-module MSONLINE -
ListAvailable command.

2. Follow the steps outlined in Install the Azure AD module to install the module.

3. Run the following commands to verify the preferred authentication protocol of the
federated domain.

PowerShell

$federationSettings=Get-MsolDomainFederationSettings -DomainName
domain.com

$federationSettings.PreferredAuthenticationProtocol

4. If the PreferredAuthenticationProtocol value listed in step 3 is shown as WSFED,

run the following command to update the IssuerURI.

PowerShell
 Set-MsolDomainFederationSettings -DomainName domain.com -IssuerUri
"value of federated realm object listed in the authentication failure
message"

The necessary IssuerURI value is listed by Microsoft Entra ID in the authentication

failure message.

5. If the PreferredAuthenticationProtocol value listed in step 3 is SAMLP (SAML

Protocol), run the following command to update the IssuerURI.

PowerShell

Set-MsolDomainFederationSettings -DomainName domain.com -IssuerUri

"value of federated realm object listed in the authentication failure
message" -PreferredAuthenticationProtocol samlp

The necessary IssuerURI value is listed by Microsoft Entra ID in the authentication

failure message.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Using ADAL to authenticate from
Android devices fails if additional
certificate downloads are required
Article • 10/28/2024

This article describes an issue in which Azure Active Directory Authentication Library
(ADAL) authentication from Android devices fails if additional certificate downloads are
required.

Original product version: Microsoft Entra ID

Original KB number: 3203929

Symptoms
When you try to authenticate by using the ADAL for Android, Federation sign-in may
fail. Specifically, the application triggers an AuthenticationException error when it tries
to display the login page. In Google Chrome, the STS login page might be called out as
unsafe. This issue occurs only on Android devices, for any application that uses ADAL for
Android to connect to a Federation server.

To determine whether you are experiencing this issue, run the following test:

1. Obtain your Security Token Service (STS) server's fully qualified domain name
(FQDN). To do this, follow these steps:
a. Go to https://login.microsoftonline.com on a non-Android device.
b. Enter your work or school account.
c. When you're redirected to your federated STS login page, note the URL address
in the browser. It looks like https://sts.contoso.com . The FQDN is
sts.contoso.com .

2. Go to the following URL, replacing <STS_SERVER_FQDN_HERE> with your STS

FQDN:

https://www.ssllabs.com/ssltest/analyze.html?d=

<STS_SERVER_FQDN_HERE>&hideResults=on&latest

For example:

https://www.ssllabs.com/ssltest/analyze.html?
d=sts.contoso.com&hideResults=on&latest
 3. See whether any of the following messages are displayed:

Extra download
Sent by server
In trust store

If any of the SSL certificates displays the "Extra download" message, you are
experiencing the issue that's described earlier in this section, per the following
screenshot:

Here's a screenshot showing a certificate with the "Sent by server" message,

illustrating successful authentication on an Android device:

Cause
Android does not support downloading additional certificates from the
authorityInformationAccess field of the certificate. This is true across all Android
versions and devices, and for the Chrome browser. Any server authentication certificate
that's marked for extra download based on the authorityInformationAccess field will
trigger this error if the entire certificate chain is not passed from Active Directory
Federation Services (AD FS).
Resolution
To resolve this issue, configure your STS and Web Application Proxy (WAP) servers to
send the necessary intermediate certificates together with the SSL certificate. To do this,
follow these steps:

1. When you export the SSL certificate from a computer to the computer's personal
store of the AD FS and WAP server (or servers), make sure that you export the
Private key and that you select Personal Information Exchange - PKCS #12. Also
make sure that the Include all certificates in the certificate path if possible and
Export all extended properties check boxes are selected.
2. Run certlm.msc on the Windows servers, and then import the *.PFX file into the
computer's personal certificate store. When you do this, the server will pass the
entire certificate chain when a client application uses ADAL for authentication.

７ Note

The certificate store of Network Load Balancers should also be updated to include
the entire certificate chain.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Can't set up MFA because five devices
are already registered to use an
authenticator app
Article • 10/28/2024

This article discusses how to resolve a scenario in which you can't set up multifactor
authentication (MFA) because you already registered five devices to use authenticator
apps.

Symptoms
When you try to set up MFA, you receive the following error message:

You cannot have more than 5 hardware tokens or authenticator apps. Please delete
one or more of your authenticator apps and then add a new authenticator app. If
you need to delete your hardware token, please contact your administrator.
Disabling a hardware token will not allow you to add new authenticator app.

You have too many devices registered.

Cause
You previously set up five different phones or other devices to be registered for MFA by
using an authenticator app. As a result, the maximum allowed number of device tokens
(5) are already persisted in the StrongAuthenticationPhoneAppDetail property of your
directory user object.

Solution 1: Delete the sign-in methods directly

in a web browser
To delete the device tokens, you can delete the sign-in methods from your security
settings directly within a web browser. However, if you aren't an administrator, or you
aren't the only administrator for your Microsoft Entra ID, you must first have someone
else (the administrator or another administrator user) set the requirement for re-
registering MFA in the procedure in the following section.
Part 1: Have your administrator or another administrator
user set the MFA re-registration requirement

７ Note

This procedure isn't required if you're the only administrator for your Microsoft
Entra ID.

1. In the Azure portal , search for and select Microsoft Entra ID.

2. In the Microsoft Entra navigation pane, locate the Manage heading, and then
select Users.

3. In the list of Microsoft Entra users, select the Display name of the user.

4. In the navigation pane for the Microsoft Entra user, locate the Manage heading,
and then select Authentication methods.

5. In the Microsoft Entra user menu, select Require re-register multifactor

authentication.

Part 2: Delete some or all of your sign-in methods

You can delete the device tokens by deleting the corresponding sign-in methods. Follow
these steps:

1. To view your sign-in methods, go to https://aka.ms/mysecurityinfo .

For example, the sign-in method list might include a phone method that's
associated with a phone number, and an authenticator app method that's
associated with a particular device. For more information, see What authentication
and verification methods are available in Microsoft Entra ID?

2. Delete any or all five of the sign-in methods that are listed.

２ Warning

If you try to delete a passwordless sign-in method, you receive the following
error message in a dialog box that contains the Sign in and Cancel buttons:

Delete authenticator app

 To delete this authenticator app, you need to sign in with two-factor
authentication.

To be able to delete the passwordless sign-in method, set up another two-

factor authentication method (such as a phone call or an SMS text message)
beforehand. Then, when you retry deleting the passwordless sign-in method,
use that two-factor authentication method to sign in.

Solution 2: Delete the authenticator apps by

using Microsoft Graph
Global Administrators can delete a user's authenticator app by using the Microsoft
Graph API. In some instances, the Microsoft Graph API is the only available solution (for
example, if you're using the security defaults). To use this solution, you or your Global
Administrator should sign in to Graph Explorer as a Global Administrator, and then
follow these steps:

1. In the query area of Graph Explorer, take the following actions:

a. In the HTTP methods list, select GET.

b. In the query box, enter https://graph.microsoft.com/beta/users/<user-

principal-name>/authentication/microsoftAuthenticatorMethods . Replace the

placeholder of the user principal name (UPN) with the UPN of the user whose
authentication app has to be deleted.

c. Select the Run query button.

２ Warning

If you experience a permission error when run the query, follow these steps
to get the necessary permission:

i. Select the Modify permissions tab.

ii. Select the Open the permissions panel link.

iii. In the permissions panel, expand the UserAuthenticationMethod node,

and then select the UserAuthenticationMethod.ReadWrite.All
permission.
 iv. Select the Consent button.

After you complete these steps, try again to run the query.

In the response pane, the Response header tab displays JSON code that shows
the authenticator method information. In the following example code snippet,
the user is associated with a total of one authenticator method:

JSON

{
"@odata.context":
"https://graph.microsoft.com/beta/$metadata#users('user%40contoso.com')
/authentication/microsoftAuthenticatorMethods",
"value": [
{
"id": "01234567-89ab-cdef-0123-456789abcdef",
"displayName": "SM-G973F",
"deviceTag": "SoftwareTokenActivated",
"phoneAppVersion": "6.2102.0762",
"createdDateTime": null
}
]
}

2. In the response pane's Response header tab, copy and save the id property (a
GUID) of each authenticator method that you want to delete.

3. In the query area, set HTTP methods to DELETE, and set Query box to
https://graph.microsoft.com/beta/users/<user-principal-

name>/authentication/microsoftAuthenticatorMethods/<authenticator-id-guid> .

Enter the UPN and authenticator GUID to replace the placeholder values.

4. Select the Run query button. If this deletion query successfully deletes the
authenticator app, the status message "No Content - 204 - <query-execution-
time>" appears.

5. Repeat steps 2–4 for each of the authenticator apps that you want to delete.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

Can't connect to Office 365, Azure, or
Intune using the Azure Active Directory
module for Windows PowerShell
Article • 10/28/2024

This article describes an issue in which you can't connect to a Microsoft cloud service
such as Office 365, Azure, or Microsoft Intune by using the Connect-MSOLService cmdlet.

７ Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024.
To learn more, read the deprecation update . After this date, support for these
modules are limited to migration assistance to Microsoft Graph PowerShell SDK
and security fixes. The deprecated modules will continue to function through
March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with

Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to
the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption
after June 30, 2024.

Original product version: Microsoft Entra ID, Microsoft Intune, Azure Backup, Office 365
User and Domain Management, Office 365 Identity Management
Original KB number: 2494043

Symptoms
When you try to use the Connect-MSOLService cmdlet in the Microsoft Azure Active
Directory module for Windows PowerShell to connect to a Microsoft cloud service such
as Office 365, Microsoft Azure, or Microsoft Intune, your attempt is unsuccessful.
Instead, you receive one of the following error messages:

Connect-MsolService : Exception of type

'Microsoft.Online.Administration.Automation.MicrosoftOnlineException' was thrown.

Connect-MsolService : Access Denied. You do not have permissions to call this

cmdlet.
 Connect-MsolService : The user name or password is incorrect. Verify your user
name, and then type your password again.`

Resolution
To resolve this issue, refer one of the following articles, as appropriate for your situation:

"Connect-MsolService: Exception of type was thrown" error

"Access Denied" error
"The user name or password is incorrect" error

More information
For more information about Azure Active Directory module for Windows PowerShell, see
Manage Microsoft Entra ID using Windows PowerShell.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Can't use Azure Multi-Factor
Authentication to sign in to cloud
services after you lose your phone or
the phone number changes
Article • 10/28/2024

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2834954

Symptoms
Assume that you're a Microsoft cloud services admin who has Microsoft Azure Multi-
Factor Authentication enabled. If you lose your phone or your phone number has
changed, you can't sign in to your cloud services account (such as Office 365, Azure, or
Microsoft Intune) because you didn't receive the text message or voice call from the
Multi-Factor Authentication service.

Resolution
Ask another cloud services admin to reset your Multi-Factor Authentication settings. To
do this, the admin should follow these steps:

1. Sign in to the cloud service portal as an admin.

2. Go to
https://account.activedirectory.windowsazure.com/usermanagement/multifactorve
rification.aspx .
3. Select the check box for the admin account whose Multi-Factor Authentication
settings you want to reset.
4. Select Manage user settings.
5. Select the Require selected users to provide contact methods again check box,
and then select Save.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when Windows 10 devices settings
fail to sync: This user can't sign in
because this account is currently
disabled
Article • 10/28/2024

This article describes an issue in which error "Event ID 6065:80070533 This user can't
sign in because this account is currently disabled" is logged when Windows 10 settings
fail to sync.

Original product version: Windows 10, version 1803, version 1709, version 1703, version
1511, version 1607, all editions
Original KB number: 3193791

Symptoms
You have enabled Enterprise State Roaming in the Microsoft Entra admin center and on
some Windows 10 clients. Any supported settings for sync, such as the desktop
background or the task bar position, do not sync between devices for the same user.

Additionally, Event ID 6065 is logged in the Microsoft-Windows-SettingSync/Debug

event log:

Log Name: Microsoft-Windows-SettingSync/Debug

Source: Microsoft-Windows-SettingSync
Date: <date and time>
Event ID: 6065
Task Category: None
Level: Error
Keywords: User: <User SID>
Computer: WIN10DESKTOP
Description:
shell\roaming\cloudsync\cloudsyncengine\cloudsyncengine.cpp(990)\SettingSyncH
ost.exe!00007FF701A2A8C2: (caller: 00007FF701A2A3D9) ReturnHr[PreRelease](17)
tid(1060) 80070533 This user can't sign in because this account is currently disabled.
CallContext:[\AttemptSyncActivity]
Cause
The tenant has not been provisioned with the RMSBASIC subscription. This happens
automatically when Enterprise State Roaming is enabled in the Microsoft Entra admin
center and is used to encrypt the synchronized data. If AllowAdHocSubscriptions is set to
False on the tenant, this configuration can prevent the tenant from being provisioned
with the RMSBASIC subscription.

７ Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024.
To learn more, read the deprecation update . After this date, support for these
modules are limited to migration assistance to Microsoft Graph PowerShell SDK
and security fixes. The deprecated modules will continue to function through
March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with

Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to
the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption
after June 30, 2024.

Resolution

Verify RMSBASIC subscription is enabled on the tenant

1. Open PowerShell and sign in to Microsoft Entra ID using your Microsoft Entra
credentials. The first line will prompt you for your credentials. The second line
connects to Microsoft Entra ID.

PowerShell

$msolcred = get-credential connect-msolservice -credential $msolcred

2. Run the following cmdlet to see all the SKUs that the company owns.

PowerShell

Get-MsolAccountSku
 3. If RMSBASIC is listed, as in the example output below, you do not need to proceed
with the rest of the steps in this article.

ﾉ Expand table

AccountSkuId ActiveUnits WarningUnits ConsumedUnits

--------------- ------------ --------------- -----------------

tenantname:ENTERPRISEPACK 25 0 14

tenantname:INTUNE_A 25 0 23

tenantname:AAD_PREMIUM 100 0 21

tenantname:RIGHTSMANAGEMENT_ADHOC 1000 0 18

tenantname: RMSBASIC 1000 0 18

4. If RMSBASIC is not present, as in the example output below, proceed with the
steps in the next section.

ﾉ Expand table

AccountSkuId ActiveUnits WarningUnits ConsumedUnits

--------------- ------------ --------------- -----------------

tenantname:ENTERPRISEPACK 25 0 14

tenantname:INTUNE_A 25 0 23

tenantname:AAD_PREMIUM 100 0 21

tenantname:RIGHTSMANAGEMENT_ADHOC 1000 0 18

Verify AllowAdHocSubscriptions is set to "True" on the

tenant
The tenant cannot be provisioned with the RMSBASIC subscription if
AllowAdHocSubscriptions is set to False on the tenant. Use these steps to verify the

configuration of AllowAdHocSubscriptions and temporarily set it to True to obtain the

RMSBASIC subscription.

1. Open PowerShell and sign in to Microsoft Entra ID using your Microsoft Entra
credentials. The first line will prompt you for your credentials. The second line
 connects to Microsoft Entra ID.

PowerShell

$msolcred = get-credential connect-msolservice -credential $msolcred

2. Run the following cmdlet to determine if your tenant has AllowAdHocSubscriptions

set to True or False.

PowerShell

Get-MsolCompanyInformation | fl AllowAdHocSubscriptions

3. If AllowAdHocSubscriptions is set to True, you do not need to proceed with rest of

the steps. If it is False, you can run the following command to enable
AllowAdHocSubscriptions . You can set it back to False in a later step.

PowerShell

Set-MsolCompanySettings -AllowAdHocSubscriptions $true

4. In the Microsoft Entra admin center, disable and re-enable Enterprise State
Roaming. See the Verify USERS MAY SYNC SETTINGS AND ENTERPRISE APP
DATA is enabled on the tenant section.

5. Run the Get-MsolAccountSku cmdlet to see if the RMSBASIC subscription has been
added:

PowerShell

Get-MsolAccountSku

Verify USERS MAY SYNC SETTINGS AND ENTERPRISE APP

DATA is enabled on the tenant
After obtaining a Premium Microsoft Entra subscription, follow these steps to enable
Enterprise State Roaming:

1. Sign in to the Azure classic portal.

2. On the left side, select ACTIVE DIRECTORY, and then select the directory for which
you want to enable Enterprise State Roaming.
3. Go to the CONFIGURE tab.
 4. Scroll down the page, look for USERS MAY SYNC SETTINGS AND ENTERPRISE
APP DATA, and verify that ALL or SELECTED is selected.
5. If All or SELECTED is already selected, select None, save, and go back to the
previously selected ALL or SELECTED with the original SG option, and then save
again. For a reference with screenshots, see Enable Enterprise State Roaming in
Microsoft Entra ID.

(Optional) Set AllowAdHocSubscriptions to "False" on the

tenant
If you want to set AllowAdHocSubscriptions back to False, use this cmdlet after the
RMSBASIC subscription has been provisioned on the tenant:

PowerShell

Set-MsolCompanySettings -AllowAdHocSubscriptions $false

More information
Azure Active Directory PowerShell Module
Get-MsolAccountsku
Set-MsolCompanySettings
How administrators can control the accounts created for RMS for individuals
50,000 seats are assigned to the RIGHTSMANAGEMENT_ADHOC SKU in your Office
365 organization

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

A user is displayed as disabled or
enabled for Microsoft Azure Multi-
Factor Authentication but behaves as
the opposite
Article • 10/28/2024

Original product version: Active Directory

Original KB number: 2934588

This article provides a solution to an issue in which a user is displayed as disabled or

enabled for Microsoft Azure Multi-Factor Authentication but behaves as the opposite.
This is an expected behavior.

Symptoms

Issue 1
When Microsoft Azure Multi-Factor Authentication is enabled, a user may be displayed
as disabled even though the user behaves as enabled.

Issue 2
When Microsoft Azure Multi-Factor Authentication is disabled, a user may be displayed
as enabled even though the user behaves as disabled

Cause
This problem occurs if the user is added in another directory as a guest user. Consider
the following example:

User John ( John@contoso.com ) is created in contoso.onmicrosoft.com . This is his home

directory. John is then added to a guest directory at fabrikam.onmicrosoft.com as a
guest user. When the administrator of fabrikam.onmicrosoft.com examines the guest
user, the user is displayed as disabled for Multi-Factor Authentication.

Resolution
This behavior is by design. Multi-Factor Authentication behavior is always based on the
user's home directory status. If you want to change the desired Multi-Factor
Authentication behavior, you or an administrator should make this change from the
user's home directory.

More information
Guest users are users from one directory who are added to another directory. For
example, a user from contoso.onmicrosoft.com may be added to
fabrikam.onmicrosoft.com . In this case, the user is still authenticated by using the

settings that are defined in the user's home directory ( contoso.onmicrosoft.com ).

７ Note

To quickly check whether a user is a guest user, notice whether the check box next
to the user on the Manage Multi-Factor Auth screen is dimmed. A dimmed check
box indicates that the user is a guest user.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Troubleshoot Azure Multi-Factor
Authentication issues
Article • 10/28/2024

This article contains information to help you troubleshoot common issues that you may
encounter when you use Windows Multi-Factor Authentication for Microsoft Office 365
or Microsoft Azure.

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2937344

Summary
ﾉ Expand table

Scenario Content

You don't receive a text or voice call that contains the verification code for Azure 2834956
Multi-Factor Authentication

"Sorry! We can't process your request" error when you try to set up security 2909939
verification settings for Azure Multi-Factor Authentication

Can't use Azure Multi-Factor Authentication to sign in to cloud services after you 2834954
lose your phone or the phone number changes

"We did not receive the expected response" error message when you try to sign in 2834968
by using Azure Multi-Factor Authentication

"Account verification system is having trouble" error message when you try to sign 2834966
in by using a work or school account

Can't sign in to an Office app by using a work or school account 2834958

2412085
You can't sign in to Office 365, Azure, or Intune

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

You don't receive a text or voice call that
contains the verification code for
Microsoft Entra multifactor
authentication
Article • 10/28/2024

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2834956

Symptoms
Consider the following scenario:

You're a global admin who has Microsoft Entra multifactor authentication (MFA)
enabled
You don't receive the text message or voice call that contains your verification
code.

In this scenario, you can't sign in to your work or school account, such as Office 365,
Azure, or Microsoft Intune.

Resolution
To fix this problem, follow these steps:

1. If you have set up other options for security verification, select Other verification
options, and then try again by selecting a different option. Also, make sure that
your phone numbers are correct in your user account settings.
2. Ask another global admin to confirm whether your phone numbers are set
correctly in your user settings.

If steps 1 and 2 don't resolve the problem, your user account may be blocked from
using Microsoft Entra multifactor authentication. To check whether your user account is
blocked, ask a global admin for your Microsoft cloud service to perform the following
steps:

If you have a Microsoft Entra multifactor authentication or Microsoft Entra ID P1 or P2

subscription
 1. Go to the Azure portal , and then open Microsoft Entra ID.
2. If you want to change the default active directory, click Manage tenants, choose
the active directory, and then click Switch.
3. Choose Users, open the profile of the user that has the problem.
4. Check whether the Block sign in is enabled. If yes, disable the option.

If you have Office 365 and don't have a Microsoft Entra multifactor authentication or
Microsoft Entra ID P1 or P2 subscription, contact Office 365 Support.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Authorization_RequestDenied error
when you try to change a password
using Graph API
Article • 10/28/2024

This article provides information about troubleshooting a problem in which you receive
Authorization_RequestDenied error when trying to change a password using Graph API.

Original product version: Microsoft Entra ID

Original KB number: 3004133

Symptoms
You try to change the password of a Microsoft Entra user. If the Organizational Role
setting for that user is set to any "Administrator" option, the process fails. It generates
the following error message:

{"odata.error":{"code":"Authorization_RequestDenied","message":
{"lang":"en","value":"Insufficient privileges to complete the operation." }} }

When you give the Read and write directory data permission to your application or
Application Service Principal, the application can change the password of a typical
Microsoft Entra user by using Graph API. This setting is shown in the following
screenshot.

You can delegate a Microsoft Entra user as an administrator by changing the user's
Organizational Role setting, as shown in the following screenshot.
Cause
This problem occurs because the users who have any of the Administrator
organizational roles aren't members of Company Administrator or User Account
Administrator in the Office 365 administrative roles.

Resolution

７ Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024.
To learn more, read the deprecation update . After this date, support for these
modules are limited to migration assistance to Microsoft Graph PowerShell SDK
and security fixes. The deprecated modules will continue to function through
March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with

Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to
the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption
after June 30, 2024.

To resolve this problem, add your application to Company Administrator in the Office
365 administrative roles. To do so, run all the following Azure AD module for Windows
PowerShell (MSOL) cmdlets:

PowerShell

Connect-MsolService
It will prompt you for your tenant's credential. You should be able to use your Microsoft
Entra administrative user name in the admin@tenant.onmicrosoft.com format.

PowerShell

$displayName = "Application Name"

$objectId = (Get-MsolServicePrincipal -SearchString $displayName).ObjectId

Replace the "Application Name" with the name of your "Application Service Principal".

PowerShell

$roleName = "Company Administrator"

Add-MsolRoleMember -RoleName $roleName -RoleMemberType ServicePrincipal -
RoleMemberObjectId $objectId

It will add your "Application Service Principal" to the Company Administrator role.

Also, you must add your application to User Account Administrator in the Office 365
administrative roles if the Microsoft Entra user has any of the following Administrator
organizational roles:

Global Administrator
Billing Administrator
Service Administrator

To do so, run all the following MSOL cmdlets:

PowerShell

Connect-MsolService
$displayName = "Application Name"
$objectId = (Get-MsolServicePrincipal -SearchString $displayName).ObjectId
$roleName = "User Account Administrator"
Add-MsolRoleMember -RoleName $roleName -RoleMemberType ServicePrincipal -
RoleMemberObjectId $objectId

After you run both sets of cmdlets, your application will be enabled to change the
password of all Administrator organizational roles.

７ Note
 It can take up to 30 minutes for the permissions to be applied to the Application
Service Principal after you add the permissions to the Office 365 administrative
roles.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you try to reset your
password in Azure, Office 365, or
Intune: We could not verify your
account
Article • 10/28/2024

This article describes a problem in which you receive an error message "We could not
verify your account" when you try to reset your password in Microsoft Azure, Office 365,
or Microsoft Intune. To resolve this problem, work with your administrator to update
your telephone number.

Original product version: Microsoft Entra ID, Microsoft Intune, Cloud Services (Web
roles/Worker roles)
Original KB number: 2951246

Symptoms
When you use Microsoft Azure, Microsoft Office 365, or Microsoft Intune, you may
receive the following error message when you try to reset your password:

We could not verify your account.

Cause
This problem may occur because there are no telephone numbers on file for you.

Resolution
To resolve this problem, work with your administrator to update your telephone
number(s).

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

Federated users in Microsoft Entra ID
are forced to sign in frequently
Article • 10/28/2024

This article discusses an issue in which federated users in Microsoft Entra ID are forced
to sign in frequently.

Original product version: Microsoft Entra ID

Original KB number: 4025960

Symptoms
After federated users sign in to Microsoft Entra ID, they are forced to continually sign
back in instead of being kept signed in.

Cause
Federated users who do not have the LastPasswordChangeTimestamp attribute synced
are issued session cookies and refresh tokens that have a Max Age value of 12 hours.
This means that the program can silently retrieve new tokens to keep the user's session
alive only up to 12 hours. After that time, the users are returned to the original IdP to re-
authenticate.

This occurs because Microsoft Entra ID cannot determine when to revoke tokens that
are related to an old credential (such as a password that has been changed). Therefore,
Microsoft Entra ID must check more frequently to make sure that the user and
associated tokens are still in good standing. For more information about token lifetimes
and how they are managed, see the following Microsoft Azure article:

Configurable token lifetimes in Microsoft Entra ID (Public Preview)

Resolution
To resolve this problem, tenant admins must make sure to sync the
LastPasswordChangeTimestamp attribute. Syncing this attribute improves the user
experience and security status.

This setting can be made on the user object by using PowerShell or through Microsoft
Entra Connect.
PowerShell
You can use the Azure AD PowerShell V1 (MSOnline) module to set the
StsRefreshTokensValidFrom attribute for a user. This will inform the Microsoft Entra
authentication flow to give the user a longer lasting Refresh Token or one based on your
Microsoft Entra policies. To do this, follow these steps:

７ Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024.
To learn more, read the deprecation update . After this date, support for these
modules are limited to migration assistance to Microsoft Graph PowerShell SDK
and security fixes. The deprecated modules will continue to function through
March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with

Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to
the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption
after June 30, 2024.

1. Download the latest Azure AD PowerShell V1 release.

2. Run the Connect command to sign in to your Microsoft Entra admin account every
time that you start a new session:

PowerShell

Connect-msolservice

3. Set the StsRefreshTokensValidFrom attribute by using the following commands:

PowerShell

$RefreshTokensValidFrom = Get-Date
Set-MsolUser -UserPrincipalName<UPN of user>-StsRefreshTokensValidFrom
$RefreshTokensValidFrom

For example:

PowerShell

$RefreshTokensValidFrom = Get-Date
Set-MsolUser -UserPrincipalName john@contoso.com -
 StsRefreshTokensValidFrom $RefreshTokensValidFrom

７ Note

StsRefreshTokenValidFromwill appear to accept any date, but it will always set

to the current date and time.

4. For more help, contact Azure Support .

Microsoft Entra Connect

Microsoft Entra Connect syncs this attribute by default. However, Microsoft Entra
Connect can be configured to sync or not sync this attribute either by using the
attribute filtering feature or by disabling the out-of-box synchronization rules.

Using the Microsoft Entra app and attribute filtering feature

If you have previously disabled synchronization of the PwdLastSet attribute by using the
Microsoft Entra app and attribute filtering feature, follow these steps to re-enable the
process:

Disabling the out-of-box synchronization rules

1. Log in to the Microsoft Entra Connect server, and then start the Microsoft Entra
Connect wizard.

2. Click Customize synchronization options task.

3. Navigate to the Optional Features screen, and verify that the Microsoft Entra app
and attribute filtering feature is enabled. If it isn't, this means that the feature
hasn't been used to disable synchronization of the PwdLastSet attribute.

4. Navigate to Microsoft Entra Attributes screen, and enable the PwdLastSet

attribute. If it's already enabled, this means that the feature hasn't been used to
disable synchronization of the PwdLastSet attribute.

5. Complete the wizard, and then save the configuration.

6. Run a Full Synchronization cycle by running the following cmdlet in PowerShell:

PowerShell
 Start-ADSyncSyncCycle -policyType initial

７ Note

If the Microsoft Entra app and attribute filtering feature is disabled (see step
3) or the PwdLastSet attribute is already enabled (see step 4), this means that
the feature hasn't been used to disable the PwdLastSet attribute. In this
situation, you can skip steps 5 and 6.

Microsoft Entra Connect implements the synchronization of PwdLastSet attribute by

using the following out-of-box synchronization rules.

ﾉ Expand table

Out-of-box sync Details

rule

In from AD User Common Imports on-premises AD PwdLastSet attribute to Metaverse

PwdLastSet attribute.

Out of Microsoft User Join Exports Metaverse PwdLastSet

Entra ID attribute to the Microsoft Entra ID LastPasswordChangeTimestamp
attribute.

In the following screen shot, you can see how the attribute flow is implemented in both
synchronization rules by using the Microsoft Entra Connect Synchronization Rules Editor.
Customers may disable the synchronization of PwdLastSet attribute by disabling these
out-of-box sync rules and replacing them with custom sync rules. To enable
synchronization of the PwdLastSet attribute, consider re-enabling these out-of-box sync
rules or implementing the same attribute flow in existing custom sync rules.

For more information about how to implement and verify sync rule changes, see to
article Microsoft Entra Connect Sync: How to make a change to the default
configuration.

Password hash synchronization

If the Password Hash Synchronization feature is enabled on Microsoft Entra Connect, the
Password Synchronization Manager synchronizes the on-premises Active Directory
PwdLastSet attribute with the Microsoft Entra ID LastPasswordChangeTimestamp
attribute. This is true even if the PwdLastSet attribute has been filtered by using the two
methods in this section.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when trying to reset password in
Azure, Office 365, or Intune: We did not
receive your response in time, or you
hung up the call
Article • 10/28/2024

This article describes a problem in which you receive an error message when you try to
reset your password in Microsoft Azure, Office 365, or Microsoft Intune.

Original product version: Microsoft Entra ID, Microsoft Intune, Cloud Services (Web
roles/Worker roles)
Original KB number: 2951259

Symptoms
When you try to reset your password in Microsoft Azure, Microsoft Office 365, or
Microsoft Intune, you receive the following error message:

We did not receive your response in time, or you hung up the call.

Cause
This problem occurs because of any of the following:

You pressed the wrong button instead of the pound (#) button.
You hung up before hitting the pound (#) button.
You did not answer.
The telephone number that we have on file may be incorrect, and we were unable
to reach you.

You pressed the wrong button instead of the

pound (#) button
To resolve this problem, press the pound button after you answer the call.
You hung up before hitting the pound (#)
button
To resolve this problem, press the pound button after you answer the call.

You did not answer

Maybe you missed the call. To resolve this problem, you must answer the call.

The telephone that we have on file may be

incorrect, and we were not able to reach you
To resolve this problem, work with your administrator to update your telephone
number(s).

７ Note

If available, try to use another method such as using your mobile phone, office
telephone, or mobile app.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you reset your password in
Azure, Office 365, or Intune: Your
request could not be processed
Article • 10/28/2024

This article describes a problem in which you receive a "Your request could not be
processed" message when you reset your password in Microsoft Azure, Office 365, or
Microsoft Intune. To resolve this problem, work with your administrator to update your
telephone number(s).

Original product version: Microsoft Entra ID, Microsoft Intune, Cloud Services (Web
roles/Worker roles)
Original KB number: 2951268

Symptoms
When you try to reset your password in Microsoft Azure, Microsoft Office 365, or
Microsoft Intune, you receive the following error message:

There was an error processing your request. Please try resetting your password
again by clicking here.
If you are unable to reset your password after retrying, please contact Support for
assistance.

Cause
This problem occurs because the telephone number that we have on file may be
incorrect, and we were unable to reach you.

Resolution
To resolve this problem, work with your administrator to update your telephone
number(s).

７ Note
 If available, try to use another method such as using your mobile phone, office
telephone, or mobile app.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you run the Azure Active
Directory Sync tool Configuration
Wizard: The user name or password is
incorrect
Article • 10/28/2024

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Office 365 Identity Management
Original KB number: 2965539

Symptoms
When you run the Azure Active Directory Sync tool Configuration Wizard, you receive
the following error message:

The user name or password is incorrect.

Additionally, event ID 611 is logged to the Application log in Event Viewer:

Event ID: 611

Level: Information
Source: Directory Synchronization
Description:
Password synchronization failed for domain: ChildDomain.Contoso.Com . Details:
Microsoft.Online.PasswordSynchronization.SynchronizationManagerException:
Unable to open connection to domain: ChildDomain.Contoso.Com . Error: An
 exception occurred while attempting to locate a domain controller for domain
ChildDomain.Contoso.Com . --->

Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsCommun
icationException: An exception occurred while attempting to locate a domain
controller for domain ChildDomain.Contoso.Com . --->
System.Security.Authentication.AuthenticationException: The user name or password
is incorrect.
---> System.Runtime.InteropServices.COMException: The user name or password is
incorrect.

Cause
This problem occurs if the enterprise admin account credentials that are specified in the
wizard are not unique in the Active Directory forest. Password mismatches between two
or more identically named accounts in multi-domain forests can cause the wizard to fail.

Consider the following example scenario:

Contoso\admin is the enterprise admin account that's specified in the Azure Active
Directory Sync tool Configuration Wizard.
Contoso\admin and Fabrikam\admin are two accounts that have the same name
but that exist in different domains.
Each account has a different password.

In this scenario, the password of Contoso\admin is used for all domains in the Active
Directory forest during the configuration process. For example, if the password is
"Password1," "Password1" is used for Fabrikam\admin. This causes the wizard to fail.

Resolution
To resolve this problem, do one of the following:

Create an enterprise admin account in which the value of the sAMAccountName

attribute is unique and does not exist in each domain.
Update the passwords of all accounts that have identical names so that the
password is the same for all those accounts.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you try to reset your
password in Azure, Office 365, or
Intune: Oops! We encountered an
unexpected error while contacting you
Article • 10/28/2024

This article describes an issue in which you receive an error message when you try to
reset your password in Microsoft Azure, Office 365, or Microsoft Intune. To resolve this
problem, work with your administrator to update your telephone number(s).

Original product version: Microsoft Entra ID, Microsoft Intune, Cloud Services (Web
roles/Worker roles)
Original KB number: 2951260

Symptoms
When you try to reset your password in Microsoft Azure, Microsoft Office 365, or
Microsoft Intune, you receive the following error message:

Oops! We encountered an unexpected error while contacting you.

Cause
This issue occurs because the telephone number that we have on file may be incorrect,
and we were unable to reach you.

Resolution
To resolve this problem, work with your administrator to update your telephone
number(s).

７ Note

If available, try to use another method such as using your mobile phone, office
telephone, or mobile app.
Contact us for help
If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when trying to reset password in
Azure, Office 365, or Intune: We could
not verify your account
Article • 10/28/2024

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2951274

Symptoms
When a new user tries to reset password in Microsoft Azure, Microsoft Office 365, or
Microsoft Intune, the user receives the following error message:

Reset your password

We could not verify your account

If you'd like, we can contact an administrator in your organization to reset your

password for you..

Resolution
Assign a Microsoft Entra ID P1 or P2 license to the user. Users must have a Microsoft
Entra ID P1 or P2 license to be able to reset their own password.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Handling errors in Microsoft Graph API
Requests with Invoke-RestMethod
Article • 01/02/2025

This article provides a code sample that demonstrates how to handle errors and
implement retry logic when you make requests to the Microsoft Graph API by using the
Invoke-RestMethod cmdlet in PowerShell.

Prerequisites
An Azure app registration with a client secret
The user.read.all permission for Microsoft.Graph for the Azure app. For more
information, see List users.

Code sample
To demonstrate the retry logic, this sample tries to query the signInActivity data for
guest users. When you run this code, you can expect to receive a "403" error.

Get-AccessTokenCC This function requests an access token from Microsoft Entra

ID (formerly Azure Active Directory). The token will be used to authenticate API
requests to Microsoft Graph. You have to provide values for the $clientSecret ,
$clientId , and $tenantId variables of your Azure registration app.

Get-GraphQueryOutput ($Uri) This function makes a request to the Microsoft

Graph API to retrieve data. It also handles paging. The function retries the request
if a "403" error is generated.

PowerShell

Function Get-AccessTokenCC

{
$clientSecret = ''
$clientId = ''
$tenantId = ''
# Construct URI
$uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
# Construct Body
$body = @{
client_id = $clientId
client_secret = $clientSecret
scope = 'https://graph.microsoft.com/.default'
 grant_type = 'client_credentials'
}
# Get OAuth 2.0 Token
$tokenRequest = Invoke-WebRequest -Method Post -Uri $uri -ContentType
'application/x-www-form-urlencoded' -Body $body -UseBasicParsing
# Access Token
$token = ($tokenRequest.Content | ConvertFrom-Json).access_token
#$token = "Junk" #uncomment this line to cause a 401 error -- you can
set that status in the error handler to test the pause and retry
#Write-Host "access_token = $token"
return $token
}

Function Get-GraphQueryOutput ($Uri)

{
write-host "uri = $Uri"
write-host "token = $token"

$retryCount = 0
$maxRetries = 3
$pauseDuration = 2

$allRecords = @()
while ($Uri -ne $null){
Write-Host $Uri
try {
# todo: verify that the bearer token is still good -- hasn't
expired yet -- if it has, then get a new token before making the request
$result=Invoke-RestMethod -Method Get -Uri $Uri -ContentType
'application/json' -Headers @{Authorization = "Bearer $token"}

Write-Host $result

if($query.'@odata.nextLink'){
# set the url to get the next page of records. For more
information about paging, see https://docs.microsoft.com/graph/paging
$Uri = $query.'@odata.nextLink'
} else {
$Uri = $null
}

} catch {
Write-Host "StatusCode: "
$_.Exception.Response.StatusCode.value__
Write-Host "StatusDescription:"
$_.Exception.Response.StatusDescription

if($_.ErrorDetails.Message){
Write-Host "Inner Error: $_.ErrorDetails.Message"
}

# check for a specific error so that we can retry the request

otherwise, set the url to null so that we fall out of the loop
if($_.Exception.Response.StatusCode.value__ -eq 403 ){
# just ignore, leave the url the same to retry but pause
 first
if($retryCount -ge $maxRetries){
# not going to retry again
$Uri = $null
Write-Host 'Not going to retry...'
} else {
$retryCount += 1
Write-Host "Retry attempt $retryCount after a
$pauseDuration second pause..."
Start-Sleep -Seconds $pauseDuration
}

} else {
# not going to retry -- set the url to null to fall back out
of the while loop
$Uri = $null
}
}
}

$output = $allRecords | ConvertTo-Json

if ($result.PSObject.Properties.Name -contains "value") {

return $result.value
} else {
return $result
}
}

# Graph API URIs

$uri = 'https://graph.microsoft.com/v1.0/users?$filter=userType eq
''Guest''&$select=displayName,UserprincipalName,userType,identities,signInAc
tivity'

# Pull Data
$token = Get-AccessTokenCC
Get-GraphQueryOutput -Uri $uri|out-file c:\\temp\\output.json

Capturing a specific header

For advanced scenarios, such as capturing specific header values such as Retry-After
during throttling responses (HTTP 429), use:

PowerShell

$retryAfterValue = $_.Exception.Response.Headers["Retry-After"]

To handle the "429 - too many requests" error, see Microsoft Graph throttling guidance.
Contact us for help
If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

） Note: The author created this article with assistance from AI. Learn more

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Troubleshoot
Authorization_RequestDenied error with
Microsoft Graph
Article • 03/17/2025

When you use Microsoft Graph API to manage users, you might receive the following
error message:

Authorization_RequestDenied. Insufficient privileges to complete the

operation.

This article demonstrates how to troubleshoot the Authorization_RequestDenied error in

Microsoft Graph API by using Postman, through a "disable user" scenario.

Cause of the Authorization_RequestDenied

error
This error typically occurs because the user or app doesn't have sufficient permissions.
To call Graph APIs, your app registration must have the following permissions:

The appropriate Microsoft Entra RBAC role for the required access level. For more
information, see Microsoft Entra built-in roles.
The necessary API permissions to access Microsoft Graph.

Troubleshooting Microsoft Graph API by using

Postman

Step 1: Assign Microsoft Entra RBAC role to the app

registration (Service Principal)
1. Log in to the Azure portal , and go to Microsoft Entra ID.
2. In the Manage section, select Roles and administrators.
3. Select the appropriate role based on the required level of access. In this article, the
app will manage the users. Therefore, User Administrator is selected.
4. Select Add assignments, select your app registration, and then select Add.
Step 2: Locate the application ID, client secret, and token
endpoints of your app
1. In the Azure portal , go to App registrations, and then select your app
registration.

2. On the Overview page, record the Application (client) ID.

3. Select Endpoints. This selection provides information, such as token endpoints,

that will be used in the Postman configuration. This article uses OAuth 2.0 and
token-based authentication together with Entra ID. In this case, you should record
the OAuth 2.0 token endpoint (v2).

4. In the Manage section, select Certificates & secrets. Create a client secret or use
an existing client secret for testing.

In the Postman configuration, ensure you use the Client secret value, not the Secret
ID. The client secret value cannot be viewed, except immediately after it's created.

Step 3: Configure Postman

1. In Postman, select a request or collection, and then select Authorization.

2. Set Auth type to OAuth 2.0.

3. In the Configure New Token section, specify the following configuration:

Grant type: Client Credentials

Access Token URL: <OAuth 2.0 token endpoint>.
Client ID: <Application (client) ID>
Client secret: <Client secret value>
 Scope: https://graph.microsoft.com/.default
Client Authentication: Send as Basic Auth header

4. Select Get New Access Token. If the configuration is correct, you should receive a
token that will be used to run the Microsoft Graph API call.

5. Select Proceed, and then select Use token.

Step 4: Test and troubleshoot the Microsoft Graph API

1. Send the following PATCH request to disable a user. 1f953789-0000-0000-0000-
6f21508fd4e2 is the object ID of a user in the Entra ID.

HTTP

Patch https://graph.microsoft.com/v1.0/users/1f953789-0000-0000-0000-
6f21508fd4e2

JSON

{
"accountEnabled": false
}

2. The Authorization_RequestDenied error message is received in the response:

Output

{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the
operation.",
 "innerError": {
"date": "2024-12-24T03:25:32",
"request-id": "096361b2-75be-479b-b421-078610030949",
"client-request-id": "096361b2-75be-479b-b421-078610030949"
}
}
}

3. Check the Update user scenario in Microsoft Graph REST API v1.0 endpoint
reference. The following permission is required to enable and disable a user, as
described in the Microsoft Graph REST API v1.0 endpoint reference.

ﾉ Expand table

Property Type Description

accountEnabled Boolean true if the account is enabled; otherwise, false . This property
is required when a user is created.
- User.EnableDisableAccount.All + User.Read.All is the least
privileged combination of permissions required to update this
property.
- In delegated scenarios, Privileged Authentication
Administrator is the least privileged role that's allowed to
update this property for all administrators in the tenant.

4. Check whether the app registration has the required permissions:

a. Locate your app registration in the Azure portal.

b. In the Manage section, select API permissions

c. Check the configured API permissions. In this case, the app registration doesn't
have the User.EnableDisableAccount.All permission that is the root cause of the
issue.


 5. Select Add a permission to add User.EnableDisableAccount.All to the app
registration.

6. You must also select Grant admin consent for default directory for the
permissions. Select Yes to confirm that you want to grant admin consent.

7. Send the PATCH request to disable a user. If the request is successful, you should
receive a 204 No Content response.

Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that
are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about
the performance or reliability of these products.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Troubleshoot 403 error when adding a user
to a group by using Microsoft Graph API
Article • 05/06/2025

This article provides guidance for troubleshooting a "403 Authorization_RequestDenied" error

that occurs when you try to add a user to a group by using the Microsoft Graph API.

Symptoms
When you try to add a user to a group by using Microsoft Graph API, you receive the following
"403" error message:

Output

{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2024-05-07T15:39:39",
"request-id": "aa324f0f-b4a3-4af6-9c4f-996e195xxxx",
"client-request-id": "aa324f0f-b4a3-4af6-9c4f-996e1959074e"
}
}
}

Cause
This issue occurs if the group that you tried to add the user to can't be managed by Microsoft
Graph. Microsoft Graph supports only Microsoft 365 groups and Security groups.

Solution

Step 1: Check the group type

Make sure that the group you trying to modify is supported by Microsoft Graph.

1. In Microsoft Graph, the group type can be determined by the settings of its groupTypes ,
mailEnabled , and securityEnabled properties. Use the Microsoft Graph Explorer to check
the group's attributes:
 HTTP

https://graph.microsoft.com/v1.0/groups/<Group Object ID>?

$select=displayName,groupTypes,mailEnabled,securityEnable

Example response:

Output

{
"@odata.context":
"https://graph.microsoft.com/v1.0/$metadata#groups(displayName,groupTypes,mai
lEnabled,securityEnabled)/$entity",
"displayName": "Test group A",
"groupTypes": [],
"mailEnabled": true,
"securityEnabled": false
}

2. Review the following table to verify that the group type is supported by Microsoft Graph
API. In the example response, the "Test group A" group is a Distribution group that can't
be supported by Microsoft Graph. For more information, see Working with groups in
Microsoft Graph.

