Hi @Utility: azure,
Thank you for sharing your detailed issue and I am sorry to hear that you are facing this problem. For your first problem of receiving the invalid username and password error when the cloud password works fine, there are several issues that could cause this:
1) This can happen if the on-premises UPN does not match the cloud UPN.
2) If you have not enabled modern authentication, users will log in with basic authentication and will be blocked if you have Conditional Access set up. You need to make sure modern authentication is enabled. https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online
3) The Azure AD Connect server needs to be properly joined to the domain and if there is an issue affecting the domain join, the "invalid username or password" error will occur.
4) The Azure AD Authentication Agent needs to be active. (See troubleshooting.)
5) There is a known issue that can cause this message to get triggered correctly if your domain is using third party MFA providers. If you are using the ROPC (Username/Password) flow for federated users, this error can occur when users get redirected to the federated identity provider for authentication. In this case, you need to follow the steps here to get around this issue.
6) If the credentials are correct, there still might be a policy in place that is blocking the agent from verifying some of the users' credentials (for example, something limiting the users from being signed in on those machines). I have seen this error before in those scenarios where it gets triggered even though the username and password are correct, which could explain why you receive the message that the Windows login was successful.
As you mentioned though, it would be easier to know for certain what is going on by taking a deeper look at your tenant. A tenant that is linked to an active subscription (not in a disabled state) is required in order to open any support case, and the tenant needs to have a credit card on file. The steps to open a support case are covered here, and we also have the global phone support lines listed here. If you are having issues creating a support case, I can attempt to enable one on your behalf, but your tenant does need to meet the prerequisites I mentioned. I'll leave an email in a private comment in case you would like to reach out.
I've also reached out to some contacts on the authentication team to share your scenario with them, and if the troubleshooting steps I mentioned do not work, they may have additional suggestions.
-
If the information helped narrow down your issue, please Accept the answer. This will help us as well as others in the community who might be researching similar information.
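As an added illustration of how a practitioner could verify causes 1, 3 and 4 from the answer above (this script is not part of the original answer and not Microsoft's own tooling), the following PowerShell script is meant to be run elevated on the Azure AD Connect / Pass-through Authentication server. It assumes the ActiveDirectory and Microsoft.Graph.Users modules are installed, that the Pass-through Authentication agent's Windows service is named AzureADConnectAuthenticationAgent, that the Graph `onPremisesSamAccountName` property is filterable, and takes the affected user's sAMAccountName as a parameter.

```powershell
# Added example (not from the original answer): checks for three of the
# "invalid username or password" causes listed above, run on the Azure AD
# Connect / Pass-through Authentication server.
# Assumptions: elevated session; ActiveDirectory and Microsoft.Graph.Users
# modules installed; $SamAccountName is the affected on-premises account.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName
)

# Cause 3) Domain join: the secure channel to the domain must be healthy.
if (Test-ComputerSecureChannel) {
    Write-Host "OK: secure channel to the domain is healthy."
} else {
    Write-Warning "Secure channel is broken. Repair with: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)"
}

# Cause 4) Authentication Agent: the PTA agent service must exist and be running.
# The service name below is an assumption; confirm it with Get-Service on your server.
$agentServiceName = 'AzureADConnectAuthenticationAgent'
$agent = Get-Service -Name $agentServiceName -ErrorAction SilentlyContinue
if ($null -eq $agent) {
    Write-Warning "Service '$agentServiceName' was not found on this host."
} elseif ($agent.Status -ne 'Running') {
    Write-Warning "Service '$agentServiceName' is '$($agent.Status)'; expected 'Running'."
} else {
    Write-Host "OK: Authentication Agent service is running."
}

# Cause 1) UPN mismatch: compare the on-premises UPN with the cloud UPN.
Import-Module ActiveDirectory
$onPremUser = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
$onPremUpn  = $onPremUser.UserPrincipalName
Write-Host "On-premises UPN: $onPremUpn"

# Read-only Graph sign-in; User.Read.All is enough to read UPNs.
Connect-MgGraph -Scopes 'User.Read.All' | Out-Null

# Look the synced cloud object up by its on-premises sAMAccountName so a
# mismatch is still found even when the UPNs differ.
$filter    = "onPremisesSamAccountName eq '$SamAccountName'"
$cloudUser = Get-MgUser -Filter $filter -Property 'UserPrincipalName,OnPremisesSamAccountName' |
             Select-Object -First 1

if ($null -eq $cloudUser) {
    Write-Warning "No cloud user with onPremisesSamAccountName '$SamAccountName' was found; check that the object is in scope for sync."
} elseif ($cloudUser.UserPrincipalName -ne $onPremUpn) {
    # -ne is case-insensitive in PowerShell, so only a real mismatch lands here.
    Write-Warning "UPN MISMATCH: on-premises '$onPremUpn' vs cloud '$($cloudUser.UserPrincipalName)'."
} else {
    Write-Host "OK: on-premises and cloud UPNs match."
}
```

Save it as, for example, `Check-PtaSignIn.ps1` and run `.\Check-PtaSignIn.ps1 -SamAccountName jdoe`. The script only reads state and prints findings; any repair (fixing the secure channel, restarting the agent service, correcting the UPN and resyncing) is left to the administrator so that the checks can be run safely on a production server.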