Microsoft Entra Hybrid Sync Agent Installation Issues - No privileges to install MSI
This troubleshooting guide covers the case where you don't have sufficient privileges to install the MSI package. Without these privileges, you may be unable to install the Microsoft Entra Connect Provisioning Agent.
Prerequisites
Before you install the Cloud Provisioning Agent, make sure the server meets the requirements listed in Prerequisites for Microsoft Entra Connect cloud sync.
No privileges to install MSI
While installing Cloud Provisioning Agent, you may get the following error:
Service 'Microsoft Entra Connect Provisioning Agent' (AADConnectProvisioningAgent) failed to start. Verify that you have sufficient privileges to start system services.
To verify that you have sufficient privileges:
Make sure the user context credentials are set to either Domain Administrator or Enterprise Administrator.
Open the Local Security Policy snap-in (secpol.msc). In the Security Settings pane, select Local policies > User Rights Assignment. Then select the Log on as a service policy.
Select Action > Properties. Then in Local Security Setting, make sure the NT SERVICE\ALL SERVICES group appears.
During package installation, the service AADConnectProvisioningAgent is created, and logon credentials are temporarily set to NT Service\AADConnectProvisioningAgent.
If the Log on as a service policy doesn't list ALL SERVICES, the service can't start under that account, and the installation fails with the error message shown above.
To resolve this issue, grant the NT SERVICE\ALL SERVICES group the Log on as a service user right.
The wizard now completes successfully.
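The check described above can also be done from an elevated PowerShell prompt. This is an added example, not part of the original guide or the installer: it is read-only, exports the User Rights Assignment area with secedit, and reports whether NT SERVICE\ALL SERVICES (well-known SID S-1-5-80-0) holds SeServiceLogonRight, the internal name of Log on as a service. The temporary file name and variable names are assumptions.

```powershell
# Added example: read-only check of "Log on as a service" (SeServiceLogonRight).
# Run elevated on the server where the provisioning agent is being installed.
$allServicesSid  = 'S-1-5-80-0'               # well-known SID of NT SERVICE\ALL SERVICES
$allServicesName = 'NT SERVICE\ALL SERVICES'
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())   # assumed temp path

try {
    # Export only the User Rights Assignment area of the local security policy.
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cfg)) {
        throw "secedit export failed (exit code $LASTEXITCODE). Is the prompt elevated?"
    }

    # The template line has the form: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-20,DOMAIN\account
    $line = Get-Content -Path $cfg |
        Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' } |
        Select-Object -First 1

    $holders = @()
    if ($line) {
        $holders = @(($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ })
    }

    # Resolve SIDs to account names for readable output; keep the raw value if that fails.
    $resolved = foreach ($h in $holders) {
        $name = $h
        if ($h -like 'S-1-*') {
            try {
                $sid  = [System.Security.Principal.SecurityIdentifier]$h
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }
        }
        [pscustomobject]@{ Raw = $h; Account = $name }
    }
    $resolved | Format-Table -AutoSize | Out-String | Write-Output

    $present = [bool]($resolved | Where-Object {
        $_.Raw -eq $allServicesSid -or $_.Account -eq $allServicesName })
    if ($present) { Write-Output "OK: $allServicesName holds Log on as a service." }
    else { Write-Warning "$allServicesName is missing from Log on as a service; the agent service will not start." }
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue   # do not leave policy exports behind
}
```

If a domain Group Policy Object defines Log on as a service, it replaces the local list at the next policy refresh, so a missing entry may have to be corrected in that GPO rather than in secpol.msc.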