ﾉ Expand table

Type groupTypes mailEnabled securityEnabled Can be managed by using

Microsoft Graph APIs

Microsoft 365 ["Unified"] true true or false Yes

groups

Security groups [] false true Yes

Mail-enabled [] true true No; read-only through

security groups Microsoft Graph

Distribution [] true false No; read-only through

groups Microsoft Graph

７ Note

Group type can't be changed after creation. For more information, see Edit
group settings.
 The membership of a dynamic group (groupTypes contains
"DynamicMembership") can't be managed through Microsoft Graph.

Step 2: Verify required permissions

Different group member types require specific permissions. For user-type membership, make
sure that the application or account that performs the operation has the
GroupMember.ReadWrite.All permission.

For detailed permission requirements, see Add members documentation.

Step 3: Check whether the group is a role-assignable group

1. Role-assignable groups require extra permissions to manage their members. You can
verify that the group is role-assignable by using Azure portal or Microsoft Graph Explorer:

Azure portal
a. In the Azure portal , go to Microsoft Entra ID, select Groups, and then select All
groups.
b. Locate the target group, select Properties, and then check whether Microsoft Entra
role can be assigned to the group is set to Yes.

Microsoft Graph Explorer

To check the isAssignableToRoles value, run the following request:

HTTP

GET https://graph.microsoft.com/v1.0/groups/<group object="" id="">?

$select=displayName,groupTypes,mailEnabled,securityEnabled,isAssignableToRole

Example response:

Output

{
"@odata.context":
"https://graph.microsoft.com/v1.0/$metadata#groups(displayName,groupTypes,mai
lEnabled,securityEnabled,isAssignableToRole)/$entity",
"displayName": "Test group B",
"groupTypes": [],
"mailEnabled": false,
"securityEnabled": true,
 "isAssignableToRole": true
}

2. If the group is role-assignable, you need the RoleManagement.ReadWrite.Directory

permission in addition to GroupMember.ReadWrite.All . For more information, see Add
members documentation.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
404 error when managing objects using
Microsoft Graph
Article • 01/07/2025

This article provides a solution to a 404 (object not found) error that occurs when you
try to manage a Microsoft Entra object that was just created using Microsoft Graph.

Symptoms
Suppose you create an object, such as a user, group, or application, in Microsoft Entra ID
using Microsoft Graph. When trying to manage the object, such as getting, updating, or
patching it, shortly after its creation, you receive a 404 (object not found) error.

Cause
The Microsoft Entra ID architecture ensures that all data is replicated across
geographically distributed data centers. This issue occurs due to a replication delay in
propagating the newly created object across all data centers. This replication process
might take several minutes to complete.

As shown in the following diagram, when your application makes a request via Microsoft
Graph to create a user in Microsoft Entra ID, the service begins the replication process
and returns an object for that user, which includes the user's ID and other relevant data
used in your request. If your application immediately tries to update this user, it might
connect to a replica that hasn't yet been updated with the new user object. So, you
receive a 404 error because the user isn't found on that replica.
Solution
To resolve this issue, wait some time and retry the update request. If the 404 error still
occurs after retrying, double your waiting time and try again. By allowing sufficient time
for replication, you can prevent this error from happening again.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Use managed identities to call Microsoft
Graph APIs in VB.Net and C#
Article • 01/17/2025

This article explains how to use managed identities to obtain access tokens for calling
Microsoft Graph APIs in both VB.Net and C#.

Configure permissions for managed identities

All managed identities (User Assigned or System Assigned) will have a service principal
that appears in the Enterprise Apps blade. To get permissions for Microsoft Graph on
those identities, you must make an OAuth Permission Grant. To do this, run the
following PowerShell script:

PowerShell

# Your tenant id (in Azure Portal, under Azure Active Directory -> Overview
)
$TenantID = "{your tenant id}"

# Name of the manage identity

$DisplayNameOfApp = "{your managed identity name}"

# Check the Microsoft Graph documentation for the permission you need for
the operation
$Permissions = @("User.Read.All")

# Main script

# Microsoft Graph App ID

$MSGraphAppId = "00000003-0000-0000-c000-000000000000"

# Uncomment the next line if you need to Install the module (You need admin
on the machine)
# Install-Module Microsoft.Graph
Connect-MgGraph -TenantId $TenantID -scopes Application.ReadWrite.All

# Get the application we want to modify

$sp = (Get-MgServicePrincipal -Filter "displayName eq '$DisplayNameOfApp'")

# If assigning MS Graph Permissions

$GraphServicePrincipal = Get-MgServicePrincipal -Filter "appId eq
'$MSGraphAppId'"

# Add permissions
foreach($permission in $Permissions)
{
 $AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq
$permission -and $_.AllowedMemberTypes -contains "Application"}

New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -

PrincipalId $sp.Id -ResourceId $GraphServicePrincipal.Id -AppRoleId
$AppRole.Id
}

<# Remove permissions - this portion of the script show how to remove those
same permissions
$AppRoleAssignments = Get-MgServiceAppRoleAssignedTo -ObjectId $sp.ObjectId

foreach($permission in $Permissions)
{

$AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq

$permission -and $_.AllowedMemberTypes -contains "Application"}

foreach($AppRoleAssignment in $AppRoleAssignments)
{
if($AppRole.Id -eq $AppRoleAssignment.Id) {
Remove-MgServiceAppRoleAssignment -ObjectId $sp.ObjectId -
AppRoleAssignmentId $AppRoleAssignment.objectid
}

}
}
#>

Get access token

After the permissions are configured in the service principal, make a token request from
the following resource: https://graph.microsoft.com .

７ Note

After you make a token request for a resource, you'll get the same token for the
next 24 hours, even if you make permissions changes. In order to get a token
together with any new permissions, you must wait for the current token to expire.

vbnet

Dim at As AccessToken = credential.GetToken(New TokenRequestContext(New

String() {"https://graph.microsoft.com"}))

C#
 AccessToken at = credential.GetToken(new TokenRequestContext(new string[] {
"https://graph.microsoft.com" }));

Call Graph APIs

This example shows how to request an access token for a resource such as Microsoft
Graph. When you use the Microsoft Graph service client in your code, you don't have to
specify the resource explicitly because the Microsoft Graph service client handles that
automatically. In VB.Net, you have to add the Microsoft.Graph NuGet package and then
add the Imports Microsoft.Graph at the top of the code file.

VB.Net
vbnet

Sub Main()

Do While True
Get_AccessToken_With_UserAssigned_MSI()
Make_GraphRequest_withUserMSI_Token()
Get_Secret_With_UserAssigned_MSI()

Get_AccessToken_With_SystemAssigned_MSI()
Get_Secret_With_SystemAssigned_MSI()
Make_GraphRequest_withSystemMSI_Token()

Console.WriteLine("Press Enter to try again or any other key to

exit")
Dim key As ConsoleKeyInfo = Console.ReadKey()

If Not key.Key = ConsoleKey.Enter Then

Return
End If
Loop

End Sub

Sub Get_AccessToken_With_UserAssigned_MSI()
Console.WriteLine($"Getting access token with user assigned msi:")

Dim credential As New

ManagedIdentityCredential(userAssignedClientId)

Dim at As AccessToken = credential.GetToken(New

TokenRequestContext(New String() {"https://graph.microsoft.com"}))
 Dim accessToken As String = at.Token.ToString()
Console.WriteLine($"Access Token = {accessToken}")

End Sub

Sub Make_GraphRequest_withUserMSI_Token()
Console.WriteLine($"Making graph request with User MSI Token:")

Dim credential As New

ManagedIdentityCredential(userAssignedClientId)

Dim graphClient As New GraphServiceClient(credential)

Dim users As IGraphServiceUsersCollectionPage

Try
users = graphClient.Users().Request.GetAsync().Result
Console.WriteLine($"Number of users in tenant: {users.Count}
{vbCrLf}")
Catch ex As Exception
Console.WriteLine($"Exception: {ex.Message}")
End Try

End Sub

Sub Get_AccessToken_With_SystemAssigned_MSI()
Console.WriteLine($"Getting access token with system assigned msi:")

Dim credential As New ManagedIdentityCredential()

Dim at As AccessToken = credential.GetToken(New
TokenRequestContext(New String() {"https://graph.microsoft.com"}))

Dim accessToken As String = at.Token.ToString()

Console.WriteLine($"Access Token = {accessToken}")
End Sub

Sub Make_GraphRequest_withSystemMSI_Token()
Console.WriteLine($"Making graph request with system MSI token:")

Dim credential As New ManagedIdentityCredential()

Dim graphClient As New GraphServiceClient(credential)

Dim users As IGraphServiceUsersCollectionPage

Try
users = graphClient.Users().Request.GetAsync().Result
Console.WriteLine($"Number of users in tenant: {users.Count}
{vbCrLf}")
Catch ex As Exception
Console.WriteLine($"Exception: {ex.Message}")
End Try

End Sub
C#
C#

static void Main(string[] args)

{
while (true)
{
Console.Clear();

Get_AccessToken_With_UserAssigned_MSI();
Get_Secret_With_UserAssigned_MSI();
Make_GraphRequest_With_UserMSI_Token();

Get_AccessToken_With_SystemAssigned_MSI();
Get_Secret_With_SystemAssigned_MSI();
Make_GraphRequest_With_SystemMSI_Token();

Console.WriteLine("Press Enter to try again or any other key

to exit");
ConsoleKeyInfo key = Console.ReadKey();
if (key.Key != ConsoleKey.Enter)
{
return;
}
}

static void Get_AccessToken_With_UserAssigned_MSI()

{
Console.WriteLine($"Getting access token with user assigned
msi:");

ManagedIdentityCredential credential = new

ManagedIdentityCredential(userAssignedClientId);

AccessToken at = credential.GetToken(new TokenRequestContext(new

string[] { "https://database.windows.net" }));
string accessToken = at.Token;

Console.WriteLine($"Access Token = {accessToken}");

static void Get_AccessToken_With_SystemAssigned_MSI()

{
Console.WriteLine($"Getting access token with system assigned
msi:");

ManagedIdentityCredential credentail = new

ManagedIdentityCredential();

AccessToken at = credentail.GetToken(new TokenRequestContext(new

string[] { "https://database.windows.net" }));
string accessToken = at.Token;

Console.WriteLine($"Access token = {accessToken}");

static void Make_GraphRequest_With_UserMSI_Token()

{
Console.WriteLine($"Making graph request with User MSI Token:");

ManagedIdentityCredential credential = new

ManagedIdentityCredential(userAssignedClientId);
GraphServiceClient graphClient = new
GraphServiceClient(credential);

IGraphServiceUsersCollectionPage users;

try
{
users = graphClient.Users.Request().GetAsync().Result;
Console.WriteLine($"Number of users in tenant:
{users.Count}\n");
} catch(Exception ex)
{
Console.WriteLine($"\nException:
{ex.InnerException.Message}");
}

static void Make_GraphRequest_With_SystemMSI_Token()

{
Console.WriteLine($"Making graph request with system MSI
Token:");

ManagedIdentityCredential credential = new

ManagedIdentityCredential();
GraphServiceClient graphClient = new
GraphServiceClient(credential);

IGraphServiceUsersCollectionPage users;

try
{
users = graphClient.Users.Request().GetAsync().Result;
Console.WriteLine($"Number of users in tenant:
{users.Count}\n");
}
catch (Exception ex)
{
Console.WriteLine($"\nException:
{ex.InnerException.Message}");
}
Contact us for help
If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Microsoft Graph API memberOf returns
null values for some properties
Article • 04/03/2025

This article provides a solution to an issue where some properties are indicated as null
when you call the Microsoft Graph API memberOf .

Symptoms
When calling one of the following APIs that can return the list of groups and directory
roles that a user is a direct member of, you see null values for all properties except the
object type and ID in the JSON response:

msgraph

GET https://graph.microsoft.com/v1.0/me/memberOf

msgraph

GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/memberOf

Here's a sample JSON response:

JSON

{
"@odata.context":
"https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
"value": [
{
"@odata.type": "#microsoft.graph.group",
"id": "00000003-0000-0000-c000-000000000000",
"deletedDateTime": null,
"classification": null,
"createdDateTime": null,
"creationOptions": [],
"description": null,
"displayName": null,
"expirationDateTime": null,
"groupTypes": [],
"isAssignableToRole": null,
"mail": null,
"mailEnabled": null,
"mailNickname": null,
 "membershipRule": null,
"membershipRuleProcessingState": null
}
]
}

Cause
When an application queries the membership that returns a directoryObject type
collection, if it doesn't have permission to read a resource type, members of that type
are returned with limited information. For example, only the object type and ID might be
returned, and other properties are indicated as null. Complete information is returned
for the object types that the application has permission to read.

For more information, see List a user's direct memberships and Limited information
returned for inaccessible member objects.

Solution
To get complete information, configure at least the Directory.Read.All permission for
your application.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Add an owner to an application using
Microsoft Graph
Article • 04/03/2025

When an application is authenticated, you might want to be able to update its own
properties such as the client secret or certificate. To do so, the application must be an
owner of itself. You can implement this using the Microsoft Graph API - Add owner.

This article outlines the required permission and step-by-step instructions to add a
service principal associated with an application as an owner of the application using
Microsoft Graph.

Required permission
The least privileged permissions for adding an owner to an application are described in
the Add owner - Permissions table. These permissions, such as
Application.ReadWrite.OwnedBy , allow an application to manage applications of which it

is an owner.

Add an owner
Application owners can be individual users, the associated service principal, or another
service principal. The following sections describe how to add the related service
principal to an application as an owner.

Step 1: Get the application's Object ID

To get the Object ID of the application you want to add an owner to, follow these steps:

1. Sign in to the Azure portal .

2. Navigate to the Microsoft Entra admin center.

3. Browse to Identity > Applications > App registrations.

4. Locate the application and copy its Object ID.

Step 2: Get the owner (service principal's Object ID)
To get the Object ID of the service principal associated with the application, follow these
steps:

1. Sign in to the Azure portal .

2. Navigate to the Microsoft Entra admin center.

3. Browse to Identity > Applications > Enterprise registrations.

4. Locate the application and copy its Object ID.

Step 3: Add the owner to the application

Here're two methods to do this:

Method 1: Using Microsoft Graph Explorer

 Method 2: Using Microsoft Graph PowerShell

Method 1: Using Microsoft Graph Explorer

1. Navigate to Microsoft Graph Explorer.

2. Sign in with a user account that has the necessary permissions to update
application owners, such as a Global Administrator or Application Administrator.

3. Use the following request:

msgraph

POST https://graph.microsoft.com/v1.0/applications/{application-object-
id}/owners/$ref

Content-Type: application/json

{
"@odata.id":
"https://graph.microsoft.com/v1.0/directoryObjects/{service-principal-
id}"
}

７ Note

Replace {application-object-id} with the Object ID of your application and

{service-principal-id} with the Object ID of the service principal.

Here's an example of what it looks like in Microsoft Graph Explorer:

Troubleshoot Forbidden (403) error

You might encounter the following error during this process:

Output

"error": {
"code": "Authorization_RequestDenied",
 "message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2021-12-09T17:41:54",
"request-id": "b1909fc0-aa5c-4b43-8a1f-xxxxxxxxxxxx",
"client-request-id": "836e08bb-a12d-4ade-c761-xxxxxxxxxxxx"
}
}

To resolve the issue, consent to the API permission Application.ReadWrite.All for

Microsoft Graph Explorer under the Modify permissions tab.

Method 2: Using Microsoft Graph PowerShell

Here's an example of Microsoft Graph PowerShell scripts to add an owner to an

application:

PowerShell

Connect-MgGraph -Scopes Application.ReadWrite.All

# Owner
$OwnerServicePrincipalObjectId = "96858eb3-xxxx-xxxx-xxxx-33a6b0dc2430"

# Application to add owner to

$ApplicationObjectId = "b7463aa1-xxxx-xxxx-xxxx-0963d6c00485"

$Owner = @{
"@odata.id" =
"https://graph.microsoft.com/v1.0/directoryObjects/$($OwnerServicePrincipalO
bjectId)"
}

New-MgApplicationOwnerByRef -ApplicationId $ApplicationObjectId -

BodyParameter $Owner

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

Can't modify user mail or phone number
information
Article • 04/08/2025

This article provides a solution to an issue where you can't modify certain personal information
for another user, such as mail and phone number.

Symptoms
You can't modify the following user attributes for another user:

mobilePhone
businessPhones / telephoneNumber

otherMails

Most users experiencing this issue are service principals (Microsoft Graph scenario) or
Microsoft Entra users that use the client credentials grant type. Additionally, they get a 403
error.

Cause
This issue occurs due to insufficient permissions. For Microsoft Entra users, the
User.ReadWrite.All permission can change a user profile except the three user attributes. For

service principals (Microsoft Graph scenario), having the Directory.ReadWrite.All permission

isn't sufficient to modify the three user attributes.

Solution
To resolve this issue, assign a Helpdesk Administrator, User Administrator, or Global
Administrator role to the service principal or user that changes the three attributes, depending
on the user that tries to modify the role. Only the three admin roles can make changes to the
three attributes.

Ｕ Caution

When you assign one of the three admin roles to the service principal or user, you give
them the ability to perform tasks at that level.
Contact us for help
If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Error "The identity of the calling
application could not be established"
Article • 04/03/2025

This article provides solutions to the error message "The identity of the calling
application could not be established" when using Microsoft Graph.

Symptoms
When using Microsoft Graph or some services that rely on it, you encounter the
following error message:

The identity of the calling application could not be established

Cause
This error occurs because the oid and sub claims are missing from the access token.
The root cause is that the service principal doesn't exist in the tenant or the tenant isn't
aware of the application.

Solution
To resolve this error, add the service principal to the tenant and consent to the
permissions required by the application.

You can build an admin consent URL like the following one:

https://login.microsoftonline.com/{organization}/adminconsent?client_id={client-
id}

Then, sign in with a Global Administrator account of the tenant where you are trying to
access resources.

７ Note

Replace {organization} with the tenant ID, for example, aaaaaaaaaaaa-bbbb-

cccc-1111-22222222.
 Replace {client-id} with the application ID, for example, dddddddddddd-
eeee-ffff-3333-44444444.

References
Understanding Microsoft Entra application consent experiences
Overview of permissions and consent in the Microsoft identity platform
Retire Service Principal-Less Authentication

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

401 HTTP response when looking up users
using the Microsoft Graph /users endpoint
Article • 04/30/2025

You can use the Microsoft Graph endpoint to interact programmatically with your tenant data.
A common scenario is to use a Microsoft Graph /users endpoint to look up users in the
tenant. In this case, if you use delegated permissions in your access token, the User.Read.All
permission is necessary. There are ways to prevent you from looking up other users, such as
using an authorizationPolicy object that can control Microsoft Entra authorization settings,
unless you're a tenant administrator.

This article provides a solution to an issue where you can't look up other users using the
Microsoft Graph /users endpoint after a tenant policy configuration restricts access to other
users.

Symptoms
After you enable an authorizationPolicy object in your tenant to prevent the user lookup
action, a new application receives a 401 HTTP response when it performs this action. This issue
occurs even though the proper permissions are consented to during app registration and the
access token has the proper permissions.

Cause
The allowedToReadOtherUser property in the authorizationPolicy is set to false . This setting
prevents the default user role from reading other users. You can check its value via a GET
request:

GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy

Solution
To resolve this issue, set the value of the allowedToReadOtherUser property to true via a PATCH
request as follows:

msgraph

PATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy
{
"defaultUserRolePermissions": {
 "allowedToReadOtherUsers": true
}
}

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Add an owner to an application using
Microsoft Graph
Article • 04/03/2025

When an application is authenticated, you might want to be able to update its own
properties such as the client secret or certificate. To do so, the application must be an
owner of itself. You can implement this using the Microsoft Graph API - Add owner.

This article outlines the required permission and step-by-step instructions to add a
service principal associated with an application as an owner of the application using
Microsoft Graph.

Required permission
The least privileged permissions for adding an owner to an application are described in
the Add owner - Permissions table. These permissions, such as
Application.ReadWrite.OwnedBy , allow an application to manage applications of which it

is an owner.

Add an owner
Application owners can be individual users, the associated service principal, or another
service principal. The following sections describe how to add the related service
principal to an application as an owner.

Step 1: Get the application's Object ID

To get the Object ID of the application you want to add an owner to, follow these steps:

1. Sign in to the Azure portal .

2. Navigate to the Microsoft Entra admin center.

3. Browse to Identity > Applications > App registrations.

4. Locate the application and copy its Object ID.

Step 2: Get the owner (service principal's Object ID)
To get the Object ID of the service principal associated with the application, follow these
steps:

1. Sign in to the Azure portal .

2. Navigate to the Microsoft Entra admin center.

3. Browse to Identity > Applications > Enterprise registrations.

4. Locate the application and copy its Object ID.

Step 3: Add the owner to the application

Here're two methods to do this:

Method 1: Using Microsoft Graph Explorer

 Method 2: Using Microsoft Graph PowerShell

Method 1: Using Microsoft Graph Explorer

1. Navigate to Microsoft Graph Explorer.

2. Sign in with a user account that has the necessary permissions to update
application owners, such as a Global Administrator or Application Administrator.

3. Use the following request:

msgraph

POST https://graph.microsoft.com/v1.0/applications/{application-object-
id}/owners/$ref

Content-Type: application/json

{
"@odata.id":
"https://graph.microsoft.com/v1.0/directoryObjects/{service-principal-
id}"
}

７ Note

Replace {application-object-id} with the Object ID of your application and

{service-principal-id} with the Object ID of the service principal.

Here's an example of what it looks like in Microsoft Graph Explorer:

Troubleshoot Forbidden (403) error

You might encounter the following error during this process:

Output

"error": {
"code": "Authorization_RequestDenied",
 "message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2021-12-09T17:41:54",
"request-id": "b1909fc0-aa5c-4b43-8a1f-xxxxxxxxxxxx",
"client-request-id": "836e08bb-a12d-4ade-c761-xxxxxxxxxxxx"
}
}

To resolve the issue, consent to the API permission Application.ReadWrite.All for

Microsoft Graph Explorer under the Modify permissions tab.

Method 2: Using Microsoft Graph PowerShell

Here's an example of Microsoft Graph PowerShell scripts to add an owner to an

application:

PowerShell

Connect-MgGraph -Scopes Application.ReadWrite.All

# Owner
$OwnerServicePrincipalObjectId = "96858eb3-xxxx-xxxx-xxxx-33a6b0dc2430"

# Application to add owner to

$ApplicationObjectId = "b7463aa1-xxxx-xxxx-xxxx-0963d6c00485"

$Owner = @{
"@odata.id" =
"https://graph.microsoft.com/v1.0/directoryObjects/$($OwnerServicePrincipalO
bjectId)"
}

New-MgApplicationOwnerByRef -ApplicationId $ApplicationObjectId -

BodyParameter $Owner

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

NoPermissionsInAccessToken when calling
/me endpoint
Article • 04/18/2025

This article discusses an issue in which you receive a NoPermissionsInAccessToken error

message when you call the /me endpoint in Microsoft Graph. This article also explains why you
can't call the /me endpoint by using a token that is acquired through the client credentials
grant flow.

Symptoms
When you try to call the /me endpoint from your Microsoft Entra ID-based application that
uses client credentials grant flow, you receive the following error message:

Output

{
"error": {
"code": "NoPermissionsInAccessToken",
"message": "The token contains no permissions, or permissions can not be
understood.",
"innerError": {
"oAuthEventOperationId": "48f66de9-xxx-xxxx1-xxxx-399ea6608ec0",
"oAuthEventcV": "MkVd0xxxxxvjGFVJkoA.1",
"errorUrl": "https://aka.ms/autherrors#error-InvalidGrant",
"requestId": "80f8a0e9-xxxx-xxxx-xxxx-88e5d4bb5bb2",
"date": "2021-07-30T04:04:38"
}
}
}

Cause
The /me endpoint is designed to enable signed-in users to retrieve their own information. To
call the /me endpoint, you must provide some user context because the endpoint uses
delegated permissions. That is, a token that's generated by using the client credentials grant
flow can't use the /me endpoint because the user context information is absent.

Tokens that are obtained by using the client credentials grant flow represent application
identities, not user identities. These tokens contain a roles claim for application permissions
instead of a scp (scopes) claim for delegated permissions. The absence of user context makes it
impossible for the /me endpoint to determine the user who is associated with the request.
Example tokens
Token with user context (delegated flow with a user signed in)

This token is granted by using delegated flow to which a user signed in. It contains user-
specific information and a scp claim that contains the current user's permissions.

Token with application identity (client_credentials grant flow)

This token is generated by using the client credentials grant flow. It doesn't contain user-
specific information. Instead, it contains a roles claim for application permissions.
 

Solution
When you use the client credentials grant flow in your application, you must use the /users
endpoint instead of the /me endpoint. The /users endpoint enables you to retrieve user-
specific information by using application tokens.

For example, if you want to call GET https://graph.microsoft.com/v1.0/me/memberOf to

generate a list of groups that a user is a member of, use the following method:

1. Obtain an application token by using the client credentials grant flow.

2. Make sure that the application has the User.Read.All permission to query user
information.
3. Use the users endpoint to query specific user details. Replace {upn} with the User
Principal Name (UPN) or User Object ID of the user.

HTTP

GET https://graph.microsoft.com/v1.0/users/{upn or userID}/memberOf

Contact us for help
If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
"Neither tenant is B2C or tenant doesn't
have premium license" error when you
query sign-in activities
Article • 05/06/2025

This article discusses the error that occurs when you make Microsoft Graph API calls that are
related to user sign-in activities or user registration details.

Symptoms
You run one of the following Microsoft Graph API calls:

HTTP

GET https://graph.microsoft.com/v1.0/auditLogs/signIns

GET https://graph.microsoft.com/v1.0/users?
$select=displayName,userPrincipalName,signInActivity

GET https://graph.microsoft.com/v1.0/reports/UserRegistrationDetails

After you run the call, your receive an error response that resembles the following text:

Output

'error': {
'code': 'Authentication\_RequestFromNonPremiumTenantOrB2CTenant',
'message': 'Neither tenant is B2C or tenant doesn't have premium license',
'innerError': {
'date': '2021-03-04T07:53:51',
'request-id': 'a0a074e6-xxx-c511669fa420',
'client-request-id': 'a0a074e6-xxx-c511669fa420'
}
}

Solution

Scenario 1: Query user sign-in activities

1. Make sure that the target tenant has an Entra ID Premium P1 or P2 license. In the Azure
portal, go to Microsoft Entra ID, select Overview, and then check the License value. For
more information, see Sign up for Microsoft Entra ID P1 or P2 editions.
 2. Verify that the Microsoft Graph Access Token was granted the AuditLog.Read.All and
Directory.Read.All permissions.

Scenario 2: Query credential user registration details

1. Make sure that the target tenant has an Entra ID Premium P1 or P2 license.
2. Verify that the Microsoft Graph Access Token was granted the Reports.Read.All
permission.
3. Verify that the authenticating user or the service principle of the application is in one of
the following required administrative roles:

Reports Reader
Security Reader
Security Administrator
Global Reader
Global Administrator

More information
If an application is configured by using only the AuditLog.Read.All permission, this error might
occur intermittently. This is expected behavior because the Directory.Read.All permission is
required to retrieve tenant licensing information if it isn't already cached. To avoid this error,
make sure that both permissions are included.
Python scripts making Microsoft Graph
requests are detected as web crawlers
Article • 04/22/2025

This article provides solutions to an issue where Python scripts might be detected as web
crawlers when making Microsoft Graph requests.

Symptoms
A Python script that makes a Microsoft Graph request might sometimes be detected by the
gateway as web crawlers. If Python scripts use a pool manager, the following error message is
returned when you block the request:

Output

{'error': {'code': 'UnknownError', 'message': '\r\n403 Forbidden\r\n\r\n

403 Forbidden
\r\n
Microsoft-Azure-Application-Gateway/v2
\r\n\r\n\r\n', 'innerError': {'date': '{UTC Date/Time}', 'request-id': '{guid}',
'client-request-id': '{guid}'}}}

Cause
The issue occurs because some Python scripts might not structure their requests in a way that
conforms to the expected patterns. As a result, the gateway mistakenly identifies the requests
as coming from a web crawler.

Solution
To resolve this issue, use the Microsoft Graph SDK for Python . If you don't want to use it,
structure your requests similarly to how the SDK handles them by using Python's Session
object to send requests.

Here's an example of how you can structure your requests manually:

Python

from requests import Request, Session

def example_request(url):
http = Session()
 req = Request('GET', url, headers=h)
prepped = req.prepare()
resp = http.send(prepped)
return resp.json()

７ Note

The User-Agent string in the HTTP request header should be unique to your
application or script, differentiating it from generic traffic.
Including additional headers such as Accept: application/json can help clarify the
intent of your request.
Incorrectly identified as crawler traffic might result in throttling or other automated
mitigations by Microsoft's backend systems. Properly identifying your client helps
avoid these issues.

If you use a different HTTP client, ensure that similar headers are set appropriately. Refer to
your HTTP client's documentation for customizing request headers.

More information
For more guidance on best practices when using Microsoft Graph, see the following articles:

Use the Microsoft Graph API

Microsoft Graph throttling guidance

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
General password writeback
troubleshooting steps
Article • 10/28/2024

This article describes general troubleshooting steps to resolve password writeback

issues. These steps are a good way to start the process if you have to consult other
content that explains more specific issues.

Focus on the exact failure scenario

You should be consistent about how the password issue is reproduced or tested.
Understand exactly what the failure scenario is, and learn the repro steps. Because a
password reset and a password change are two different operations, focus on one
operation, and use the same steps for that operation to reproduce the issue. The
difference between the operations is as follows.

ﾉ Expand table

Operation Characteristics

Password The user or administrator doesn't know or doesn't provide the current password.
reset

Password Only a user can initiate a password change. Users have to enter their current
change password before they can specify a new password.

Contrast working versus nonworking users

Does the operation fail for one user but succeed for another user? In this situation, try to
determine the differences between a working and nonworking user. You can use the
following steps:

1. Get information about certain Active Directory users by running the Ldifde
command or the Get-ADUser PowerShell cmdlet.

2. Run user commands in Microsoft Graph PowerShell to get information about those
users in Microsoft Graph PowerShell.

3. Compare the Active Directory and Microsoft Graph PowerShell information about
those two users offline, especially in terms of:
 Administrator roles and groups
Organizational unit placement
The last time that the object and password were synced
Other differences

Keep this information handy while you're troubleshooting an issue.

Use the same domain controller

Try to use the same domain controller every time that you test or make changes. To
control which domain controller is getting contacted for password writeback operations,
set a single preferred domain controller in the Active Directory Connector, and then
restart the ADSync service. Change the preferred domain controller to the nearest one,
or use the domain controller that owns the primary domain controller (PDC) emulator
role.

To set the preferred domain controller, follow these steps:

1. Open the Synchronization Service Manager. To do this, select Start, enter Microsoft
Entra ID, select the Microsoft Entra Connect group, and then select
Synchronization Service.

2. Select the Connectors tab, and then select the applicable Active Directory
connector. In the Actions pane, select Properties to open the Properties dialog
box.

3. In the Connector Designer pane, select Configure Directory Partitions. In the

Configure Directory Partitions pane, select a directory partition from the list.

4. In the Domain controller connection settings group, select the Only use preferred
domain controllers checkbox. Then, select Configure.

5. Make the appropriate changes in the Configure Preferred DCs dialog box.

Depending on the issue, it might actually help to try different domain controllers,
instead. Then, you can determine whether the issue can be isolated to a specific domain
controller or occurs on any domain controller.

In addition, when you use the Active Directory Users and Computers snap-in, change
the connected domain controller to the same one that you used for Microsoft Entra
Connect. Follow these steps:

1. Open the Active Directory Users and Computers snap-in. To do this, select Start,
search on dsa.msc, and then press Enter.
 2. In the navigation pane, right-click the domain name, and then select the Change
Domain Controller menu item.

3. In the Change Directory Server dialog box, select the This Domain Controller or
AD LDS instance option.

4. In the list of domain controllers, select the domain controller that matches the one
that you selected for Microsoft Entra Connect, and then select OK.

Temporarily relax the local Active Directory

password policy
To troubleshoot password writeback operations, we recommend that you temporarily
modify the local Active Directory password policy. Set the minimum password age to
zero to allow users to change their password more than one time consecutively. If
password complexity is required, use a combination of uppercase letters, lowercase
letters, and numerals. Because password history is usually enforced to a default of 24
remembered passwords, always use another password in every reset or change attempt.
For example, increment an integer suffix (1, 2, 3, and so on) for every reset or change.

Check application events by using the Event

Viewer
These troubleshooting articles for specific password writeback issues contain many
examples of application events that provide details about the issues. These examples
show that the Event Viewer snap-in (Eventvwr.msc) is the most effective Windows tool to
troubleshoot password writeback.

Identify the exact account name for the AD DS

Connector
Recheck the name of the current account for the Active Directory Domain Connector.
Make sure that this account has the same name as the account that the Microsoft Entra
Connect server uses. To find this account name, see Identify the AD DS Connector
account.

Learn which writeback operations are

supported or unsupported
To review the lists of supported and unsupported password writeback operations, see
How does self-service password reset writeback work in Microsoft Entra ID?.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Troubleshoot password writeback access
rights and permissions
Article • 10/28/2024

This article describes the access rights and permissions that are required in the domain
root, the user object, and the Builtin container in Active Directory. It also discusses the
following items:

Required domain group policies

How to identify the Active Directory Domain Services (AD DS) Connector account
that Microsoft Entra Connect uses
How to check existing permissions on that account
How to avoid replication issues

This information can help you troubleshoot specific problems that involve password
writeback.

Identify the AD DS Connector account

Before you check for password writeback permissions, verify the current AD DS
Connector account (also known as the MSOL_ account) in Microsoft Entra Connect.
Verifying this account helps you avoid taking the wrong steps during password
writeback troubleshooting.

To identify the AD DS Connector account:

1. Open the Synchronization Service Manager. To do this, select Start, enter Microsoft
Entra Connect, select Microsoft Entra Connect in the search results, and then select
Synchronization Service.

2. Select the Connectors tab, and then select the applicable Active Directory
connector. In the Actions pane, select Properties to open the Properties dialog
box.

3. In the left pane of the Properties window, select Connect to Active Directory
Forest, and then copy the account name that appears as User name.

Check existing permissions of the AD DS

Connector account
To set the correct Active Directory permissions for password writeback, use the built-in
ADSyncConfig PowerShell module. The ADSyncConfig module includes a method to set
permissions for password writeback by using the Set-
ADSyncPasswordWritebackPermissions cmdlet.

To check whether the AD DS Connector account (that is, the MSOL_ account) has the
correct permissions for a specific user, use one of the following tools:

Active Directory Users and Computers snap-in on the Microsoft Management

Console (MMC)
Command prompt
PowerShell

Active Directory Users and Computers snap-in

Use the MMC snap-in for Active Directory Users and Computers. Follow these steps:

1. Select Start, enter dsa.msc, and then select the Active Directory Users and
Computers snap-in in the search results.

2. Select View > Advanced Features.

3. In the console tree, find and select the user account that you want to check the
permissions for. Then, select the Properties icon.

4. In the Properties dialog box for the account, select the Security tab, and then
select the Advanced button.

5. In the Advanced Security Settings dialog box for the account, select the Effective
Permissions tab. Then, in the Group or user name section, select the Select
button.

6. In the Select User, Computer, or Group dialog box, select Advanced > Find Now
to show the selection list. In the Search results box, select the MSOL_ account
name.

7. Select OK two times to return to the Effective Permissions tab in the Advanced
Security Settings dialog box. Now, you can view the list of effective permissions
for the MSOL_ account that are assigned to the user account. The list of the default
permissions that are required for password writeback is shown in the Required
permissions on the user object section in this article.

Command prompt
Use the dsacls command to display the access control lists (ACLs, or permissions) of the
AD DS Connector account. The following command stores the command output in a
text file, although you can modify it to display the output on the console:

Windows Command Prompt

dsacls "CN=User01,OU=Sync,DC=Contoso,DC=com" > dsaclsDomainContoso.txt

You can use this method to analyze the permissions for any Active Directory object.
However, it isn't useful to compare permissions between objects because the text
output isn't sorted.

PowerShell
Use the Get-Acl cmdlet to get the AD DS Connector account permissions, and then store
the output as an XML file by using the Export-Clixml cmdlet, as follows:

PowerShell

Set-Location AD:
Get-Acl "DC=Contoso,DC=com" | Export-Clixml aclDomainContoso.xml

The PowerShell method is useful for offline analysis. It lets you import the file by using
the Import-Clixml cmdlet. It also keeps the original structure of the ACL and its
properties. You can use this method to analyze the permissions for any Active Directory
object.

Avoid replication issues when fixing

permissions
When you fix Active Directory permissions, the changes to Active Directory might not
take effect immediately. Active Directory permissions are also subject to replications
across the forest in the same manner that Active Directory objects are. How do you
mitigate the Active Directory replication issues or delays? You set a preferred domain
controller in Microsoft Entra Connect, and work on only that domain controller for any
changes. When you use the Active Directory Users and Computers snap-in, right-click
the domain root in the console tree, select the Change Domain Controller menu item,
and then pick the same preferred domain controller.

For a quick sanity check within Active Directory, run domain controller diagnostics by
using the dcdiag command. Then, run the repadmin /replsummary command to view a
summary of replication problems. The following commands store the command output
to text files, although you can modify them to display the output on the console:

Windows Command Prompt

dcdiag > dcdiag.txt

repadmin /replsum > replsum.txt

Required permissions on the Active Directory

domain root
This section describes the expected Active Directory permissions for password writeback
on the Active Directory domain root. Don't confuse this root with the root of the Active
Directory forest. A forest can have multiple Active Directory domains. Each domain must
have the correct permissions set in its own root, so that password writeback can work
for users in that domain.

You can view the existing Active Directory permissions in the security properties of the
domain root. Follow these steps:

1. Open the Active Directory Users and Computers snap-in.

2. In the console tree, locate and select the Active Directory domain root, and then
select the Properties icon.

3. In the Properties dialog box for the account, select the Security tab.

Each of the following subsections contains a table of domain root default permissions.
This table shows the required permission entries for the group or user name that's in the
subsection title. To view and modify the current permission entries to match the
requirements for each group or user name, follow these steps for each subsection:

1. On the Security tab, select the Advanced button to view the Advanced Security
Settings dialog box. The Permissions tab shows the current list of domain root
permissions for each Active Directory identity (Principal).

2. Compare the current permissions list against the list of default permissions for
each Active Directory identity (Principal).

3. If necessary, select Add to add required permission entries that are missing from
the current list. Or, select a permission entry, and then select Edit to modify that
entry to meet the requirement. Repeat this step until the current permission entries
match the subsection table.
 4. Select OK to accept the changes in the Advanced Security Settings dialog box and
return to the Properties dialog box.

７ Note

The permissions on the Active Directory domain root aren't inherited from any
parent container.

Root default permissions for the AD DS Connector

account (Allow)

ﾉ Expand table

Permission Apply to

Reset password Descendant User objects

(blank) Descendant msDS-Device objects

Replicating Directory Changes This object only

Replicating Directory Changes All This object only

Read all properties Descendant publicFolder objects

Read/write all properties Descendant InetOrgPerson objects

Read/write all properties Descendant Group objects

Read/write all properties Descendant User objects

Read/write all properties Descendant Contact objects

Root default permissions for Authenticated Users (Allow)

ﾉ Expand table

Permission Apply to

Enable per user reversibly encrypted password This object only

Unexpire password This object only

Update password not required bit This object only

Special This object only

Permission Apply to

(blank) This object and all descendant objects

Root default permissions for Everyone (Deny + Allow)

ﾉ Expand table

Type Permission Apply to

Deny Delete all child objects This object only

Allow Read all properties This object only

Root default permissions for Pre-Windows 2000

Compatible Access (Allow)

ﾉ Expand table

Permission Apply to

Special Descendant InetOrgPerson objects

Special Descendant Group objects

Special Descendant User objects

Special This object only

List contents This object and all descendant objects

Root default permissions for SELF (Allow)

ﾉ Expand table

Permission Apply to

(blank) This object and all descendant objects

Special All descendant objects

Validated write to computer attributes Descendant Computer objects

(blank) Descendant Computer objects

Required permissions on the user object
This section describes the expected Active Directory permissions for password writeback
on the target user object that has to update the password. To view the existing security
permissions, follow these steps to show the security properties of the user object:

1. Return to the Active Directory Users and Computers snap-in.

2. Use the console tree or the Action > Find menu item to select the target user
object, and then select the Properties icon.

3. In the Properties dialog box for the account, select the Security tab.

Each of the following subsections contains a table of user default permissions. This table
shows the required permission entries for the group or user name that's in the
subsection title. To view and modify the current permission entries to match the
requirements for each group or user name, follow these steps for each subsection:

1. On the Security tab, select the Advanced button to view the Advanced Security
Settings dialog box.

2. Make sure that the Disable Inheritance button is displayed near the bottom of the
dialog box. If the Enable Inheritance button is displayed instead, select that
button. The enable inheritance feature allows all the permissions from parent
containers and organizational units to be inherited by this object. This change
resolves the issue.

3. On the Permissions tab, compare the current permissions list against the list of
default permissions for each Active Directory identity (Principal). The Permissions
tab displays the current list of user permissions for each Active Directory identity
(Principal).

4. If necessary, select Add to add required permission entries that are missing from
the current list. Or, select a permission entry, and then select Edit to modify that
entry to meet the requirement. Repeat this step until the current permission entries
match the subsection table.

5. Select OK to accept the changes in Advanced Security Settings dialog box and
return to the Properties dialog box.

７ Note

Unlike for the Active Directory domain root, the required permissions for the user
object are usually inherited from the domain root, or from a parent container or
 organizational unit. Permissions that were set directly on the object will indicate an
inheritance from None. The inheritance of the access control entry (ACE) isn't
important as long as the values in the Type, Principal, Access, and Applies to
columns for the permission are the same. However, certain permissions can be set
only in the domain root. These entities are listed in the subsection tables.

User default permissions for the AD DS Connector

account (Allow)

ﾉ Expand table

Permission Inherited from Apply to

Reset password <domain root> Descendant User objects

(blank) <domain root> Descendant msDS-Device objects

Read all properties <domain root> Descendant publicFolder objects

Read/write all properties <domain root> Descendant InetOrgPerson objects

Read/write all properties <domain root> Descendant Group objects

Read/write all properties <domain root> Descendant User objects

Read/write all properties <domain root> Descendant Contact objects

User default permissions for Authenticated Users (Allow)

ﾉ Expand table

Permission Inherited from Apply to

Read general information None This object only

Read public information None This object only

Read personal information None This object only

Read web information None This object only

Read permissions None This object only

Read Exchange information <domain root> This object and all descendant objects
User default permissions for Everyone (Allow)

ﾉ Expand table

Permission Inherited from Apply to

Change password None This object only

User default permissions for Pre-Windows 2000

Compatible Access (Allow)
The Special permissions in this table include List contents, Read all properties, and
Read permissions rights.

ﾉ Expand table

Permission Inherited from Apply to

Special <domain root> Descendant InetOrgPerson objects

Special <domain root> Descendant Group objects

Special <domain root> Descendant User objects

List contents <domain root> This object and all descendant objects

User default permissions for SELF (Allow)

The Special permissions in this table include Read/Write private information rights
only.

ﾉ Expand table

Permission Inherited from Apply to

Change password None This object only

Send as None This object only

Receive as None This object only

Read/write personal information None This object only

Read/write phone and mail options None This object only

Read/write web information None This object only

 Permission Inherited from Apply to

Special None This object only

Validated write to computer attributes <domain root> Descendant Computer objects

(blank) <domain root> Descendant Computer objects

(blank) <domain root> This object and all descendant objects

Special <domain root> This object and all descendant objects

Required permissions on the SAM server object

This section describes the expected Active Directory permissions for password writeback
on the Security Account Manager (SAM) server object
(CN=Server,CN=System,DC=Contoso,DC=com). To find the security properties of the
SAM server object (samServer), follow these steps:

1. Return to the Active Directory Users and Computers snap-in.

2. In the console tree, locate and select the System container.

3. Locate and select Server (the samServer object), and then select the Properties
icon.

4. In the Properties dialog box for the object, select the Security tab.

5. Select the Advanced Security Settings dialog box. The Permissions tab displays
the current list of samServer object permissions for each Active Directory identity
(Principal).

6. Verify that at least one of the following principals is listed in the access control
entry for the samServer object. If only Pre-Windows 2000 Compatible Access is
listed, make sure that Authenticated Users is a member of this built-in group.

Permissions for Pre-Windows 2000 Compatible Access

(Allow)
Special permissions must include the List contents, Read all properties, and Read
permissions rights.

Permissions for Authenticated Users (Allow)

Special permissions must include the List contents, Read all properties, and Read
permissions rights.

Required permissions on the Builtin container

This section describes the expected Active Directory permissions for password writeback
on the Builtin container. To view the existing security permissions, follow these steps to
get to the security properties of the built-in object:

1. Open to the Active Directory Users and Computers snap-in.

2. In the console tree, locate and select the Builtin container, and then select the
Properties icon.

3. In the Properties dialog box for the account, select the Security tab.

4. Select the Advanced button to view the Advanced Security Settings dialog box.
The Permissions tab displays the current list of Builtin container permissions for
each Active Directory identity (Principal).

