A cloud-based identity and access management service for securing user authentication and resource access
Hi Network Admin ,
This behavior is expected after migrating the Cloud Sync agent servers to a different hypervisor. Although the agent services may appear healthy and some sync operations continue, the agent’s machine‑bound registration and certificates become invalid after the migration. This causes Microsoft Entra Cloud Sync to lose proper authorization to your on‑premises domain, which results in the error “Unable to reach the domain” and repeatedly places provisioning into a quarantined state.
Re‑running the provisioning wizard or executing Repair-AADCloudSyncToolsAccount does not resolve this scenario because those actions do not re‑register the agent’s underlying identity. The supported resolution is to fully uninstall the Microsoft Entra Provisioning Agent, remove the stale agent entries from the Entra admin center, reboot the servers, and then reinstall and re‑register the agents so they can recreate the service account bindings and certificates correctly. Once reinstalled, provisioning should remain healthy and no longer return to quarantine.
Please let us know if this does not fully resolve the issue or if you need assistance validating the agent status after reinstallation. Refer: Microsoft Entra Cloud Sync troubleshooting - Microsoft Entra ID | Microsoft Learn
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".