5. Compare this current permissions list against the list of required allow permissions
for the MSOL_ account, as follows.

ﾉ Expand table

Permission Inherited from Apply to

Read/write all properties <domain root> Descendant InetOrgPerson objects

Read/write all properties <domain root> Descendant Group objects

Read/write all properties <domain root> Descendant User objects

Read/write all properties <domain root> Descendant Contact objects

6. If necessary, select Add to add required permission entries that are missing from
the current list. Or, select a permission entry, and then select Edit to modify that
entry to meet the requirement. Repeat this step until the current permission entries
match the subsection table.

7. Select OK to exit the Advanced Security Settings dialog box and return to the
Properties dialog box.

Other required Active Directory permissions

In the Pre-Windows 2000 Compatible Access group properties, go to the Members tab,
and make sure that Authenticated Users is a member of this group. Otherwise, you
might experience issues that affect password writeback on Microsoft Entra Connect and
Active Directory (especially on older versions).

Required domain group policies

To make sure that you have the correct domain group policies, follow these steps:

1. Select Start, enter secpol.msc, and then select Local Security Policy in the search
results.

2. In the console tree, under Security Settings, expand Local Policies, and then select
User Rights Assignment.

3. In the list of policies, select Impersonate a client after authentication, and then
select the Properties icon.

4. In the Properties dialog box, make sure that the following groups are listed on the
Local Security Setting tab:

Administrators
LOCAL SERVICE
NETWORK SERVICE
SERVICE

For more information, see the default values for the Impersonate a client after
authentication policy.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Troubleshoot error code 8023062C:
Insecure password reset or change
Article • 10/28/2024

This article describes how to troubleshoot a password writeback error that occurs when
Microsoft Entra Connect tries to make a password change or reset in an insecure
configuration. This situation occurs specifically when Microsoft Entra Connect tries to do
a password change or reset without having a 128-bit Transport Layer Security (TLS) or
Secure Sockets Layer (SSL) connection.

Symptoms
When a user or administrator tries to change or reset a password in Microsoft Entra ID,
password writeback to the on-premises directory fails and returns an "8023062C
(0x8023062c)" error code and the following error message:

The password could not be set because the server is not configured for insecure
setting of passwords, or a 128 bit TLS or SSL connection is required.

Cause
Microsoft Entra Connect has been configured not to require that Lightweight Directory
Access Protocol (LDAP) traffic be signed and encrypted.

Solution
Make sure that the Sign and Encrypt LDAP Traffic setting is enabled in three places
within Synchronization Service Manager by following these steps:

1. Open the Synchronization Service Manager. To do this, open the Start menu, go to
the Microsoft Entra Connect group, and then select Synchronization Service.

2. Select the Connectors tab, and then select the applicable Active Directory
connector. In the Actions pane, select Properties.

3. On the left side of the Properties dialog box, select Connect to Active Directory
Forest, and then select the Options button. In the Connection Options dialog box,
turn on Sign and Encrypt LDAP Traffic, and then select OK.
 4. On the left side of the Properties dialog box, select Configure Directory Partitions.
Then, in the Configure Directory Partitions pane, select a directory partition from
the list.

5. In the Domain controller connection settings group, select the Options button. In
the Connection Options dialog box, turn on Sign and Encrypt LDAP Traffic, and
then select OK.

6. In the Credentials group, check whether the Alternate credentials for this
directory partition option is selected. If that option isn't selected, go to step 8.
Otherwise, select the Set Credentials button, and then select Options in the
Credentials dialog box.

7. In the Connection Options dialog box, turn on Sign and Encrypt LDAP Traffic, and
then select OK two times to return to the Properties dialog box.

8. Select OK to save the changes and return to Synchronization Service Manager.

9. Select Start, enter services.msc, and then select the Services snap-in. Select
Microsoft Azure AD Sync from the list of services, and then select the Restart
Service icon.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Troubleshoot error SSPR_009:
Synchronized Microsoft Entra
Administrator can't reset password from
the cloud
Article • 10/28/2024

This article explains how to troubleshoot a password reset error that occurs when a
synchronized user who has a Microsoft Entra Administrator role tries unsuccessfully to
reset their password.

This scenario occurs after the user visits the sign-in page at
https://login.microsoftonline.com and selects Can't access your account?, Forgot my
password, or reset it now. Then, the browser redirects the user to the self-service
password reset (SSPR) page at https://passwordreset.microsoftonline.com to start the
SSPR process. This process requires that the user enter a "captcha" code. If the
operation is successful, password writeback sends a password reset request for the user
to an on-premises Active Directory domain. Simultaneously, SSPR sets the new
password in Microsoft Entra ID. If the operation is unsuccessful, an "SSPR_009" error is
returned instead. If the error occurs, use this article to fix the problem.

Symptoms
After a synchronized user tries unsuccessfully to reset a password by entering a captcha
code, the browser displays the following error message:

You can't reset your own password because password reset isn't turned on for your
organization.

SSPR_009: Your organization hasn't turned on password reset. If you're an

administrator, you can get more information from the "How to enable password
reset" article. If you're not an administrator, you can provide this information when
you contact your administrator.

７ Note

This scenario occurs only for Microsoft Entra users who have a Microsoft Entra
Administrator role assigned to them. The password change or reset flow works as
 expected for standard accounts.

Cause
SSPR for Administrators isn't enabled on the tenant. SSPR for Administrators (SSPR-A)
was the first implementation of SSPR. After SSPR for Users (SSPR-U) was introduced,
users could have two separate configurations.

The old SSPR-A implementation is used when a Microsoft Entra account has an admin
role, such as Global Administrator or Billing Administrator. However, the SSPR
management on the Azure portal is for SSPR-U only. Therefore, SSPR-A might not be
enabled on the tenant.

Solution
Enable SSPR-A on the tenant by running the Set-MsolCompanySettings PowerShell
cmdlet, as follows:

PowerShell

Set-MsolCompanySettings -SelfServePasswordResetEnabled $true

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Troubleshoot error SSPR_0029: Your
organization hasn't properly set up the
on-premises configuration for password
reset
Article • 10/28/2024

This article helps you troubleshoot the self-service password reset (SSPR) error
"SSPR_0029: Your organization hasn't properly set up the on-premises configuration for
password reset" that occurs after the user or admin enters and confirms a new password
on the SSPR page.

Symptoms
A user or administrator takes the following steps, and then receives an SSPR_0029 error:

1. At a Microsoft account sign-in page or Microsoft Azure sign-in page in the

https://login.microsoftonline.com domain, a user or admin selects Can't access
your account?, Forgot my password, or reset it now.

2. The user or admin selects the Work or school account account type. Then, they're
redirected to the SSPR page at https://passwordreset.microsoftonline.com to
start the Get back into your account flow.

3. On the Who are you? screen, the user or admin enters their user ID, completes a
case-insensitive captcha security challenge, and then selects Next.

4. On the Why are you having trouble signing in? screen, the user or admin selects I
forgot my password > Next.

5. On the choose a new password screen, the user or admin enters and confirms a
new password string, and then selects Finish. Then, a We're sorry screen appears
and presents the following message:

SSPR_0029: Your organization hasn't properly set up the on-premises

configuration for password reset.

If you're an administrator, you can get more information from the

Troubleshoot password writeback article. If you're not an administrator, you
can provide this information when you contact your administrator.
Cause 1: Can't use password writeback to reset
the password of a synchronized Windows
Active Directory administrator
You're a synchronized Windows Active Directory admin who belongs (or used to belong)
to an on-premises Active Directory protected group, and you can't use SSPR and
password writeback to reset your on-premises password.

Solution: None (behavior is by design)

For security, administrator accounts that exist within a local Active Directory protected
group can't be used together with password writeback. Administrators can change their
password in the cloud, but can't reset a forgotten password. For more information, see
How does self-service password reset writeback work in Microsoft Entra ID.

Cause 2: AD DS Connector account doesn't

have the right Active Directory permissions
The synchronized user is missing the correct permissions in Active Directory.

Solution: Resolve Active Directory permission issues

To resolve issues that affect Active Directory permissions, see Password Writeback access
rights and permissions.

Workaround: Target a different Active Directory domain

controller

７ Note

Password writeback has a dependency on the legacy API NetUserGetInfo. The

NetUserGetInfo API requires a complex set of allowed permissions in Active

Directory that can be difficult to identify, especially when a Microsoft Entra Connect
server is running on a domain controller. For more information, see Applications
using NetUserGetInfo and similar APIs rely on read access to certain Active
Directory objects.
Do you have a scenario in which a Microsoft Entra Connect server is running on a
domain controller, and it isn't possible to resolve Active Directory permissions? In this
case, we recommend that you deploy Microsoft Entra Connect server on a member
server instead of a domain controller. Or, configure your Active Directory connector to
Only use preferred domain controllers by using the following steps:

1. On the Start menu, search for and select Synchronization Service Manager.

2. In the Synchronization Service Manager window, select the Connectors tab.

3. Right-click the Active Directory connector from the list of connectors, and then
select Properties.

4. In the Connector Designer pane of the Properties dialog box, select Configure
Directory Partitions.

5. In the Configure Directory Partitions pane, select the Only use preferred domain
controllers option, and then select Configure.

6. In the Configure Preferred DCs dialog box, add one or more server names that
point to a different domain controller (or domain controllers) than the local host.

7. To save your changes and return to the main window, select OK three times,
including in the Warning dialog box that shows an advanced configuration
disclaimer.

Cause 3: Servers aren't allowed to make remote

calls to Security Accounts Manager (SAM)
In this case, two similar application error events are logged: Event ID 33004 and 6329.
Event ID 6329 differs from 33004 because it contains an ERROR_ACCESS_DENIED error code
in the stack trace when the server tries to make a remote call to SAM:

ERR_: MMS(####): admaexport.cpp(2944): Failed to acquire user information:

Contoso\MSOL_############. Error Code: ERROR_ACCESS_DENIED

This situation can occur if the Microsoft Entra Connect server or the domain controller
has or had a hardening security setting applied with a Domain Group Policy Object
(GPO) or in the Local Security Policy of the server. To check whether this is the case,
follow these steps:

1. Open an administrative Command Prompt window, and run the following

commands:
 Console

md C:\Temp
gpresult /h C:\Temp\GPreport.htm
start C:\Temp\GPreport.htm

2. Open the C:\Temp\gpresult.htm file in your web browser, and expand Computer
Details > Settings > Policies > Windows Settings > Security Settings > Local
Policies/Security Options > Network Access. Then, check whether you have a
setting that's named Network access: Restrict clients allowed to make remote calls
to SAM.

3. To open the Local Security Policy snap-in, select Start, enter secpol.msc, press Enter,
and then expand Local Policies > Expand Security Options.

4. In the list of policies, select Network access: Restrict clients allowed to make
remote calls to SAM. The Security Setting column will show Not Defined if the
setting isn't enabled, or it displays an O:BAG:... security descriptor value if the
setting is enabled. If the setting is enabled, you can also select the Properties icon
to see the Access Control List (ACL) that's currently applied.

７ Note

By default, this policy setting is turned off. When this setting is applied on a
device through a GPO or a Local Policy setting, a registry value that's named
RestrictRemoteSam is created in the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ registry
path. However, this registry setting can be difficult to clear after it's defined
and applied to the server. Disabling the Group Policy setting or clearing the
Define this policy setting option in Group Policy Management Console
(GPMC) doesn't remove the registry entry. Therefore, the server still restricts
which clients are allowed to make remote calls to SAM.

How do you accurately verify that the Microsoft Entra Connect server or the
domain controller is still restricting remote calls to SAM? You check whether
the registry entry remains present by running the Get-ItemProperty cmdlet in
PowerShell:

PowerShell

Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -

Name RestrictRemoteSam
Does the PowerShell output show that a RestrictRemoteSam registry entry is still
present? If so, you have two possible solutions.

Solution 1: Add the AD DS Connector account to the list

of allowed users
Keep the Network access: Restrict clients allowed to make remote calls to SAM policy
setting enabled and applied on the Microsoft Entra Connect server, but add the Active
Directory Domain Services (AD DS) Connector account (MSOL_ account) to the list of
allowed users. For instructions, see the following steps:

1. If you don't know the name of your AD DS Connector account, see Identify the AD
DS Connector account.

2. In the GPMC or Local Security Policy snap-in, go back to the property dialog box
for that policy setting.

3. Select Edit Security to display the Security Settings for Remote Access to SAM
dialog box.

4. In the Group or user names list, select Add to display the Select Users or Groups
dialog box. In the Enter the object names to select box, enter the name of the AD
DS Connector account (MSOL_ account), and then select OK to exit that dialog box.

5. Select the AD DS Connector account in the list. Under Permissions for <account
name>, in the Remote Access row, select Allow.

6. Select OK two times to accept the policy setting changes and return to the list of
policy settings.

7. Open an administrative Command Prompt window, and run the gpupdate

command to force a Group Policy update:

Console

gpupdate /force

Solution 2: Remove the Network access: Restrict clients

allowed to make remote calls to SAM policy setting, then
manually delete the RestrictRemoteSam registry entry
1. If the security setting is applied from the Local Security Policy, go to step #4.
2. Open the GPMC snap-in from a Domain Controller, and edit the respective Domain
GPO.

3. Expand Computer Configuration > Policies > Windows Settings > Security
Settings > Computer Configuration > Local Policies > Security Options.

4. In the list of security options, select Network access: Restrict clients allowed to
make remote calls to SAM, open Properties, and then disable Define this policy
setting.

5. Open an administrative Command Prompt window, and run the gpupdate

command to force a Group Policy update:

Console

gpupdate /force

6. To generate a new Group Policy result report (GPreport.htm), run the gpresult
command, and then open the new report in a web browser:

Console

md C:\Temp
gpresult /h C:\Temp\GPreport.htm
start C:\Temp\GPreport.htm

7. Check the report to make sure that the policy setting for Network access: Restrict
clients allowed to make remote calls to SAM isn't defined.

8. Open an administrative PowerShell console.

9. To remove the RestrictRemoteSam registry entry, run the Remove-ItemProperty

cmdlet:

PowerShell

Remove-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -

Name RestrictRemoteSam

７ Note
 If you delete the RestrictRemoteSam registry entry without removing the
Domain GPO setting, this registry entry will be re-created on the next Group
Policy refresh cycle, and the SSPR_0029 error will reoccur.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Troubleshoot admin password resets in
Microsoft 365 admin center
Article • 10/28/2024

This article describes a password writeback issue that occurs after an administrator
resets a user password in the Microsoft 365 admin center.

Symptoms
A user who recently had an administrator reset their password can't sign in to on-
premises Active Directory by using the new password. Additionally, the previous
password might still work.

Cause
An administrator has reset the password of a user in the Microsoft 365 admin center .
Although the user can sign in online by using the new password, the new password isn't
synchronized back to on-premises Active Directory.

Currently, the Microsoft 365 admin center doesn't use the self-service password reset
(SSPR) and password writeback libraries. When an administrator resets a user password
in the Microsoft 365 admin center, the password is reset in Microsoft Entra ID, but the
new password isn't updated in on-premises Active Directory. Therefore, the user
password is now out-of-sync between on-premises Active Directory and Microsoft Entra
ID.

Solution
To make sure that password writeback updates the new password in on-premises Active
Directory, the administrator who changes or resets the password must use the Azure
portal instead of the Microsoft 365 admin center .

For more information, see How does self-service password reset writeback work in
Microsoft Entra ID?.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Troubleshoot delays after the first sign-
in following a forced password change
Article • 10/28/2024

This article describes how to troubleshoot a password writeback issue when a user is
forced to change their password on first sign-in.

Symptoms
After a user makes a required password change on first sign-in, they receive this
warning message:

Your password was successfully updated, but our servers take a little time to catch
up. Please try signing in again in a few minutes.

Cause
When a user is forced to change their password on first sign-in in Microsoft Entra ID, the
password writeback process accepts the temporary password for sign-in, and the user is
prompted to provide a new password. Password writeback tries to change the password
on-premises, and then waits. If the on-premises update succeeds, password writeback
tries to change the password in Microsoft Entra ID. During a password change
operation, password writeback verifies the current password, and then provides the new
password to be updated in the respective directory.

However, a timing issue might cause this warning if an attempt to sign in occurs
immediately after the on-premises Active Directory password was reset. This issue
occurs if the user has the User must change password at next logon option selected,
and the domain authentication is configured for Pass-through Authentication (PTA).

In this scenario, the user tries to sign in before password hash synchronization finishes
syncing the temporary password to Microsoft Entra ID. But because PTA is configured,
the authentication is redirected to on-premises Active Directory. The user can now sign
in to Microsoft Entra ID successfully and is then forced to change the password on the
first sign-in. If the password change is successful, password writeback updates the new
password in on-premises Active Directory and in Microsoft Entra ID. However, the sign-
in message says "our servers take a little time to catch up." This is because the
temporary password didn't match the current password in Microsoft Entra ID.
Solution
After an Active Directory administrator resets the password on-premises, Microsoft Entra
Connect takes at least two minutes to sync that temporary password to Microsoft Entra
ID. To avoid receiving this warning message, the user has to wait at least two minutes to
sign in and update the password. This provides time for password hash synchronization
to sync the temporary password.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Troubleshoot password resets that are
blocked by on-premises policy
Article • 10/28/2024

This article helps you troubleshoot a scenario in which a user or administrator can't reset
or change a password because the on-premises Active Directory password policy
disallows it.

Symptoms
In the Azure portal , you take the following steps:

1. Select Microsoft Entra ID > Users.

2. Choose a user from the list.
3. Select the Reset password link.
4. Enter a temporary password for the user to use.
5. Select the Reset password button.

In this scenario, you receive the following error message:

Unfortunately, you cannot reset this user's password because your on-premises
policy does not allow it. Please review your on-premises policy to ensure that it is
setup correctly.

Cause
The error message is sent by an on-premises domain controller. To obtain more
information about the problem, follow these steps.

７ Note

This procedure requires that you enable your domain controller's audit policy for
Account Management - Failure events. For more information, see Audit account
management.

1. Go to an on-premises domain controller.

2. Open the Event Viewer snap-in. To do this, select Start, enter eventvwr.msc, and
then press Enter.
 3. Under the Event Viewer (Local) node in the sidebar, expand Windows Logs, and
then select Security.

4. Look for audit events that contain Event ID 4724, Audit Failure (in the Keywords
column) and User Account Management (in the Task Category column). These
events should resemble the following example:

Output

Log Name: Security

Source: Microsoft-Windows-Security-Auditing
Date: 11/5/2020 2:44:01 AM
Event ID: 4724
Task Category: User Account Management
Level: Information
Keywords: Audit Failure
User: N/A
Computer: ADDS01.Contoso.net
Description:
An attempt was made to reset an account's password.

Subject:
Security ID: Contoso\MSOL_73c8a9aa6173
Account Name: MSOL_73c8a9aa6173
Account Domain: Contoso
Logon ID: 0xF91C5C

Target Account:
Security ID: Contoso\User01
Account Name: User01
Account Domain: Contoso

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
...
</System>
</Event>

This example confirms that password writeback is working as expected. However, the
password that's entered doesn't meet the local Active Directory password policy. The
policy might be violated because of password length, complexity, age, or other
requirements.

Solution
Provide a password that meets the local Active Directory password policy.
First, verify the current settings for the password policy to be able to determine any
violations. Then, go to the domain controller, and use one or more of the following
methods:

From an on-premises domain controller, open an administrative Command Prompt

window, and run the net accounts command:

Output

C:\>net accounts

Force user logoff how long after time expires?: Never

Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 7
Length of password history maintained: 24
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
The command completed successfully.

Alternatively, open an administrative PowerShell window, and then run the Get-
ADDefaultDomainPasswordPolicy cmdlet:

Output

PS C:\WINDOWS\system32> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled : True
DistinguishedName : DC=contoso,DC=net
LockoutDuration : 00:30:00
LockoutObservationWindow : 00:30:00
LockoutThreshold : 0
MaxPasswordAge : 42:00:00
MinPasswordAge : 00:00:00
MinPasswordLength : 7
objectClass : {domainDNS}
objectGuid : 01234567-89ab-cdef-0123-456789abcdef
PasswordHistoryCount : 24
ReversibleEncryptionEnabled : False

In an administrative Command Prompt window, export a Group Policy report in

HTML format by running gpresult /h GPreport.htm . Open the exported report
(GPreport.htm) in a browser window, and then view the policy settings under
Account Policies/Password Policy.
Was the local Active Directory password policy configured by using fine-grained
password policies? If so, check the resultant password policy for the target user by
running the net user command ( net user <username> /domain ):

Output

C:\>net user User01 /domain

User name User01

Full Name User01
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 11/5/2020 1:57:43 PM

Password expires 12/17/2020 1:57:43 PM
Password changeable 11/5/2020 1:57:43 PM
Password required Yes
User may change password Yes

Workstations allowed All

Logon script
User profile
Home directory
Last logon Never

Logon hours allowed All

Local Group Memberships

Global Group memberships *Domain Users
The command completed successfully.

Is the entered password compliant with the local Active Directory password policy, but
the issue persists? If so, check whether you're using Microsoft Entra Password Protection
in your on-premises AD DS environment, or if you have any third-party password filter
software installed on your domain controllers.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you run the Azure Active
Directory Sync Tool Configuration
Wizard: An unknown error occurred
with the Microsoft Online Services Sign-
in Assistant
Article • 10/28/2024

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2502710

Symptoms
When you run the Microsoft Azure Active Directory Sync Tool Configuration Wizard, you
receive the following error message:

An unknown error occurred with the Microsoft Online Services Sign-in Assistant.
Contact Support.

Resolution
To resolve this issue, follow these steps:

1. Select Start, type appwiz.cpl , and then press Enter to open the Programs and
Features item in Control Panel.

2. Uninstall the Microsoft Online Services Sign-In Assistant.

3. Uninstall the Azure Active Directory Sync tool.

4. Reinstall the Azure Active Directory Sync tool. For more information about how to
do this, go to Install or upgrade the Directory Sync tool .

5. Check whether the issue is resolved. If the error still occurs after you follow steps 1
through 4, make sure that the Microsoft Online Services Sign-In Assistant service is
started. To do this, follow these steps:
a. Select Start, type services.msc , and then press Enter.
 b. In the list of services, make sure that the entry in the Status column for
Microsoft Online Services Sign-In Assistant is Started.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you try to run the Azure
Active Directory Sync Tool
Configuration wizard: The Enterprise
Administrator credentials that you
supplied are not valid
Article • 10/28/2024

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2386471

Symptoms
When you try to run the Microsoft Azure Active Directory Sync Tool Configuration
Wizard, you receive the following error message:

The Enterprise Administrator credentials that you supplied are not valid. Supply valid
credentials and try again.

Cause
This issue may occur if you entered incorrect credentials on the Active Directory
Credentials page of the Directory Sync Tool Configuration Wizard.

Resolution
To resolve this issue, follow these steps:

1. Make sure that you provide credentials for an account that has enterprise admin
permissions for your company's local Active Directory installation.
2. Make sure that you enter the correct user name and password for the user
account.
3. Make sure that the computer on which the Directory Sync Tool Configuration
Wizard is installed can communicate with your company's domain controllers and
can authenticate to the local Active Directory.
 ７ Note

The account must have enterprise admin permissions in the Active Directory forest
to which the computer that's running the Directory Sync Tool Configuration Wizard
is joined.

To check whether an account has enterprise admin permissions, follow these steps:

1. On a domain controller or computer that has the Windows Server Administration

Toolkit installed, start Active Directory Users and Computers. To do this, click Start,
click Run, type dsa.msc in the Open box, and then click OK.

2. Right-click the domain, and then click Find.

3. In the Name box, type enterprise admins, and then click Find Now.
 4. Double-click Enterprise Admins, and then click the Members tab.

5. Check whether the user is listed in the Members list. If the user isn't in the list, one
of the members of this list must log on and add the user to this list. Or, a member
of this list can use their credentials in the Directory Sync Tool Configuration Wizard.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

One or more Microsoft Entra Connect
services don't start
Article • 03/06/2025

This article describes an issue that prevents Microsoft Entra Connect services from
starting.

Original product version: Microsoft Entra ID, Office 365 Identity Management
Original KB number: 2995030

Symptoms
You discover that one or more Microsoft Entra Connect services don't start. For example,
the Microsoft Azure AD Sync service (ADSync) doesn't start.

Solution 1: Set User Rights Assignment

permissions within Group Policy
Make group policy changes if necessary so that the ADSync service account can log on
locally, as a service, and as a batch job. Because a domain group policy takes
precedence over a local group policy, you need to check the settings for both types of
group policies.

1. Select Start, enter gpedit.msc in the search box, and then press Enter to open the
Local Group Policy Editor snap-in.

2. In the console tree, under Computer Configuration, expand Windows Settings >
Security Settings > Local Policies, and then select User Rights Assignment.

3. Verify that the ADSync service account is added for the following policy settings:

Allow log on locally

Log on as a batch job
Log on as a service

4. For domain group policies, open an administrative command prompt.

5. Run the following gpresult command, which generates a group policy report:

Windows Command Prompt

 gpresult /H gpresult.htm

6. Open the resulting group policy report (gpresult.htm).

7. If User Rights Assignment settings are applied through any domain group policy
object (GPO), use the Group Policy Management console (gpmc.msc) from a
domain controller to take one of the following actions:

Remove the following policy settings from the Winning GPO:

Allow log on locally
Log on as a batch job
Log on as a service

Update the Winning GPO to include the ADSync service account.

8. If you made any changes to the local group policy or domain group policy, restart
the computer to apply the changes.

Solution 2: Troubleshoot error messages using

Event Viewer
You can also try to find and fix the problem by scanning the Application and System
logs in Event Viewer for directory synchronization events. For more information, see
Troubleshoot other error messages.

Solution 3: Check the Microsoft Entra ID Sync

(ADSync) service account
If solutions 1 and 2 don't resolve the issue, verify the status of your custom ADSync
service account. Ensure that the account isn't expired or disabled, that the User must
change password at next logon option isn't enabled, and that its password isn't
expired. If the password was changed, use the Services.msc console to update the
ADSync service account password.

For more information about other types of Windows service accounts, see ADSync
service account.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Microsoft Entra Management Agent
hangs during Full Import or Delta
Import with error:
System.Collections.Generic.KeyNotFoun
dException
Article • 10/28/2024

This article provides a resolution to an issue in which the Microsoft Entra Management
Agent stops responding with error System.Collections.Generic.KeyNotFoundException.

Original product version: Active Directory

Original KB number: 3096482

Symptoms
When you run a Full Import or a Delta Import on the Microsoft Entra Connector, one of
the following actions occur:

The following error is logged in the Application log:

FIMSynchronizationService Event 6801

The extensible extension returned an unsupported error.
The stack trace is:
"System.Collections.Generic.KeyNotFoundException: The given key was not
present in the dictionary.
at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
at System.Collections.ObjectModel.KeyedCollection`2.get_Item(TKey key)
at
Microsoft.Azure.ActiveDirectory.Connector.Connector.GetConnectorSpaceEn
tryChange(SyncObject syncObject)
at System.Linq.Enumerable.WhereSelectListIterator`2.MoveNext()
at System.Collections.Generic.List`1.InsertRange(Int32 index,
IEnumerable`1 collection)
at
Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntriesCor
e()
at
Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntries(Ge
tImportEntriesRunStep getImportEntriesRunStep)
 You receive the following error message:

DirectorySynchronization Event 109:

Failure while importing entries from Windows Azure Active Directory.
Exception: System.Collections.Generic.KeyNotFoundException: The given
key was not present in the dictionary.
at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
at System.Collections.ObjectModel.KeyedCollection`2.get_Item(TKey key)
at
Microsoft.Azure.ActiveDirectory.Connector.Connector.GetConnectorSpaceEn
tryChange(SyncObject syncObject)
at System.Linq.Enumerable.WhereSelectListIterator`2.MoveNext()
at System.Collections.Generic.List`1.InsertRange(Int32 index,
IEnumerable`1 collection)
at
Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntriesCor
e()
at
Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntries(Ge
tImportEntriesRunStep getImportEntriesRunStep).

Resolution
To resolve this problem, select the missing object type (device). To do this, follow these
steps:

1. Open Management Agent for the Microsoft Entra directory in the Forefront
Identity Manager (FIM) Sync console.

2. Click Connectors, and then click Microsoft Entra ID.

3. In the Actions pane, click Properties.

７ Note

The Properties window opens.

4. Under Connector Design, click Select Object Types.

5. In the Select Object Types pane, locate and then select the device check box.

6. Click OK three times.

Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed
in the "Applies to" section.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Microsoft Entra Connect is not working
correctly after an automatic upgrade
Article • 10/28/2024

This article discusses an issue in which Microsoft Entra Connect is only partially
upgraded or the password synchronization and the password writeback features are
disabled.

Original product version: Microsoft Entra ID

Original KB number: 4038479

Symptoms
When you run Microsoft Entra Connect 1.1.443.0 or an earlier version, you experience
one of the following issues:

Microsoft Entra Connect is only partially upgraded, the scheduler is suspended,

and no automatic synchronization cycle occurs.
Microsoft Entra Connect is upgraded correctly, the scheduler is enabled, and object
changes are synchronized correctly to Microsoft Entra ID. However, the password
synchronization feature or the password writeback feature is disabled.

Cause
A problem in the automatic upgrade feature for Microsoft Entra Connect causes the
Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe process to terminate
because of an unhandled exception. Therefore, the automatic upgrade does not finish.
To verify this, follow these steps:

Step 1: Determine whether automatic upgrade recently

tried to upgrade Microsoft Entra Connect
Examine the log files in the %ProgramData%\AADConnect folder. Log files that have a title
of SyncEngine-AutoUpgrader-[Date]-[Time].log indicate the time that the automatic
upgrade occurred.
Step 2: Determine whether Microsoft Entra Connect is
partially upgraded
Run the Microsoft Entra Connect wizard. If Microsoft Entra Connect is partially
upgraded, you are prompted to upgrade Microsoft Entra Connect.

Step 3: Compare the installed version of Microsoft Entra

Connect with the version in the server configuration
During automatic upgrade, the current installation of Microsoft Entra Connect is
upgraded, and then the version in the server configuration is updated. If the two
versions don't match, Microsoft Entra Connect is only partially upgraded.
To check which version of Microsoft Entra Connect is installed, open the Programs and
Features item in Control Panel, and examine the version number of Microsoft Entra
Connect.

To check the version of Microsoft Entra Connect in the server configuration, run the
following command in Windows PowerShell, and look for the value of the
Microsoft.Synchronize.ServerConfigurationVersion property:

PowerShell

(Get-ADSyncGlobalSettings).Parameters | select Name,Value

Check the status of the scheduler by running the following command:

PowerShell

Get-ADSyncScheduler

If the value of SchedulerSuspended is True, the scheduler is suspended.

Step 4: Verify that password synchronization and

password writeback are enabled
If Microsoft Entra Connect is upgraded correctly, open the Microsoft Entra Connect
wizard, and then select Review your solution to verify that the password
synchronization and password writeback features are enabled.

Workaround
To work around this issue, follow these steps:

1. Start the Microsoft Entra Connect wizard, and then select Upgrade.
2. After the upgrade is complete, verify that the installed version of Microsoft Entra
Connect matches the version in the server configuration.
3. If you have previously enabled the password synchronization feature or the
password writeback feature, verify that the feature remains enabled after the
upgrade is complete.
4. If any of the features is disabled after the upgrade, select Customize
synchronization options in the Microsoft Entra Connect wizard, and then manually
enable the feature.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Unable to connect to Azure Information
Protection using Windows PowerShell
Article • 10/28/2024

７ Note

Microsoft Azure Information Protection was previously known as Microsoft Azure

Rights Management.

This article resolves an issue where you can't connect to the Azure Information
Protection Service using Windows PowerShell in Office 365.

Original product version: Microsoft Entra ID, Azure Information Protection

Original KB number: 2797755

Symptoms
When you try to connect to Microsoft Azure Information Protection using Windows
PowerShell in Microsoft Office 365, you get an error message that resembles the
following:

PS C:\> Connect-AipService

Connect-AipService : The attempt to connect to the Azure Information Protection

service failed. Verify that the user name and password you are using are

correct and try again. If you have continued problems, see

http://go.microsoft.com/fwlink/?LinkId=251909.

The correlation ID is 1df4c755-f859-4284-907b-be5d2a551260. Please note and

provide this value if asked by support for it.

At line:1 char:1

+ Connect-AipService

+ ~~~~~~~~~~~~~~~~~~

+ CategoryInfo : NotSpecified: (:) [Connect-AipService],

ApplicationFailedException
 + FullyQualifiedErrorId :
NotSpecified,Microsoft.RightsManagementServices.Online.Admin.PowerShell.Connect

AipServiceCommand

You may also see the following error message:

Object reference not set to an instance of an object.

Cause
This issue occurs if one or more of the following conditions are true:

You entered the wrong user name or password.

You aren't a company administrator.
You don't have a subscription that includes Azure Information Protection.
The network is preventing you from connecting to Azure Information Protection.
You're using Windows PowerShell 7. Using PowerShell 7 will result in the "Object
reference not set to an instance of an object" error. For more information, see
Known issues - Azure Information Protection.

Resolution

７ Note

If Azure Information Protection isn't enabled for your company, you use the
Microsoft 365 admin center to enable it. For more info about how to do this, read
Azure Information Protection deployment road map.

To resolve this issue, make sure that the following are true:

Make sure that you enter the correct user name and password. To check that you
entered them correctly, sign in to the Office 365 portal .
You must be a global administrator to connect to Azure Information Protection.
To use Azure Information Protection, you must have a subscription that includes
Azure Information Protection.
Work with the network administrator to make sure that the network meets the
requirements for connecting to Azure Information Protection. The requirements
are as follows:
Incoming and outgoing connections to *.aadrm.com are enabled.
 Incoming and outgoing connections to *.cloudapp.net ( rmsoprod*-b-
rms*.cloudapp.net ) are enabled.

Port 443 is open.

Use Windows PowerShell 5. You can check the PowerShell version by using the
$PSVersionTable.PSVersion command.

More information
For more information on Azure Information Protection, visit AIPService.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Can't enable the Device writeback
option in Microsoft Entra Connect
Article • 10/28/2024

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Office 365 Identity Management, Microsoft Intune
Original KB number: 3085068

Symptoms
When you run the Microsoft Entra Connect configuration wizard, you can't enable the
Device writeback option on the Customize synchronization options page.

Cause
This issue can occur if one of the following conditions is true:

Your Microsoft Entra organization isn't enabled for device writeback.

One or more of the domain controllers that hold an operations master role (also
known as a flexible single master operations or FSMO role) in your environment
aren't replicating.

Resolution

Step 1: Troubleshoot FSMO role or replication issues

1. Run the repadmin /showrepl command to display a report that shows replication
status. To do this, follow these steps:

a. Open a command prompt as an administrator.

b. Run the following command:

Console

repadmin /showrepl * /csv > replication.csv

c. Examine the Replication.csv file, and then troubleshoot and correct any errors.
 2. Seize the FSMO role. In some instances, the server that holds an FMSO role may
not be advertising itself correctly. Seizing itself may fix the issue. To do this, follow
these steps:

a. On a domain controller or a computer that has the Remote Server

Administration Tools Pack installed, open a command prompt as an
administrator.

b. Run the following command:

Console

netdom query FSMO

3. For each computer that's listed in the output, follow the steps in the "Seize FSMO
roles" section of Using Ntdsutil.exe to transfer or seize FSMO roles to a domain
controller .

Step 2: Enable the organization for device writeback

Follow these steps on the server on which Microsoft Entra Connect is installed:

1. Make sure that the Remote Server Administration Tools Pack is installed. For more
information, see Installing or Removing the Remote Server Administration Tools
Pack .

2. Open Active Directory Module for Windows PowerShell as an administrator. For

more information, see Active Directory Administration with Windows PowerShell .

3. Go to %ProgramFiles%\Microsoft Azure Active Directory Connect\AdPrep , and then

run the following commands:

Console

Import-module .\AdSyncPrep.psm1

Console

Initialize-ADSyncDeviceWriteBack -domainname <domain.com>

In this command, the placeholder <domain.com> represents your Active Directory

domain. For example, run Initialize-ADSyncDeviceWriteBack -domainname
contoso.com .
 You may have to run this command for each domain in your Active Directory
environment.

4. When you're prompted, enter the enterprise administrator user name.

5. Open the Microsoft Entra Connect configuration wizard. You should now be able to
enable device writeback.

More information
On the server on which Microsoft Entra Connect is installed, review the logs in the
following location:

C:\Users\<UserAccount which AAD Connect was

installed>\AppData\Local\AADConnect\trace-<DateTime>.log

You may see an error message that resembles the following:

[13:15:30.864] [ 18] [ERROR]

ADPowerShellQueyProvider:SearchAdSyncDirectoryObjects Failed to run the ldap
search query. Parameter values passed to PowerShell:
ForestFqdn : <Forest_Name>
AdConnectorId : <ID>
PropertiesToRetrieve : msDS-
DeviceLocation,name,displayName,distinguishedName,objectClass
NamingContextType : Configuration
BaseDnType : Relative
AdConnectorUserName : <Domain>\MSOL_d95558f154ee
BaseDn : CN=Services
LdapFilter : (objectClass=msDS-DeviceRegistrationService)
SearchScope : Subtree
Exception Details :
System.Management.Automation.CmdletInvocationException: Error HRESULT E_FAIL
has been returned from a call to a COM component. --->
System.Runtime.InteropServices.COMException: Error HRESULT E_FAIL has been
returned from a call to a COM component. at
MmsServerRCW.IMMSServer2.SearchADSyncDirectoryObjects(String forestFqdn,
Guid& adConnectorGuid, String namingContextType, String baseDnType, String
baseDn, String ldapFilter, String searchScope, String propertiesToLoad, String
userName, String password, String& outputSerializedResult) at
Microsoft.IdentityManagement.PowerShell.Cmdlet.AdSyncDirectorySearchResult.Pro
cessRecord()
You may also see the following event 2092 warning message logged in Event Viewer on
the domain controller that's experiencing the issue:

Event ID: 2092

Task Category: Replicaiton
Level: Warning
Description:
This server is the owner of the following FSMO role, but does not consider it valid.
For the partition which contains the FSMO, this server has not replicated successfully
with any of its partners since this server has been restarted. Replication errors are
preventing validation of this role.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Can't manage or remove objects that
were synchronized through the Azure
Active Directory Sync tool
Article • 10/28/2024

This article describes an issue that you can't manage or remove objects that were
created through directory synchronization from Microsoft Entra ID. It provides two
resolutions for this issue according to different reasons.

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2619062

Symptoms
You try to manually manage or remove objects that were created through directory
synchronization from Microsoft Entra ID:

For example, you want to remove an orphaned user account that was synced to
Microsoft Entra ID from your on-premises Active Directory Domain Services (AD DS).

In this scenario, you can't remove the orphaned user account by using the Microsoft
cloud service portal in Office 365, Azure, or Microsoft Intune, or by using Windows
PowerShell.

Cause
This issue may occur if one or more of the following conditions are true:

The on-premises AD DS is no longer available. So you can't manage or delete the

object from the on-premises environment.
You deleted an object from the on-premises AD DS. However, the object wasn't
deleted from your cloud service organization. This behavior is unexpected.

Resolution

The on-premises AD DS is no longer available. Therefore,

you can't manage or delete the object from the on-
premises environment
You want to manage objects in Office 365, Azure, or Intune and you no longer want to
use directory synchronization.

７ Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024.
To learn more, read the deprecation update . After this date, support for these
modules are limited to migration assistance to Microsoft Graph PowerShell SDK
and security fixes. The deprecated modules will continue to function through
March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with

Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to
the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption
after June 30, 2024.

1. If you're not running Windows 10, install the 64-bit version of the Microsoft Online
Services Sign-in Assistant: Microsoft Online Services Sign-in Assistant for IT
Professionals RTW .

2. Install the Microsoft Azure Active Directory module for Windows PowerShell:
a. Open an elevated Windows PowerShell command prompt (run Windows
PowerShell as an administrator).
b. Run the Install-Module MSOnline command.

3. Disable directory synchronization by running the following command:

PowerShell

Set-MsolDirSyncEnabled -EnableDirSync $false

4. Check that directory synchronization was fully disabled by using the Windows
PowerShell. To do it, run the following command periodically:

PowerShell

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

This command will return True or False. Continue to run this command periodically
until it returns False, and then go to the next step.
 It may take 72 hours for deactivation to be completed. The time depends on the
number of objects that are in your cloud service subscription account.

5. Try to update an object by using Windows PowerShell or by using the cloud service
portal.

Step 4 may take a while to be completed. There's a process in the cloud service
environment that computes attribute values. The process must be completed
before the objects can be changed by using Windows PowerShell or by using
the cloud service portal.

You delete an object from an on-premises AD DS.

However, the object isn't deleted from your cloud service
subscription account
Force directory synchronization by using the steps on this article: Start the Scheduler

If some updates and deletions are propagated, but some deletions aren't
synchronized to the cloud service, follow typical directory synchronization
troubleshooting procedures.

If all updates and deletions aren't synchronized to the cloud service, contact
Support.

７ Note

As an alternative resolution for this scenario, an object can be manually

deleted in the cloud service. However, the object can't be updated in the
cloud service. For more information about how to resolve this issue, see the
following Microsoft Knowledge Base article: Object deletions aren't
synchronized to Microsoft Entra ID when using the Azure Active Directory
Sync tool .

More information
To re-enable directory synchronization, run the following command:

PowerShell

Set-MsolDirSyncEnabled -EnableDirSync $true

It's important to plan carefully when you re-enable directory synchronization. If you
used the cloud service portal or Windows PowerShell to make any changes directly to
the objects that were originally synchronized from on-premises AD DS, the changes will
be overwritten by on-premises attributes and settings the first time that synchronization
occurs after directory synchronization is re-enabled.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you run
DirSyncConfigShell.psc1 in Windows
Server 2008 R2: Could not load file or
assembly
Article • 10/28/2024

This article describes a scenario in which you receive an error when you run
DirSyncConfigShell.psc1 after you install version 6765.0006 of the Directory Sync tool

on a Windows Server 2008 R2-based computer.

Original product version: Microsoft Entra ID, Cloud Services (Web roles/Worker roles),
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2964373

Symptoms
When you run DirSyncConfigShell.psc1 after you install version 6765.0006 of the
Microsoft Azure Active Directory Sync Tool on a Windows Server 2008 R2-based
computer, you receive the following error message:

WARNING: The following errors occurred when loading console c:\program

files\Windows Azure Active Directory Sync\dirsyncfonfigshell.psc1: Cannot load
Windows PowerShell snap-in coexistence-configuration because of the following
error: could not load file or assembly 'file:///c:\programSync\Microsoft
Online.Coexistence.PS.Config.dll' or one of its dependencies. This assembly is built
by a runtime newer than the currently loaded runtime and cannot be loaded. For
example, this issue occurs when you run DirSyncConfigShell.psc1 to force directory
synchronization.

Cause
This issue occurs if Windows Management Framework 3.0 is not installed on the
Windows Server 2008 R2-based computer.

Resolution
Do one of the following:
 Install Windows Management Framework 3.0 on the Windows Server 2008 R2-
based computer. For more information, see Windows Management Framework
3.0 .
Run the Directory Sync tool from a Windows Server 2012 R2-based computer. To
install the Directory Sync tool, see Install or upgrade the Directory Sync tool.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Users can no longer sign in after you
run the Convert-
MSOLDomaintoFederated command to
convert an existing domain
Article • 10/28/2024

This article provides information about troubleshooting an issue in which users can no
longer access Office 365, Azure, or Microsoft Intune after running the Convert-
MSOLDomaintoFederated command to convert an existing domain from standard

authentication to federated authentication.

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2662960

７ Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024.
To learn more, read the deprecation update . After this date, support for these
modules are limited to migration assistance to Microsoft Graph PowerShell SDK
and security fixes. The deprecated modules will continue to function through
March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with

Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to
the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption
after June 30, 2024.

Symptoms
During setup of single sign-on (SSO) in a Microsoft cloud service such as Office 365,
Microsoft Azure, or Microsoft Intune, you run the Convert-MSOLDomaintoFederated
command to convert an existing domain from standard authentication to federated
authentication. However, after you do this, users who are associated with that domain
can no longer access the cloud service.
Cause
This issue occurs if SSO isn't set up correctly or if the setup isn't completed.

２ Warning

It's a Microsoft best practice to always have at least one administrator user ID that's
associated with the default domain so that administrative access to the
organization isn't lost if SSO is compromised.

Resolution
To resolve this issue, use one of the following methods, as appropriate for your
situation.

Method 1: Troubleshoot SSO setup

Use this method only if all the following conditions are true:

The problem isn't caused by a service outage.

Immediately restoring user access isn't required.

To diagnose and troubleshoot SSO setup, see Troubleshoot single sign-on setup issues
in Office 365, Intune, or Azure .

Method 2: Revert the domain federation back to standard

authentication if the AD FS server isn't available
Use this method only if all the following conditions are true:

The problem is caused by a service outage that requires immediately restoring user
access.
The AD FS server is unavailable.

If these conditions are true, reset the authentication setting for the domain and for each
user account to use standard authentication. To do this, follow these steps:

1. Start the Azure Active Directory module for Windows PowerShell. To do this, select
Start, select All Programs, select Windows Azure Active Directory, right-click
Windows Azure Active Directory module for Windows PowerShell, and then
select Run as administrator.
 2. To convert the domain, run the following commands in the order in which they are
presented. Press Enter after you type each command.

PowerShell

$cred = Get-Credential

When you're prompted, enter cloud service administrator credentials that are not
SSO-enabled.

PowerShell

Connect-MsolService -credential $cred

PowerShell

Set-MSOLDomainAuthentication -Authentication Managed -DomainName

<federated domain name>

７ Note

In this command, the placeholder <federated domain name> represents the

name of the domain for which SSO isn't working.

3. For each user who has a user principal name (UPN) suffix that's associated with the
domain, run the following command:

PowerShell

Convert-MSOLFederatedUser -UserPrincipalName <string>

７ Note

In this command, the placeholder <string> represents the value of the UPN
for the user who is being converted.

More information

） Important
 In scenarios in which the last Microsoft cloud services organization administrator is
assigned the domain suffix of a federated domain and in which that administrator
becomes SSO-enabled, subsequent AD FS failures will limit running the connect-
MSOLService command and may prevent the remediation of SSO problems. It's a
best practice recommendation that Microsoft cloud services organization
administrators always keep at least one global administrator account that isn't SSO-
enabled to allow for troubleshooting SSO problems by using the Azure Active
Directory module for Windows PowerShell.

If this problem occurs, contact Microsoft Support to have the domain federation
reversed temporarily so that the administrator (who is no longer SSO-enabled) can
regain access to troubleshoot SSO-related problems.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Can't sync SystemMailbox or
DiscoveryMailboxSearch accounts using
Azure Active Directory Sync tool
Article • 10/28/2024

This article provides information about resolve a problem in which you receive errors
when trying to use the Azure Active Directory Sync tool to synchronize the
SystemMailbox and DiscoverySearchMailbox user accounts.

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2804688

Symptoms
When you use the Microsoft Azure Active Directory Sync tool to sync the following user
accounts, you receive directory synchronization errors:

SystemMailbox{1f05a927-beed-480c-b962-
da8d1d7e16a8}@<DomainNameName>
SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}@<DomainName>
DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-
7E09334BB852}@<DomainNameName>

Cause
This issue occurs if the three user accounts that were created during Microsoft Exchange
Server 2010 installation are missing the attribute data. In this case, the attribute data is
used by the Azure Active Directory Sync tool to filter out these user accounts and stop
them from being synced to the cloud.

Resolution
To resolve this issue, use one of the following methods, as appropriate for your
situation.

Method 1
On the domain controller or a computer on which the Active Directory Domain Services
Administration Tools are installed, follow these steps:

1. Open Active Directory Users and Computers.

2. On the View menu, select Advanced Features.

3. Select the Users container.

4. Double-click each SystemMailbox user account, and then follow these steps for
each account:
a. Select Attribute Editor.
b. Find the mailNickName attribute, and then populate the attribute by using the
value that's included in the mail attribute.
c. Select OK.

5. Double-click each DiscoverySearchMailbox user account, and then follow these

steps for each account:
a. Select Attribute Editor.
b. Find the mailNickName attribute, and then populate the attribute by using the
value that is included in the mail attribute.
c. Find the msExchRecipientTypeDetails attribute, and then set the value of the
attribute to 536870912.
d. Select OK.

Method 2

On the computer on which the Directory Sync tool is installed, follow these steps:

1. Open an elevated command prompt.

2. Open Windows PowerShell, type Import-Module DirSync , and then press Enter.

3. After the Windows PowerShell session starts, run the following cmdlet:

PowerShell

Start-OnlineCoexistenceSync

If the methods did not work, see Recreate missing arbitration mailboxes.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Security group is still mail-enabled after
it is disabled through a sync in on-
premises AD
Article • 10/28/2024

This article provides information about resolving an issue in which a security group
remains mail-enabled after it is disabled through a sync in on-premises AD.

Original product version: Microsoft Entra ID

Original KB number: 4096314

Symptoms
Consider the following scenario:

You have a security group that has an email address that is specified in on-
premises Active Directory (on-premises AD).
The security group is synchronized to Microsoft Entra ID.
You remove the email address from the security group in on-premises AD.
You run a synchronization. In this scenario, the security group remains mail-
enabled, and it still has the original email address that was assigned to it in
Microsoft Entra ID.

Cause
When a mail-enabled security group is synchronized to Microsoft Entra ID, the email
address that uses the original domain ( onmicrosoft.com ) is appended to the group as
the secondary email address. If you delete the primary email address, the email address
that has the original domain becomes the primary email address.

The following is the impact of this issue:

The affected group does not exist in Global Address List (GAL) for on-premises
users, so the user cannot choose the group in the From filed when they send
emails.
For Exchange Online users, the affected group can be found in GAL to choose
from. However, email does not reach the recipient since the group's mail address
was changed to alias@contoso.onmicrosoft.com .
 On-premises users cannot use the affected group to set permission such as access
to a shared calendar.
For Exchange Online users, the affected group can be used to set access to a
calendar.

Workaround
To work around this issue, use one of the following methods:

Delete the security group from the Admin Portal, and then run the synchronization
again.

Move the security group to another organizational unit (OU) that has not been
synchronized (filtered out). When you do this, the group is removed from the
cloud. Then, move the group back to the original OU.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Microsoft Entra joined computers
experience a three hours delay during
boot
Article • 10/28/2024

Original product version: Microsoft Entra ID

Original KB number: 4565997

Symptoms
Consider the following scenario:

1. You are using Microsoft Entra Connect to federate (synchronize) users from an on-
premises Active Directory domain to Microsoft Entra ID.
2. The computer is Microsoft Entra joined, and the workgroup name is the same as
the on-premises domain's NetBIOS name.
3. You have logged on to this computer with a federated user at least once.

In this case, the computer takes approximately three hours to progress to the logon
screen when you restart the OS. During this time, you will see a black screen that
displays an activity icon (a spinning circle of dots). Approximately three hours after
starting, the startup process finishes, and the interactive logon screen is displayed and
the user can log in without issues.

This slow startup experience is not dependent on the hardware configuration.

Computers that have "excellent" hardware specifications can also experience this
problem.

Cause
This issue occurs because Windows unexpectedly evaluates a condition in which a wait
time of 10,000 seconds is initiated. This timeout condition is manifested as a three-hour
startup delay.

７ Note

For reference, 10,000 seconds = 167 minutes = 2 hours 47 minutes.

Resolution
To resolve this issue, use a workgroup name that does not match the NetBIOS name of
the on-premises domain.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Directory synchronization to Microsoft
Entra ID stops or you're warned that
sync hasn't registered in more than a
day
Article • 10/28/2024

This article describes a performance problem in Azure Active Directory Sync Tool. The
tool either stops syncing, or reports that sync hasn't run in more than 24 hours.

Original product version: Microsoft Entra ID, Microsoft Intune, Azure Backup, Office 365
Identity Management
Original KB number: 2882421

７ Note

Was this article helpful? Your input is important to us. Please use the Feedback
button on this page to let us know how well this article worked for you or how we
can improve it.

Symptoms
You experience one of the following symptoms:

The Microsoft Azure Active Directory Sync Tool stops syncing.

You receive email messages that say that Microsoft Entra ID didn't register a
synchronization attempt in the last 24 hours.
In the MIISClient.exe tool, you receive a "Stopped-Server-Down" message or a
"Stopped-Extension-DLL-Exception" message.
You're unable to start one or more of the directory synchronization services.

７ Note

By default, directory synchronization runs every three hours.

Cause
This issue may occur if one or more of the following conditions are true:

The work or school account that was used in the configuration wizard to set up
directory synchronization has one of the following problems:
The account was deleted.
The account was disabled.
The account password expired.

The logon account for one or more directory synchronization services has one of
the following problems:
The account was deleted.
The account was disabled.
The account password expired.

７ Note

The logon account for the directory synchronization service is automatically

configured and should not be modified.

The admin account that's used for directory synchronization was changed.

You have network connection issues.

Directory synchronization services are stopped.

Resolution

Method 1: Manually verify that the service is started and

that the admin account can sign in
1. Select Start, select Run, type Services.msc, and then select OK.

2. Locate the Microsoft Entra Synchronization appliance service, and then check
whether the service is started. If the service isn't started, right-click it, and then
select Start.

If you're using the Azure Active Directory Sync Tool, look for Azure Active
Directory Sync Service.
If you're using Microsoft Entra Connect, look for Microsoft Azure AD Sync.

3. Verify that the admin account that's being used for directory synchronization still
exists. And verify that the account is allowed to sign in. If the account still exists,
 reset the password, and then verify that you can sign in. If you're prompted,
change the password.

If you don't know the global administrator account that's used to configure
directory synchronization, follow these steps on the server on which you installed
the directory synchronization appliance:

a. Go to %ProgramFiles%\Microsoft Azure AD Sync\UIShell\ , and then run

Miisclient.exe.

７ Note

If you're using Microsoft Entra Connect or the Azure Active Directory Sync
Service, select Start, and then search for and open Synchronization
Service.

b. Select Connectors, and then double-click the Microsoft Entra connector.

c. Select Connectivity.

d. Make note of the UserName value. It's the global administrator account that's
used to configure directory synchronization.

4. On the directory synchronization server, run the Microsoft Entra Synchronization

appliance configuration wizard. Type the new password for the admin account
that's used for directory synchronization, and then follow the remaining steps in
the wizard.

5. When you're prompted, select the Force directory synchronization check box.

Method 2: Resolve the problem with the logon account

for the directory synchronization service
1. Select Start, select Run, type Services.msc, and then select OK.

2. Locate the Microsoft Entra Synchronization appliance service:

If you're using the Azure Active Directory Sync Tool, look for Azure Active
Directory Sync Service.
If you're using Microsoft Entra Connect, look for Microsoft Azure AD Sync.
Right-click the service, and then select Properties. On the Log On tab, note
the account name that's listed.
 ７ Note

Reconfiguring any of the directory synchronization services to log on as a

local system account isn't supported and may introduce problems.

3. On a domain controller or a computer that has the Administration Tools installed,

open Active Directory Users and Computers (Dsa.msc), right-click the domain
name, and then select Find. Type the name of the account that you noted in step 2,
and then select Find now.

If you find the account, go to step 4.

If you can't find the account, it may have been deleted. For more information
about how to restore this account, see Active Directory Recycle Bin Step-by-
Step Guide. If you can't restore the account, you must uninstall and then
reinstall the directory synchronization client.

4. Right-click the account, and then select Properties. On the Account tab, under
Account options, follow these steps:
a. Make sure that the Password never expires check box is selected.
b. Make sure that the Account is disabled check box is cleared. Then, take one of
the following actions:

If the Account is disabled check box is selected, clear it to enable the

account. Then, restart the Microsoft Entra Synchronization appliance service.
To do so, select Start, select Run, type Services.msc, and then select OK.
Locate the service, right-click it, and then select Restart.
If you're using the Azure Active Directory Sync Tool, look for Azure Active
Directory Sync Service.
If you're using Microsoft Entra Connect, look for Microsoft Azure AD Sync.
If the Account is disabled check box is already cleared, go to step 5.

5. If the Account is disabled check box is already cleared, it's possible that the
password for the account was manually changed. To set a new password, open
Active Directory Users and Computers, locate and right-click the account, and then
select Reset Password to reset the password. Note the password that you set
because you'll have to use it in the next step.

6. Set the password on the logon account for the directory synchronization services:

a. select Start, select Run, type Services.msc, and then select OK.

b. Set the password for the following services, depending on the client that you're
using. To do so, right-click the appropriate service, select Properties, select the
 Log On tab, and then type the password.

ﾉ Expand table

Microsoft Entra Synchronization client Microsoft Entra Connect

Forefront Identity Manager Synchronization Service Azure AD Sync

SQL Server (MOSONLINE) (if present)
Azure Active Directory Sync Service

c. Start the service or services for which you set the new password.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Email addresses aren't synced to
Microsoft Entra ID
Article • 10/28/2024

This article describes an issue in which users are synced to Microsoft Entra ID but one or
more SMTP proxy addresses aren't synced. This issue occurs if duplicate SMTP proxy
addresses exist.

Original product version: Microsoft Entra ID

Original KB number: 3166798

Symptoms
Although your users are synced to Microsoft Entra ID, one or more SMTP proxy
addresses aren't synced. Additionally, you may see a message that resembles one of the
following:

In the Office 365 portal:

There is an error on one or more user accounts. To see which users are affected and
the detailed error message, select the "users with errors" view, and then select the
user's display name.

We detected a duplicate Proxy address conflict on the value <value>. All attribute
values need to be unique across objects. To resolve this conflict, first determine
which object should be using the conflicting value. Then, update or remove the
conflicting value from the other object(s). This error was detected on <Date and
Time>.

From an email report:

This object has been updated in your Microsoft Entra ID, but with some modified
properties, because the following attributes are associated with another object
[ProxyAddresses SMTP: john@contoso.com ;].

This issue occurs if another object has the same SMTP proxy address.

Resolution
To resolve this issue, find the users who have duplicate SMTP proxy addresses, and then
change the addresses so that they are unique. To do this, follow these steps.

Step 1: Check your local directory

Use the IdFix DirSync Error Remediation Tool to identify duplicate or invalid attributes.

To resolve duplicate attributes by using the IdFix Tool, see "Duplicate" is displayed in the
ERROR column.

For more information about the IdFix tool, go to IdFix DirSync Error Remediation Tool .

Step 2: Check Microsoft Entra ID

You can use the Office 365 portal or the Azure Active Directory module for Windows
PowerShell to check Microsoft Entra ID for duplicate attributes.

７ Note

The report in the Office 365 portal only displays user objects that have these errors.
The report doesn't show information about conflicts between groups, contacts, or
public folders. See Method 2 to learn how to view conflicts for the other objects.

Method 1: Use the Office 365 portal

1. Sign in to the Office 365 portal (https://portal.office.com ) as an administrator.

2. In the Microsoft 365 admin center, go to Users, and then select Active users.

A warning at the top of the page is displayed if there are duplicate attribute
conflicts on any object in your organization.

3. To filter the view to display only users with errors, select Users with errors.

4. Select an object to view details about the conflict. This information is displayed in
the lower-right corner of the page.

5. Change the email address so that it's unique.

Method 2: Use the Azure AD module for Windows PowerShell

To learn more about how to use the Azure AD module for Windows PowerShell to
identify objects that have duplicate values, see Identity synchronization and duplicate
attribute resiliency.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Password Hash Sync is automatically
enabled during Microsoft Entra Connect
Pass-through Authentication
Article • 10/28/2024

This article can help you fix a problem in which Password Hash Synchronization is
automatically enabled in Microsoft Entra connector.

Original product version: Microsoft Entra ID

Original KB number: 4051623

The following versions of Microsoft Entra Connect have issues that affect the Change
user sign-in task:

1.1.557.0
1.1.558.0
1.1.561.0
1.1.614.0

These issues affect the Pass-through Authentication users who don't want to use
Password Hash Synchronization.

The issues are fixed in Microsoft Entra Connect version 1.1.644.0.

Problem 1: Password Synchronization is

enabled when User sign-in method is set to
Pass-through Authentication

Scenario 1
You have an existing Microsoft Entra Connect deployment that has both Password
Synchronization and Pass-through Authentication disabled.
After you enable Pass-through Authentication by using the Change user sign-in
task, Password Hash Synchronization is automatically enabled.

Scenario 2
 You have an existing Microsoft Entra Connect deployment that has Password
Synchronization disabled and Pass-through Authentication enabled.
After you enable or disable the Seamless Single Sign-on option by using the
Change user sign-in task, Password Hash Synchronization is automatically enabled.

Background information about this issue

Prior to Microsoft Entra Connect version 1.1.557.0, Password Synchronization was a
prerequisite for enabling Pass-through Authentication. Therefore, Password
Synchronization was enabled when Pass-through Authentication was enabled.
Because Password Synchronization is no longer required for Pass-through
Authentication, we changed this process in Microsoft Entra Connect version
1.1.557.0 so that it does not enable Password Synchronization when Pass-through
Authentication is enabled during a Microsoft Entra Connect installation.
However, the same change was not applied to the Change user sign-in task. If you
use the task to enable Pass-through Authentication to an existing Microsoft Entra
Connect deployment, Password Synchronization is automatically enabled. This
issue is fixed in Microsoft Entra Connect version 1.1.644.0 to make sure that
Password Hash Synchronization remains disabled when Pass-through
Authentication is enabled by using the Change user sign-in task.

Problem 2: Incorrect prompt about

disabled Password Synchronization if User sign-
in method is set to Pass-through
Authentication
You have an existing Microsoft Entra Connect deployment that has Password
Synchronization enabled and Pass-through Authentication disabled.
After you enable Pass-through Authentication by using the Change user sign-in
task, Password Hash Synchronization remains enabled.

Background information about this issue

By design, if Password Hash Synchronization is enabled, changing the user sign-in task
to any other option does not disable Password Hash Synchronization. This issue is fixed
in Microsoft Entra Connect version 1.1.644.0 to prevent the display of the prompt
window that states that Password Hash Synchronization is disabled.
Resolution
To resolve this issue, follow these steps:

1. Run Microsoft Entra Connect, and then select View current configuration. In the
details pane, check whether Password synchronization is enabled on your tenant.

2. Disable the Password synchronization feature. To do this, follow these steps:

a. Run Microsoft Entra Connect, and then select Configure.
b. Select the Customize synchronization options task.
c. On the Optional features page, clear the Password synchronization feature
check box.
d. Complete the wizard.

Optionally, if you want to clear password hashes that are already synchronized to
Microsoft Entra ID, follow these steps:

1. Make sure that the Password writeback feature is disabled on your tenant. To do
that, follow these steps:
a. Run Microsoft Entra Connect, and then select Configure.
b. Select the Customize synchronization options task.
c. On the Optional features page, clear the Password writeback feature check
box.
d. Complete the wizard.
 2. Use the Set-MsolUserPassword cmdlet to set random passwords on all affected
users. You have to run this cmdlet five times for each user because Microsoft Entra
ID stores the last four password hashes in the password hash history.

７ Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024.
To learn more, read the deprecation update . After this date, support for these
modules are limited to migration assistance to Microsoft Graph PowerShell SDK
and security fixes. The deprecated modules will continue to function through
March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with

Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to
the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption
after June 30, 2024.

７ Note

The Set-MsolUserPassword cmdlet does not work if the user is using a federated
domain. To clear password hashes for the user in the federated domain, you must
change the UPN of the user to a non-federated domain, and then run the cmdlet to
set the random password. After that, revert the UPN of the user to the original
state.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when upgrading Microsoft Entra
Connect: Unable to install the
synchronization service
Article • 10/28/2024

Original product version: Office 365 Identity Management, Microsoft Entra ID

Original KB number: 4054462

Symptoms
When you try to upgrade Microsoft Entra Connect, you receive the following error
message:

An Error occurred while Upgrading from Azure Active Directory Sync. Unable to
upgrade the Synchronization Service. Please see the Event log for additional details.

The detailed event log resembles the following:

Date/Time[ 12] [INFO ] ServiceControllerProvider: StartService status: Running

Date/Time[ 12] [ERROR] Error during sync engine upgrade. System.Exception:
Unable to upgrade the Synchronization Service. Please see the event log for
additional details. --->
Microsoft.Azure.ActiveDirectory.Client.Framework.ProcessExecutionFailedException:
Error installing msi package 'Synchronization Service.msi'. Full log is available at
'C:\ProgramData\AADConnect\Synchronization Service_Install-DateTime.log'.

Action startTime: DetectServiceAccount. CustomAction DetectServiceAccount

returned actual error code 1603 (note this may not be 100% accurate if translation
happened inside sandbox) Action endedTime: DetectServiceAccount. Return value 3.
Action endedTime: INSTALL. Return value 3. MSI (s) (14:AC)Time: Note: 1: 1708 MSI
(s) (14:AC)Time: Product: Microsoft Entra Connect synchronization services --
Installation operation failed. MSI (s) (14:AC)Time: Windows Installer installed the
product. Product Name: Microsoft Entra Connect synchronization services. Product
Version: 1.1.614.0. Product Language: 1033. Manufacturer: Microsoft Corporation.
Installation success or error status: 1603. MSI (s) (14:AC)Time: Deferring clean up of
packages/files, if any exist MSI (s) (14:AC)Time: MainEngineThread is returning 1603
MSI (s) (14:80)Time: RESTART MANAGER: Session closed.
Cause
The underlying service account was configured by using the user principal name (UPN)
instead of Domain\SamAccountName.

Resolution
To resolve this issue, follow these steps:

1. Start the Service Console on the Microsoft Entra Connect server.

2. Locate the Microsoft Azure AD Sync service, and then right-click the service.
3. Select Properties, and then select Logons.
4. Set the account by using Domain\SamAccountName instead of using the UPN.
5. Select Apply and OK.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error: 80070005 when you run the Azure
Active Directory Sync Services config
wizard
Article • 10/28/2024

Original product version: Microsoft Entra ID, Microsoft Intune, Azure Backup, Office 365
Identity Management
Original KB number: 2988408

Symptoms
When you run the Azure Active Directory Sync (Azure AD Sync) Services config wizard,
you receive the following message:

Retrieving the COM class factory for remote component with CSLID {...} from
machine ... failed due to the following error: 80070005

Cause
This issue may occur if you're not a member of the ADSyncAdmins group on the local
computer or if you have just installed Azure AD Sync Services.

Resolution
To resolve this issue, sign out and then sign in to the computer. If the issue persists,
follow these steps:

1. Select Start, type compmgmt.msc in the search box, and then press Enter to open
Computer Management.
2. Under Computer Management, expand Local Users and Groups, and then expand
Groups.
3. Make sure that the ADSyncAdmins group exists. If this group is missing, create a
new group, and name it ADSyncAdmins.
4. Add yourself to the ADSyncAdmins group.
5. Sign out, and then sign in to the computer again.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Table-valued parameter errors after
Microsoft Entra Connect is installed on
Windows Server 2019
Article • 10/28/2024

This article describes a problem in which synchronization errors appear after Microsoft
Entra Connect is installed on Windows Server 2019-based servers.

Original product version: Microsoft Entra ID, Windows Server 2019

Symptoms
You experience one or more of various symptoms, such as password hash sync failures
or receiving "staging-error" discovery errors during the import cycle (shown in the
following screenshot).

When this problem occurs, Event ID 6301 is logged in the server Application log, as
follows:

Log Name: Application

Source: ADSync
Date: 8/22/2019 11:11:17 PM
 Event ID: 6301
Task Category: Server
Level: Error
Keywords: Classic
User: N/A
Computer: AADConnect.contoso.com
Description: The server encountered an unexpected error in the synchronization
engine:

"BAIL: MMS(7996): ..\sql.cpp(7524): 0x80004005 > (Unspecified error)

** BAIL: MMS(7996): x:\bt\1011518\repo\src\dev\sync\server\sqlstore\rcvtvp.h(158):

0x80004005 (Unspecified error) **

** BAIL: MMS(7996): x:\bt\1011518\repo\src\dev\sync\server\sqlstore\rcvtvp.h(52):

0x80004005 (Unspecified error) **

BAIL: MMS(7996): ..\sproc.cpp(1124): 0x80004005 (Unspecified error)
BAIL: MMS(7996): ..\csobj.cpp(15789): 0x80004005 (Unspecified error)
BAIL: MMS(7996): ..\tower.cpp(10511): 0x80004005 (Unspecified error)
BAIL: MMS(7996): x:\bt\1011518\repo\src\dev\sync\server\sqlstore\csobj.h(1379):
0x80004005 (Unspecified error)
BAIL: MMS(7996): ..\csobj.cpp(1368): 0x80004005 (Unspecified error)
BAIL: MMS(7996): ..\nscsimp.cpp(531): 0x80004005 (Unspecified error)
BAIL: MMS(7996): ..\syncstage.cpp(923): 0x80004005 (Unspecified error)
BAIL: MMS(7996): ..\syncstage.cpp(1666): 0x80004005 (Unspecified error)
BAIL: MMS(7996): ..\syncstage.cpp(414): 0x80004005 (Unspecified error)
Azure AD Sync 1.5.45.0"

This event indicates that an error occurs when Microsoft Entra Connect attempts a read
or write operation over the LocalDB database by using table-valued parameters.

For more information about table-valued parameters, see Use Table-Valued Parameters
(Database Engine).

Cause
This problem is caused by incompatible language settings for programs that do not
support Unicode.
The service account defaults to UTF-8 for worldwide language support when it is
enabled. The LocalDB database version in Windows Server 2019 does not support this
format.

Resolution
To resolve this problem, clear the checkbox next to Beta: Use Unicode UTF-8 for
worldwide language support (shown in the previous screenshot), and then restart the
server.

To change the setting, follow these steps:

1. On the Microsoft Entra Connect server, open Control Panel, and then select Clock,
Language and Region.
2. Select Region.

3. Select the Administrative tab, and then select Change System locale.
4. If the Use Unicode UTF-8 for worldwide language support setting is enabled,
clear it.
 5. Select OK, and then restart the server.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you run the Azure Active
Directory Sync tool configuration
wizard: Failed to get address for
method: CreateIdentityHandle2
Article • 10/28/2024

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 3037953

Symptoms
When you run the Microsoft Azure Active Directory Sync tool configuration wizard, you
receive the following error message:

Failed to get address for method: CreateIdentityHandle2 from library C:\Program

Files\Common Files\Microsoft Shared\Microsoft Online Services\msoidcli.dll.
GetLastError code: 127

Cause
This problem occurs if you're running an earlier version of the Microsoft Online Services
Sign-in Assistant.

Resolution
To resolve this issue, follow these steps:

1. Uninstall any versions of the Microsoft Online Services Sign-in Assistant that are
currently installed on the directory synchronization computer.
2. Install the latest version of the Microsoft Online Services Sign-In Assistant from
Microsoft Online Services Sign-In Assistant for IT Professionals RTW .

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you try to install Azure
Active Directory module for Windows
PowerShell: You must have Windows
PowerShell 2.0 or greater installed
Article • 10/28/2024

This article describes an issue in which you can't install Azure Active Directory module
for Windows PowerShell. It provides a resolution.

Original product version: Microsoft Entra ID, Office 365 User and Domain Management,
Office 365 Identity Management
Original KB number: 2913017

Symptoms
When you try to install Azure Active Directory module for Windows PowerShell, you
receive the following error message:

In order to install Windows Azure Active Directory module for PowerShell, you must
have Windows PowerShell 2.0 or greater installed on this computer.

Resolution
To resolve this issue, try one of the following methods. If one doesn't work for you, try
another one.

Method 1: Install Azure Active Directory module for

Windows PowerShell when you log on as local admin
1. Log on as a local admin. (Just logging on as a domain admin may not work.)
2. Install Azure Active Directory module for PowerShell.

Method 2: Make sure that Windows PowerShell 2.0 is

enabled
1. Log on as a local admin. (Just logging on as a domain admin may not work.)
 2. In Control Panel, select Programs and Features, or select Uninstall a program
under Programs.
3. Select Turn Window features on or off.
4. In the Windows Feature window, make sure that the Windows PowerShell 2.0
checkbox is selected, and then select OK.
5. Install Azure Active Directory module for PowerShell.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Changes to domain-based filtering in
Synchronization Service Manager fail to
sync
Article • 10/28/2024

This article describes an issue in which changes to domain-based filtering in the Active
Directory management agent or the Active Directory Connector fail to sync.

Original product version: Microsoft Entra ID, Cloud Services (Web roles/Worker roles),
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2998261

Symptoms
After you make a change to domain-based filtering in the Active Directory management
agent or the Active Directory Connector, the run profile action fails to sync. In this
situation, you receive the following error message:

missing-partition-for-run-step

Additionally, an instance of event ID 6020 is logged in Event Viewer:

Source: FIMSynchronization
Event ID: 6020
Description:
The management agent "Active Directory Connector" failed on run profile "Delta
Sync" because a partition specified in the configuration could not be located.
User Action
Refresh and verify the partition configuration for the management agent and the
target partition.

Cause
This issue may occur if the run profile isn't updated.

Resolution
If you're removing a domain from the sync process
1. In Synchronization Service Manager, select the Management Agents tab or the
Connectors tab.
2. Right-click the management agent or the Connector type for Active Directory
Domain Services, and then select Configure Run Profiles.
3. Look for the step that has a Partition value that contains a string of alphanumeric
characters (for example, {B3C9A66A-4C9C-457A-97B9-A0107037A416}), and then
select Delete Step.
4. Select Apply, and then select OK.
5. Repeat steps 3-4 for each run profile.
6. Right-click the same management agent or Connector again, and then select Run.
7. Select Full Sync, and then select OK.

If you're adding a domain to be synced

1. In Synchronization Service Manager, select the Management Agents tab or the
Connectors tab.
2. Right-click the management agent or the Connector type for Active Directory
Domain Services, and then select Configure Run Profiles.
3. In the navigation pane (on the left), select a Management Agent run profile.
4. Select New Step.
5. Under Type, select the option that resembles the run profile that you selected in
step 3, and then select Next.
6. Under Partition, select the domain that you want to add, and then select Finish.
7. Repeat steps 3-6 for each run profile.
8. Right-click the same management agent or Connector again, and then select Run.
9. Select Full Sync, and then select OK.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

High CPU usage in Microsoft Entra
Connect Health for Sync
Article • 10/28/2024

This article provides information about resolving an issue in which high CPU usage
occurs in Microsoft Entra Connect Health for Sync.

Original product version: Microsoft Entra ID

Original KB number: 4346822

Symptoms
You experience slow performance and high CPU usage (up to 100 percent) on a
computer that runs the Microsoft Entra Connect Health for Sync monitoring agent. In
Task Manager, you notice that the
Microsoft.Online.Reporting.MonitoringAgent.Startup process is causing the high CPU
usage.

７ Note

This issue is not limited to any specific Microsoft Entra Connect Health versions or
operating system versions.

Cause
This issue occurs because the June 2018 update for .NET Framework 4.7.2 is installed on
the computer, and the Microsoft Entra Connect Health for Sync monitoring agent does
not fully support this update.

The following .NET Framework update would cause the high CPU issue by the
monitoring agent.

ﾉ Expand table

.NET Framework update System version

KB4338420 Windows Server 2008

KB4338606 Windows Server 2008 R2

 .NET Framework update System version

KB4054542 Windows Server 2012

KB4054566 Windows Server 2012 R2

KB4054590 KB4338814 KB4338419 KB4338605 KB4345418 General

Resolution

For Connect Health for AD DS and AD FS

To resolve this issue for Active Directory Domain Services (AD DS) and Active Directory
Federation Services (AD FS), install the new Microsoft Entra Connect Health
agent version, 3.1.7.0, that was released in July 2018. The agent can be downloaded
from Connect Health public documentation.

For Microsoft Entra Connect

To resolve this issue for Microsoft Entra Connect, install the latest version of Microsoft
Entra Connect .

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when Microsoft Entra Connect
cannot authenticate to Microsoft Entra
ID: Unable to communicate with the
Windows Azure Active Directory service
Article • 10/28/2024

This article provides information about troubleshooting a problem in which your identity
sync client cannot authenticate to Microsoft Entra ID if there is an unauthenticated proxy
server.

Original product version: Microsoft Entra ID

Original KB number: 3013032

Symptoms
If your environment includes an unauthenticated proxy server, your identity sync client
may not authenticate to Microsoft Entra ID.

For example, you experience this issue when you use an identity sync client such as
Microsoft Entra Connect, Azure Active Directory Sync Services (Azure AD Sync), or the
Azure Active Directory Sync Tool.

If you're using Microsoft Entra Connect or Azure AD Sync:

The wizard displays the following configuration error message:

Ready to configure.
We have gathered enough information to configure Azure AD Sync and will now
create a default configuration.
Failed even after 5 retries. Action: PingProvisioningServiceEndPoint, Exception:
Unable to communicate with the Windows Azure Active Directory service. Tracking
ID: 01601250-7951-469c-8973-34e2a8e1ca10 See the event log for more details.

When this problem occurs, an "Error 906" entry that resembles the following is logged in
the Microsoft Entra Connect or Azure AD Sync log. This entry indicates that the identity
sync appliance tries to make a direct connection to the Internet.

AzureActiveDirectoryDirectorySyncTool Error: 906 :

System.Management.Automation.CmdletInvocationException: Failed even after 5
 retries. Action: PingProvisioningServiceEndPoint, Exception: Unable to communicate
with the Windows Azure Active Directory service. Tracking ID: 90edf657-f63e-46cc-
94ec-df88817f4c73 See the event log for more details.. --->
Microsoft.IdentityManagement.PowerShell.ObjectModel.SynchronizationConfigurati
onValidationException: Failed even after 5 retries. Action:
PingProvisioningServiceEndPoint, Exception: Unable to communicate with the
Windows Azure Active Directory service. Tracking ID: 90edf657-f63e-46cc-94ec-
df88817f4c73 See the event log for more details..

If you're using the Azure Active Directory Sync Tool:

The following Directory Synchronization event ID 0 is logged in the Application log of

the identify sync client computer:

Log name: Application

Source: Directory Synchronization
Event ID: 0
Task Category: None
Level: Error
Description:
Unable to establish a connection to the authentication service. Contact Technical
Support.0 GetAuthState() failed with -2147186688 state. HResult:0. Contact Technical
Support. (0x80048862)

Additionally, a Network Monitor (Netmon.exe) trace indicates that the Microsoft Online
Services Sign-in Assistant uses the proxy and accesses login.microsoftonline.com .

Cause
This problem occurs because the Microsoft .NET Framework on which your identity sync
appliance is based doesn't recognize your proxy settings.

Resolution
To fix this issue, follow these steps:

1. Open the following file:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config .

2. Add the following text to the end of the file:

 <system.net> <defaultProxy> <proxy usesystemdefault="true"
proxyaddress="http://<PROXYIP>:80" bypassonlocal="true" /> </defaultProxy>

</system.net>

７ Note

In this text, the placeholder <PROXYIP> represents the actual proxy IP

address. For more information about the proxy settings in this context, see
Element (Network Settings).

More information
For more information, see Error on .NET client that consumes a web service through an
HTTP proxy server .

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error (LogonUser() Failed with error
code: 1789) after you enter enterprise
administrator credentials in the Azure
Active Directory Sync tool Configuration
Wizard
Article • 10/28/2024

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2508225

Symptoms
After you enter your enterprise admin credentials in the Microsoft Azure Active
Directory Sync Tool Configuration Wizard, you receive the following error message:

LogonUser() Failed with error code: 1789

Cause
This issue typically occurs when the computer on which you're running the Directory
Sync tool can't authenticate with Active Directory.

Resolution
To resolve this issue, use one or more of the following methods:

Restart the computer.

Join the computer to a workgroup and then join the computer back to the domain.

1. Select Start, right-click Computer, and then select Properties.

2. Under Computer name, domain, and workgroup settings, select Change
Settings.
3. Select the Computer Name tab, and then select Change.
4. Select the Workgroup option, and then type a workgroup in the Workgroup
dialog box.
5. Restart the computer.
 6. Repeat steps 1 through 3.
7. Select the Domain option, and then type the domain name in the Domain
dialog box to add the computer back to the domain.
8. Restart the computer.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Resolve Model database corruption in
SQLLocalDB
Article • 10/28/2024

This article describes a known issue in the SQLLocalDB utility that can prevent the
ADSync service from starting because of a corrupted Model database. This issue mainly
affects Microsoft Entra Connect 2.x servers that run on a Microsoft SQL Server 2019
LocalDB.

The issue is caused by a bug in the SQL Server backup logic that creates an inconsistent
state in the SQL Server Model database start page. After a backup occurs, the Model
database is set to FULL recovery mode ( dbi_status == 0x40010000), and the
dbi_dbbackupLSN (the log sequence number (LSN) for the database backup) is set to a

value that points to a log file. However, the actual recovery mode that is governed by
the Master database is SIMPLE .

In SIMPLE recovery mode, database logs are truncated automatically. In FULL recovery
mode, logs are truncated only after a backup. When SQLLocalDB is restarted after the
log file is truncated, it detects a backup LSN that's earlier than the earliest log file.
Therefore, it won't start the service.

Review the guidance in the next sections to learn how to do the following tasks:

Correctly identify whether the Microsoft Entra Connect service (ADSync) doesn't
start because of Model database corruption.

Mitigate the issue by recovering the Model database from a corrupted state.

Apply a permanent fix to make sure that this Model database corruption doesn't
occur again.

Symptoms
You can verify that the issue is based on the following events in the Microsoft Entra
Connect server:

Event Viewer: Application, EventID 528, Source: SQLLocalDB 15.0

Output
 WaitForMultipleObjects
575
{Application Error}
The application was unable to start correctly (0x%lx). Click OK to
close the application.
3714

Event Viewer: Application, EventIDs 2005 and 6226, Source: ADSync

Output

0x8023044a
OriginalError=0x80004005 OLEDB Provider error(s):
Description = 'Login timeout expired'
Failure Code = 0x80004005

SQLLocalDB error.log file in <ADSync service profile

path>\AppData\Local\Microsoft\Microsoft SQL Server Local
DB\Instances\ADSync2019

Output

<yyyy-MM-dd HH:mm:ss.##> spid14s The resource database build

version is 15.00.4138. This is an informational message only. No user
action is required.
<yyyy-MM-dd HH:mm:ss.##> spid8s Starting up database 'msdb'.
<yyyy-MM-dd HH:mm:ss.##> spid14s Starting up database 'model'.
<yyyy-MM-dd HH:mm:ss.##> spid14s Error: 9003, Severity: 20, State:
1.
<yyyy-MM-dd HH:mm:ss.##> spid14s The log scan number (41:488:1)
passed to log scan in database 'model' is not valid. This error may
indicate data corruption or that the log file (.ldf) does not match the
data file (.mdf). If this error occurred during replication, re-create
the publication. Otherwise, restore from backup if the problem results
in a failure during startup.
<yyyy-MM-dd HH:mm:ss.##> spid14s SQL Trace was stopped due to
server shutdown. Trace ID = '1'. This is an informational message only;
no user action is required.

Mitigation

） Important

Only apply the mitigation steps that are described here if all of these conditions
occur:
 The version of Microsoft Entra Connect is 2.0.x.x.

Microsoft Entra Connect is installed with SQL LocalDB.

All of the conditions that are listed in Symptoms are present.

To recover the Model database from a corrupted state, follow these steps:

1. Go to one of the following ADSync Service profile locations, depending on the

service account that's running (such as a domain account, virtual service account,
or managed service account):

C:\Users\<service account>\
C:\Users\ADSyncMSAxxxx$\
C:\Windows\ServiceProfiles\ADSync\

2. Open the error.log file from the ADSync2019 instance folder in the following
directory path:

<service profile path>\AppData\Local\Microsoft\Microsoft SQL Server Local

DB\Instances\ADSync2019\

3. Find the following error entry in the log to verify that the Model database is
corrupted:

Output

<yyyy-MM-dd HH:mm:ss.##> spid14s Error: 9003, Severity: 20, State:

1.
<yyyy-MM-dd HH:mm:ss.##> spid14s The log scan number (41:488:1)
passed to log scan in database 'model' is not valid. This error may
indicate data corruption or that the log file (.ldf) does not match the
data file (.mdf). If this error occurred during replication, re-create
the publication. Otherwise, restore from backup if the problem results
in a failure during startup.

4. If error "9003" exists in this entry, rename the model.mdf and modellog.ldf files in
this folder to old_model.mdf and old_modellog.ldf, respectively.

5. Open the SQL Templates folder at C:\Program Files\Microsoft SQL

Server\150\LocalDB\Binn\Templates.

6. Copy the model.mdf and modellog.ldf files to the ADSync2019 instance folder from
step 2.

7. Start the ADSync service.

Solution
Microsoft has introduced a fix for this issue in Microsoft Entra Connect version 2.1.1.0. If
the sync service (ADSync) can't be started, you need to apply the steps in the Mitigation
section before you can upgrade Microsoft Entra Connect.

To prevent the corruption issues in the SQLLocalDB Model database, install the latest
Microsoft Entra Connect build, which is available at Microsoft Entra Connect: Version
release history.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you try to install the Azure
Active Directory Sync Tool: The
computer must be joined to a domain
Article • 10/28/2024

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2419250

Symptoms
When you try to install the Microsoft Azure Active Directory Sync Tool, you may receive
the following error message:

The computer must be joined to a domain.

Cause
This issue may occur if the computer isn't joined to an Active Directory Domain Services
(AD DS) domain or if the computer doesn't register a host (A) resource record with its
Domain Name System (DNS).

Resolution
To resolve this issue, use one of the following methods.

Method 1: Computer isn't joined to an AD DS domain

Join the computer to an AD DS domain. To do this, follow these steps:

1. On the computer that you want to join to a domain, select Start, select Control
Panel, and then double-click System.
2. Under Computer name, domain, and workgroup settings, select Change settings.
3. On the Computer Name tab, select Change.
4. Under Member of, select Domain, type the name of the domain that this
computer will join, and then select OK.
5. Select OK, and then restart the computer.
Method 2: Computer is already joined to an AD DS
domain
If the computer is already joined to an AD DS domain, make sure that the computer's
DNS settings are correct and that a host (A) resource record for the computer is
registered with DNS. To do this, follow these steps:

1. Open Network Connections.

2. Right-click the network connection that you want to set up, and then select
Properties.

3. Do one of the following, as appropriate for the connection that you want to set up:

For a local area connection: On the General tab, select Internet Protocol
(TCP/IP), and then select Properties.
For all other connections: On the Networking tab, select Internet Protocol
(TCP/IP), and then select Properties.

4. If you want to obtain DNS server addresses from a Dynamic Host Configuration
Protocol (DHCP) server, select Obtain DNS server address automatically.

5. If you want to configure DNS server addresses manually, select Use the following
DNS server addresses. In the Preferred DNS server box, type the IP addresses of
the preferred DNS server. In the Alternate DNS server box, type the IP addresses
of the alternative DNS server.

6. Select OK two times, and then close Network Connections.

7. At a command prompt, type the following commands, and press ENTER after each
command:

Console

ipconfig /flushdns

Console

ipconfig /registerdns

8. If the issue isn't resolved, restart the computer that has Directory Sync Tool
installed.
 9. If the issue still isn't resolved, make sure that the computer that has the Directory
Sync Tool is installed can communicate with the computer that's running AD DS.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Number added to user names and email
addresses when users are synced to
Microsoft Entra ID
Article • 10/28/2024

This article provides information about troubleshooting an issue in which a number is

added to user names and email addresses when users are synced to Microsoft Entra ID.
This issue occurs if there are duplicate user principal names (UPN).

Original product version: Microsoft Entra ID

Original KB number: 3166795

Symptoms
When users are synced to Microsoft Entra ID, a number is added to their UPN and SMTP
proxy address. For example: john1234@contoso.onmicrosoft.com .

７ Note

When users are created in Microsoft Entra ID, their user principal name (UPN) will
also be used as one of the SMTP proxy addresses. Therefore, the SMTP proxy
address will also contain the number.

Additionally, you may see one of the following messages:

In the Office 365 portal:

There is an error on one or more user accounts. To see which users are affected and
the detailed error message, select the "users with errors" view, and then click the
user's display name.

[DIRSYNC ERROR]: This User has been synced to your Microsoft Entra ID, but we had
to modify the UserPrincipalName property from john@contoso.com to
john1234@contoso.onmicrosoft .com because an existing user, john@contoso.com , was

already created with this value. john@contoso.com to

john1234@contoso.onmicrosoft.com because an existing user, john@contoso.com , was

already created with this value.

From an email report:

This object has been updated in your Microsoft Entra ID, but with some modified
properties, because the following attributes are associated with another object
[ProxyAddresses SMTP: john@contoso.com ;].

This object has been updated in your Microsoft Entra ID, but with some modified
properties, because the following attributes are associated with another object
[UserPrincipalName john@contoso.com ;].

This issue occurs if another object has the same UPN.

Resolution
To resolve this issue, find the users who have duplicate UPNs, and then change the
UPNs so that they are unique. To do this, follow these steps.

Step 1: Check your local directory

Use the IdFix DirSync Error Remediation Tool to identify duplicate or invalid attributes.

To resolve duplicate attributes by using the IdFix Tool, see "Duplicate" is displayed in the
ERROR column .

For more information about the IdFix tool, go to IdFix DirSync Error Remediation Tool .

Step 2: Check Microsoft Entra ID

You can use the Office 365 portal or the Azure Active Directory module for Windows
PowerShell to check Microsoft Entra ID for duplicate attributes.

Method 1: Use the Office 365 portal

1. Sign in to the Office 365 portal as an administrator.

2. In the Microsoft 365 admin center, go to Users, and then select Active users.

A warning at the top of the page is displayed if there are duplicate attribute
conflicts on any object in your organization.
 3. Select an object to view details about the conflict. This information is displayed in
the lower-right corner of the page.

4. Change the user name so that it's unique.

Method 2: Use the Azure AD module for Windows PowerShell

To learn more about how to use the Azure AD module for Windows PowerShell to
identify objects that have duplicate values, see Identity synchronization and duplicate
attribute resiliency.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

An error displays in a directory
synchronization report: This company
has exceeded the number of objects
that can be synchronized
Article • 10/28/2024

This article describes how to increase the Active Directory directory service quota for
directory synchronization in an Office 365, Azure, or Microsoft Intune environment.

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 User and Domain Management
Original KB number: 2812409

Symptoms
You receive an email message from MSOnlineServicesTeam@MicrosoftOnline.com that
contains the following error message:

Error 016: Synchronization has been stopped. This company has exceeded the
number of objects that can be synchronized. Contact Microsoft Online Services
Support.

７ Note

This article can also be used if you just want to request to increase the directory
service quota in case you're planning to have more than the allowed number of
objects in a Microsoft cloud service such as Office 365, Azure, or Microsoft Intune,
and you don't use Active Directory synchronization. The current directory service
quota in Microsoft Entra ID is 50,000 objects.

Cause
This issue occurs because the number of objects that you created in your Microsoft
Entra ID exceed your directory service limit. Microsoft Entra ID limits how many objects
can be created by each organization. Groups, contacts, and user objects in your
Microsoft Entra organization are counted as part of your organization's directory usage.
Your default directory service quota is calculated according to the following guidelines:

If you don't have any verified domains, the current directory service quota in
Microsoft Entra ID is 50,000 objects.

1. If your organization was created before October 5, 2011, your default

directory service quota is 10,000 objects.
2. If your organization was created after October 5, 2011 and before May 2012,
your default directory service quota is 20,000 objects.
3. If your organization was created after May 2012, your default directory
service quota is 50,000 objects.

If you have at least one verified domain, the default directory service quota in
Microsoft Entra ID is 300,000 objects.

Resolution
When the number of groups, contacts, and user objects in your on-premises Active
Directory exceed your directory service quota, you can request an increase to the
directory service quota limitation for your company. This increase lets you sync more
objects than the current default limit when you use directory synchronization.

To continue to create objects in your organization, you must either add a domain or
request an increase to your directory service quota. To do this, use the following
methods.

Method 1
If you don't have a verified domain, you must add a domain to increase your quota limit
to 300,000 objects. For more information, see Add your domain .

Method 2
If you have more than 300,000 objects in your on-premises Active Directory directory
service, to increase the number of objects that can be synced beyond 300,000, contact
Microsoft Support.

More information
A directory service quota is implemented by using the cloud service as a method to limit
the maximum number of objects that can be created and owned by a single security
principal. All objects that are synced by using directory synchronization to a company
have the creator/owner value set to the default admins group for that company. For
example, the admins group is set as follows: admins@contoso1.microsoftonline.com .
Therefore, this configuration prevents users from creating an unlimited number of
objects by using directory synchronization. If a company has a legitimate need to sync
more than the directory service quota limit, submit a service request to technical
support.

Frequently asked questions

Question 1: Do objects that were manually added through the cloud service portal or
through the cloud service API, such as Exchange Online PowerShell, count against my
online company quota?

Answer 1: Yes.

Question 2: Do deleted objects count against my online company quota?

Answer 2: Yes. When a cloud service customer deletes an object from an online
company, the deleted object is put into a deleted objects container in the directory
service. The object remains in the deleted objects container until the tombstone lifetime
expires. The expiration is currently set to 30 days.

For example, consider the following scenario. An online company is evaluating a cloud
service by using a nonproduction on-premises Active Directory environment. The cloud
service organization was created before October 5, 2011, and the default sync limit is
10,000 objects. The company performs a bulk sync of 8,000 group objects and contact
objects by using the Directory Sync tool. Later, the online company decides to do the
following:

1. Delete those group objects and contact objects from the company's on-premises
nonproduction Active Directory DS environment.
2. Add 8,000 user objects to its on-premises nonproduction Active Directory DS
environment.
3. Sync the updates to its online company.

The 8,000 group objects and contact objects are moved to the deleted objects container
in the directory service. And these objects continue to consume up to 25 percent of the
online company quota until they are permanently removed after the 30-day tombstone
period. (This percentage is equal to 2,000 objects, or 8,000 × 25 percent.) Therefore,
after syncing the 5,000 new user objects, the online company will consume 10,000
objects of its available Active Directory quota, 2,000 from deleted objects plus 8,000
from new user objects. During the 30-day tombstone period (and this period may
coincide with the online company evaluation period), the online company may be
unable to add any additional objects by using directory synchronization. This condition
occurs because the online company's directory service quota has been reached.

In this scenario, the online company that's performing the evaluation of the cloud
service must reduce the number of objects in its nonproduction on-premises Active
Directory DS environment to complete the product evaluation. However, if the online
company can't reduce the number of objects, the company must request an increase in
its directory service quota.

Question 3: Does having more than one verified domain mean that I can have a quota
that's higher than 300,000 objects?

Answer 3: No. You're granted a directory quota of 300,000 objects if you have one or
more verified domains. You're not granted a quota of 300,000 objects for each verified
domain that you register.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Object deletions aren't synchronized to
Microsoft Entra ID when using the Azure
AD Connect
Article • 10/28/2024

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2709902

Symptoms
Consider the following scenario:

You have an on-premises Active Directory object.

Directory synchronization is used to sync the Active Directory object to Microsoft
Entra ID. It creates a linked object.
You delete the on-premises Active Directory object.

In this scenario, the linked object isn't removed from Microsoft Entra ID.

Cause
This issue may occur if one of the following conditions is true:

Directory synchronization hasn't yet occurred.

Directory synchronization unexpectedly failed to delete a specific cloud object and
results in an orphaned Microsoft Entra object.

Resolution
To fix this issue, follow these steps:

1. Ensure that the ADSyncTools module is installed for PowerShell. For more
information, see Microsoft Entra Connect: ADSyncTools PowerShell Reference.

2. Run the following ADSync command to force directory synchronization:

PowerShell
 Start-ADSyncSyncCycle -PolicyType Initial

3. If sync is working correctly but the Active Directory object deletion is still not
propagated to Microsoft Entra ID, manually remove the orphaned object. To do so,
use one of the following cmdlets in Azure Active Directory module for Windows
PowerShell:

PowerShell

Remove-MsolContact

PowerShell

Remove-MsolGroup

PowerShell

Remove-MsolUser

７ Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30,

2024. To learn more, read the deprecation update . After this date, support
for these modules are limited to migration assistance to Microsoft Graph
PowerShell SDK and security fixes. The deprecated modules will continue to
function through March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with

Microsoft Entra ID (formerly Azure AD). For common migration questions,
refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience
disruption after June 30, 2024.

For example, to manually remove orphaned user ID john.smith@contoso.com that

was originally created by using directory synchronization, you would run the
following cmdlet:

PowerShell

Remove-MsolUser -UserPrincipalName John.Smith@Contoso.com

Contact us for help
If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

One or more objects don't sync when using
Azure Active Directory Sync tool
Article • 10/28/2024

This article resolves an issue that one or more Active Directory Domain Services (AD DS) object
attributes don't sync to Microsoft Entra ID through the Azure Active Directory Sync tool.

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID, Microsoft
Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2643629

７ Note

Was this article helpful? Your input is important to us. Please use the Feedback button on this
page to let us know how well this article worked for you or how we can improve it.

Symptoms
One or more AD DS objects or attributes don't sync to Microsoft Entra ID as expected. When Active
Directory synchronization runs, an object doesn't sync, and you experience one of the following
symptoms:

You receive an error message that states that an attribute has a duplicate value.
You receive an error message that states that one or more attributes violate formatting
requirements such as character set or character length.
You don't receive an error message, and directory synchronization seems to be completed.
However, some objects or attributes aren't updated as expected.

Some examples of the error message that you may receive:

A synchronized object with the same proxy address already exists in your Microsoft Online Services
directory.

Unable to update this object because the user ID is not found.

Unable to update this object in Microsoft Online Services because the following attributes
associated with this object have values that may already be associated with another object in your
local directory.

Cause
This issue occurs for one of the following reasons:

The domain value that's used by AD DS attributes hasn't been verified.

One or more object attributes that require a unique value have a duplicate attribute value (such as
the proxyAddresses attribute or the U serPrincipalName attribute) in an existing user account.

One or more object attributes violate formatting requirements that restrict the characters and the
character length of attribute values.

One or more object attributes match exclusion rules for directory synchronization.

The following table shows the default sync scoping rules:

ﾉ Expand table

Object type Attribute name Condition of attribute when

synchronization fails

Contact DisplayName Contains "MSOL"

msExchHideFromAddressLists Is set to "True"

Security-enabled group isCriticalSystemObject Is set to "True"

Mail-enabled groups proxyAddresses Has no "SMTP:" address entry

(security group or
distribution list) and and

mail is not present

Mail-enabled contacts proxyAddresses Has no "SMTP:" address entry

and and

mail is not present

iNetOrgPerson sAMAccountName Is not present

isCriticalSystemObject Is present

User mailNickName Starts with "SystemMailbox"

mailNickName Starts with "CAS_"

and

contains "}"

sAMAccountName Starts with "CAS_"

and

contains "}"

sAMAccountName Equals "SUPPORT_388945a0"

sAMAccountName Equals "MSOL_AD_Sync"

sAMAccountName Is not present

isCriticalSystemObject Is set to "True"

 The user principal name (UPN) was changed after the initial synchronization and must be updated
manually.

Exchange Online Simple Mail Transfer Protocol (SMTP) addresses of synced users aren't populated
appropriately in the on-premises Active Directory schema.

Resolution
To resolve this issue, use one of the following methods, as appropriate for your situation.

Run IdFix to check for duplicates, missing attributes, and rule

violations
Use the IdFix DirSync Error Remediation Tool to find objects and errors that prevent synchronization
to Microsoft Entra ID.

If you see "Blank" in the ERROR column after you run IdFix, the displayName attribute of the
object isn't defined. To resolve this issue, specify a value for the displayName attribute of the
object using these steps:

1. In the UPDATE column for the object, type the name of its displayName attribute.
2. In the ACTION column, click EDIT, and then click Apply.
3. Repeat steps 1 and 2 for each object that has a "blank" entry in the ERROR column.
4. Run IdFix again to look for more object errors.

If you see "Duplicate" in the ERROR column after you run IdFix, two or more objects have the
same email address. To resolve this problem, specify a unique email address for the object using
these steps:

1. In the UPDATE column for the object, type an email address that isn't already used.
2. In the ACTION column, click EDIT, and then click Apply.
3. Run IdFix again to look for more object errors.

Determine attribute conflicts that are caused by objects that

weren't created in Microsoft Entra ID through directory
synchronization
To determine attribute conflicts caused by user objects that were created by using management tools
(and that weren't created in Microsoft Entra ID through directory synchronization), follow these steps:

1. Determine the unique attributes of the on-premises AD DS user account. To do it, on a computer
that has Windows Support Tools installed, follow these steps:

a. Select Start, select Run, type ldp.exe, and then select OK.

b. Select Connection, select Connect, type the computer name of an AD DS domain controller,
and then select OK.
c. Select Connection, select Bind, and then select OK.

d. Select View, select Tree View, select the AD DS domain in the BaseDN drop-down list, and
then select OK.

e. In the navigation pane, locate and then double-click the object that isn't syncing correctly. The
Details pane on the right side of the window lists all object attributes. The following example
shows the object attributes:

f. Record the values of the userPrincipalName attribute and each SMTP address in the multivalue
proxyAddresses attribute. You'll need these values later.

ﾉ Expand table

Attribute name Example Notes

proxyAddresses proxyAddresses (3): x500:/o=Exchange/ou=Exchange Administrative Group

(FYDIBOHF23SPDLT)/cn=Recipients/cn=1ae75fca0d3a4303802cea9ca50fcd4f- 1. The
7628376; smtp: 7628376@service.contoso.com ; SMTP: 7628376@contoso.com ; number
that's
displayed in
parentheses
next to the
attribute
label
indicates
the number
of proxy
address
values in
the
multivalue
attribute.

2. Each
distinct
proxy
address
value is
indicated
 Attribute name Example Notes

by a
semicolon
(;).

3. The
primary
SMTP proxy
address
value is
indicated
by
uppercase
"SMTP:"

userPrincipalName 7628376@contoso.com

７ Note

Ldp.exe is included in Windows Server 2008 and in the Windows Server 2003 Support
Tools. The Windows Server 2003 Support Tools are included in the Windows Server 2003
installation media. Or, to obtain the Support Tools, go to the following Microsoft website:
Windows Server 2003 Service Pack 2 32-bit Support Tools

2. Connect to Microsoft Entra ID by using the Azure Active Directory module for Windows
PowerShell. For more info, go to Manage Microsoft Entra ID using Windows PowerShell.

Leave the console window open. You'll need to use it in the next step.

3. Check for the duplicate userPrincipalName attributes.

In the console connection that you opened in step 2, type the following commands in the order in
which they are presented. Press Enter after each command:

PowerShell

$userUPN = "<search UPN>"

７ Note

In this command, the placeholder "<search UPN>" represents the UserPrincipalName

attribute that you recorded in step 1f.

PowerShell

Get-MSOLUser -UserPrincipalName $userUPN | where {$_.LastDirSyncTime -eq $null}

７ Note
 Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn
more, read the deprecation update . After this date, support for these modules are limited
to migration assistance to Microsoft Graph PowerShell SDK and security fixes. The
deprecated modules will continue to function through March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID

(formerly Azure AD). For common migration questions, refer to the Migration FAQ. Note:
Versions 1.0.x of MSOnline may experience disruption after June 30, 2024.

Leave the console window open. You'll use it again in the next step.

4. Check for duplicate proxyAddresses attributes. In the console connection that you opened in step
2, run the following command:

PowerShell

Import-Module ExchangeOnlineManagement

5. For each proxy address entry that you recorded in step 1f, type the following commands in the
order in which they are presented. Press Enter after each command:

PowerShell

$proxyAddress = "<search proxyAddress>"

７ Note

In this command, the placeholder "<search proxyAddress>" represents the value of a

proxyAddresses attribute that you recorded in step 1f.

PowerShell

Get-EXOMailbox | where {[string] $str = ($_.EmailAddresses);

$str.tolower().Contains($proxyAddress.tolower()) -eq $true} | foreach {get-MSOLUser -
UserPrincipalName $_.MicrosoftOnlineServicesID | where {($_.LastDirSyncTime -eq
$null)}}

Items that are returned after you run the commands in step 3 and 4 represent user objects that weren't
created through directory synchronization and that have attributes that conflict with the object that
isn't syncing correctly.

Update AD DS attributes to remove duplicates, rules violations,

and scoping exclusions
Identify the specific attributes that are preventing synchronization based on the following information:

Administrative email messages

The report from the output of the Office 365 Deployment Readiness Tool
 Default directory synchronization scoping rules and custom rules

After a specific attribute value is identified, edit the attribute value using one of these methods:

Use the Active Directory Users and Computers tool to edit the attribute value.

1. Open Active Directory Users and Computers, and then select the root node of the AD DS domain.
2. Select View, and then make sure that the Advanced Features option is selected.
3. In the left navigation pane, locate the user object, right-click it, and then select Properties.
4. On the Object Editor tab, locate the attribute that you want. Select Edit, and then edit the
attribute value to the value that you want.
5. Select OK two times.

Use Active Directory Service Interfaces (ADSI) Edit to update object attributes in AD DS. You can
download and install ADSI Edit as a part of the Windows Server Toolkit. To use ADSI Edit to edit
attributes, follow these steps.

２ Warning

This procedure requires ADSI Edit. Using ADSI Edit incorrectly can cause serious problems that
may require you to reinstall your operating system. Microsoft cannot guarantee that problems that
result from the incorrect use of ADSI Edit can be resolved. Use ADSI Edit at your own risk.

1. Select Start, select Run, type ADSIEdit.msc, and then select OK.
2. Right-click ADSI Edit in the navigation pane, select Connect to, and then select OK to load the
domain partition.
3. Locate the user object, right-click it, and then select Properties.
4. In the Attributes list, locate the attribute that you want. Select Edit, and then edit the attribute
value to the value that you want.
5. Select OK two times, and then exit ADSI Edit.

Create a new group and add it to the built-in group that's not
being synced
To resolve the issue in the scenario that some built-in groups (such as the Domain Users group) aren't
synced, create a new group that contains all the applicable members and appropriate permissions of
the built-in group. Then, add that group as a member to the built-in group that's not synced. Use the
new group instead of the built-in group to manage members. By using this method, you still manage
only one group.

You don't want to change the attributes of the built-in group or change the scoping rules of the
identity sync appliance to allow critical system objects to be synced. It may trigger other unexpected
behavior.

Use SMTP matching to cause an on-premises user object to sync

to an existing user object
For more information, see How to use SMTP matching to match on-premises user accounts to Office
365 user accounts for directory synchronization .

Manually update a user account UPN

To update a user account UPN that was licensed after initial directory synchronization has occurred,
follow these steps:

1. Install Azure Active Directory v2 PowerShell Module. For more information, see Azure Active
Directory v2 PowerShell Module .

2. Run the following cmdlets at the Azure Active Directory v2 PowerShell prompt:

PowerShell

$cred = get-credential

７ Note

When you're prompted, enter your admin credentials.

PowerShell

Connect-AzureAD

PowerShell

Set-AzureADUser -ObjectId [CurrentUPN] -UserPrincipalName [NewUPN]

Update user SMTP addresses by using on-premises Active

Directory attributes
When SMTP attributes aren't synced to Exchange Online in an expected way, you may have to update
the on-premises Active Directory attributes. To update on-premises Active Directory attributes so that
the correct email address displays in Exchange Online, use Resolution 2 to manipulate the attributes in
the following table.

ﾉ Expand table

On-premises Active Example On-premises Active Example Exchange Online email addresses
Directory attribute name Directory attribute value

proxyAddresses SMTP: user1@contoso.com Primary SMTP: user1@contoso.com

Secondary SMTP:
user1@contoso.onmicrosoft.com

proxyAddresses smtp: user1@contoso.com Primary SMTP:

user1@contoso.onmicrosoft.com Secondary
 On-premises Active Example On-premises Active Example Exchange Online email addresses
Directory attribute name Directory attribute value

SMTP: user1@contoso.com

proxyAddresses SMTP: user1@contoso.com Primary SMTP: user1@contoso.com

smtp: user1@sub.contoso.com Secondary SMTP: user1@sub.contoso.com
Secondary SMTP:
user1@contoso.onmicrosoft.com

mail User1@contoso.com Primary SMTP: user1@contoso.com

Secondary SMTP:
user1@contoso.onmicrosoft.com

UserPrincipalName User1@contoso.com Primary SMTP: user1@contoso.com

Secondary SMTP:
user1@contoso.onmicrosoft.com

The Microsoft Online Email Routing Address (MOERA) entry that's associated with the default domain
(such as user1@contoso.onmicrosoft.com ) is an interpreted value that's based on a user account's alias.
This specialty email address is inextricably linked to each Exchange Online recipient. You can't manage,
delete, or create additional MOERA addresses for any recipient. However, the MOERA address can be
over-ridden as the primary SMTP address by using the attributes in the on-premises Active Directory
user object.

７ Note

The presence of data in the proxyAddresses attribute completely masks data in the mail attribute
for Exchange Online email address population.

７ Note

The presence of data in the proxyAddresses attribute, the mail attribute, or both attributes
completely mask UserPrincipalName data for Exchange Online email address population. The UPN
can be used to manage email addresses. However, an admin can decide to manage the email
address and UPN separately by populating proxyAddresses or mail attributes.

We highly recommend that one of these attributes is used consistently to manage Exchange Online
email addresses for synced users.

More information
The Windows PowerShell commands that are mentioned in this article require the Azure Active
Directory module for Windows PowerShell. For more information about the Azure Active Directory
module for Windows PowerShell, see the following article:
Manage Microsoft Entra ID using Windows PowerShell.

For more information about filtering directory synchronization by attributes, see the following
Microsoft TechNet wiki article:
List of Attributes that are Synced by the Azure Active Directory Sync Tool

Contact us for help

If you have questions or need help, create a support request , or ask Azure community support. You
can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Microsoft Entra Connect Health shows
old information about on-premises
Microsoft Entra Connect server
Article • 10/28/2024

This article discusses an issue in which Microsoft Entra Connect Health shows outdated
information about the on-premises Microsoft Entra Connect server.

Original product version: Microsoft Entra ID

Original KB number: 4053427

Symptoms
Microsoft Entra Connect Health blade no longer shows up-to-date information (for
example, synchronization errors) about the on-premises Microsoft Entra Connect server.
In some cases, the Microsoft Entra Connect Health Insight Service that is running on the
Microsoft Entra Connect server crashes and generates the following Windows
Application event:

Log Name: Application

Source: Application Error
Date: 10/19/2017 8:03:19 AM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: XXXXXXX
Description: Faulting application name:
Microsoft.Identity.AadConnect.Health.AadSync.Host.exe, version: 3.0.68.0, time
stamp: 0x5965450e Faulting module name: ntdll.dll, version: 6.3.9600.18696, time
stamp: 0x59153753 Exception code: 0xc0000374 Fault offset: 0x00000000000f1c00
Faulting process id: 0x624 Faulting application start time: 0x01d348d2403fcb09
Faulting application path: C:\Program Files\Microsoft Azure AD Connect Health Sync
Agent\Insights\Microsoft.Identity.AadConnect.Health.AadSync.Host.exe Faulting
module path: C:\Windows\SYSTEM32\ntdll.dll Report Id: 7eb31450-b4c5-11e7-
80cb-005056ba3ca2 Faulting package full name: Faulting package-relative
application ID:
Cause
The issue occurs if there is version mismatch between Microsoft Entra Connect
Synchronization Service and Microsoft Entra Connect Health for Sync applications. This
issue may occur if either component was not successfully upgraded during the last
Microsoft Entra Connect upgrade or auto-upgrade.

To verify that an existing Microsoft Entra Connect server has a version compatibility
issue between the two applications, follow these steps:

1. Get the version of the applications from the Programs item in Control Panel.

2. Compare the version information against the following compatibility table:

ﾉ Expand table

Synchronization Service version Compatible Health Agent version

1.1.614.0 (or earlier version) 3.0.68.0 (or earlier version) 3.0.127.0

1.1.647.0 (or later version) 3.0.103.0 3.0.129.0

Resolution
To resolve this issue, use one of the following methods.

Method 1
Manually upgrade your Microsoft Entra Connect server to version 1.1.649.0 or a later
version. During the manual upgrade, both applications will be upgraded to the versions
that are compatible with each other.

For more information about how to upgrade Microsoft Entra Connect server, see the
following Azure article: Microsoft Entra Connect: Upgrade from a previous version to the
latest

Method 2
Manually reinstall Health Agent for Sync to a version that is compatible with the
Synchronization Service version that is installed on the Microsoft Entra Connect server.
For example, you have an existing Microsoft Entra Connect server that has
Synchronization Service version 1.1.647.0 and Health Agent for Sync version 3.0.68.0. To
resolve the incompatibility issue, you can reinstall Health Agent for Sync version
3.0.129.0.

To reinstall Health Agent for Sync:

1. Determine the version of Health Agent that is compatible with the version of
Microsoft Entra Connect Synchronization Service that you have installed. If you
have Microsoft Entra Connect Synchronization Service version 1.1.647.0 or a later
version, use Health Agent Version 3.0.129.0.

2. Download a copy of the Health Agent installer

(AadConnectHealthAadSyncSetup.exe) from the following Microsoft Download
Center website:

Download and install Microsoft Entra Connect Health Agent

3. Log on to the Microsoft Entra Connect server by using an account that has Local
Administrator rights.

4. To uninstall the existing version of Health Agent, follow these steps:

a. Go to Control Panel > Program and Features. Select Microsoft Entra Connect
Health Agent for Sync, and then select Uninstall.

７ Note

This opens the setup window for the Health Agent.

b. In the setup window for Health Agent, select Uninstall.

c. After the uninstallation process finishes, select Close.

5. To install the compatible version of Health Agent:

a. Double-click the downloaded executable file.

b. On the Setup screen, select Install.

c. After the installation finishes, select Close.

 ） Important

Do not select Configure.

d. Start a new PowerShell session. Register the installed Health Agent with
Microsoft Entra ID by running the following cmdlet:

PowerShell

Register-AzureADConnectHealthSyncAgent -AttributeFiltering:$false -
StagingMode:$false

e. When you are prompted for credentials, provide your Microsoft Entra Global
Admin credentials.

f. Wait about two hours, and then verify that the Health panel is showing up-to-
date information about Sync.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Password hash synchronization stops
working after updating Microsoft Entra
credentials in FIM
Article • 10/28/2024

This article describes an issue in which password hash synchronization stops working in
an Azure environment. This occurs after you update your global administrator
credentials in Microsoft Forefront Identity Manager (FIM).

Original product version: Microsoft Entra ID, Cloud Services (Web roles/Worker roles),
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2962509

Symptoms
After you update your global administrator credentials in FIM for directory
synchronization, password hash synchronization stops working. Additionally, one of the
following events may be logged in the Application log in Event Viewer:

ﾉ Expand table

Event Source Level Description

ID

115 Directory Synchronization Information Error Description: Access to Windows Azure

Active Directory has been denied. Contact
Technical Support.

0 Directory Synchronization Error The user name or password is incorrect.

Verify your user name, and then type your
password again.

655 Directory Synchronization Error The user name or password is incorrect.

Verify your user name, and then type your
password again.

6900 FIMSynchronizationService Error The server encountered an unexpected error

while processing a password change
notification:
"The user name or password is incorrect.
Verify your user name, and then type your
password again.
Resolution
To resolve this issue, run the Azure Active Directory Sync tool Configuration Wizard. For
more information about how to do this, see Synchronize your directories.

More information
Alternatively, you can restart the Forefront Identity Manager Synchronization Service. To
do this, follow these steps:

1. Click Start, point to Administrative Tools, and then click Services.

2. In the list of services, right-click Forefront Identity Manager Synchronization
Service, and then click Stop.
3. Right-click Forefront Identity Manager Synchronization Service, and then click
Start.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Password isn't synced from Microsoft
Entra ID to on-premises after the
password is changed or reset
Article • 10/28/2024

This article describes an issue in which password isn't synced from Microsoft Entra ID to
on-premises directory after the password is changed or reset.

Original product version: Microsoft Entra ID

Original KB number: 3187256

Symptoms
When a password reset or a password change action is performed, the password isn't
synchronized from Microsoft Entra ID to the on-premises directory using Microsoft Entra
Connect.

Additionally, you may see the following message, or the password will not write back to
your on-premises directory:

Your request could not be processed

We're sorry but we cannot reset your password at this time. This is due to a
temporary connectivity issue, so if you try again later, resetting your password may
succeed. If the issue persists, please contact your admin to reset your password for
you.

Cause
This issue can occur for many reasons. The following is a list of known causes:

Prerequisites are not met for password writeback.

Permissions are not set up correctly for password writeback.
The password reset agent in Microsoft Entra Connect isn't running.
There's a network connectivity issue between the password reset service in
Microsoft Entra ID and your local environment where Microsoft Entra Connect is
running.

Resolution
Before troubleshooting this issue, it's important to know which scenarios allow password
writeback. The following table lists scenarios in which password writeback occurs and
doesn't occur.

ﾉ Expand table

Scenario Password
writeback

Users who perform self-service password reset through Yes

https://passwordreset.microsoftonline.com

Admins who perform self-service password reset through Yes

https://passwordreset.microsoftonline.com

Password change in My Apps or in Office 365 portal Yes

Admins who perform password resets by using the Azure Management Portal Yes

Admins who perform password resets by using the Microsoft 365 admin center No

Passwords at new user creation through Azure Management Portal, Microsoft No

365 admin center, or Microsoft Graph PowerShell module

Admins who perform password resets by using PowerShell Modules V1 No

(MSOnline) or V2 (AzureAD)

To resolve this issue, see the Troubleshoot Password Writeback section of How to
troubleshoot Password Management.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Password hash synchronization for
Microsoft Entra ID stops working and
event ID 611 is logged
Article • 10/28/2024

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2867278

Symptoms
Password hash synchronization for Microsoft Entra ID stops working after several days.
Additionally, in Event Viewer, the following event ID 611 error is logged in the
Application log:

Password synchronization failed for domain: Contoso.com .

Resolution
Install the latest version of the Microsoft Entra Synchronization tool. For more
information, see Install or upgrade the Directory Sync tool.

More information
You may see one or more of the following error details for Event ID 611.

ﾉ Expand table

Description Cause More

information

Microsoft.Online.PasswordSynchronization. Windows Server Update to

SynchronizationManagerException: Recovery task failed. ---> 2003 domain the latest
Microsoft.Online.PasswordSynchronization. controllers version of
DirectoryReplicationServices.DrsException: RPC Error 8439: The handle certain Microsoft
distinguished name specified for this replication operation is scenarios Entra
invalid. There was an error calling _IDL_DRSGetNCChanges . unexpectedly. Connect to
resolve this
issue.
Description Cause More
information

Microsoft.Online.PasswordSynchronization. It's a known Update to

DirectoryReplicationServices.DrsException: RPC Error 8593: The issue that was the latest
directory service cannot perform the requested operation fixed in Azure version of
because the servers involved are of different replication epochs Active Directory Microsoft
(which is related to a domain rename that is in progress). Sync tool build Entra
1.0.6455.0807. Connect to
resolve this
issue.

System.ArgumentOutOfRangeException: Not a valid Win32 It's a known Update to

FileTime. issue that was the latest
fixed in Azure version of
Active Directory Microsoft
Sync tool build Entra
1.0.6455.0807. Connect to
resolve this
issue.

System.ArgumentException: An item with the same key has It's a known Update to
already been added. issue that was the latest
fixed in Azure version of
Active Directory Microsoft
Sync tool build Entra tool to
1.0.6455.0807. resolve this
issue.

Password synchronization failed for domain: Contoso.com . AD DS Update to

Details: Connector the latest
Microsoft.Online.PasswordSynchronization. Account is version of
DirectoryReplicationServices.DrsException: RPC Error 8453: missing the Microsoft
Replication access was denied. There was an error calling following Entra
_IDL_DRSGetNCChanges . extended Connect,
permissions on and follow
at Microsoft.Online.PasswordSynchronization. AD: the article
DirectoryReplicationServices.DrsRpcConnection.OnGetChanges( "Microsoft
Replicating Entra
ReplicationState syncState)
Directory Connect:
Changes Configure
at Microsoft.Online.PasswordSynchronization.
Replicating AD DS
DirectoryReplicationServices.DrsConnection.GetChanges(
Directory Connector
ReplicationState replicationState)
Changes Account
All Permissions"
at Microsoft.Online.PasswordSynchronization.
RetryUtility.ExecuteWithRetry[T](Func 1 operation, Func 1 on how to
shouldAbort, RetryPolicyHandler retryPolicy) add the
correct
at Microsoft.Online.PasswordSynchronization. Active
DeltaSynchronizationTask.SynchronizeCredentialsToCloud()
 Description Cause More
information

Directory
at Microsoft.Online.PasswordSynchronization. permissions.
PasswordSynchronizationTask.SynchronizeSecrets()

at Microsoft.Online.PasswordSynchronization.
SynchronizationExecutionContext.SynchronizeDomain()

at Microsoft.Online.PasswordSynchronization.
SynchronizationManager.SynchronizeDomain(
SynchronizationExecutionContext syncExecutionContext).

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Permission-issue error 8344,
"Insufficient access rights to perform
the operation."
Article • 10/28/2024

This article discusses how to understand and troubleshoot the "permission-issue [8344]"
error, "Insufficient access rights to perform the operation." This Microsoft Entra error
occurs on an on-premises Active Directory connector during an export operation in
Synchronization Service Manager.

７ Note

Was this article helpful? Your input is important to us. Please use the Feedback
button on this page to let us know how well this article worked for you or how we
can improve it.

Symptoms
On the Operations tab of the Synchronization Service Manager app, the Connection
Operations table contains a row that represents an on-premises AD connector in which
the Profile Name column value is Export. However, the corresponding Status column
value is completed-export-errors. When you select this table row, a secondary table
displays one or more permission-issue export errors.
 

If you select one of the permission-issue export errors, the Connector Space Object
Properties dialog box appears. On the Export Error tab, the following information is
shown.

ﾉ Expand table

Error Information field Value

Error permission-issue

Connected data source error code 8344

Connected data source error Insufficient access rights to perform the operation.
 

Cause
The on-premises Active Directory connector account ( MSOL_<hex-digits> ) doesn't have
permissions in Active Directory to write back the object's properties that are being
synchronized with Microsoft Entra ID.

Solution 1: Grant permissions by using the

Microsoft Entra Connect Troubleshooting
console

７ Note

This solution is the recommended and preferred method.

In the on-premises Active Directory connector account ( MSOL_<hex-digits> ), locate the

attributes that this account doesn't have permissions for. Then, use the Microsoft Entra
Connect wizard to grant the permissions in the Microsoft Entra Connect
Troubleshooting console, as described in the following sections.
Part 1: Determine which on-premises Active Directory
connector account is in use
To find the on-premises AD connector account, use one of the following tools.
The Microsoft Entra Connect wizard

1. On the Windows desktop, double-click the Microsoft Entra Connect icon to open
the Microsoft Entra Connect wizard.

2. In the Microsoft Entra Connect dialog box, select the Configure button.

3. In the Additional tasks screen, select the View or export current configuration
task, and then select the Next button.

4. In the Review your solution screen, locate the Synchronized Directories heading,
and then copy the MSOL_<hex-digits> string from within the ACCOUNT field value.

5. Select the Exit button.

The Synchronization Service Manager app

1. Select Start, and then search for and select Synchronization Service Manager.

2. In the Synchronization Service Manager app, select the Connectors tab.

3. In the Connectors list, right-click the Name value of the on-premises Active
Directory connector, and then select Properties.

4. In the Properties dialog box, locate the Connector Designer pane, and then select
Connect to Active Directory Forest.

5. In the Connect to Active Directory Forest pane, copy the value of the User name
field. This value contains the name of the on-premises Active Directory connector
account.

The ADSyncTools module in PowerShell

If the ADSyncTools module isn't already installed in your PowerShell environment,

install that module. After the module is installed, run the Get-
ADSyncToolsADconnectorAccount cmdlet:

Azure PowerShell

Install-Module ADSyncTools # Not required if the ADSyncTools module is

already installed
Get-ADSyncToolsADconnectorAccount
The output is a table that displays the Name , Forest , Domain , and Username columns for
each Active Directory connector account. The text string that you want to copy is in the
Username column.

Part 2: Determine which attributes the on-premises Active

Directory connector account doesn't have permissions for
1. Select Start, and then search for and select Synchronization Service Manager.

2. In the Synchronization Service Manager app, select the Operations tab.

3. In the Connector Operations table, select the row that has the following
characteristics.

ﾉ Expand table

Column name Value

Name The name of the on-premises Active Directory connector

Profile Name Export

Status completed-export-errors

4. In the bottom-right table, select an object in the first column (labeled Export
Errors) for which permission-issue is listed as one of the errors in the second
column.

5. In the Connector Space Object Properties dialog box, select the Pending Export
tab.

6. Locate the Attribute information table, and then select the Changes column to
sort by that column.
 

7. Identify the Microsoft Entra Connect feature that you're using by following one of
these methods:

Review the list of Exchange hybrid writeback attributes to synchronize, and

then return to the Attribute information table UI to find the Exchange hybrid
writeback attribute that ADSync was trying to add or modify. For example,
the added or modified attribute might be the msDS-
ExternalDirectoryObjectID attribute.

Check the Microsoft Entra Connect features by running the Get-

ADSyncGlobalSettings cmdlet from a PowerShell session, as shown in the

following code:

Azure PowerShell

(Get-ADSyncGlobalSettings).Parameters | select Name, Value | sort

Name

Part 3: Grant the missing permissions

） Important
The account that's used to run the Microsoft Entra Connect tool must be allowed to
grant permissions on all domains to Active Directory. Usually, only the Enterprise
Administrator has Domain Administrator rights on all domains in the Active
Directory forest.

1. On the Windows Desktop, double-click the Microsoft Entra Connect icon.

2. In the Microsoft Entra Connect dialog box, select the Configure button.

3. In the Additional tasks pane, select the Troubleshoot task, and then select the
Next button.

4. On the Welcome to Microsoft Entra Connect Troubleshooting page, select the

Launch button to start the troubleshooting menu in a console.

5. In the AADConnect Troubleshooting menu in the console, enter 4 to configure the

Active Directory Domain Services (AD DS) connector account permissions.

Console

----------------------------------------AADConnect Troubleshooting-----
------------------------------------

Enter '1' - Troubleshoot Object Synchronization

Enter '2' - Troubleshoot Password Hash Synchronization
Enter '3' - Collect General Diagnostics
Enter '4' - Configure AD DS Connector Account Permissions
Enter '5' - Test Azure Active Directory Connectivity
Enter '6' - Test Active Directory Connectivity
Enter 'Q' - Quit

Please make a selection: 4_

6. In the Configure Permissions menu, enter the option that you're interested in. In
this example, enter 4 to set the Exchange Hybrid permissions.

Console

--------------------------------------------Configure Permissions------
------------------------------------

Enter '1' - Get AD Connector account

Enter '2' - Get objects with inheritance disabled
Enter '3' - Set basic read permissions
Enter '4' - Set Exchange Hybrid permissions
Enter '5' - Set Exchange mail public folder permissions
Enter '6' - Set MS-DS-Consistency-Guid permissions
Enter '7' - Set password hash sync permissions
 Enter '8' - Set password writeback permissions
Enter '9' - Set restricted permissions
Enter '10' - Set unified group writeback permissions
Enter '11' - Show AD object permissions
Enter '12' - Set default AD Connector account permissions
Enter '13' - Compare object read permissions when running in
context of AD Connector account vs Admin account
Enter 'B' - Go back to main troubleshooting menu
Enter 'Q' - Quit

Please make a selection: 4_

7. In the Account to Configure screen, when you're prompted by the message,

"Would you like to configure an existing connector account or a custom account?,"
enter E for an existing connector account (the default response):

Console

Account to Configure
Would you like to configure an existing connector account or a custom
account?
[E] Existing Connector Account [C] Custom Account [?] Help (default
is "E") E_

8. In the Configured connectors and their related accounts screen, after you see a
list of rows that contain ADConnectorName , ADConnectorForest ,
ADConnectorAccountName , and ADConnectorAccountDomain data, enter the name of

the connector for the account that you want to configure:

Console

Configured connectors and their related accounts:

ADConnectorName ADConnectorForest ADConnectorAccountName

ADConnectorAccountDomain
---------------- ----------------- ---------------------- -------------
-----------
corp.contoso.com corp.contoso.com MSOL__<hex-digits>
domain.contoso.com
test.local test.local MSOL__<hex-digits> test.local

Name of the connector who's account to configure: corp.contoso.com_

Note: In this screen, the word "who's" appears as shown although it should be
"whose."
 9. Either select Enter to apply the permissions at the root of the domain for all child
objects, or specify the target object to set the permissions on. For example, you
can specify the target organizational unit (OU) in which the users reside:

Console

To set permissions for a single target object, enter the

DistinguishedName of the target AD
object. Giving no input will set root permissions for all Domains in
the Forest: _

10. In the Update AdminSdHolders screen, when you're prompted whether to "Update
AdminSDHolder container when updating with these permissions?," enter Y for
Yes only if you're synchronizing Protected Accounts in Active Directory to

Microsoft Entra ID. Otherwise, enter N for No (the default response).

Console

Update AdminSdHolders
Update AdminSDHolder container when updating with these permissions?
[Y] Yes [N] No [?] Help (default is "N"): _

７ Note

We recommend that you don't synchronize your on-premises AD

administrator accounts to Microsoft Entra ID. For more information, see the
Administrator password setting section of Plan a Microsoft Entra self-service
password reset deployment.

11. In the Confirm screen, enter Y for Yes to confirm your choice (the default
response):

Console

Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Exchange Hybrid permissions" on target
"corp.contoso.com"
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"): y_
Solution 2: Grant permissions by using the
ADSyncConfig module in PowerShell

７ Note

This solution is also a recommended method.

For information about this solution, see the "Using the ADSyncConfig PowerShell
module" section of Microsoft Entra Connect: Configure AD DS connector account
permissions.

Solution 3: Grant permissions by using the

Active Directory Users and Computers snap-in

２ Warning

If you grant permissions manually in Active Directory by using this method, this
action might cause insufficient permissions that can have unexpected results.

1. On an account that has the appropriate Domain Administrator permissions, select

Start, and then search for and select the Active Directory Users and Computers
snap-in (dsa.msc).

2. In the View menu, if a check mark isn't displayed next to Advanced features, select
that menu item so that you can view the advanced features.

3. In the console tree, locate the object that represents the root of the domain. Right-
click that object, and then select Properties.

4. In the Properties dialog box, select the Security tab, and then select the Advanced
button.

5. In the Advanced Security Settings dialog box, select the Permissions tab, and then
select the Add button.

6. In the Permission Entry dialog box, enter the settings as described in the following
table.

ﾉ Expand table
 Setting Action

Principal Select the Select a principal link. Enter the name of the account to apply the
name permissions to (the account that Microsoft Entra Connect uses), and then
select OK.

Type list Select Allow.

Applies to Select Descendant User objects to show the list of permissions that are
list allowed for the selected principal.

Properties Select the check box for each permission property option that you want.
options Scroll through the list of properties to find the attributes that you need.
Property option names can include Read all properties, Write all properties,
Read msDS-OperationsForAzTaskBL, Read msDS-parentdistname, and so
on.

7. To exit the dialog boxes and apply the changes, select the OK button three times.

Solution 4: Grant permissions by using the

dsacls tool

２ Warning

If you grant permissions manually in Active Directory by using this method, this
action might cause insufficient permissions that can have unexpected results.
To grant permissions to read and write all properties for all objects at the root of the
domain to all of its descendant objects, run the following dsacls command:

Windows Command Prompt

dsacls.exe "DC=Contoso,DC=com" /G "CONTOSO\ADConnectAccount:RPWP;;" /I:S

In this command, DC=Contoso,DC=com is the distinguished name of your domain, and

CONTOSO\ADConnectAccount is the domain account that Microsoft Entra Connect uses.

Known issues
The following table lists known issues that cause permission-issue errors but can't
currently be fixed by the listed solutions.

ﾉ Expand table

Condition Effect

The AdminCount attribute for a user is You see unexpected synchronization results or
greater than zero, even though the user is permission-issue errors because the new
no longer a member of a Protected permissions aren't applied.
Group.

There are SDProp issues in Active The permission-issue error persists after you apply a
Directory. solution because Active Directory can't propagate
the new permissions for all child objects in the
domain.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

How the proxyAddresses attribute is
populated in Microsoft Entra ID
Article • 10/28/2024

This article describes how the proxyAddresses attribute is populated in Microsoft Entra
ID and discusses common scenarios to help you understand how the proxyAddresses
attribute is populated in Microsoft Entra ID.

Original product version: Microsoft Entra ID

Original KB number: 3190357

７ Note

Was this article helpful? Your input is important to us. Please use the Feedback
button on this page to let us know how well this article worked for you or how we
can improve it.

The proxyAddresses attribute in Active Directory is a multi-value property that can

contain various known address entries. For example, it can contain SMTP addresses,
X500 addresses, and SIP addresses. When an object is synchronized to Microsoft Entra
ID, the values that are specified in the mail or proxyAddresses attribute in Active
Directory are copied to a shadow mail or proxyAddresses attribute in Microsoft Entra ID.
Then, they are used to calculate the final proxyAddresses of the object in Microsoft Entra
according to internal Microsoft Entra ID rules. The logic that populates mail,
mailNickName, and proxyAddresses attributes in Microsoft Entra ID is called proxy
calculation. It takes into account many different aspects of the on-premises Active
Directory data, such as:

Set or update the Primary SMTP address and additional secondary addresses
based on the on-premises ProxyAddresses or UserPrincipalName.
Set or update the Mail attribute based on the calculated Primary SMTP address.
Set or update the MailNickName attribute based on the on-premises
MailNickName or Primary SMTP address prefix.
Discard on-premises addresses that have a reserved domain suffix, e.g.
@*.onmicrosoft.com, @*.microsoftonline.com;
Discard on-premises ProxyAddresses with legacy protocols like MSMAIL, X400, etc;
Discard malformed on-premises addresses or not compliant with RFC 5322, e.g.
missing protocol prefix "SMTP:", containing a space or other invalid character;
 Remove ProxyAddresses with a non-verified domain suffix, if the user is assigned
an Exchange Online license.

Therefore, the values of the Mail and ProxyAddresses attributes for the object in Active
Directory may not be the same as the values of the ProxyAddresses attribute in
Microsoft Entra ID.

Terminology
The following terminology is used in this article:

Initial domain: The first domain provisioned in the tenant. For example,
Contoso.onmicrosoft.com .

Microsoft Online Email Routing Address (MOERA): The address constructed from
the user's userPrincipalName prefix, plus the initial domain suffix, which is
automatically added to the proxyAddresses in Microsoft Entra ID. For example,
smtp:john.doe@Contoso.onmicrosoft.com .

UserPrincipalName (UPN): The sign-in address of the user.

Primary SMTP address: The primary email address of an Exchange recipient object,
including the SMTP protocol prefix. For example, SMTP:john.doe@Contoso.com .
Secondary smtp address: Additional email address(es) of an Exchange recipient
object. For example, smtp:john.doe@Contoso.com .
Mail attribute: Holds the primary email address of a user, without the SMTP
protocol prefix. For example, john.doe@Contoso.com .
MailNickName attribute: Holds the alias of an Exchange recipient object. For
example, john.doe .

Scenario 1: User doesn't have the mail,

mailNickName, or proxyAddresses attribute set
You created an on-premises user object that has the following attributes set:

AD:mail : \<not set>

AD:mailNickName : \<not set>
AD:proxyAddresses : {\<not set>}
AD:userPrincipalName : user1upn@Contoso.com

Next, it's synchronized to Microsoft Entra ID and only the mailNickName attribute is
populated by using the prefix of the UPN, because it's a mandatory attribute:
 AAD:mailNickName : user1upn
AAD:UserPrincipalName : user1upn@Contoso.com

Then, it's assigned an Exchange Online license. In this scenario, the following operations
are performed as a result of proxy calculation:

Set the primary SMTP address in the proxyAddresses attribute by using the UPN
value.
Populate the mail attribute by using the primary SMTP address.
Add the MOERA as a secondary smtp address in the proxyAddresses attribute, by
using the format of mailNickName@initial domain.

The following attributes are set in Microsoft Entra ID on the synchronized user object
that has an Exchange Online license:

AAD:mail : user1upn@Contoso.com
AAD:mailNickName : user1upn
AAD:proxyAddresses : {smtp:user1upn@Contoso.onmicrosoft.com;
SMTP:user1upn@Contoso.com}
AAD:userPrincipalName : user1upn@Contoso.com

７ Note

If the user has an Exchange license assigned or the user is an Exchange Online
recipient, such as a shared mailbox, the userPrincipalName is always added as a
proxy address.

Scenario 2: User doesn't have the

mailNickName or proxyAddresses attribute set
You create an on-premises user object that has the following attributes set:

AD:mail : user2mail@Contoso.com
AD:mailNickName : \<not set>
AD:proxyAddresses : {\<not set>}
AD:userPrincipalName : user2upn@Contoso.com
Next, it's synchronized to Microsoft Entra ID and the following operations are performed
as a result of proxy calculation:

Set the primary SMTP using the same value of the mail attribute.
Populate the mailNickName attribute by using the primary SMTP address prefix.
Populate the mail attribute by using the primary SMTP address.

The following attributes are set in Microsoft Entra ID upon initial user provisioning:

AAD:mail : user2mail@Contoso.com
AAD:mailNickName : user2mail
AAD:proxyAddresses : {SMTP:user2mail@Contoso.com}
AAD:userPrincipalName : user2upn@Contoso.com

Then, it's assigned an Exchange Online license. In this scenario, the following operation
is performed as a result of proxy calculation:

Add the UPN as a secondary smtp address in the proxyAddresses attribute.

Add the MOERA as a secondary smtp address in the proxyAddresses attribute, by
using the format of mailNickName@initial domain.

The following attributes are set in Microsoft Entra ID on the synchronized user object
with Exchange Online license:

AAD:mail : user2mail@Contoso.com
AAD:mailNickName : user2mail
AAD:proxyAddresses : {smtp:user2upn@Contoso.com;
smtp:user2mail@Contoso.onmicrosoft.com; SMTP:user2mail@Contoso.com}
AAD:userPrincipalName : user2upn@Contoso.com

Scenario 3: You change the proxyAddresses

attribute values of the on-premises user
You create an on-premises user object that has the following attributes set:

AD:mail : \<not set>

AD:mailNickName : \<not set>
AD:proxyAddresses : {smtp:user3pa3@Fabrikam.microsoftonline.com,
 smtp:user3pa2@Contoso.onmicrosoft.com, SMTP:user3pa1@Contoso.com}
AD:userPrincipalName : user3upn@Contoso.com

Next, it's synchronized to Microsoft Entra ID and assigned an Exchange Online license. In
this scenario, the following operation is performed as a result of proxy calculation:

Discard addresses that have a reserved domain suffix. In this example, the
following addresses are skipped:
smtp:user3pa2@Contoso.onmicrosoft.com

smtp:user3pa3@Fabrikam.microsoftonline.com

Set the primary SMTP using the same address that's specified in the on-premises
proxyAddresses attribute.
Populate the mailNickName attribute by using the primary SMTP address prefix.
Populate the mail attribute by using the primary SMTP address.
Add the MOERA as a secondary smtp address in the proxyAddresses attribute, by
using the format of mailNickName@initial domain.
Add the UPN as a secondary smtp address in the proxyAddresses attribute.

The following attributes are set in Microsoft Entra ID on the synchronized user object:

AAD:mail : user3pa1@Contoso.com
AAD:mailNickName : user3pa1
AAD:proxyAddresses : {smtp:user3upn@Contoso.com;
smtp:user3pa1@Contoso.onmicrosoft.com; SMTP:user3pa1@Contoso.com}
AAD:userPrincipalName : user3upn@Contoso.com

Then, you change the values of the on-premises proxyAddresses attribute to the
following values:

AD:mail : \<not set>

AD:mailNickName : \<not set>
AD:proxyAddresses : {smtp:user3new3@Fabrikam.microsoftonline.com,
smtp:user3new2@Contoso.onmicrosoft.com, SMTP:user3new1@Contoso.com}
AD:userPrincipalName : user3upn@Contoso.com

In this scenario, the following operation is performed as a result of proxy calculation:

Discard addresses that have a reserved domain suffix. For example, the following
addresses are skipped:
smtp:user3new2@Contoso.onmicrosoft.com
 smtp:user3new3@Fabrikam.microsoftonline.com

Replace the new primary SMTP address that's specified in the proxyAddresses
attribute.
Update the mail attribute by using the value of the new primary SMTP address
specified in the proxyAddresses attribute.
Keep the old mailNickName since the on-premises mailNickName is not set nor its
value have changed.
Keep the old MOERA as a secondary smtp address in the proxyAddresses attribute.
Keep the UPN as a secondary SMTP address in the proxyAddresses attribute.

The following attributes are set in Microsoft Entra ID on the synchronized user object:

AAD:mail : user3new1@Contoso.com
AAD:mailNickName : user3pa1
AAD:proxyAddresses : {SMTP:user3new1@Contoso.com;
smtp:user3upn@Contoso.com; smtp:user3pa1@Contoso.onmicrosoft.com}
AAD:userPrincipalName : user3upn@Contoso.com

Scenario 4: Exchange Online license is removed

You create an on-premises user object that has the following attributes set:

AD:mail : \<not set>

AD:mailNickName : \<not set>
AD:proxyAddresses : {\<not set>}
AD:userPrincipalName : user4upn@Contoso.com

Next, it's synchronized to Microsoft Entra ID and assigned an Exchange Online license. In
this scenario, the following operation is performed as a result of proxy calculation:

Set the primary SMTP address in the proxyAddresses attribute by using the UPN
value.
Populate the mailNickName attribute by using the primary SMTP address prefix.
Populate the mail attribute by using the primary SMTP address.
Add the MOERA as a secondary smtp address in the proxyAddresses attribute, by
using the format of mailNickName@initial domain.

The following attributes are set in Microsoft Entra ID on the synchronized user object:
 AAD:mail : user4upn@Contoso.com
AAD:mailNickName : user4upn
AAD:proxyAddresses : {smtp:user4upn@Contoso.onmicrosoft.com;
SMTP:user4upn@Contoso.com}
AAD:userPrincipalName : user4upn@Contoso.com

Then, you remove the Exchange Online license and the following operation is performed
as a result of proxy calculation:

Remove the primary SMTP address in the proxyAddresses attribute corresponding

to the UPN value.
Promote the MOERA from secondary to Primary SMTP address in the
proxyAddresses attribute.
Update the mail attribute by using the primary SMTP address in the
proxyAddresses attribute(MOERA).

AAD:mail : user4upn@Contoso.onmicrosoft.com
AAD:mailNickName : user4upn
AAD:proxyAddresses : {SMTP:user4upn@Contoso.onmicrosoft.com}
AAD:userPrincipalName : user4upn@Contoso.com

Then, you add a secondary smtp address in the on-premises proxyAddresses attribute:

AD:mail : \<not set>

AD:mailNickName : \<not set>
AD:proxyAddresses : {smtp:user4new@Contoso.com}
AD:userPrincipalName : user4upn@Contoso.com

When the object is synchronized to Microsoft Entra ID, the following operation is
performed as a result of proxy calculation:

Add the secondary smtp address in the proxyAddresses attribute.

Add the UPN as a secondary smtp address in the proxyAddresses attribute.

The following attributes set in Microsoft Entra ID on the synchronized user object:

AAD:mail : user4upn@Contoso.onmicrosoft.com
AAD:mailNickName : user4upn
AAD:proxyAddresses : {smtp:user4upn@Contoso.com;
 smtp:user4new@Contoso.com; SMTP:user4upn@Contoso.onmicrosoft.com}
AAD:userPrincipalName : user4upn@Contoso.com

Scenario 5: The mailNickName attribute value

is changed
You create an on-premises user object that has the following attributes set:

AD:mail : \<not set>

AD:mailNickName : \<not set>
AD:proxyAddresses : {\<not set>}
AD:userPrincipalName : user5upn@Contoso.com

Next, it's synchronized to Microsoft Entra ID and assigned an Exchange Online license. In
this scenario, the following operation is performed as a result of proxy calculation:

Set the primary SMTP address in the proxyAddresses attribute by using the UPN
value.
Populate the mailNickName attribute by using the primary SMTP address prefix.
Populate the mail attribute by using the primary SMTP address.
Add the MOERA as a secondary smtp address in the proxyAddresses attribute, by
using the format of mailNickName@initial domain.

The following attributes are set in Microsoft Entra ID on the synchronized user object:

AAD:mail : user5upn@Contoso.com
AAD:mailNickName : user5upn
AAD:proxyAddresses : {smtp:user5upn@Contoso.onmicrosoft.com;
SMTP:user5upn@Contoso.com}
AAD:userPrincipalName : user5upn@Contoso.com

Then, you change the value of the on-premises mailNickName attribute to the following:

mail : \<not set>

AD:mailNickName : user5new1
AD:proxyAddresses : {\<not set>}
AD:userPrincipalName : user5upn@Contoso.com
In this scenario, the following operation is performed as a result of proxy calculation:

Update the mailNickName attribute by using the same value as the on-premises
mailNickName attribute.
Keep the mail attribute unchanged.
Keep the proxyAddresses attribute unchanged.

The following attributes are set in Microsoft Entra ID on the synchronized user object:

AAD:mail : user5upn@Contoso.com
AAD:mailNickName : user5new1
AAD:proxyAddresses : {smtp:user5upn@Contoso.onmicrosoft.com;
SMTP:user5upn@Contoso.com}
AAD:userPrincipalName : user5upn@Contoso.com

Scenario 6: Two users have the same

mailNickName attribute
You create two on-premises user objects that have the same mailNickName value:

AD:mail : \<not set>

AD:mailNickName : user6mnn
AD:proxyAddresses : {\<not set>}
AD:userPrincipalName : user6a@Contoso.com

AD:mail : \<not set>

AD:mailNickName : user6mnn
AD:proxyAddresses : {\<not set>}
AD:userPrincipalName : user6b@Contoso.com

Next, they are synchronized to Office 365 and assigned an Exchange Online license. In
this scenario, the following operation is performed as a result of proxy calculation:

Set the primary SMTP address in the proxyAddresses attribute by using the UPN
value.
Populate the mailNickName attribute by using the same value as the on-premises
mailNickName attribute.
Populate the mail attribute by using the primary SMTP address.
 For the first user provisioned - Add the MOERA as the secondary smtp address in
the proxyAddresses attribute, by using the format mailNickName@initial domain.
For the second user provisioned, MOERA is already in use by another object - Add
the MOERA as the secondary smtp address, by appending 4 random digits to the
mailNickName as a prefix, plus @initial domain suffix.

The following attributes are set in Microsoft Entra ID on the synchronized user object:

AAD:mail : user6a@Contoso.com
AAD:mailNickName : user6mnn
AAD:proxyAddresses : {smtp:user6mnn@Contoso.onmicrosoft.com;
SMTP:user6a@Contoso.com}
AAD:userPrincipalName : user6a@Contoso.com

AAD:mail : user6b@Contoso.com
AAD:mailNickName : user6mnn
AAD:proxyAddresses : {smtp:user6mnn5236@Contoso.onmicrosoft.com;
SMTP:user6b@Contoso.com}
AAD:userPrincipalName : user6b@Contoso.com

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you reset your password in
Azure, Office 365, or Intune: Your
request could not be processed
Article • 10/28/2024

This article describes a problem in which you receive a "Your request could not be
processed" message when you reset your password in Microsoft Azure, Office 365, or
Microsoft Intune. To resolve this problem, work with your administrator to update your
telephone number(s).

Original product version: Microsoft Entra ID, Microsoft Intune, Cloud Services (Web
roles/Worker roles)
Original KB number: 2951268

Symptoms
When you try to reset your password in Microsoft Azure, Microsoft Office 365, or
Microsoft Intune, you receive the following error message:

There was an error processing your request. Please try resetting your password
again by clicking here.
If you are unable to reset your password after retrying, please contact Support for
assistance.

Cause
This problem occurs because the telephone number that we have on file may be
incorrect, and we were unable to reach you.

Resolution
To resolve this problem, work with your administrator to update your telephone
number(s).

７ Note
 If available, try to use another method such as using your mobile phone, office
telephone, or mobile app.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

RPC errors affecting Microsoft Entra
Connect
Article • 10/28/2024

Customers may experience issues where they cannot configure Microsoft Entra Connect
and or enable features due to Remote Procedure Call (RPC) related errors.

Customers may also experience features previously enabled stop working due to these
types of errors.

In the vast majority of cases, the issue is affecting Microsoft Entra Connect and not
caused by Microsoft Entra Connect, so finding the exact underlying problem is crucial to
correctly define troubleshooting steps and identify the right underlying issue causing
the errors.

This article cover examples of Microsoft Entra Connect features affected by RPC errors.

Investigating a Remote Procedure Call error

affecting Microsoft Entra Connect
When an issue is identified, it is generally recommended as part of troubleshooting
initial steps, to carefully investigate Application events using Event Viewer. Determining
the system error being returned from the remote procedure call will help you target
your investigation and define the right troubleshooting methods and tools.

For these types of errors, Application events include information about the RPC error
such as in the following examples:

Example 1
 

Snippet from the Application error event seen in the previous image:

dos

Log Name: Application

Source: Directory Synchronization
Date: 8/10/2020 11:00:39 AM
Event ID: 611
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: server1.contoso.com
Description: Password hash synchronization failed for domain: contoso.com,
domain controller hostname: <not available>, domain controller IP address:
<not available>.
Details:
Microsoft.Online.PasswordSynchronization.SynchronizationManagerException:
Unable to open connection to domain: contoso.com. Error: There was an error
establishing a connection to the directory replication service. Domain
controller hostname: server1.contoso.com, domain controller IP address:
10.0.0.202 --->
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsCom
municationException: There was an error establishing a connection to the
directory replication service. Domain controller hostname:
server1.contoso.com, domain controller IP address: 10.0.0.202 --->
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.
DrsException: There was an error creating the connection context. --->
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsCom
municationException: RPC Error 1722 : The RPC server is unavailable. Error
creating the RPC binding handle

In this case, the RPC communication failed with error "1722 : The RPC server is
unavailable".
System Error Codes 1700-3999

In this example, the error is affecting Microsoft Entra Connect password synchronization
feature.

Troubleshooting Example 1
The error in Example 1 is a common networking related error for which troubleshooting
steps can be found in Troubleshoot TCP/IP RPC Errors.

In this scenario, investigating a network trace reveals retransmit packets being sent for
communication with destination port 135, so traffic on this port is being blocked on the
destination server.

These errors can manifest intermittently, which adds complexity to the process of
collecting data, like a network trace, for investigation and troubleshooting.

The following steps allow you to automatically collect a network trace, when the error
event ID is generated.

７ Note

To automatically collect an network trace, Microsoft Network Monitor must be

installed on the Microsoft Entra Connect server.

Download Netmon

1. From an elevated command prompt, run the following command:

 dos

nmcap /network * /Capture /file c:\MSData\%Computername%_Trace.cap:500M

/StopWhen /Frame (ICMP and Ipv4.TotalLength == 328) /CaptureProcesses
/TimeAfter 2s

2. To stop the trace when the error is generated, send a Ping with the correct size.

Prepare the Ping Command in a script (cmd file for instance) that you execute
when the Microsoft Entra Connect throws the Error in Event log.

Ping command:

dos

ping -l 300 -n 2 1.2.3.4

3. Attach a task that runs the cmd file created in the previous step to the event that is
generated when the issue reproduces. That will trigger the ping command that
stops the trace.

Example 2
Snippet from the Application error event seen in the previous image:

dos

Log Name: Application

Source: Directory Synchronization
Date: 8/3/2020 8:17:55 PM
Event ID: 611
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: server1.contoso.com
Description: Password hash synchronization failed for domain: contoso.com,
domain controller hostname: server1.contoso.com, domain controller IP
address: 192.168.0.0.
Details:
Microsoft.Online.PasswordSynchronization.SynchronizationManagerException:
Recovery task failed. --->
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.
DrsException: RPC Error 8333 : Directory object not found. There was an
error calling _IDL_DRSGetNCChanges.

Other infrastructure configuration issues may contribute to Remote Procedure Call

problems, such as DNS name resolution, Authentication problems, etc.

It's important to note the error number for appropriate investigation and
troubleshooting.
Troubleshooting Example 2
In Example 2 the Remote Procedure Call returned error is 8333, an error for "Directory
object not found"

System Error Codes 8200-8999

Microsoft Entra Connect server was not able to find the user object for which it is trying
to perform Password Hash Synchronization in Active Directory.

More detailed information and troubleshooting guidance can be found in Windows

Server Troubleshooting : RPC Server is unavailable .

Example 3

Snippet from the Application error event seen in the previous image:

dos

Log Name: Application

Source: ADSync
Date: 7/28/2020 7:07:20 PM
Event ID: 6329
Task Category: Server
Level: Error
Keywords: Classic
User: N/A
 Computer: server1.contoso.com
Description: An unexpected error has occurred during a password set
operation.
"BAIL: MMS(4984): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file
when that file already exists.)
ERR_: MMS(4984):
X:\bt\1016372\repo\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting
registry value 'ADMADoNormalization', 0x2
BAIL: MMS(4984):
X:\bt\1016372\repo\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The
system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(4984):
X:\bt\1016372\repo\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002
(The system cannot find the file specified.)
ERR_: MMS(4984):
X:\bt\1016372\repo\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting
registry value 'ADMARecursiveUserDelete', 0x2
BAIL: MMS(4984):
X:\bt\1016372\repo\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The
system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(4984):
X:\bt\1016372\repo\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002
(The system cannot find the file specified.)
ERR_: MMS(4984):
X:\bt\1016372\repo\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting
registry value 'ADMARecursiveComputerDelete', 0x2
BAIL: MMS(4984):
X:\bt\1016372\repo\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The
system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(4984):
X:\bt\1016372\repo\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002
(The system cannot find the file specified.)
ERR_: MMS(4984): admaexport.cpp(2939): Failed to acquire user information:
0x6ba
BAIL: MMS(4984): admaexport.cpp(2963): 0x80004005 (Unspecified error)
BAIL: MMS(4984): admaexport.cpp(3296): 0x80004005 (Unspecified error)
ERR_: MMS(4984): ..\ma.cpp(8000): ExportPasswordSet failed with 0x80004005
Azure AD Sync 1.4.18.0"

It's important to know that errors can be represented in their hexadecimal code, like in
this example.

You can also use the hexadecimal error code to search the error symbolic name.

The error "0x6ba" translates to an "RPC Server Unavailable" error 1722. The
troubleshooting steps used in Example 1 also apply here.

System Error Codes 1700-3999

Example 4
Another example with the RPC error represented in its hexadecimal form:

In this case, the error returned "0x5" translates to an access denied error:

System Error Codes 0-499

There may be various reasons to raise an access denied error. Hardening group policies
implemented in Active Directory is one of them. One example is restricting clients
allowed to make calls to SAM:

Network access: Restrict clients allowed to make remote calls to SAM

Other commonly found system error codes

returned in Remote Procedure Call affecting
Microsoft Entra Connect
ﾉ Expand table

Error Hexadecimal Error symbolic name Error descriptive

ID error text
representation

1127 0x467 ERROR_DISK_OPERATION_FAILED While accessing the

hard disk, a disk
operation failed even
after retries.

1130 0x46A ERROR_NOT_ENOUGH_SERVER_MEMORY Not enough server

storage is available
to process this
command.

1331 0x533 ERROR_ACCOUNT_DISABLED This user can't sign in

because this account
Error Hexadecimal Error symbolic name Error descriptive
ID error text
representation

is currently disabled.

14 0xE ERROR_OUTOFMEMORY Not enough storage

is available to
complete this
operation.

1450 0x5AA ERROR_NO_SYSTEM_RESOURCES Insufficient system

resources exist to
complete the
requested service.

1722 0x6BA RPC_S_SERVER_UNAVAILABLE The RPC server is

unavailable.

1723 0x6BB RPC_S_SERVER_TOO_BUSY The RPC server is too

busy to complete this
operation.

1726 0x6BE RPC_S_CALL_FAILED The remote

procedure call failed.

1727 0x6BF RPC_S_CALL_FAILED_DNE The remote

procedure call failed
and did not execute.

1728 0x6C0 RPC_S_PROTOCOL_ERROR A remote procedure

call (RPC) protocol
error occurred.

1753 0x6D9 EPT_S_NOT_REGISTERED There are no more

endpoints available
from the endpoint
mapper.

1818 0x71A RPC_S_CALL_CANCELLED The remote

procedure call was
cancelled.

1825 0x721 RPC_S_SEC_PKG_ERROR A security package

specific error
occurred.

5 0x5 ERROR_ACCESS_DENIED Access is denied.

6 0x6 ERROR_INVALID_HANDLE The handle is invalid.

 Error Hexadecimal Error symbolic name Error descriptive
ID error text
representation

8333 0x208D ERROR_DS_OBJ_NOT_FOUND Directory object not

found.

8420 0x20E4 ERROR_DS_CANT_FIND_EXPECTED_NC The naming context

could not be found.

8439 0x20F7 ERROR_DS_DRA_BAD_DN The distinguished

name specified for
this replication
operation is invalid.

8446 0x20FE ERROR_DS_DRA_OUT_OF_MEM The replication

operation failed to
allocate memory.

8451 0x2103 ERROR_DS_DRA_DB_ERROR The replication

operation
encountered a
database error.

8453 0x2105 ERROR_DS_DRA_ACCESS_DENIED Replication access

was denied.

8456 0x2108 ERROR_DS_DRA_SOURCE_DISABLED The source server is

currently rejecting
replication requests.

8465 0x2111 ERROR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA The replication

synchronization
attempt failed
because a master
replica attempted to
sync from a partial
replica.

More information
System Error codes can be found through Error Codes.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

Can't run scripts in Azure Active
Directory module for Windows
PowerShell
Article • 10/28/2024

This article describes an issue in which you receive an error message when you try to run
scripts in Azure Active Directory module for Windows PowerShell.

Original product version: Microsoft Entra ID, Microsoft Intune, Azure Backup, Office 365
User and Domain Management, Office 365 Identity Management
Original KB number: 2411920

Symptoms
When you try to run a script in Microsoft Azure Active Directory module for Windows
PowerShell, you receive one of the following error messages:

File C:\my_script.ps1 cannot be loaded. The execution of scripts is disabled on this

system. Please see "Get-Help about_signing" for more details.

File C:\Desktop\myscript.ps1 cannot be loaded because running scripts is disabled

on this system. For more information, see about_Execution_Policies at
http://go.microsoft.com/fwlink/?LinkID=135170 .

File C:\my_script.ps1 cannot be loaded. The file C:\my_script.ps1 is not digitally

signed. The script will not execute on the system. For more information, see
about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170 .

Cause
This issue may occur if one of the following factors is true:

The PowerShell version that you are using is higher than 5.1. The Azure Active
Directory module only works with PowerShell 3 to 5.1.
The execution policy is set to Restricted. Certain Windows PowerShell cmdlets
can't run if the policy is too restricted.
Resolution
To resolve this issue, follow these steps:

1. Identify the PowerShell version by running $PSVersionTable .

2. Run the Azure Active Directory module for Windows PowerShell as an

administrator. To do it, select Start, select All Programs, select Windows Azure
Active Directory, right-click Windows Azure Active Directory module for
Windows PowerShell, and then select Run as administrator.

3. Set the execution policy to Unrestricted. To do it, type the following cmdlet, and
then press Enter:

PowerShell

Set-ExecutionPolicy Unrestricted

4. Run the Windows PowerShell cmdlets that you want.

5. Set the execution policy to Restricted. To do it, type the following cmdlet, and then
press Enter:

PowerShell

Set-ExecutionPolicy Restricted

More information
To help deliver a more secure command-line administration experience, Windows
PowerShell uses "execution policies" to control how Windows PowerShell can be used.
Execution policies define the restrictions under which Windows PowerShell loads files for
execution and configuration. Windows PowerShell runs in the Restricted execution
policy by default. This mode is its most secure mode. In this mode, Windows PowerShell
operates as an interactive shell only.

The four execution policies are as follows:

Restricted is the default execution policy. This policy doesn't run scripts and is
interactive only.
AllSigned policy runs scripts. All scripts and configuration files must be signed by a
publisher that you trust. This policy opens you to the risk of running signed but
malicious scripts, after you confirm that you trust the publisher.
 RemoteSigned policy runs scripts. All scripts and configuration files downloaded
from communication applications must be signed by a publisher that you trust.
These communication applications include Microsoft Outlook, Windows Internet
Explorer, Outlook Express, and Windows Messenger. This policy opens you to the
risk of running malicious scripts that aren't downloaded from these applications.
And you aren't prompted in this situation.
Unrestricted policy runs scripts. All scripts and configuration files downloaded from
communication applications run after you confirm that you understand that the file
originated from the Internet. These communication applications include Outlook,
Internet Explorer, Outlook Express, and Windows Messenger. No digital signature
is required. This policy opens you to the risk of running unsigned, malicious scripts
that are downloaded from these applications.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Separate passwords required for the
computer and work or school account
when using password synchronization
and the Azure Active Directory Sync tool
Article • 10/28/2024

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 Identity Management
Original KB number: 2853316

Symptoms
Users have to use different passwords to sign in to their work or school account in a
Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune and to
log on to their computers. This problem occurs even though you've take the following
actions:

Enabled password synchronization in Microsoft Entra ID

Set up Active Directory synchronization to sync user accounts in your on-premises
Active Directory Domain Services (AD DS) environment to Microsoft Entra ID

Cause
This problem occurs if users' cloud service passwords change. Password synchronization
doesn't sync the cloud service password. Therefore, users in this scenario have different
passwords for their local computer and for the cloud service.

Resolution
To resolve this problem, do one of the following:

Have users change their computer password.

Reset the computer password for the users. When you reset a user's password,
make sure that the User must change password at next logon check box is
cleared.
After directory synchronization occurs, users' computer passwords in the on-premises
Active Directory environment are synced to Microsoft Entra ID. Users can then log on to
their computers and sign in to the cloud service by using the same password.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

"Size Limit Exceeded - Error Code 0x4"
error message during delta import in
Microsoft Entra Connect
Article • 10/28/2024

This article discusses how to troubleshoot the "Size Limit Exceeded - Error Code 0x4"
error message that occurs during the delta import step from an on-premises Active
Directory in Microsoft Entra Connect.

Symptoms
In the Synchronization Service Manager app, the Delta Import steps from the on-
premises Active Directory connector fail. The Connection Log dialog box displays a
dropped-connection status, a Size Limit Exceeded error, and an error code of 0x4:

In the Application log, the error event ID 6050 is recorded, as shown in the following
example:

Output

Log Name: Application

Source: ADSync
Date: 5/12/2023 7:34:38 AM
Event ID: 6050
Task Category: Management Agent Run Profile
Level: Error
Keywords: Classic
User: N/A
 Computer: AADConnect.Contoso.com
Description:
The management agent "Contoso.com" failed on run profile "Delta Import"
because of connectivity issues.

Additional Information
Discovery Errors : "0"
Synchronization Errors : "0"
Metaverse Retry Errors : "0"
Export Errors : "0"
Warnings : "0"

User Action
View the management agent run history for details.

Cause
By default, when you make a Lightweight Directory Access Protocol (LDAP) search or
query in Microsoft Entra ID, the directory can return no more than 1,000 records. By
security design, this is the default behavior of Active Directory. The 1,000-record limit is
intended to prevent a distributed denial-of-service (DDoS) attack on LDAP queries. This
issue can occur if you recently restored a large number of objects simultaneously from
the Active Directory Recycle Bin. The restore process can cause the delta import query to
exceed the record limit.

Solution 1: Run a full import on the AD DS

connector
The easiest resolution to this issue is to manually run a full import (instead of a delta
import) on the Active Directory Domain Services (AD DS) connector. Follow these steps:

1. Select Start, and then search for and select Synchronization Service Manager.

2. In the Synchronization Service Manager window, select the Delta Import step of
the on-premises AD Connector that isn't connecting. Look for the Delta Import
step that shows a stopped-connectivity status.

3. Select Ctrl + F5 , or right-click your selection, and then select Run.

4. In the Run Connector dialog box, select the Full Import run profile, and then select
OK.

After the full import finishes, open a PowerShell console, and run the Start-
ADSyncSyncCycle cmdlet to start a normal delta synchronization cycle. This process is
described in Microsoft Entra Connect Sync: Scheduler.

Solution 2: Temporarily increase the record

limit
If you don't want to run a full import on the AD DS connector, you can temporarily
change your configuration so that an LDAP search can return a larger number of records
during delta synchronization.

To increase the 1,000-record limit, increase the maximum page size ( MaxPageSize )
setting to accommodate the number of objects that the delta import step returns. For
example, if you restored an Organization Unit (OU) that has 5,000 users, we recommend
that you temporarily increase MaxPageSize to a value of 5,000. Then, after the Microsoft
Entra Connect issue is resolved, restore MaxPageSize to the default value of 1,000.

To change the MaxPageSize setting, run the Ntdsutil command, as shown in the
following procedure. For more information about MaxPageSize , see LDAP administration
limits.

） Important

Follow the steps in this section carefully. Serious problems might occur if you
modify the default AD configuration incorrectly. When the issue is resolved, you
can restore the default values.

1. Select Start, enter Command Prompt, and then select Run as administrator.

2. At the command prompt, enter ntdsutil to start an Ntdsutil console session.

3. In the View and set LDAP policy in Active Directory by using Ntdsutil.exe article,
follow the instructions in the View current policy settings section to learn what the
policy settings currently are.

4. To change the maximum page size, enter set MaxPageSize to <new-maximum-page-

size-value> .

5. Enter commit changes to apply the new value.

6. To exit the Ntdsutil session, enter quit two times.

After you make the configuration change, open a PowerShell console, and then run the
Start-ADSyncSyncCycle cmdlet to start a normal delta synchronization cycle. This
process is described in Microsoft Entra Connect Sync: Scheduler. Now, Active Directory
returns a larger number of records, and it should be able to provide the full delta
response to Microsoft Entra Connect.

After the delta synchronization finishes successfully, repeat the procedure to restore the
MaxPageSize setting to its original value (1,000).

References
LDAP policies

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Slow performance and high CPU usage
in Microsoft Entra Connect Health for
Sync monitoring agent on a system that
has installed .NET Framework
Article • 10/28/2024

This article describes an issue that causes slow performance and high CPU usage in
Microsoft Entra Connect Health for Sync monitoring agent on a system that has installed
.NET Framework 4.7.2 or the July 2018 updates for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7,
4.7.1, or 4.7.2.

Original product version: Microsoft Entra ID

Original KB number: 4457331

Symptoms
Assume that you run the Microsoft Entra Connect Health for Sync monitoring agent on a
system that has installed .NET Framework 4.7.2 or the July 2018 updates for .NET
Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, or 4.7.2. In this scenario, the system may
experience slow performance and high CPU usage.

To see the high CPU usage, start Task Manager, and view the CPU usage of the
MIcrosoft.Online.Reporting.MonitoringAgent.Startup process on the Processes tab.

Cause
This issue occurs because the Microsoft Entra Connect Health for Sync monitoring agent
does not fully support .NET Framework 4.7.2 or the July 2018 updates for .NET
Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, or 4.7.2. The following updates may cause high
CPU usage of the monitoring agent.

ﾉ Expand table

.NET Framework update Server version Type of update

KB 4340007 Windows Server 2008 Security

KB 4340556 Windows Server 2008 R2 Security

 .NET Framework update Server version Type of update

KB 4340004 Windows Server 2008 R2 Security

KB 4340557 Windows Server 2012 Security

KB 4340005 Windows Server 2012 Security

KB 4340558 Windows Server 2012 R2 Security

KB 4340006 Windows Server 2012 R2 Security

KB 4054542 Windows Server 2012 Nonsecurity

KB 4054566 Windows Server 2012 R2 Nonsecurity

KB 4054590 Windows Server 2016 Nonsecurity

KB 4338814 Windows Server 2016 (build 14393.2363) Nonsecurity

KB 4345418 Windows Server 2016 (build 14393.2368) Nonsecurity

Resolution
To resolve this issue, install the update that is appropriate for your environment.

For Connect Health for AD DS and AD FS

Install the Microsoft Entra Connect Health Agent, version 3.1.7.0 that was released
in July 2018. This update is available for [download here]/azure/active-
directory/hybrid/how-to-connect-health-agent-install#download-and-install-the-
azure-ad-connect-health-agent).

For Microsoft Entra Connect

Install the latest version of Microsoft Entra Connect that contains the fix for this
high CPU usage issue. This version is available for download here .

７ Note

If you have enabled the auto-upgrade feature on your Microsoft Entra

Connect server, the latest version will be installed automatically.

Virus-scan claim
Microsoft scanned this file for viruses, using the most current virus-detection software
that was available on the date that the file was posted. The file is stored on security-
enhanced servers that help prevent any unauthorized changes to it.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Troubleshoot Microsoft Entra Connect
upgrade issues
Article • 10/28/2024

This article describes how to troubleshoot problems that can occur when you upgrade
to the latest version of Microsoft Entra Connect from previous installations of Microsoft
Entra Connect, Azure AD Sync, or DirSync.

２ Warning

You might find some online documentation that includes steps to directly edit the
Windows registry. However, editing the registry can cause serious problems if you
modify the registry incorrectly. The Microsoft Entra Connect product team doesn't
support editing the Windows registry.

Original product version: Microsoft Entra ID

Original KB number: 4051210

Symptoms
Every time that you start the Microsoft Entra Connect setup wizard, the program
evaluates all the related products and Windows Installer packages (.msi) that are
currently installed. To trace this activity, follow these steps:

1. Start the Microsoft Entra Connect wizard, and wait for the first page to open.

2. Open the %ProgramData%\AADConnect\ folder, and analyze the latest installation

trace log.

3. Locate the entries for GetInstalledPackagesByUpgradeCode , where the wizard

evaluates all the related Windows Installer packages that are installed in Windows.
For example:

Output

[10:44:23.095] [ 1] [INFO ] Performing direct lookup of upgrade codes

for: Azure AD Sync Engine
[10:44:23.095] [ 1] [VERB ] Getting list of installed packages by
upgrade code
[10:44:23.095] [ 1] [INFO ] GetInstalledPackagesByUpgradeCode
{545334d7-13cd-4bab-8da1-2775fa8cf7c2}: verified product code
{7c4397b7-9008-4c23-8cda-3b3b8faf4312}.
 [10:44:23.095] [ 1] [INFO ] GetInstalledPackagesByUpgradeCode
{dc9e604e-37b0-4efc-b429-21721cf49d0d}: no registered products found.
[10:44:23.095] [ 1] [INFO ] GetInstalledPackagesByUpgradeCode
{bef7e7d9-2ac2-44b9-abfc-3335222b92a7}: no registered products found.

You can find two similar symptoms near this part of the trace log:
Product was uninstalled but an inconsistent product code is still present in Windows
The wizard is detecting an old installation of the sync engine: "Product Azure AD Sync
Engine (version 1.1.343.0) is installed, needs to be upgraded to version 1.1.380.0."

Output

[10:44:23.095] [ 1] [VERB ] Package=Microsoft Azure AD Connect

synchronization services, Version=1.1.343.0, ProductCode=7c4397b7-9008-4c23-
8cda-3b3b8faf4312, UpgradeCode=545334d7-13cd-4bab-8da1-2775fa8cf7c2
[10:44:23.095] [ 1] [INFO ] Determining installation action for Azure AD
Sync Engine (545334d7-13cd-4bab-8da1-2775fa8cf7c2)
[10:44:23.298] [ 1] [VERB ] Check product code installed: {4e67cad2-d71b-
4f06-a7ae-bb49c566bb93}
[10:44:23.298] [ 1] [INFO ] GetProductInfoProperty({4e67cad2-d71b-4f06-a7ae-
bb49c566bb93}, VersionString): unknown product
[10:44:23.298] [ 1] [INFO ] AzureADSyncEngineComponent: Product Azure AD
Sync Engine (version 1.1.343.0) is installed, needs to be upgraded to
version 1.1.380.0.

However, the Windows Installer information might be inconsistent after this product is
uninstalled and the sync engine is no longer present.

Because the setup wizard is still detecting an old product code, it decides to upgrade
Azure AD Sync Engine instead of doing a clean installation. Later in the upgrade process,
while the installer is checking for the current service status, the installation fails because
the ADSync service isn't present:

Output

[10:44:28.260] [ 1] [INFO ] ServiceControllerProvider: verifying ADSync is

in state (Running)
[10:44:28.291] [ 1] [ERROR] Caught an exception while creating the initial
page set on the root page.
Exception Data (Raw): System.InvalidOperationException: Service ADSync was
not found on computer '.'. ---> System.ComponentModel.Win32Exception: The
specified service does not exist as an installed service

Product was uninstalled but a stale product code is still present in Windows

A stale product code that you find in Windows Installer packages can also cause
upgrade issues.
 Output

[15:29:06.958] [ 1] [INFO ] Performing direct lookup of upgrade codes for:

Azure AD Sync Engine
[15:29:06.959] [ 1] [VERB ] Getting list of installed packages by upgrade
code
[15:29:06.959] [ 1] [INFO ] GetProductInfoProperty({7c4397b7-9008-4c23-8cda-
3b3b8faf4312}, VersionString): unrecognized error (1608)
[15:29:06.959] [ 1] [INFO ] GetInstalledPackagesByUpgradeCode {545334d7-
13cd-4bab-8da1-2775fa8cf7c2}: stale product code {7c4397b7-9008-4c23-8cda-
3b3b8faf4312}.
[15:29:06.959] [ 1] [INFO ] GetInstalledPackagesByUpgradeCode {545334d7-
13cd-4bab-8da1-2775fa8cf7c2}: no registered products found.
[15:29:06.959] [ 1] [INFO ] GetInstalledPackagesByUpgradeCode {dc9e604e-
37b0-4efc-b429-21721cf49d0d}: no registered products found.
[15:29:06.959] [ 1] [INFO ] GetInstalledPackagesByUpgradeCode {bef7e7d9-
2ac2-44b9-abfc-3335222b92a7}: no registered products found.
[15:29:06.963] [ 1] [INFO ] Determining installation action for Azure AD
Sync Engine (545334d7-13cd-4bab-8da1-2775fa8cf7c2)
[15:29:07.059] [ 1] [INFO ] Product Azure AD Sync Engine is not installed.

Microsoft Entra Connect Setup wizard can't detect that an Azure AD Sync Engine is
installed. Setup fails and returns the following error message:

Output

[15:52:17.674] [ 13] [ERROR] PerformConfigurationPageViewModel: Caught

exception while installing synchronization service.
Exception Data (Raw): System.Exception: Unable to install the
Synchronization Service. Please see the event log for additional details. --
->
Microsoft.Azure.ActiveDirectory.Client.Framework.ProcessExecutionFailedExcep
tion: Error installing msi package 'Synchronization Service.msi'. Full log
is available at 'C:\ProgramData\AADConnect\Synchronization Service_Install-
20170525-155217.log'.
...
MSI (s) (C0!08) [15:52:17:605]: Product: Microsoft Azure AD Connect
synchronization services -- Error 25019.The Microsoft Azure AD Connect
synchronization services setup wizard cannot open registry key
SYSTEM\CurrentControlSet\Services\ADSync\Parameters. Try verifying the key
and running this wizard again. The system cannot find the file specified.
CustomAction DetectStoreServer returned actual error code 1603 (note this
may not be 100% accurate if translation happened inside sandbox)
Action ended 15:52:17: DetectStoreServer.
--->
Microsoft.Azure.ActiveDirectory.Client.Framework.ProcessExecutionFailedExcep
tion: Exception: Execution failed with errorCode: 1603.

This error occurs because the MSIEXEC process still tries to upgrade the Azure AD Sync
Engine, as shown in the Synchronization Service_Install-20170525-155217.log file:
 Output

MSI (s) (C0:0C) [15:52:17:386]: PROPERTY CHANGE: Adding WIX_UPGRADE_DETECTED

property. Its value is '{7C4397B7-9008-4C23-8CDA-3B3B8FAF4312}'.
MSI (s) (C0:0C) [15:52:17:386]: PROPERTY CHANGE: Adding MIGRATE property.
Its value is '{7C4397B7-9008-4C23-8CDA-3B3B8FAF4312}'.
...
MSI (s) (C0:D4) [15:52:17:598]: Invoking remote custom action. DLL:
C:\Windows\Installer\MSI1D9A.tmp, Entrypoint: DetectStoreServer
Action start 15:52:17: DetectStoreServer.
MSI (s) (C0!08) [15:52:17:605]: Product: Microsoft Azure AD Connect
synchronization services -- Error 25019.The Microsoft Azure AD Connect
synchronization services setup wizard cannot open registry key
SYSTEM\CurrentControlSet\Services\ADSync\Parameters. Try verifying the key
and running this wizard again. The system cannot find the file specified.

As in the previous case, the Windows Installer upgrading process fails because the
ADSync service entries in the registry aren't present. The product has been previously
uninstalled, leaving the Windows Installer database inconsistent.

Solution
You can clean up the inconsistency on the Windows Installer database for the Azure AD
Sync Engine product code that's identified in the trace log. (The product code can vary.
For the previous examples, the problematic product code is 7c4397b7-9008-4c23-8cda-
3b3b8faf4312.)

After you identify the problematic product code from the trace log, use the following
methods, as appropriate.
Fix Windows Installer issues (if applicable)
The KB3139923 Windows hotfix can cause these Windows Installer issues. Therefore, we
recommend that you uninstall it.

To check whether KB3139923 is installed, go to Settings > Windows Update > Update
history. Or use PowerShell to export a list of all installed hotfixes:

PowerShell

Get-Hotfix |
Select-Object HotFixID, InstalledOn, Description, InstalledBy |
Sort-Object –Property InstalledOn –Descending |
Out-File –FilePath ".\$env:COMPUTERNAME-HotFixes.txt"

1. If the KB3139923 hotfix is present, uninstall it, and then restart the server.

2. Download and install the KB3072630 Windows hotfix , and then restart again.
 Use the Windows Installer command-line tool to uninstall product code

To uninstall the product code for the Azure AD Sync Engine, run the Windows Installer
command-line tool (MsiExec.exe) as follows:

1. Identify the inconsistent or stale product code from the trace log (GUID), as shown
in the "Symptoms" section.

2. Open an administrative Command Prompt window.

3. Enter the following line by susbtituting the actual GUID of the problematic product
code:

Windows Command Prompt

SET productcode={<12345678-0000-abcd-0000-0123456789ab>}

4. Enter the following command, repeat the command, and then restart the server.

７ Note

You might see numerous reported errors because of the corrupted Windows
Installer database. For any dialog box that appears, select Yes.

Windows Command Prompt

SET /a counter+=1
& MSIEXEC /x %productcode% /qn /norestart /l*v
"%ProgramData%\AADConnect\AADConnect_Uninstall-
ForcedUninstall_%counter%.log" EXECUTE_UNINSTALL="1"

5. Start the Microsoft Entra Connect wizard, and wait for the first page to open.

6. Open the %ProgramData%\AADConnect\ folder, and analyze the latest installation

trace log.

7. If the inconsistent or stale product code is no longer present in the log file,
continue the wizard, and complete the installation. Otherwise, go to the next
solution.

Use Program Install and Uninstall troubleshooter tool

The Program Install and Uninstall troubleshooter helps you automatically repair issues if
you're blocked from installing or removing programs. It also fixes corrupted registry
keys.

Fix problems that block programs from being installed or removed (microsoft.com)

After you run the tool, restart the server, and then follow these steps:

1. Start the Microsoft Entra Connect wizard, and wait for the first page to open.

2. Open the %ProgramData%\AADConnect\ folder, and analyze the latest installation

trace log.

3. If the inconsistent or stale product code is no longer present in the log file,
continue the wizard, and complete the installation. If the stale product code is
present, we recommend that you reinstall the Windows operating system because
you can't recover the Windows Installer database from an inconsistent state.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Troubleshoot Azure Active Directory Sync
tool installation and Configuration Wizard
errors
Article • 10/28/2024

This article describes how to troubleshoot Azure Active Directory Sync tool installation and
Directory Sync tool Configuration Wizard issues.

Original product version: Microsoft Entra ID, Microsoft Intune, Azure Backup, Office 365
Identity Management
Original KB number: 2684395

Introduction
This article provides resolutions and common causes of error messages that may occur when
you install or set up the Directory Sync tool.

Check system requirements

The Azure Active Directory Sync tool can be installed on a computer if all the following
conditions are true:

Windows PowerShell 1.0 is installed on the computer.

You're logged on to the computer as a member of the local Administrators group.
The computer has a 64-bit processor.
The computer is running one of the following operating systems:
Windows Server 2003 x64 with Service Pack 2 (SP2) or a later version
An x64-based version of Windows Server 2008
The computer isn't a domain controller.
The computer is joined to an Active Directory domain. And it's located in the forest that
you want to sync with Microsoft Entra ID.
The Microsoft .NET Framework 3.5 or a later version is installed on the computer.

Check permissions
To start the Directory Sync tool Configuration Wizard successfully, users who log on to the
computer on which the Directory Sync tool is installed must be a member of the local
Microsoft Identity Integration Server (MIIS) Admins group that was added during installation of
the tool.
When you run the Directory Sync tool Configuration Wizard, you must provide the following
information:

Enterprise admin credentials for the on-premises Active Directory schema

Global admin credentials for the Microsoft cloud service

Check domain connectivity by using nltest

Nltest is a command-line tool that is built into Windows Server. It is available as part of the
Remote Server Administration Tools for Windows 10 .

To check the domain controllers of the domain, run the following command at the
command prompt:

Console

nltest /dsgetdc:<FQDN of the domain>

７ Note

The nltest tool requires installation of the Windows Server 2003 Support Tools.

If the settings are correct, the output resembles the following example:

Output

DC: \DC.contoso.com
Address:\ <IP Address>
Dom Guid: <GUID>
Dom Name: contoso.com
Forest Name: contoso.com
DC Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN
DNS_FOREST CLOSE_SITE
The command completed successfully

To check the computer's site membership, run the following command at the command
prompt:

Console

nltest /dsgetsite

A successful result resembles the following example:

Output
 Default-First-Site-Name
The command completed successfully

Error 1: The computer must be joined to a domain

To troubleshoot this issue, check the domain membership of the computer by following these
steps:

1. Log on to the computer.

2. Right-click My Computer, and then select Properties.
3. Select the Computer Name tab. If the computer is a domain member, the Full Computer
Name resembles ComputerName.Domain.xxx. The domain name appears next to
Domain.

If the computer is a domain member, and you still receive the error message, verify that:

The computer can communicate with the domain.

The computer can discover the domain controller.

To do so, follow these steps:

1. Use the ipconfig command-line tool to check the Domain Name System (DNS) settings
on the server.

2. Confirm that you can ping the DNS server that's listed in the network properties on the
problem computer.

3. Run the nslookup command-line tool. If the DNS server is unreachable, you receive an
error message. For example, you receive an error message that resembles the following
example:

DNS request timed out.

timeout was 2 seconds.
*** Can't find server name for address <IP Address>: Timed out
Default Server: UnKnown
Address: <IP Address>

Sometimes, joining the computer to a workgroup, and then joining the computer back to the
domain may resolve this error message. If the computer can't join the domain, it indicates one
of the following problems:

The computer is experiencing an issue in contacting the domain controllers.

The Active Directory domain is rejecting the request.
Error 2: The Azure Active Directory Sync Tool is
already installed
In this case, the Directory Sync tool may not be installed because of a previous pending
installation. The Setup package also installs software in the background during installation. To
resolve this issue, follow these steps:

1. In Control Panel, check whether Microsoft Identity Integration Server is listed in Add or
Remove Programs or in Programs and Features. If it's present, you must remove it.
2. Verify that the Program Files folder contains a subfolder that's named Microsoft Identity
Integration Server. If the subfolder exists, you must rename the folder to Microsoft Identity
Integration Server_Old.
3. Run Setup again.

Troubleshoot other error messages

All directory synchronization logging is viewable in Event Viewer. To view all events that are
related to directory synchronization, follow these steps:

1. Open Event Viewer.

2. Expand Windows Logs, and then expand Application.
3. In the Actions pane, select Filter Current Log.
4. In the Event sources box, select the Directory Synchronization check box.
5. Select OK. The following table lists the error name, the error details, the error source, and
the steps to help resolve the error.

ﾉ Expand table

Error name Details Source Resolution

AdminRequired Local administrator Event

permissions are Viewer/
required to install Error
Directory prompt
Synchronization

DirSyncAlreadyInstalled The Directory Sync Event Uninstall all earlier versions of the
tool is already Viewer Directory Sync tool before you try
installed. Version {0} to install the latest version.

DirSyncInstallKeyNotRemoved Windows Installer Event Manually remove the registry keys

could not remove Viewer to complete the installation.
the uninstall registry
key from the Azure
Active Directory
Sync MSI. Retry
uninstall or contact
Error name Details Source Resolution

Microsoft Online
Support.

DirSyncNotInstalledError A complete Event Uninstall all earlier versions of the

installation of the Viewer Directory Sync tool before you try
Azure Active to install the latest version.
Directory Sync tool
was not detected on
this machine. Please
uninstall any
versions of this tool
and then reinstall
the most recent
version.

ErrorReRunConfigWizard Unable to start Event Run the Directory Sync tool

synchronization due Viewer Configuration Wizard.
to configuration
issues. To fix the
issues, try running
the Configuration
Wizard. If you
continue to see this
error, please contact
Microsoft Online
Support.

WindowsInstaller45Required Microsoft Windows Event Make sure that the server on

Installer 4.5 is Viewer which the Directory Sync tool is
required for being installed meets the
installation. Please minimum requirements.
install Microsoft
Windows Installer
4.5 and try again.

ErrorClearRunHistory Could not clear the Event

run history on the Viewer
MIIS Server. Error
returned is '{0}'.
Contact Microsoft
Online support.

ErrorNoStartConnection Synchronization Event Confirm that the local Active

failed to start Viewer Directory domain controllers can
because of be accessed from the server
connection issues or running the Directory Sync tool.
domain controllers
could not be
contacted by the
server. Verify that
you are connected
to the server and all
Error name Details Source Resolution

the configured
domain controllers
are connected to the
network. If you have
recently deleted
domain or naming
context, please rerun
the Configuration
Wizard.

ErrorNoStartCredentials Synchronization Event Run the Directory Sync tool

failed to start Viewer Configuration Wizard, and reenter
because of credentials. Also, confirm that the
credential problems. credentials have Administrator
Rerun Configuration access to the portal.
Wizard to update
credentials for
Synchronization.

ErrorNoStartNoDomainController Synchronization Event Confirm that the local Active

failed to start Viewer Directory domain controllers can
because the domain be accessed from the server
controller could not running the Directory Sync tool.
be contacted by the
server. Verify that
the domain
controller is
connected to the
network.

ErrorStoppedConnectivity Synchronization Confirm that the local computer

stopped because of can access the Internet. Have the
connectivity loss. user try to ping
Restore connectivity provisioning.microsoftonline.com
to the server. to verify that the computer can
reach the Microsoft Entra
authentication system.

ErrorStoppedDatabaseDiskFull Synchronization Event Free up space on the storage used

stopped because the Viewer to hold the directory
SQL Server database synchronization SQL database. If
used by the the issue isn't resolved, the
Synchronization Directory Sync tool will be unable
server is full. Create to run successfully, and the SQL
some space in the database may be permanently
SQL Server damaged.
database.
Error name Details Source Resolution

InstallNotAllowedOnDomainController Microsoft Online Event The Directory Sync tool can be

Services Coexistence Viewer installed only on domain-joined
cannot be installed computers that aren't domain
on a domain controllers.
controller.

InstallPathLengthTooLong The installation path Event If you use a custom path for the
is too long. Provide Viewer installation of the Directory Sync
a path of 116 tool, the total path must contain
characters or fewer fewer than 116 characters.
and then try again.

InsufficientDiskSpace Insufficient Disk Event There's insufficient space to install

Space Viewer the Directory Sync tool on the
local workstation.

InvalidPlatform The Azure Active Event Make sure that the server on
Directory Sync tool Viewer which the Directory Sync tool is
must be installed on being installed meets the
a computer running minimum requirements.
Windows Server
2003 Service Pack 2
or later.

InvalidUPNFormat User Principal Name Event Enter valid credentials.

(UPN) is your logon Viewer
name. This error is
displayed when the
user enters
credentials for
Microsoft Online
that do not contain
an "@" character.

ADCredsNotValid The Enterprise Event The installation wizard couldn't

Administrator Viewer verify that the user account that's
credentials that you used to install the tool is an
supplied are not enterprise administrator.
valid. Supply valid
credentials and try
again.

MachineIsDomainJoinedUserIsNot The computer is Event Log on as a domain user by using

joined to a domain, Viewer an account that meets the
but the current user minimum requirements before
credentials do not you try to install the Directory
have access Sync tool.
permissions on the
domain.
Error name Details Source Resolution

MachineIsNotDomainJoined The computer is not Event Make sure that the server on
joined to any Viewer which the Directory Sync tool is
domain. installed meets the minimum
requirements.

MachineNotDomainJoined The computer must Event Make sure that the server on
be joined to a Viewer which the Directory Sync tool is
domain. installed meets the minimum
requirements.

MIISSyncIsInProgressError The synchronization Event There's an existing operation

engine is busy. Retry Viewer being completed by MIIS. Any
this operation after new operation can be completed
this synchronization only after the current operation is
session is complete. complete.

MIISUserAddRight_AccountNotFound Account name:'{0}' Event The Directory Sync tool couldn't

could not be found. Viewer add the local account that's being
Error Code:{1} used to complete the installation
to the MIIS Admin Group.
Manually add the user to the
group to continue with the
installation.

MIISUserAddRight_AddFailed '{0}' could not be Event The Directory Sync tool couldn't
added to the Viewer add the local account that's being
account rights for used to complete the installation
'{1}'. Error code:{2} to the MIIS Admin Group.
Manually add the user to the
group to continue with the
installation.

MIISUserAddRight_PolicyHandleNotFound Failed to obtain the Event The Directory Sync tool couldn't
policy handle. Error Viewer add the local account that's being
Code:{0} used to complete the installation
to the MIIS Admin Group.
Manually add the user to the
group to continue with the
installation.

PowerShellRequired PowerShell must be Event Make sure that the server on

installed. Viewer which the Directory Sync tool is
installed meets the minimum
requirements.

UnsupportedNameFormat The name format is Event Enter valid credentials.

not supported. Two Viewer
examples of the
supported user
name formats are:
Error name Details Source Resolution

someone@example.com
or example\someone .

UserNotAMemberOfMIISAdmins The current user is Event Manually add the local Active
not a member of the Viewer Directory user account that's used
Microsoft Identity to run the Directory Sync tool to
Integration Server the MIIS Admin Group.
(MIIS) Admin group.
If you have recently
installed the Azure
Active Directory
Sync tool, you may
need to log off and
then log on.

UserNotAnEnterpriseAdmin User '{0}' is not a Event Manually add the local Active
member of the Viewer Directory user account that's used
Enterprise Admins to run the Directory Sync tool to
group. the Active Directory Enterprise
Admin Group.

UnsupportedClientVersion This version of the Event Download the latest version of the
Directory Sync tool Viewer Directory Sync tool. To do so, go
is no longer to Install or upgrade the Directory
supported. Remove Sync tool.
this version and then
install the latest
version from the
Directory
Synchronization
page of the
Migration tab in the
Microsoft Online
Services
Administration
Center.

InternetQueryOptionError Internet Explorer Event The installation wizard couldn't

proxy settings were Viewer read or change proxy settings in
not read. Initial Internet Explorer. Verify that the
configuration using proxy settings that are set in
setup wizard may Internet Explorer are formatted
not be able to correctly.
access online help.
WinInet Error {0}
 Error name Details Source Resolution

InternetSetOptionError Internet Explorer Event The installation wizard couldn't

proxy settings were Viewer read or change proxy settings in
not set. Initial Internet Explorer. Verify that the
configuration using proxy settings that are set in
setup wizard may Internet Explorer are formatted
not be able to correctly.
access online help.
WinInet Error {0}

RichCoexistenceNotAllowed Current local Event Install all the prerequisites for a

directory does not Viewer hybrid deployment before you try
have Exchange 2010 to install the Directory Sync tool.
installed. Rich
coexistence is not
allowed.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

End-to-end troubleshooting of Microsoft
Entra Connect objects and attributes
Article • 03/04/2025

This article is intended to establish a common practice for how to troubleshoot synchronization
issues in Microsoft Entra ID.

This method is used when an object or attribute fails to synchronize with the Microsoft Entra ID
directory and no errors are shown in the sync engine, Application event viewer logs, or
Microsoft Entra logs. It's easy to get lost in the details if there's no obvious error. However, by
using best practices, you can isolate the issue and provide insights for Microsoft Support
engineers.

As you apply this troubleshooting method to your environment, over time, you'll be able to do
the following steps:

Troubleshoot the sync engine logic from end to end.

Resolve synchronization issues more efficiently.
Identify issues more quickly by predicting the step in which they occur.
Identify the starting point for reviewing data.
Determine the optimal resolution.
The steps that are provided here start at the local Active Directory level and progress toward
Microsoft Entra ID. These steps are the most common direction of synchronization. However,
the same principles apply to the inverse direction (for example, for attribute writeback).

Prerequisites
For a better understanding of this article, first read the following prerequisite articles for a
better understanding of how to search for an object in different sources, and to understand
how to check the connectors and lineage of an object.

Microsoft Entra Connect: Accounts and permissions

Troubleshoot an object that isn't synchronizing with Microsoft Entra ID
Troubleshoot object synchronization with Microsoft Entra Connect Sync
Ineffective troubleshooting practices
The onPremisesSyncEnabled attribute in Microsoft Entra ID controls whether the tenant is
prepared to accept synchronization of objects from on-premises AD DS.

It's common to disable DirSync on the tenant while troubleshooting object or attribute
synchronization issues. Directory synchronization can be turned off using Graph or PowerShell.
However, this process might cause disruptions.

Disabling DirSync at the tenant level triggers a complex and lengthy backend operation to
transfer the Source of Authority (SoA) from local Active Directory to Microsoft Entra ID and
Exchange Online for all the synced objects on the tenant. This operation is necessary to convert
each object from onPremisesSyncEnabled=True to a cloud-only object ( onPremisesSyncEnabled=
<null> ), and clean up all the shadow properties that are synced from on-premises AD DS (for
example, ShadowUserPrincipalName and ShadowProxyAddresses ). Depending on the tenant's size,
this operation might take over 72 hours, and its completion time can't be predicted.

Don't use this method to troubleshoot a sync issue because such an operation can cause more
harm and doesn't fix the root issue. You can't enable DirSync again until this disabling
operation is complete. After re-enabling DirSync, the Entra Connect server must match all on-
premises objects with existing Microsoft Entra ID objects.

Disabling DirSync is supported only in the following scenarios:

You're decommissioning your on-premises synchronization server, and you want to

continue managing your identities entirely from the cloud instead of from hybrid
identities.
You have some synced objects in the tenant that you want to keep as cloud-only in
Microsoft Entra ID and remove from on-premises AD permanently.
You're currently using a custom attribute as the SourceAnchor in Entra Connect (for
example, employeeId), and you're re-installing AADC to start using ms-Ds-Consistency-
Guid/ObjectGuid as the new SourceAnchor attribute (or vice versa).
Certain scenarios within your mailbox migration strategy might result in potential issues.

In some situations, you might have to temporarily stop synchronization or manually control
Entra Connect sync cycles. For example, you might have to pause synchronization to run one
sync step at a time. Instead of disabling DirSync, you can just stop the sync scheduler by
running the following cmdlet:

PowerShell

Set-ADSyncScheduler -SyncCycleEnabled $false

When you're ready, restore the normal sync scheduler by running the following cmdlet:

PowerShell

Start-ADSyncSyncCycle

Glossary
ﾉ Expand table

Acronym/abbreviation Name/description

AADC Microsoft Entra Connect

AADCA Microsoft Entra Connector Account

AADCS Microsoft Entra Connector Space

AADCS:AttributeA Attribute 'A' in Microsoft Entra Connector Space

ACLs Access Control Lists (also known as ADDS permissions)

ADCA AD Connector Account

ADCS Active Directory Connector Space

ADCS:AttributeA Attribute 'A' in Active Directory Connector Space

ADDS or AD Active Directory Domain Services

CS Connector Space

MV Metaverse

MSOL Account Automatically generated AD Connector Account (MSOL_########)

MV:AttributeA Attribute 'A' in the Metaverse object

SoA Source of Authority

Step 1: Synchronization between ADDS and ADCS

Objective for Step 1

Determine whether the object or attribute is present and consistent in ADCS. If you can locate
the object in ADCS, and all attributes have the expected values, go to Step 2.
Description for Step 1
Synchronization between ADDS and ADCS occurs at the import step, and is the moment when
AADC reads from the source directory and stores data in the database. That is, when data is
staged in the connector space. During a delta import from AD, AADC requests all the new
changes that occurred after a given directory watermark. This call is initiated by AADC by using
the Directory Services DirSync Control against the Active Directory Replication Service. This
step provides the last watermark as the last successful AD import, and gives AD the point-in-
time reference from when all the (delta) changes should be retrieved. A full import is different
because AADC imports from ADCS all the data in sync scope, and then marks as obsolete (and
deletes) all the objects that are still in ADCS but weren't imported from AD. All the data
between AD and AADC is transferred through LDAP and is encrypted by default.

If the connection with AD is successful, but the object or attribute isn't present in ADCS
(assuming the domain or object is in sync scope), the issue most likely involves ADDS
permissions. The ADCA requires ay least read permissions on the object in AD in order to
import data to ADCS. By default, the MSOL account has explicit read/write permissions for all
user, group, and computer properties. However, this situation might still be problematic if the
following conditions are true:

AADC uses a custom ADCA, but it wasn't provided sufficient permissions in AD.
A parent OU has blocked inheritance, which prevents propagation of permissions from
the root of the domain.
The object or attribute itself has blocked inheritance, which prevents propagation of
permissions.
 The object or attribute has an explicit Deny permission that prevents ADCA from reading
it.

Troubleshooting Active Directory

Connectivity with AD

In the Synchronization Service Manager, the "Import from AD" step shows which domain
controller is contacted under Connection Status. You'll most likely see an error here when there
is a connectivity issue that affects AD.

If you have to further troubleshoot connectivity for AD, especially if no errors surfaced in
Microsoft Entra Connect server or if you're still in the process of installing the product, start by
using the ADConnectivityTool.

Connection issues to ADDS have the following causes:

Invalid AD credentials. For example, the ADCA has expired or the password has changed.
A "failed-search" error, which occurs when DirSync Control doesn't communicate with the
AD Replication Service, typically because of high-network packet fragmentation.
A "no-start-ma" error, which occurs when there are name resolution issues (DNS) in AD.
Other problems that can be caused by name resolution issues, network routing problems,
blocked network ports, high network packet fragmentation, no writable DCs available,
and so on. In such cases, you will likely have to involve the Directory Services or
networking support teams to help troubleshoot.

Troubleshooting summary:

Identify which domain controller is used.

Use preferred domain controllers to target the same domain controller.
Correctly identify the ADCA.
 Use the ADConnectivityTool to identify the problem.
Use the LDP tool to try to bind against the domain controller with the ADCA.
Contact Directory Services or a networking support team to help you troubleshoot.

Run the Synchronization Troubleshooter

After you troubleshoot AD connectivity, run the Troubleshoot Object Synchronization tool
because this alone can detect the most obvious reasons for an object or attribute not to
synchronize.

AD Permissions
A lack of AD permissions can affect both directions of the synchronization:

When you import from ADDS to ADCS, a lack of permissions can cause AADC to skip
objects or attributes so that AADC can't get ADDS updates in the import stream. This
error occurs because the ADCA doesn't have enough permissions to read the object.
When you export from ADCS to ADDS, a lack of permissions generates a "permission-
issue" export error.

To check permissions, open the Properties window of an AD object, select Security >
Advanced, and then examine the object's allow/deny ACLs by selecting the Disable Inheritance
button (if inheritance is enabled). You can sort the column contents by Type to locate all the
"deny" permissions. AD permissions can vary widely. However, by default, you might only see
one "Deny ACL" for "Exchange Trusted Subsystem." Most permissions will be marked as Allow.

The following default permissions are the most relevant:

Authenticated Users
 Everyone

Custom ADCA or MSOL account

Pre-Windows 2000 Compatible Access

SELF

The best way to troubleshoot permissions is to use the "Effective Access" feature in AD Users
and Computers console. This feature checks the effective permissions for a given account (the
ADCA) on the target object or attribute that you want to troubleshoot.
 ） Important

Troubleshooting AD permissions can be difficult because a change in ACLs doesn't take

immediate effect. Always consider that such changes are subject to AD replication.

Troubleshooting summary:

Identify which domain controller is used.

Use preferred domain controllers to target the same domain controller.
Correctly identify the ADCA.
Use the Configure AD DS Connector Account Permissions tool.
Use the "Effective Access" feature in AD Users and Computers.
Use the LDP tool to bind against the domain controller that has the ADCA, and try to read
the failing object or attribute.
Temporarily add the ADCA to the Enterprise admins or Domain admins, and restart the
ADSync service.

２ Warning

Don't use this as a permanent solution to permission issues. After determining the
permission issue, remove the ADCA from any highly privileged groups, and grant the
required AD permissions directly to the ADCA.
 ７ Note

Engage Directory Services or a network support team to help you troubleshoot the
situation.

AD replications
This issue is less likely to affect Microsoft Entra Connect because it causes greater problems.
However, when Microsoft Entra Connect is importing data from a domain controller by using
delayed replication, it will not import the latest information from AD, which causes sync issues
in which an object or attribute that was recently created or changed in AD doesn't sync to
Microsoft Entra ID because it wasn't replicated to the domain controller that Microsoft Entra
Connect is contacting. To verify that this is the issue, check the domain controller that AADC
uses for import (see "Connectivity to AD"), and use the AD Users and Computers console to
directly connect to this server (see Change Domain Controller in the next image). Then, verify
that the data on this server corresponds to the latest data, and whether it's consistent with the
respective ADCS data. At this stage, AADC will generate a greater load on the domain
controller and networking layer.

Another approach is to use the RepAdmin tool to check the object's replication metadata on all
domain controllers, get the value from all domain controllers, and check replication status
between domain controllers:
 Attribute value from all domain controllers:

RepAdmin /showattr * "DC=contoso,DC=com" /subtree /filter:"sAMAccountName=User01"

/attrs:pwdLastSet,UserPrincipalName

Object metadata from all DCs:

RepAdmin /showobjmeta * "CN=username,DC=contoso,DC=com" > username-ObjMeta.txt

AD Replication Summary

RepAdmin /replsummary

Troubleshooting summary:

Identify which domain controller is used.

Compare data between domain controllers.
Analyze the RepAdmin results.
Contact Directory Services or the network support team to help troubleshoot the issue.

Domain and OU changes, and object types or attributes filtered or

excluded in ADDS Connector

Changing domain or OU filtering requires a full import

Keep in mind that even if the domain or OU filtering is confirmed, any changes to domain
or OU filtering take effect only after running a full import step.

Attribute filtering with Microsoft Entra app and attribute filtering

 An easy-to-miss scenario for attributes not synchronizing is when Microsoft Entra
Connect is configured with the Microsoft Entra app and attribute filtering feature. To
check whether the feature is enabled, and for which attributes, get a General Diagnostics
Report from the Troubleshooting Task, or run (Get-ADSyncGlobalSettings).Parameters |
where Name -eq 'Microsoft.OptionalFeature.FilterAAD' | select Name, Value from

PowerShell.

Object type excluded in ADDS Connector configuration

This situation doesn't occur as commonly for users and groups. However, if all the objects
of a specific object type are missing in ADCS, it might be useful to examine which object
types enabled in ADDS Connector configuration.

Use the Get-ADSyncConnector cmdlet to retrieve the object types that are enabled on the
Connector, as shown in the next image.

PowerShell

$connectorName = "Contoso.com"
(Get-ADSyncConnector | where Name -eq $connectorName).ObjectInclusionList`

The following list shows the object types that should be enabled by default (The publicFolder
object type exists only when the Mail Enabled Public Folder feature is enabled.):

Attribute excluded in ADCS

In the same manner, if the attribute is missing for all objects, check whether the attribute
is selected on the AD Connector.

To check for enabled attributes in ADDS Connector, use the Synchronization Manager, as
shown in the next image, or run the following PowerShell cmdlet:

PowerShell

$connectorName = "Contoso.com"
(Get-ADSyncConnector | where Name -eq $connectorName).AttributeInclusionList
 ） Important

Including or excluding object types or attributes in the Synchronization Service

Manager isn't supported.

Troubleshooting summary:

Check the Microsoft Entra app and attribute filtering feature

Verify that the object type is included in ADCS.
Verify that the attribute is included in ADCS.
Run a full import.

Resources for Step 1

Main resources:

Get-ADSyncConnectorAccount - Identify the correct Connector account used by AADC

ADConnectivityTool

Identify connectivity problems with ADDS

Trace-ADSyncToolsADImport (ADSyncTools) - Trace data being imported from ADDS

LDIFDE - Dump object from ADDS to compare data between ADDS and ADCS

LDP - Test AD Bind connectivity and permissions to read object in the security context of
ADCA

DSACLS - Compare and evaluate ADDS permissions

 Set-ADSync< Feature >Permissions - Apply default AADC permissions in ADDS

RepAdmin - Check AD object metadata and AD replication status

Step 2: Synchronization between ADCS and MV

Objective for Step 2

This step checks whether the object or attribute flows from CS to MV (in other words, whether
the object or attribute is projected to the MV). At this stage, make sure that the object is
present, or that the attribute is correct in ADCS (covered in Step 1), and then start looking at
the synchronization rules and lineage of the object.

Description for Step 2

The synchronization between ADCS and MV occurs on the delta/full synchronization step. At
this point, AADC reads the staged data in ADCS, processes all sync rules, and updates the
respective MV object. This MV object will contain CS links (or connectors) pointing to the CS
objects that contribute to its properties and the lineage of sync rules that were applied in the
synchronization step. During this stage, AADC generates more load on the SQL Server (or
LocalDB) and networking layers.

Troubleshooting ADCS > MV for objects

Check the inbound sync rules for provisioning

An object that is present in ADCS but missing in MV indicates that there were no scoping
filters on any of the provisioning sync rules that applied to that object. Therefore, the
object wasn't projected to MV. This issue might occur if there are disabled or customized
sync rules.

To get a list of inbound provisioning sync rules, run the following command:
Get-ADSyncRule | where {$_.Name -like "In From AD*" -and $_.LinkType -eq
"Provision"} | select Name,Direction,LinkType,Precedence,Disabled | ft

Check the lineage of the ADCS object

You can retrieve the failing object from the ADCS by searching on "DN or Anchor" in
"Search Connector Space." On the Lineage tab, you will probably see that the object is a
Disconnector (no links to MV), and the lineage is empty. Also, check whether the object
has any errors, in case there is a sync error tab.

Run a preview on the ADCS object

Select Preview > Generate Preview > Commit Preview to see whether the object is
projected to MV. If that's the case, then a full sync cycle should fix the issue for other
objects in the same situation.
Export the object to XML

For a more detailed analysis (or for offline analysis), you can collect all the database data
that's related to the object by using the Export-ADSyncToolsObjects cmdlet. This exported
information will help determine which rule is filtering out the object. In other words,
which Inbound Scoping Filter in the Provisioning Sync Rules is preventing the object from
being projected to the MV.

Here are some examples of the Export-ADSyncToolsObjects syntax:

PowerShell
 [Net.ServicePointManager]::SecurityProtocol =
[Net.SecurityProtocolType]::Tls12
Install-Module ADSyncTools

Import-Module ADSyncTools
Export-ADSyncToolsObjects -DistinguishedName
'CN=TestUser,OU=Sync,DC=Contoso,DC=com' -ConnectorName 'Contoso.com' -
ExportSerialized
Export-ADSyncToolsObjects -ObjectId '{46EBDE97-7220-E911-80CB-000D3A3614C0}'
-Source Metaverse -ExportSerialized

 Tip

To read the exported data, use the Import-Clixml <filename>.xml cmdlet.

Troubleshooting summary (objects)

Check the scoping filters on the "In From AD" inbound provisioning rules.
Create a preview of the object.
Run a full sync cycle.
Export the object data by using the Export-ADSyncToolsObjects cmdlet.

Troubleshooting ADCS > MV for attributes

1. Identify the inbound sync rules and transformation rules of the attribute

Each attribute has its own set of transformations rules that are responsible for directing
the value from ADCS to MV. The first step is to identify which sync rules contain the
transformation rule for the attribute that you're troubleshooting.

The best way to identify which sync rules have a transformation rule for a given attribute
is to use the built-in filtering capabilities of the Synchronization Rules Editor.
2. Check the Lineage of the ADCS Object

Each connector (or link) between the CS and MV will have a lineage that contains
information about the sync rules that are applied to that CS object. The previous step will
tell you which set of inbound sync rules (whether provisioning or joining sync rules) must
be present in the object's lineage to flow the correct value from ADCS to MV. By
examining the lineage on the ADCS object, you'll be able to determine whether that sync
rule was applied to the object.

If there are multiple connectors (multiple AD forests) linked to the MV object, you might
have to examine the Metaverse Object Properties to determine which connector is
contributing the attribute value to the attribute that you're trying to troubleshoot. After
you've identified the connector, examine the lineage of that ADCS object.

3. Check the scoping filters on the inbound sync rule

 If a sync rule is enabled but not present in the object's lineage, the object should be
filtered out by the sync rule's scoping filter. By checking the sync rule's scoping filters, the
data on the ADCS object, and whether the sync rule is enabled or disabled, you should be
able to determine why that sync rule wasn't applied to the ADCS object.

Here is an example of a common troublesome scoping filter from a sync rule responsible
for synchronizing Exchange properties. If the object has a null value for mailNickName,
then none of the Exchange attributes in the transformation rules will flow to Microsoft
Entra ID.

4. Run a preview on ADCS object

If you can't determine why the sync rule missing in the ADCS object's lineage, run a
preview by using Generate Preview and Commit Preview for a full synchronization of the
object. If the attribute is updated in the MV and has a preview, then a full sync cycle
should fix the issue for other objects in the same situation.

5. Export the object to XML

For a more detailed analysis or offline analysis, you can collect all the database data that's
related to the object by using Export-ADSyncToolsObjects cmdlet. This exported
information can help you determine which sync rule or transformation rule is missing on
the object that's preventing the attribute from being projected to the MV (see the
Export-ADSyncToolsObjects examples earlier in this article).

Troubleshooting summary (for attributes)

Identify the correct sync rules and transformation rules responsible for flowing the
attribute to the MV.
Check the lineage of the object.
Check whether sync rules have been enabled.
Check the scoping filters of the sync rules that are missing in the object's lineage.
Advanced troubleshooting of the sync rule pipeline
If you have to further debug the ADSync engine (also known as the MiiServer) in terms of sync
rule processing, you can enable ETW tracing on the .config file (C:\Program Files\Microsoft
Azure AD Sync\Bin\miiserver.exe.config). This method generates an extensive verbose text file
that shows all the processing of sync rules. However, it might be difficult to interpret all the
information. Use this method as a last resort or if it's indicated by Microsoft Support.

Resources for Step 2

Synchronization Service Manager UI

Synchronization Rules Editor
Export-ADSyncToolsObjects cmdlet
Start-ADSyncSyncCycle -PolicyType Initial
ETW tracing SyncRulesPipeline (miiserver.exe.config)

Step 3: Synchronization between MV and AADCS

Objective for Step 3

This step checks whether the object or attribute flows from MV to AADCS. At this point, make
sure that the object is present, or that the attribute is correct in ADCS and MV (covered in
Steps 1 and 2). Then, examine the synchronization rules and lineage of the object. This step is
similar to Step 2, in which the inbound direction from ADCS to MV was examined, However, at
this stage, we'll concentrate on the outbound sync rules and attribute that flows from MV to
AADCS.

Description for Step 3

The synchronization between MV and AADCS occurs in the delta/full synchronization step,
when AADC reads the data in MV, processes all sync rules, and updates the respective AADCS
object. This MV object will contain CS links (also known as connectors) that point to the CS
objects that contribute to its properties and the lineage of the sync rules that were applied in
the synchronization step. At this point, AADC generates more load on SQL Server (or localDB)
and the networking layer.

Troubleshooting MV to AADCS for objects

1. Check the outbound sync rules for provisioning

An object that is present in MV but missing in AADCS indicates that there were no
scoping filters on any of the provisioning sync rules that applied to that object. For
example, see the "Out to Microsoft Entra ID" sync rules shown in the next image.
Therefore, the object wasn't provisioned in AADCS. This error can occur if there are
disabled or customized sync rules.

To get a list of inbound provisioning sync rules, run the following command:

Get-ADSyncRule | where {$_.Name -like "Out to AAD*" -and $_.LinkType -eq

"Provision"} | select Name,Direction,LinkType,Precedence,Disabled | ft

2. Check the lineage of the ADCS object

To retrieve the failing object from the MV, use a Metaverse Search, and then examine the
connectors tab. On this tab, you can determine whether the MV object is linked to an
AADCS object. Also, check whether the object has any errors, in case a sync error tab is
present.
 If no AADCS connector is present, the object is most likely set to cloudFiltered=True. You
can verify whether the object is cloud-filtered by examining the MV attributes for which
sync rule is contributing with the cloudFiltered value.

3. Run a Preview on AADCS object

Select Preview > Generate Preview > Commit a Preview to determine whether the object
connects to AADCS. If so, then a full sync cycle should fix the issue for other objects in the
same situation.

4. Export the object to XML

For a more detailed analysis or offline analysis, you can collect all the database data that's
related to the object by using Export-ADSyncToolsObjects cmdlet. This exported
information, together with the (outbound) sync rules configuration, can help determine
which rule is filtering out the object, and can determine which outbound scoping filter in
the provisioning sync rules is preventing the object from connecting with the AADCS.

Here are some examples of the Export-ADSyncToolsObjects syntax:

PowerShell

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-Module ADSyncTools

Import-Module ADSyncTools
Export-ADSyncToolsObjects -DistinguishedName
'CN=TestUser,OU=Sync,DC=Contoso,DC=com' -ConnectorName 'Contoso.com' -
ExportSerialized
Export-ADSyncToolsObjects -ObjectId '{46EBDE97-7220-E911-80CB-000D3A3614C0}' -
Source Metaverse -ExportSerialized

 Tip

To read the exported data, use Import-Clixml <filename>.xml

Troubleshooting summary for objects

Check the scoping filters on the "Out to Microsoft Entra ID" outbound provisioning rules.
Create a preview of the object.
Run a full sync cycle.
Export the object data by using the Export-ADSyncToolsObjects cmdlet.
Troubleshooting MV to AADCS for attributes
1. Identify the outbound sync rules and transformation rules of the attribute

Each attribute has its own set of transformation rules that are responsible to flow the
value from MV to AADCS. Begin by identifying which sync rules contain the
transformation rule for the attribute that you're troubleshooting.

The best way to identify which sync rules have a transformation rule for a given attribute
is to use the built-in filtering capabilities of the Synchronization Rules Editor.

2. Check the lineage of the ADCS object

Each connector (or link) between the CS and MV will have a lineage that contains
information about the sync rules applied to that CS object. The previous step will tell you
which set of outbound sync rules (whether provisioning or joining sync rules) must be
present in the object's lineage to flow the correct value from MV to AADCS. By examining
the lineage on the AADCS object, you can determine whether that sync rule has been
applied to the object.
 3. Check the scoping filters on the outbound sync rule

If a sync rule is enabled but not present in the object's lineage, it should be filtered out by
the sync rule's scoping filter. By checking the presence of the sync rule's scoping filters,
and the data on the MV object, and whether the sync rule is enabled or disabled, you
should be able to determine why that sync rule wasn't applied to the AADCS object.

4. Run a preview on AADCS object

If you determine why the sync rule is missing from the ADCS object's lineage, run a
preview that uses Generate Preview and Commit Preview for a full synchronization of the
object. If the attribute is updated in the MV by having a preview, then a full sync cycle
should fix the issue for other objects in the same situation.

5. Export the object to XML

For a more detailed analysis or offline analysis, you can collect all the database data that's
related to the object by using the Export-ADSyncToolsObjects cmdlet. This exported
information, together with the (outbound) sync rules configuration, can help you
determine which sync rule or transformation rule is missing from the object that's
preventing the attribute from flowing to AADCS (see the Export-ADSyncToolsObjects
examples earlier).

Troubleshooting summary for attributes

 Identify the correct sync rules and transformation rules that are responsible to flow the
attribute to AADCS.
Check the lineage of the object.
Check that the sync rules are enabled.
Check the scoping filters of the sync rules that are missing in the object's lineage.

Troubleshoot the sync rule pipeline

If you have to further debug the ADSync engine (also known as the MiiServer) in terms of sync
rule processing, you can enable ETW tracing on the .config file (C:\Program Files\Microsoft
Azure AD Sync\Bin\miiserver.exe.config). This method generates an extensive verbose text file
that shows all the processing of sync rules. However, it might be difficult to interpret all the
information. Use this method only as a last resort or if it's indicated by Microsoft Support.

Resources
Synchronization Service Manager

Synchronization Rules Editor

Export-ADSyncObjects cmdlet

Start-ADSyncSyncCycle -PolicyType Initial

ETW tracing SyncRulesPipeline (miiserver.exe.config)

Step 4: Synchronization between AADCS and Entra

ID
Objective for Step 4
This stage compares the AADCS object with the respective object that's provisioned in
Microsoft Entra ID.

Description for Step 4

Multiple components and processes that are involved in importing and exporting data to and
from Microsoft Entra ID can cause the following issues:

Connectivity to the internet

Internal firewalls and ISP connectivity (for example, blocked network traffic)
The Microsoft Entra Gateway in front of DirSync Webservice (also known as
AdminWebService)
The DirSync Webservice API
The Microsoft Entra Core directory service

Fortunately, the issues that affect these components usually generate an error in event logs
that can be traced by Microsoft Support. Therefore, these issues are out of scope for this
article. Nevertheless, there are still some "silent" issues that can be examined.

Troubleshooting AADCS
Multiple Active AADC servers exporting to Microsoft Entra ID
In a common scenario in which objects in Microsoft Entra ID flip attribute values back and
forth, there are more than one active Microsoft Entra Connect servers, and one of these
servers loses contact with the local AD but is still connected to the internet and able to
export data to Microsoft Entra ID. Therefore, every time that this "stale" server imports a
change from Microsoft Entra ID on a synchronized object that's made by the other active
server, the sync engine reverts that change based on the stale AD data that's in the ADCS.
A typical symptom in this scenario is that you make a change in AD that's synced to
Microsoft Entra ID, but the change reverts to the original value a few minutes later (up to
30 minutes). To quickly mitigate this issue, return to any old servers or virtual machines
that have been decommissioned, and check whether the ADSync service is still running.

Mobile attribute with DirSyncOverrides

When the Admin uses the legacy MSOnline or AzureAD PowerShell modules, or if the
user goes to the Office Portal and updates the Mobile attribute, the updated phone
number will be overwritten in Microsoft Entra ID despite the object being synced from
on-premises AD ( onPremisesSyncEnabled=true ).

Together with this update, Microsoft Entra ID also sets a DirSyncOverrides on the object
to flag that this user has the mobile phone number "overwritten" in Microsoft Entra ID.
From this point on, any update to the mobile attribute that originates from on-premises
will be ignored because this attribute will no longer be managed by on-premises AD.

For more information about the BypassDirSyncOverrides feature and how to restore
synchronization of Mobile and otherMobile attributes from Microsoft Entra ID to on-
premises Active Directory, see How to use the BypassDirSyncOverrides feature of a
Microsoft Entra tenant.

UserPrincipalName changes don't update in Microsoft Entra ID

If the UserPrincipalName attribute isn't updated in Microsoft Entra ID, while other
attributes synchronize as expected, it's possible that a feature called
SynchronizeUpnForManagedUsers isn't enabled on the tenant.

Before this feature is added, any updates to the UPN from on-premises are silently
ignored after the user is provisioned in Microsoft Entra ID and assigned a license. An
admin must use the legacy MSOnline or AzureAD PowerShell to update the UPN directly
in Microsoft Entra ID. After this feature is added, any updates to UPN will flow to
Microsoft Entra regardless of whether the user is licensed (managed).

７ Note
 After it's enabled, this feature can't be disabled.

UserPrincipalName updates will work if the user isn't licensed. However, without the
SynchronizeUpnForManagedUsers feature, UserPrincipalName changes after the user is
provisioned and is assigned a licensed that won't be updated in Microsoft Entra ID.
Notice that Microsoft doesn't disable this feature on behalf of customers.

Invalid characters and ProxyCalc internals

Issues that involve invalid characters that don't produce any sync error are more
troublesome in UserPrincipalName and ProxyAddresses attributes because of the
cascading effect in ProxyCalc processing that will silently discard the value synchronized
from on-premises AD. This situation occurs as follows:

1. The resulting UserPrincipalName in Microsoft Entra ID will be the MailNickName or

CommonName @ (at) initial domain. For example, instead of
John.Smith@Contoso.com, the UserPrincipalName in Microsoft Entra ID might
become smithj@Contoso.onmicrosoft.com because there's an invisible character in
the UPN value from on-premises AD.

2. If a ProxyAddress contains a space character, ProxyCalc will discard it and

autogenerate an email address based on MailNickName at Initial Domain. For
example, "SMTP: John.Smith@Contoso.com" will not appear in Microsoft Entra ID
because it contains a space character after the colon.

3. Either a UserPrincipalName that includes a space character or a ProxyAddress that

includes an invisible character will cause the same issue.

To troubleshoot an invalid character in the UserPrincipalName or ProxyAddress,

examine the value that's stored in the local AD from an LDIFDE or PowerShell
exported to a file. An easy trick to detect an invisible character is to copy the
contents of the exported file, and then paste it into a PowerShell window. The
invisible character will be replaced by a question mark (?), as shown in the following
example.

ThumbnailPhoto attribute (KB4518417)

 There's a general misconception that after you sync ThumbnailPhoto from AD for the first
time, you can no longer update it, which is only partly true.

Usually, the ThumbnailPhoto in Microsoft Entra ID is continually updated. However, an

issue occurs if the updated picture is no longer retrieved from Microsoft Entra ID by the
respective workload or partner (for example, EXO or SfBO). This issue causes the false
impression that the picture wasn't synced from on-premises AD to Microsoft Entra ID.

Basic steps to troubleshoot ThumbnailPhoto:

1. Make sure that the image is correctly stored in AD and doesn't exceed the size limit
of 100 KB.

2. Check the image in the Accounts Portal or call Get profilePhoto via Graph.

3. If the ADDS (or Entra ID) thumbnailPhoto has the correct image but it's not the
correct image on other online services, the following conditions might apply:

The user's mailbox contains an HD image and isn't accepting low-resolution images
from Microsoft Entra thumbnailPhoto. The solution is to directly update the user's
mailbox image.
The user's mailbox image was updated correctly, but you're still seeing the original
image. The solution is to wait at least six hours to see the updated image in the Office
365 User Portal or the Azure portal.

Additional resources
Troubleshooting errors during synchronization

Troubleshoot object synchronization with Microsoft Entra Connect Sync

Troubleshoot an object that isn't synchronizing with Microsoft Entra ID

Microsoft Entra Connect Single Object Sync

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Troubleshoot Microsoft Entra
Certificate-Based Authentication issues
Article • 10/28/2024

The Certificate-Based Authentication feature in Microsoft Entra ID for iOS or Android

devices allows Single Sign-On (SSO) by using X.509 certificates. By enabling this feature,
you can log in to accounts or services without having to enter a user name and
password when you connect to your Exchange Online account or Office mobile
applications.

This article provides information to help you troubleshoot Certificate-Based

Authentication issues.

Original product version: Microsoft Entra ID

Original KB number: 4032987

General requirements
Certificate-Based Authentication supports only Federated environments by using
Modern Authentication (ADAL). The one exception is Exchange ActiveSync (EAS)
for Exchange Online that can be used by Managed Accounts.
The user certificate that's issued in the user's profile requires the user's routable
email address to be listed in the Subject Alternative Name. This can be in either
the UserPrincipalName or RFC822 format. Microsoft Entra ID maps the RFC822
value to the Proxy Address attribute in the directory.

Determine if Certificate-Based Authentication

works on Azure portal
1. Browse to the Azure portal from the device for testing the Certificate-Based
Authentication.

７ Note

The browser cache must be cleared before you try the connection in order for
the user to see the certificate approval prompt.

2. Type the user's email address. This redirects to the ADFS authentication page.
 3. Instead of typing a password (if the forms-based authentication method is enabled
in ADFS), select Sign in using an X.509 certificate, and approve the use of the
client certificate when you are prompted.

If no certificate approval prompt is received after you clear the browser cache on a
device, follow these steps:
a. Verify that the user certificate and the issuing certificate authority root
certificates are installed on the device.
b. Verify that TCP port 49443 is open on the ADFS/Web Application Proxy servers,
and that the certificate chain of the issuing certificate authority is installed on all
ADFS/Web Application Proxy servers.

Determine if Microsoft Entra ID is correctly

configured
1. Run the following PowerShell command to Install the Azure Active Directory
PowerShell (Preview) module:

PowerShell

Install-Module AzureAD

2. To create a trusted certificate authority, use the New-

AzureADTrustedCertificateAuthority cmdlet, and set the crlDistributionPoint
attribute to a correct value.

７ Note

When you create the TrustedRootCertificateAuthority objects in Microsoft

Entra ID, the CRL URLs that are defined within the .CER file are not used. The
CrlDistributionPoint and DeltaCrlDistributionPoint values must be manually
populated by a web location where Microsoft Entra ID can access the CRLs.
The CRL paths within the issued certificates do not have to contain the URLs
that are accessible to Microsoft Entra ID. Also, large CRLs that take more than
15 seconds to download should be put on a faster link, such as Azure Storage,
to avoid caching delays that can cause intermediate authentication failures.

PowerShell

$cert=Get-Content -Encoding byte "[LOCATION OF THE CER FILE]"

$new_ca=New-Object -TypeName
 Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
$new_ca.AuthorityType=0 $new_ca.TrustedCertificate=$cert
$new_ca.crlDistributionPoint="<CRL Distribution URL>"
New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation
$new_ca

3. Make sure that the following values are correctly defined on the
TrustedCertificateAuthority objects according to the following guidelines:

All CrlDistributionPoint and DeltaCrlDistributionPoint URLs must be

accessible from the Internet by the client devices and the ADFS and Web
Application Proxy servers.

The *.CER for the Root CA should be listed as AuthorityType =

RootAuthority.

The *.CER for the Intermediate CA should be listed as follows:

AuthorityType = IntermediateAuthority
AuthorityType = 0 = RootAuthority
AuthorityType = 1 = IntermediateAuthority

７ Note

To make changes to these objects, see Configure the certificate authorities.

4. Run the following commands to make sure that the ADFS settings are not set to
PromptLoginBehavior: true. Otherwise, users will be prompted to enter their user
name and password for some modern apps.

PowerShell

Connect-msolService

PowerShell

Get-MSOLDomainFederationSettings -DomainName contoso.com

７ Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30,

2024. To learn more, read the deprecation update . After this date, support
for these modules are limited to migration assistance to Microsoft Graph
 PowerShell SDK and security fixes. The deprecated modules will continue to
function through March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with

Microsoft Entra ID (formerly Azure AD). For common migration questions,
refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience
disruption after June 30, 2024.

７ Note

This occurs because some modern apps send prompt=login to Microsoft Entra
ID in their request. Microsoft Entra ID translates this in the ADFS request to
wauth=usernamepassworduri (this tells ADFS to do username/password
authentication) and wfresh=0 (tells ADFS to ignore the SSO state and do a
fresh authentication). If users have to use Certificate Based Authentication, the
PromptLoginBehavior must be set to False.

To disable PromptLoginBehavior on the Microsoft Entra domain, run the following

command:

PowerShell

Set-MSOLDomainFederationSettings -domainname <domain> -

PromptLoginBehavior Disabled

Determine if the ADFS and Web Application

Proxy configurations are configured correctly
1. Certificate-Based Authentication requires ADFS 2012R2 or a later version, and it
must use Web Application Proxy.

７ Note

Using a third-party Web Application Proxy is not supported unless it supports

all the MUSTs in the MS-ADFSPIP protocol document.

2. The Root *.CER file must be in the computer's Trusted Root Certificate
Authority\Certificates container. Also, all Intermediate *.CER files must be in the
computer's Intermediate Root Certificate Authority\Certificates container. You
 can verify this by running certlm.msc or by running the following certutil.exe
commands at an elevated command prompt:

Console

certutil -verifystore root

Console

certutil -verifystore CA**

3. The client devices, the ADFS servers, and the Web Application Proxy must be able
to resolve the CRL endpoints that exist on the Intermediate CA *.CER and on the
user certificates that were issued to the user profile on the devices.

To verify that the ADFS servers and the Web Application Proxy can resolve these,
follow these steps:
a. Export the Intermediate CA *.CER:
i. View the computer certificate store. To do this, run certlm.msc, expand
\Intermediate Certification Authorities\Certificates, and then double-click
the Intermediate CA certificate.
ii. Click the Details tab, and then click the Copy to file button.
iii. Click Next two times and accept all the defaults in the wizard.
iv. Specify a file name and location, click Next, and then click Finish.
b. On the issuing CA, export one of the user certificates that was issued to a
device. To do this, follow these steps:

i. Run certsrv.msc, and then select the Issued Certificates node.

ii. In the Issued Common Name column, locate the certificate that was issued
to the user who cannot connect.

iii. Double-click the certificate, and then click the Details tab to export the
certificate to a *.CER file.

７ Note

If more than one certificate is issued to the user, locate the serial
number for the certificate on the Details tab, and verify that it matches
the certificate on the device.
 iv. Download PSEXEC.EXE , and then copy psexec.exe together with the *.CER
files from the Intermediate CA and user to all ADFS and Web Application
Proxy servers.

v. Open a new command prompt in the SYSTEM security context. To do this,

open an elevated command prompt for each server, and then run the
following command:

Console

psexec -s -i -d cmd.exe

vi. At the new command prompt, run the following commands to determine
whether the CRL can be accessed:

Console

certutil.exe -verify -urlfetch SubCA.cer >

%computername%_%username%_SubCA.txt

Console

certutil.exe -verify -urlfetch usercert.cer >

%computername%_%username%_usercert.txt

vii. In the output, check the ---------------- Certificate CDP ----------------

section, and determine whether all endpoints can be resolved.

viii. If the ADFS servers cannot resolve the HTTP URL, make sure that the Group
Managed Service Accounts that ADFS is running under has access through
the firewall and proxy. The Web Application Proxy service runs under
Network Service, so the ComputerName$ account requires access through
the firewall and proxy.

4. Pass Through Claims for serialNumber and issuer must be configured for the
Active Directory Claims Provider Trust and for the Microsoft Office 365 Identity
Platform Relying Party Trust. These can be retrieved from the ADFS servers by
running the following PowerShell commands at an elevated prompt:

PowerShell

Get-AdfsClaimsProviderTrust -Name "Active Directory"

@RuleTemplate = "PassThroughClaims"
@RuleName = "<serialnumber AD for cert based auth>"
 c:[Type ==
http://schemas.microsoft.com/ws/2008/06/identity/claims/serialnumber]
=> issue(claim = c);
@RuleTemplate = "PassThroughClaims"
@RuleName = "<Issuer AD for cert based auth>"
c:[Type ==
http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer]
=> issue(claim = c);

PowerShell

Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity

Platform"
@RuleTemplate = "PassThroughClaims"
@RuleName = "<serialnumber RP for cert based auth>"
c:[Type ==
http://schemas.microsoft.com/ws/2008/06/identity/claims/serialnumber]
=> issue(claim = c);
@RuleTemplate = "PassThroughClaims"
@RuleName = "<Issuer RP for cert based auth>"
c:[Type ==
http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer]
=> issue(claim = c);

5. Because most devices that use certificate authentication are likely to be located
on the extranet (out of the corporate network), you could enable Certificate-Based
Authentication only for the extranet or also for the Intranet, as necessary. To
determine whether the "Certificate Authentication" method is enabled for either or
both options, run the following cmdlet from an elevated PowerShell command
prompt:

PowerShell

Get-AdfsAuthenticationProvider:

----------Output sample----------

AdminName : Certificate Authentication

AllowedForPrimaryExtranet : True
AllowedForPrimaryIntranet : True
AllowedForAdditionalAuthentication : True
AuthenticationMethods : {urn:ietf:rfc:2246,
urn:oasis:names:tc:SAML:1.0:am:X509-PKI,

urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient,

urn:oasis:names:tc:SAML:2.0:ac:classes:X509...}
Descriptions : {}
DisplayNames : {}
Name : CertificateAuthentication
 IdentityClaims : {}
IsCustom : False
RequiresIdentity : False

a. Locate the AdminName entry that is named Certificate Authentication.

b. Verify that AllowedForPrimaryExtranet is set to True.
c. Optionally, you can also set AllowedForPrimaryIntranet to True if you want
Certificate-Based Authentication from Intranet users.
d. Click the Details tab, and then click the Copy to file button.

6. TCP port 49443 must be accessible between the client device and ADFS, also
between the client device and Web Application Proxy servers. To verify that TCP
49443 is listening and bound to ADFS on the ADFS servers and Web Application
Proxy, run the following command:

Console

netsh http show urlacl > %computername%_49443.txt

If the TCP port 49443 is accessible, you should see output such as the following:

Console

Reserved URL: https://<URL>:49443/adfs/

User: NT SERVICE\adfssrv
Listen: Yes
Delegate: Yes
SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-
975697593)

7. On a client device, try to connect to the CertificateTransport endpoint. For

example, use the following URL for Contoso.com :

https://sts.contoso.com:49443/adfs/services/trust/2005/certificatetransport

７ Note

If the endpoint is accessible and listening, the connection attempt should spin
indefinitely while it waits for an answer.

More information
 Microsoft Entra ID: Certificate based authentication for iOS and Android now in
preview.
Get started with certificate based authentication on iOS - Public Preview
ADFS: Certificate Authentication with Microsoft Entra ID & Office 365

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

How to troubleshoot password synchronization
when using Microsoft Entra Connect
Article • 03/05/2025

This article helps you troubleshoot common issues that you may encounter when you synchronize passwords from the on-
premises environment to Microsoft Entra ID by using Microsoft Entra Connect.

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID, Microsoft Intune, Azure Backup,
Office 365 Identity Management
Original KB number: 2855271

７ Note

Was this article helpful? Your input is important to us. Please use the Feedback button on this page to let us know
how well this article worked for you or how we can improve it.

Before you start troubleshooting

Before you perform the troubleshooting steps, make sure that you have the latest version of Microsoft Entra Connect
installed.

Additionally, make sure that directory synchronization is in a healthy state. For more information, see Troubleshoot object
synchronization with Microsoft Entra Connect Sync.

Some users can't sign in to Microsoft 365, Microsoft Entra,

or Microsoft Intune
In this scenario, passwords of most users appear to be syncing. However, there are some users whose passwords appear
not to sync. The following are scenarios in which a user can't sign in to a Microsoft cloud service, such as Microsoft 365,
Entra, or Intune.

Scenario 1: The "User must change password at next logon" check box
is selected for the user's account
To resolve this issue, follow these steps:

1. Take one of the following actions:

In the user account properties in Active Directory Users and Computers, clear the User must change password
at next logon check box.
Have the user change their on-premises user account password.
Enable the ForcePasswordChangeOnLogOn feature in Microsoft Entra ID.

2. Wait a few minutes for the change to sync between the on-premises Active Directory Domain Services (AD DS) and
Microsoft Entra ID.

Scenario 2: The user changed their password in the cloud service portal
To resolve this issue, follow these steps:

1. Have the user change their on-premises user account password.

 2. Wait a few minutes for the change to sync between the on-premises AD DS and Microsoft Entra ID.

To change the password in the cloud service and have Microsoft Entra Connect update the respective on-premises user
account password, enable Password Writeback.

Scenario 3: Some users don't appear to be syncing to Microsoft Entra ID

Possible causes are duplicate user names or email addresses.

To resolve this issue, use the IdFix DirSync Error Remediation Tool (IdFix) to help identify potential object-related issues in
the on-premises AD DS. You can install IdFix at the following Microsoft website: IdFix DirSync Error Remediation Tool

For more info about how to troubleshoot this issue, see One or more objects don't sync when using the Azure Active
Directory Sync tool

Scenario 4: Users are moved between included and excluded sync

scopes
In this scenario, the user is moved to a scope that now allows the user to be synced. It could be when filtering is set up for
domains, organizational units, or attributes.

To resolve this issue, see the How to perform an initial sync section.

Scenario 5: Users can't sign in by using a new password but they can
sign in by using their old password
In this scenario, you're using Microsoft Entra Connect together with password synchronization. After you disable directory
synchronization or password synchronization, users can't sign in by using a new password. However, their old password
still works.

To resolve this issue, re-enable directory synchronization and password synchronization. To do it, start Microsoft Entra
Connect configuration wizard, select Configure and Customize synchronization options, then continue through the
screens until you see the option to enable password synchronization.

Scenario 6: Users can't sign in by using their password

In this scenario, the password hash doesn't successfully sync to Microsoft Entra ID. If the user account was created in on-
premises AD DS on a version of Windows Server earlier than Windows Server 2003, the account doesn't have a password
hash.

Directory synchronization is running but passwords of all

users aren't synced
In this scenario, passwords of all users appear not to sync. It usually occurs if one of the following conditions is true:

The check box to Start the synchronization process when configuration completes, wasn't selected.

Entra Connect server is in Staging mode.

Password synchronization is disabled.

A full directory sync hasn't yet completed.

） Important
 Password sync will not start until a full directory sync has completed.

To resolve this issue, first make sure that you enable password synchronization. To do it, start Microsoft Entra Connect
configuration wizard, select Configure and Customize synchronization options, then continue through the screens until
you see the option to enable password synchronization.

After password synchronization is enabled, you must wait for a full password sync to finish. Check the Windows Event
Viewer logs to monitor the password synchronization process.

Troubleshoot one user whose password isn't synced

To troubleshoot this issue, see Troubleshoot password hash synchronization with Microsoft Entra Connect Sync

You're changing from a single-sign on (SSO) solution to

password synchronization
To resolve this issue, see How to switch from Single Sign-On to Password Sync.

Event ID messages in Event Viewer

The following tables list event ID messages in the Application log that are related to password synchronization.

Informational (no action required)

ﾉ Expand table

Event Description Cause

ID

622 Full password hash synchronization completed for domain: Full password synchronization cycle finishes retrieving the recent
contoso.local passwords from the on-premises AD DS domain.

623 Full password hash synchronization completed for forest: Full password synchronization cycle finishes retrieving the recent
contoso.local passwords from the on-premises AD DS forest.

650 Provision credentials batch start. Count: 1 Password synchronization starts retrieving updated passwords
from the on-premises AD DS.

651 Provision credentials batch end. Count: 1 Password synchronization finishes retrieving updated passwords
from the on-premises AD DS.

653 Provision credentials ping start. Password synchronization starts informing Microsoft Entra ID
that there are no passwords to be synced. It occurs every 30
minutes if no passwords have been updated in the on-premises
AD DS.

654 Provision credentials ping end. Password synchronization finishes informing Microsoft Entra ID
that there are no passwords to be synced. It occurs every 30
minutes if no passwords were updated in the on-premises AD
DS.

656 Password Change Request - Anchor: Password synchronization indicates that a password change was
H552hI9GwEykZwosf74JeOQ==, Dn: CN=Viola detected and tries to sync it to Microsoft Entra ID. It identifies
Hanson,OU=Cloud Objects,DC=contoso,DC=local, Change the user or users whose password changed and will be synced.
Date: 05/01/2013 16:34:08 Each batch contains at least one user and at most 50 users.

657 Password Change Result - Anchor: Users whose password successfully synced.
eX5b50Rf+UizRIMe2CA/tg==, Dn: CN=Viola
Event Description Cause
ID

Hanson,OU=Cloud Objects,DC=contoso,DC=local, Result:

Success.

657 Password Change Result - Anchor: Users whose password didn't sync.
eX5b50Rf+UizRIMe2CA/tg==, Dn: CN=Viola
Hanson,OU=Cloud Objects,DC=contoso,DC=local, Result:
Failed.

Informational (may require action)

ﾉ Expand table

Event Description Cause More information

ID

0 The following password changes failed to User or users whose Configure directory synchronization
synchronized and have scheduled for retry. password wasn't synced
One or more objects don't sync when using
DN = CN=Eli McLean,OU=Cloud the Azure Active Directory Sync tool
Objects,DC=contoso,DC=local

115 Access to Windows Azure Active Directory has Microsoft Entra credentials Run the Microsoft Entra Configuration Wizard
been denied. Contact Technical Support. were updated through again. See Password hash synchronization
Forefront Identity Manager stops working after you update Microsoft
(FIM). Entra credentials in FIM

657 Password Change Result - Anchor: User or users whose Configure directory synchronization
B0H+OD3LM0GEnYODwdPhpg==, Result: failed, password wasn't synced
Extended Error: One or more objects don't sync when using
the Azure Active Directory Sync tool

Error (action required)

ﾉ Expand table

Event Description Cause More

ID information

0 The user name or password is incorrect. Verify your user name, and then type your password again. Microsoft Entra Run the
credentials Microsoft Entra
were updated Configuration
through Wizard again.
Forefront See Password
Identity hash
Manager (FIM). synchronization
stops working
after you
update
Microsoft Entra
credentials in
FIM

611 Password synchronization failed for domain: Contoso.com . Windows Password hash
Server 2003 synchronization
Microsoft.Online.PasswordSynchronization.SynchronizationManagerException: Recovery task failed. domain for Microsoft
---> Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC controllers Entra ID stops
Error 8439: The distinguished name specified for this replication operation is invalid. There was an handle certain working and
error calling _IDL_DRSGetNCChanges. scenarios Event ID 611 is
unexpectedly. logged
Event Description Cause More
ID information

611 Password synchronization failed for domain: Contoso.com . It was a known To resolve this
issue that was issue, update to
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error fixed in Azure latest version of
8593: The directory service cannot perform the requested operation because the servers involved Active the Azure
are of different replication epochs (which is usually related to a domain rename that is in progress). Directory Sync Active Directory
tool build Sync tool.
1.0.6455.0807.

611 Password synchronization failed for domain: Contoso.com It was a known To resolve this
issue that was issue, update to
System.ArgumentOutOfRangeException: Not a valid Win32 fixed in Azure latest version of
Active the Azure
Directory Sync Active Directory
tool build Sync tool.
1.0.6455.0807.

611 Password synchronization failed for domain: Contoso.com . It was a known To resolve this
issue that was issue, update to
System.ArgumentException: An item with the same key has already been added. fixed in Azure latest version of
Active the Azure
Directory Sync Active Directory
tool build Sync tool.
1.0.6455.0807.

652 Failed credential provisioning batch. Error: Microsoft.Online.Coexistence.ProvisionException: An Password Configure

error occurred. Error Code: 90. Error Description: Password Synchronization has not been activated synchronization directory
for this company. Tracking ID: 07e93e8a-cf2d-4f67-9e95-53169c4875e0 Server Name: failed when synchronization
BL2GR1BBA003. ---> retrieving
System.ServiceModel.FaultException1[Microsoft.Online.Coexistence.Schema.AdminWebServiceFault]: updated One or more
Password Synchronization has not been activated for this company. (Fault Detail is equal to passwords objects don't
Microsoft.Online.Coexistence.Schema.AdminWebServiceFault). from the on- sync when
premises AD using the Azure
DS. Active Directory
Sync tool

652 Failed credential provisioning batch. Error: Microsoft.Online.Coexistence. ProvisionRetryException: It was a known To resolve this
An error occurred. Error Code: 81. Error Description: Windows Azure Active Directory is currently issue that was issue, update to
busy. This operation will be retried automatically. fixed in Azure latest version of
Active the Azure
Directory Sync Active Directory
tool build Sync tool.
1.0.6455.0807

655 Failed credential provisioning ping. Error: Microsoft.Online.Coexistence.ProvisionException: An error Password Configure
occurred. Error Code: 90. Error Description: Password Synchronization has not been activated for synchronization directory
this company. Tracking ID: 0744fa31-1d9b-453a-83d8-c2555d843802 Server Name: BL2GR1BBA005. failed to inform synchronization
---> Microsoft Entra
System.ServiceModel.FaultException1[Microsoft.Online.Coexistence.Schema.AdminWebServiceFault]: ID that there One or more
Password Synchronization has not been activated for this company. (Fault Detail is equal to are no objects don't
Microsoft.Online.Coexistence.Schema.AdminWebServiceFault). passwords to sync when
be synced. It using Azure
occurs every 30 Active Directory
minutes. Sync tool

655 The user name or password is incorrect. Verify your user name, and then type your password again. Microsoft Entra Run the
credentials Microsoft Entra
were updated Configuration
through FIM. Wizard again.
See the
following
Microsoft
Knowledge
Base article:
Password hash
 Event Description Cause More
ID information

synchronization
stops working
after updating
Microsoft Entra
credentials in
FIM

6900 The server encountered an unexpected error while processing a password change notification: Microsoft Entra Run the
credentials Microsoft Entra
"The user name or password is incorrect. Verify your user name, and then type your password again. were updated Configuration
through FIM. Wizard again.
See the
following
Microsoft
Knowledge
Base article:
Password hash
synchronization
stops working
after updating
Microsoft Entra
credentials in
FIM

6900 The server encountered an unexpected error while processing a password change notification: Password sync See the
isn't enabled following
"An error occurred. Error Code: 90. Error Description: Password Synchronization has not been for the Microsoft
activated for this company organization. Knowledge
Base article:
User passwords
aren't synced,
and "Password
Synchronization
has not been
activated for
this company"
error is logged
in Event Viewer

More information

How to perform an initial sync

To do a full sync, follow these steps, as appropriate on the Microsoft Entra Connect that you're using.

1. On the server where Microsoft Entra Connect is installed, open PowerShell, and then import ADSync module:

PowerShell

Import-Module ADSync

2. Run the following commands to start an initial sync cycle:

PowerShell

Start-ADSyncSyncCycle -PolicyType Initial

How to perform a full password sync

To do a full password sync, run the script that's on this page: Azure AD Sync: How to Use PowerShell to Trigger a Full
Password Sync

Contact us for help

If you have questions or need help, create a support request , or ask Azure community support. You can also submit
product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you try to use the New-
MSOLDomain command to add a
subdomain to an existing domain: New-
MsolDomain: Unable to add this domain
Article • 10/28/2024

Original product version: Cloud Services (Web roles/Worker roles), Microsoft Entra ID,
Microsoft Intune, Azure Backup, Office 365 User and Domain Management, Office 365
Identity Management
Original KB number: 2666578

Symptoms
You try to add a subdomain to an existing domain in a Microsoft cloud service such as
Office 365, Microsoft Intune, or Microsoft Azure by using the New-MSOLDomain
command. However, you receive the following error message:

New-MsolDomain: Unable to add this domain. It is a subdomain and its

authentication type is different from the authentication type of the root domain.

７ Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024.
To learn more, read the deprecation update . After this date, support for these
modules are limited to migration assistance to Microsoft Graph PowerShell SDK
and security fixes. The deprecated modules will continue to function through
March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with

Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to
the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption
after June 30, 2024.

Cause
This issue occurs if you try to use the New-MSOLDomain command to add a subdomain
to an existing domain that's set up for federated authentication. The New-MSOLDomain
command tries to add the subdomain as a standard authentication domain.

Resolution
To add a subdomain to a domain that's set up for federated authentication, follow these
steps:

1. Connect to Microsoft Entra ID by using Windows PowerShell. For more

information, see Connect to Microsoft Entra ID Using Windows PowerShell.

2. Use the New-MSOLFederatedDomain command.

The syntax to add a subdomain is as follows, where <subdomain> is the name of

the subdomain that you want to add:

PowerShell

New-MSOLFederatedDomain -DomainName:<subdomain>

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

"Unable to authenticate your
credentials" error when you try to
connect to Microsoft Entra ID
Article • 10/28/2024

Original product version: Microsoft Entra ID, Cloud Services (Web roles/Worker roles),
Microsoft Intune, Azure Backup, Office 365 User and Domain Management, Office 365
Identity Management
Original KB number: 2929554

Symptoms
When you try to connect to Microsoft Entra ID by using the Azure Active Directory
module for Windows PowerShell, you receive the following error message:

Console

Connect-MsolService : Unable to authenticate your credentials. Make sure

that
your user name is in the format: <username>@<domain>. If this issue
persists,
contact Support.

At line:1 char:1
+ Connect-MsolService
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Connect-MsolService], Mic
rosoftOnlineException
+ FullyQualifiedErrorId : 0x80048862,Microsoft.Online.Administration.Autom
ation.ConnectMsolService

７ Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024.
To learn more, read the deprecation update . After this date, support for these
modules are limited to migration assistance to Microsoft Graph PowerShell SDK
and security fixes. The deprecated modules will continue to function through
March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with

Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to
 the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption
after June 30, 2024.

Cause
This issue occurs if one of the following conditions is true:

You used an incorrect format when you entered your user name.
Your user account is enabled for Microsoft Entra multifactor authentication.

Resolution
Do one of the following, as appropriate for your situation.

Scenario 1: You used an incorrect format when you

entered your user name
Use the following format when you enter your user name:

<user_name >@<domain>

For example, john@contoso.com is in the correct format. Entering john or contoso\john

doesn't work.

Scenario 2: Your user account is enabled for Microsoft

Entra multifactor authentication
If your user account is enabled for Microsoft Entra multifactor authentication, Microsoft
doesn't currently support using the Azure Active Directory module for Windows
PowerShell to connect to Microsoft Entra ID.

To perform administrative tasks by using the Azure Active Directory module for
Windows PowerShell, use either of the following methods:

Disable Microsoft Entra multifactor authentication for the user account.

Use a different admin account that isn't enabled for Microsoft Entra multifactor
authentication.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you run the Microsoft Entra
Connect wizard: Unable to configure
password writeback
Article • 10/28/2024

This article describes an issue in which an error message appears when you run the
Microsoft Entra Connect wizard to set up password writeback.

Original product version: Microsoft Entra ID

Original KB number: 3185990

Symptoms
When you run the Microsoft Entra Connect wizard, you receive the following error
message during configuration of password writeback:

Unable to configure password writeback. Ensure you have the required license.

Cause
This issue occurs if one of the following conditions are true:

The administrator account that's used to set up Microsoft Entra Connect does not
have the appropriate license.
The time on the server on which Microsoft Entra Connect is installed is out of sync.
The TLS setting is configured correctly.

Resolution
To reoslve this problem, follow these steps:

1. Enable TLS 1.2.

2. Make sure that the administrator account that you use to enable password
writeback is a cloud administrator account (created in Microsoft Entra ID) and not a
federated account (created in the on-premises Active Directory and synchronized
to Microsoft Entra ID). Also, make sure that the account has the appropriate
Microsoft Entra subscription license.
 3. Make sure that the time isn't skewed. On the authoritative time server, perform the
steps in the Configuring the Windows Time service to use an external time
source section of How to configure an authoritative time server in Windows Server

Make sure that the time on the server on which Microsoft Entra Connect is installed
matches the time on the authoritative time server.

More information
If the issue you're experiencing is a scenario in which there's a large time difference
between your local environment and Microsoft cloud services,

you may see the following entries in the Microsoft Entra Connect Sync logs. The logs are
located in the %appdata%\Local\AADConnect folder.

Console

Error <Date> <Time> ADSync 6306 Server "The server encountered an unexpected
error while performing an operation for the client.

Error <Date> <Time> ADSync 6800 MA Extension "The password management

extension encountered an error.
The stack trace is:
""Couldn't connect to any service bus endpoint(s)

Error <Date> <Time> PasswordResetService 32001 None TrackingId: 3f369fe9-

c121-4450-8661-82b095bdbf0a,
Couldn't connect to any service bus endpoint(s), Details:

Error <Date> <Time> PasswordResetService 31044 None TrackingId: 3f369fe9-

c121-4450-8661-82b095bdbf0a,
Password writeback service is not in a healthy state. No serviceHost for
service bus endpoints are in
running state. Please refer aka.ms/ssprtroubleshoot, Details: Version:
5.0.0.686

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Error when you run the Azure Active
Directory Sync Tool Configuration
Wizard: Unknown error (0x80005000)
Article • 10/28/2024

This article provides a resolution to resolve an issue where you receive an error message
when you run the Azure Active Directory Sync Tool Configuration Wizard.

Original product version: Office 365 Identity Management, Microsoft Entra ID, Cloud
Services (Web roles/Worker roles), Microsoft Intune, Azure Backup
Original KB number: 3003331

Symptoms
When you run the Azure Active Directory Sync Tool Configuration Wizard, the tool fails,
and you receive the following error message:

Error
Unknown error (0x80005000)

Cause
This problem occurs if the Azure Active Directory Sync Tool Configuration Wizard cannot
configure the domain.

Resolution
To resolve this problem, make sure that all domain controllers are running in a healthy
state. To determine which domain or domain controller is causing the problem, follow
these steps:

1. On the server on which the Azure Active Directory Sync Tool is installed, start
Windows PowerShell.

2. Run the following commands:

PowerShell
 $Forest =
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().d
omains

PowerShell

$Forest

3. Examine the information in the output.

In the following example, the dev.contoso.com domain is unreachable. You can

determine this because information about the domain is missing in the output, as
in the following example.

Forest : contoso.com
DomainControllers : {ContosoDC01.contoso.com}
Children : {dev.contoso.com}
DomainMode : Windows2008R2Domain
Parent :
PdcRoleOwner : ContosoDC01.contoso.com
RidRoleOwner : ContosoDC01.contoso.com
InfrastructureRoleOwner : ContosoDC01.contoso.com
Name : contoso.com

Forest :
DomainControllers :
Children :
DomainMode :
Parent :
PdcRoleOwner :
RidRoleOwner :
InfrastructureRoleOwner :
Name : dev.contoso.com

4. Investigate and resolve the problem. Most likely, the domain controller that's
hosting the domain is not running or is not in the network.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

How to use UPN matching for identity
synchronization in Office 365, Azure, or
Intune
Article • 10/28/2024

Original product version: Microsoft Entra ID, Cloud Services (Web roles/Worker roles),
Microsoft Intune
Original KB number: 3164442

Introduction
Sometimes you may have to transfer the source of authority for a user account if that
account was originally authored by using Microsoft cloud services management tools.
These tools include:

The Office 365 portal

Microsoft Azure Active Directory module for Windows PowerShell
Azure Management Portal
Intune portal

You can transfer the source of authority, so the account can be managed through your
local directory service when using identity synchronization with Microsoft Entra ID.

This article discusses how to perform the transfer by using a process known as UPN
matching. This process uses the user principal name (UPN) to match the on-premises
user account to a work or school account in Microsoft Entra ID.

UPN matching limitations

The UPN matching process has the following technical limitations:

UPN matching can be run only when SMTP matching fails. For more information
about SMTP matching, see How to use SMTP matching to match on-premises user
accounts to Office 365 user accounts for directory synchronization . For UPN
matching to work, make sure that there are no primary SMTP address matches
between on-premises user accounts and user accounts in Microsoft Entra ID.

UPN matching can be used only one time for user accounts that were originally
authored by using Office 365 management tools. After that, the work or school
 account is bound to the on-premises user by an immutable identity value, not the
UPN.

The cloud user's UPN can't be updated during the UPN matching process. It's
because the UPN is the value that's used to link the on-premises user to the cloud
user.

UPNs are considered unique values. Make sure that no two users have the same
UPN. Otherwise, the sync process fails, and you may receive an error message that
resembles the following example:

Unable to update this object in Microsoft Online Services because the user
principal name that is associated with this object in the local Active Directory is
already associated with another object. To resolve this error, remove the
associated object in your local Active Directory.

How to use UPN matching to match an on-

premises user to a cloud identity

７ Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024.
To learn more, read the deprecation update . After this date, support for these
modules are limited to migration assistance to Microsoft Graph PowerShell SDK
and security fixes. The deprecated modules will continue to function through
March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with

Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to
the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption
after June 30, 2024.

To start the UPN matching process, follow these steps:

1. If you started syncing to Microsoft Entra ID before March 30, 2016, run the
following Azure AD PowerShell cmdlet to enable UPN soft match for your
organization only:

PowerShell

Set-MsolDirSyncFeature -Feature EnableSoftMatchOnUpn -Enable $True

 ７ Note

UPN soft match is automatically enabled for organizations that started

syncing to Microsoft Entra ID on or after March 30, 2016.

2. Obtain the UPN from the user account in Microsoft Entra ID. To do so, use one of
the following methods:

Method 1: Use the Office 365 portal.

a. Sign in to the Office 365 portal as a global admin.
b. Go to the users management page.
c. Find and then select the user.
d. Note the user name, which is the UPN.

Method 2: Use the Azure portal.

a. Sign in to the Azure portal as a global admin.
b. Select the Active Directory extension, and then select your directory.
c. Go to the users management page.
d. Find and then select the user.
e. Note of the user name, which is the UPN.

3. On a domain controller or a computer that has the Remote Server Administration

Tools installed (RSAT), open Active Directory Users and Computers. Create a user
account, or update an existing user account, by using a user name/UPN that
matches the target user account in Microsoft Entra ID. For more information, see
Create a User Account in Active Directory Users and Computers.

4. Force directory synchronization. For more information, see Force directory

synchronization .

More information
For more information about UPN soft match, see Microsoft Entra Connect Sync service
features.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Feedback
Was this page helpful?  Yes  No

Provide product feedback

User object is missing or filtered from
the Microsoft Entra connector in Azure
Active Directory Sync
Article • 10/28/2024

This article describes an issue that blocks synchronization for a user object from on-
premises to Azure. A workaround is provided.

Original product version: Microsoft Entra ID

Original KB number: 3066176

Symptoms
When you try to sync a user object to Microsoft Entra ID, the operation is unsuccessful.

When you search for the user object in the metaverse objects, you see only the Active
Directory connector listed on the Connectors tab. The Windows Microsoft Entra
connector is not listed. Additionally, no error is returned for this particular user.

You may also notice that the msExchRecipientTypeDetails value for the user object that's
not synchronized correctly is 2. This corresponds with the Linked Mailbox type, and the
user does not have this value.

７ Note

The following value is the only value that triggers filtering of a user object:
msExchRecipientTypeDetails == (0x1000 OR 0x2000 OR 0x4000 OR 0x400000 OR
0x800000 OR 0x1000000 OR 0x20000000) .

For more information about user objects that are filtered, see How directory
synchronization determines what isn't synced from the on-premises environment to
Windows Azure AD .

Cause
This issue occurs because there is a rule for the sourceAnchor attribute. The rule is used
to determine whether the value of msexchRecipientTypeDetails is 2.
 ７ Note

You can view this rule in the following location: Sync Rules Configuration
Editor\Inbound\In From AD\Common\Transformation. You can also see the target
sourceAnchor attribute and the expression rule as follows:
IIF(IsPresent([msExchRecipientTypeDetails]),IIF([msExchRecipientTypeDetails]=2,NULL,
IIF(IsString([objectGUID]),CStr([objectGUID]),ConvertToBase64([objectGUID]))),IIF(IsStri
ng([objectGUID]),CStr([objectGUID]),ConvertToBase64([objectGUID])))

If msExchRecipientTypeDetails has a value of 2, the value of sourceAnchor is set to

NULL. However, if the value of sourceAnchor is NULL, the user will be filtered.

Workaround
To work around this issue, do one of the following:

Make sure that the Master user account (in Account forest) is synchronized first.
Change the attribute value of msExchRecipientTypeDetails to 1. Use any value
that's not supposed to be filtered by either of the rules.

More information
According to DirSync: List of attributes that are synced by the Azure Active Directory
Sync Tool , one reason a user object is filtered is because of the following:

Console

msExchRecipientTypeDetails == (0x1000 OR 0x2000 OR 0x4000 OR 0x400000 OR

0x800000 OR 0x1000000 OR 0x20000000)

It's an assumption that if the msExchRecipientTypeDetails attribute on a user is set to a

value of 2, the AADSync server will filter this object. This is not true. AADSync is not
filtering this user object, it's just waiting for the master account (from account forest) to
join to the object because it's needed for the UPN and the sourceAnchor.

A value of 2 for the msExchRecipientTypeDetails attribute indicates that the mailbox

type is a "linked mailbox". A linked mailbox is found in an account-resource forest
topology and the user object in account forest must be synchronized before these
resource objects will be provisioned to Microsoft Entra ID.
Therefore, with the msExchRecipientTypeDetails set to 2 the object is not filtered.
However, when this flag is set, the AADSync waits for the master account (from account
forest) to be synced so that it could join the two objects and create a cloud connector
for the final user object in AADSync.

In the scenario that you do not have an account-resource forest topology, and a user
has msExchRecipientTypeDetails value is 2, changing the value to a value that is similar
to a usual object will sync the user object.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Microsoft Entra Connect excludes a
user's primary group from its group
membership
Article • 10/28/2024

Original product version: Microsoft Entra ID

Original KB number: 4014115

Summary
Microsoft Entra Connect doesn't support primary group functionality. Therefore, it does
not query the PrimaryGroupID attribute to build the group membership of a user. This
may cause problems for users who are still using the primary group feature.

When you set the primary group for a user, that user is excluded from the
corresponding group membership in Active Directory. Instead, the PrimaryGroupID
attribute is set with that group.

For example:

1. User1 belongs to Group1, which means that Group1 has User1 as a member.
2. The primary group is changed on User1 from Domain Users to Group1:
a. User1 is excluded from Group1 Members.
b. User1 is added as a member of Domain Admins (because it's no longer the
primary group).
c. The User1 PrimaryGroupID attribute is set with the Group1 reference.

Programs that need to query groups to give users access that is based on group
membership should also query for the PrimaryGroupID attribute. However, Microsoft
Entra Connect does not support PrimaryGroupID because of the complexity of group
membership synchronization.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Users in a federated domain see a
yellow exclamation mark in Office 2013
applications
Article • 10/28/2024

This article describes an issue in which users in a federated domain who aren't synced to
Microsoft Entra ID see a yellow exclamation mark in Office 2013 applications.

Original product version: Microsoft Entra ID, Office Professional 2013, Office Standard
2013
Original KB number: 3158020

Symptoms
When a user who is in a federated domain but isn't synchronized to Microsoft Entra ID
opens an Office 2013 application, they see a yellow exclamation mark.

Cause
By default, Office 2013 uses the Microsoft Online Services Sign-in Assistant (also known
as IDCRL). IDCRL detects that the user's domain is federated and therefore tries to
authenticate the user to Microsoft Entra ID. Because the user isn't synced to Microsoft
Entra ID, the user doesn't exist in Microsoft Entra ID, and this triggers the yellow
exclamation mark in the Office 2013 application.

Resolution
Do one of the following.

Set the SignInOptions registry key value to 3

） Important

Follow the steps in this section carefully. Serious problems might occur if you
modify the registry incorrectly. Before you modify it, back up the registry for
restoration in case problems occur.
 ７ Note

Use this procedure for only those users who aren't synced to Microsoft Entra ID.
Using this procedure for synced users may cause those users to experience sign-in
failures.

To resolve this issue for only those users who aren't synced to Microsoft Entra ID, follow
these steps:

1. Select Start, select Run, type regedit, and then select OK.
2. Locate the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\SignIn\ .

3. Right-click the SignInOptions registry key, select Modify, type 3 in the Value data
box, and then select OK.
4. Exit Registry Editor. Set the SignInOptions registry key to 3 forces Office 2013 to
authenticate only against the user's local Active Directory service instead of trying
to sign the user in to Microsoft Entra ID.

Use Office 2016

The yellow exclamation mark isn't displayed in Office 2016 applications.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Collect HTTPS traffic using Fiddler for
Microsoft Entra ID apps
Article • 03/25/2025

This article provides instructions to use Fiddler to collect HTTPS traffic to troubleshoot
Microsoft Entra ID apps.

Collect HTTPS traffic

1. Download and install Fiddler on the device that's used to reproduce the
problem.

７ Note

Fiddler is third-party software, not owned by Microsoft.

2. On the Tool menu, select Options.

3. On the HTTPS tab, select Decrypt HTTPS Traffic. If you're prompted to install the
Fiddler certificate, select Yes.

4. Restart Fiddler.
 5. Prepare your environment for traffic collection. Depending on the type of
application you're troubleshooting, follow these steps:

For browser-based applications:

Use private browsing mode or clear the browser cache on the device that you'll
use for testing. This action makes sure that any outdated or unnecessary files from
previous sessions are cleared. It also lets the web app load the latest versions of
essential files, such as JavaScript and CSS stylesheets. Having the latest files is
especially important when you test changes or updates to the web app because it
prevents old cached files from interfering with the current version.

For non-browser-based applications:

Start the client application that you're testing.

6. Reproduce the issue. You should see HTTPS traffic appearing in the Fiddler
window.

7. On the File menu, select Save > All Sessions to save the sessions as SAZ files.

Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that
are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about
the performance or reliability of these products.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Collect HTTPS traffic by using Fiddler
from Python apps
Article • 03/31/2025

Capturing encrypted HTTPS web traffic in Python by using Fiddler can be challenging
because Python uses its own trusted certificate store instead of the operating system
certificate store. Additionally, by default, Python doesn't use a proxy in certain scenarios.
This article explains how to capture SSL traffic by using the Fiddler for Python app in
different scenarios.

ADAL for Python

When you use Fiddler to capture HTTPS traffic in a Python app that integrates Azure
Active Directory Authentication Library (ADAL), you might receive SSL error messages.
This issue occurs because Python doesn't trust the Fiddler certificate. You can use either
of two methods to work around this issue.

７ Note

Disabling SSL verification presents a security risk. You should use this method only
to troubleshoot. You should not use it in production environments.

Set an environment variable at the beginning of your Python app before the
AuthenticationContext object is initialized:

Python

import os
...
os.environ["ADAL_PYTHON_SSL_NO_VERIFY"] = "1"

Pass the verify_ssl=False flag to the AuthenticationContext method:

Python

context = adal.AuthenticationContext(authority, verify_ssl=False)

MSAL for Python

When you use the Microsoft Authentication Library (MSAL) for Python, you can disable
SSL verification as follows:

Python

app = msal.PublicClientApplication( client_id=appId,

authority="https://login.microsoftonline.com/" + tenantId, verify=False )

Python Requests module

By default, the Requests module doesn't use a proxy. You must force the request to go
through the Fiddler proxy, per the following example:

Python

import requests

…
access_token = token.get('accessToken')
endpoint = "api_endpoint"
headers = {"Authorization": "Bearer " + access_token}
json_output = requests.get(
endpoint,
headers=headers,
proxies={"http": "http://127.0.0.1:8888", "https":
"http://127.0.0.1:8888"},
verify=False
).json()

Azure Active Directory SDK for Python

(GraphRbacManagementClient)
The following example shows how to disable SSL verification:

Python

from azure.graphrbac import GraphRbacManagementClient

from azure.common.credentials import UserPassCredentials

credentials = UserPassCredentials(
<username>, # Your user name
<password>, # Your password
resource=”https://graph.windows.net”,
verify=False
)
tenant_id = <tenant name or tenant id>
 graphrbac_client = GraphRbacManagementClient(credentials, tenant_id)
graphrbac_client.config.connection.verify=False
res = graphrbac_client.users.get(<UPN or ObjectID>)
print(res.display_name)

Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that
are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about
the performance or reliability of these products.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Capture SSL traffic with Fiddler
Article • 04/15/2025

This article provides instructions to use Fiddler to capture Secure Sockets Layer (SSL) traffic to
troubleshoot Microsoft Entra apps.

Scenario 1: Capture Node.js web traffic with Fiddler

To capture Node.js web application traffic using Fiddler, you need to proxy Node.js requests
through Fiddler. The default proxy is 127.0.0.1:8888. To do so, before running the npm start
command to start the Node.js server, enable the proxy settings by running the following
commands:

Node.js

set https_proxy=http://127.0.0.1:8888
set http_proxy=http://127.0.0.1:8888
set NODE_TLS_REJECT_UNAUTHORIZED=0

７ Note

To find out which port Fiddler is listening on, select Tools > Options > Connections from
the Fiddler menu.

Scenario 2: Capture the Azure Key Vault secrets

client (from Azure SDK for .NET) with Fiddler
To capture Azure Key Vault traffic using Fiddler, set Fiddler as a proxy by setting the http_proxy
and https_proxy environment variables in the application code as follows:

C#

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
...
// add these lines in your method to call Azure Key Vault
Environment.SetEnvironmentVariable("HTTP_PROXY", "http://127.0.0.1:8888");
Environment.SetEnvironmentVariable("HTTPS_PROXY", "http://127.0.0.1:8888");
 var client = new SecretClient(new Uri(keyVaultUrl), credential);
KeyVaultSecret result = client.GetSecret("MySecret");

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .
Filter Fiddler traffic using domain names
and client processes
Article • 04/08/2025

This article explains how to filter traffic that's captured by Fiddler using domain/host names
owned by Microsoft Entra and client processes.

Prerequisites
Before filtering, ensure that Fiddler is configured to capture traffic for all processes. In the
lower-left corner of the Fiddler window, you can select All processes to change the selection.

Filter traffic using Fiddler's built-in filter feature

To filter traffic using Fiddler's built-in filter feature, follow these steps:

1. Open Fiddler and navigate to the right panel.

2. Select the Filters tab, and then select the Use Filters checkbox.

3. Under the Hosts section, select Show only the following Hosts.

4. In the text box, enter the host name list you want to filter on, separated by semicolons,
for example, localhost;login.microsoftonline.com;graph.microsoft.com .

７ Note

This text box will display a yellow background while editing the list, indicating
unsaved changes.

5. Select the Actions button to save the list. The background color will change to white,
confirming the list is saved.
Under the Client Process section, you can also select a specific process to filter on. This is
particularly useful for filtering a standalone application. It might be less effective for capturing
browser traffic because multiple processes with the same name can make it difficult to identify
the correct one.

Filter traffic using JavaScript code in the

OnBeforeRequest function

７ Note

This option is used especially for browser-based applications.

1. In Fiddler, go to Rules > Customize Rules. This action will open the CustomRules.js file in
the FiddlerScript editor.

2. Locate the OnBeforeRequest function in the FiddlerScript editor.

3. Insert the following JavaScript code at the beginning of the function:

JavaScript

// begin filter

// set this to false to disable filter and true to enable filter

var filterOn = true;
 if (filterOn)
{
// hide all requests by default
oSession["ui-hide"] = "true";

// list of domain names to filter on

var host = ["localhost", "login.microsoftonline.com",
"graph.microsoft.com"];

// list of processes to filter on

var processlist = ["chrome", "microsoftedgecp", "iisexpress",
"powershell"];

for (var j = 0; j < processlist.length; j++)

{
if (oSession.LocalProcess.Contains(processlist[j]))
{
for (var i = 0; i < host.length; i++)
{
if (oSession.HostnameIs(host[i]))
{
oSession["ui-hide"] = null;
}
}
}
}
}

// end filter

Here are the explanations of some variables in the JavaScript code:

 filterOn : Set it to true to enable the filter and false to disable it.
host : Contains the list of domain names to filter on.

processlist : Contains the list of process names to filter on.

4. Save the changes to the CustomRules.js file.

References
Modifying a Request or Response
FiddlerScript Cookbook
Understanding FiddlerScript

Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that are
independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the
performance or reliability of these products.

Contact us for help

If you have questions or need help, create a support request , or ask Azure community
support. You can also submit product feedback to Azure feedback community .