This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 31%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hi. Pretty basic scenario. Installed Azure AD Connect (latest version) on Server 2016. All goes fine, except at end it says:
Registration failed for your Azure AD Connect Health Agent for sync
Manually re-ran Health registration with PowerShell, as per recommendations, and still ended up the same. Specific error is:
Error: This tenant is not onboarded to Microsoft Entra Connect Health. Only Tenant owners can onboard a new tenant The remote server returned an error: (400) Bad Request
Googled as much as possible, but no info at all on this specific error? Users sync to cloud fine, but nothing for the AD Health Sync Services. Have un/reinstalled AD Connect, but to no avail. Full logs says exactly the same thing:
2023-10-17 21:38:46.532 api Uri: https://management.azure.com/providers/Microsoft.ADHybridHealthService/services?serviceType=AadSyncService&api-version=2014-01-01
2023-10-17 21:38:46.609 The service is null, will make a new service and send a request to add it in database
2023-10-17 21:38:46.609 --> https://management.azure.com/providers/Microsoft.ADHybridHealthService/services?api-version=2014-01-01
TraceEntry.Start
Timestamp = 10/17/2023 21:38:46
TenantId = 00000000-0000-0000-0000-000000000000
AgentId =
ServiceId = 00000000-0000-0000-0000-000000000000
ServiceMemberId = 00000000-0000-0000-0000-000000000000
ActivityId = 15324d45-2690-4a80-af98-c33c2a2519b2
CorrelationId = 15324d45-2690-4a80-af98-c33c2a2519b2
TraceType = Warning
CallerName = IsTransient
CallerSourceInfo = C:\__w\1\s\src\dev\common\Utils\AdHealthRetryPolicy.cs#25
Message = Operation failed. The remote server returned an error: (400) Bad Request.. Retrying...
Exception =
TraceEventType = Registration
AgentType = NotAnAgent
ServiceType =
Version = 3.2.01823.12
TraceEntry.End
TraceEntry.Start
Timestamp = 10/17/2023 21:38:46
TenantId = 00000000-0000-0000-0000-000000000000
AgentId =
ServiceId = 00000000-0000-0000-0000-000000000000
ServiceMemberId = 00000000-0000-0000-0000-000000000000
ActivityId = 15324d45-2690-4a80-af98-c33c2a2519b2
CorrelationId = 15324d45-2690-4a80-af98-c33c2a2519b2
TraceType = Warning
CallerName = IsTransient
CallerSourceInfo = C:\__w\1\s\src\dev\common\Utils\AdHealthRetryPolicy.cs#25
Message = Operation failed. The remote server returned an error: (400) Bad Request.. Retrying...
Exception =
TraceEventType = Registration
AgentType = NotAnAgent
ServiceType =
Version = 3.2.01823.12
TraceEntry.End
TraceEntry.Start
Timestamp = 10/17/2023 21:38:57
TenantId = 00000000-0000-0000-0000-000000000000
AgentId =
ServiceId = 00000000-0000-0000-0000-000000000000
ServiceMemberId = 00000000-0000-0000-0000-000000000000
ActivityId = 15324d45-2690-4a80-af98-c33c2a2519b2
CorrelationId = 15324d45-2690-4a80-af98-c33c2a2519b2
TraceType = Warning
CallerName = IsTransient
CallerSourceInfo = C:\__w\1\s\src\dev\common\Utils\AdHealthRetryPolicy.cs#25
Message = Operation failed. The remote server returned an error: (400) Bad Request.. Retrying...
Exception =
TraceEventType = Registration
AgentType = NotAnAgent
ServiceType =
Version = 3.2.01823.12
TraceEntry.End
TraceEntry.Start
Timestamp = 10/17/2023 21:39:07
TenantId = 00000000-0000-0000-0000-000000000000
AgentId =
ServiceId = 00000000-0000-0000-0000-000000000000
ServiceMemberId = 00000000-0000-0000-0000-000000000000
ActivityId = 15324d45-2690-4a80-af98-c33c2a2519b2
CorrelationId = 15324d45-2690-4a80-af98-c33c2a2519b2
TraceType = Warning
CallerName = IsTransient
CallerSourceInfo = C:\__w\1\s\src\dev\common\Utils\AdHealthRetryPolicy.cs#25
Message = Operation failed. The remote server returned an error: (400) Bad Request.. Retrying...
Exception =
TraceEventType = Registration
AgentType = NotAnAgent
ServiceType =
Version = 3.2.01823.12
TraceEntry.End
2023-10-17 21:39:07.226 WebException caught: System.Net.WebException: The remote server returned an error: (400) Bad Request.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Identity.Health.Common.RestRequest.<>c__DisplayClass6_0.<SendData>b__0()
at Microsoft.Practices.EnterpriseLibrary.TransientFaultHandling.RetryPolicy.ExecuteAction[TResult](Func`1 func)
at Microsoft.Identity.Health.Common.RestRequest.SendData(HttpMethod httpMethod, String uri, String accessToken, String content, String contentType, X509Certificate2 clientCertificate, RemoteCertificateValidationCallback customRemoteCertificateValidation, Guid correlationId, RetryPolicy retryPolicy)
at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.RegisterADHealthAgent.RegisterTenantAndServiceIfNotExist(String serviceTypeName, String serviceSignature, String serviceDisplayName)
2023-10-17 21:39:07.227 Http Status Code: BadRequest
2023-10-17 21:39:07.228 Error Response: {"CorrelationId":"15324d45-2690-4a80-af98-c33c2a2519b2","Error":"This tenant is not onboarded to Microsoft Entra Connect Health. Only Tenant owners can onboard a new tenant.","Message":"Invalid request."}
ERROR: 2023-10-17 21:39:07.236 CorrelationId: 15324d45-2690-4a80-af98-c33c2a2519b2, Error: This tenant is not onboarded to Microsoft Entra Connect Health. Only Tenant owners can onboard a new tenant., Message: Invalid request.
System.Net.WebException: The remote server returned an error: (400) Bad Request.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Identity.Health.Common.RestRequest.<>c__DisplayClass6_0.<SendData>b__0()
at Microsoft.Practices.EnterpriseLibrary.TransientFaultHandling.RetryPolicy.ExecuteAction[TResult](Func`1 func)
at Microsoft.Identity.Health.Common.RestRequest.SendData(HttpMethod httpMethod, String uri, String accessToken, String content, String contentType, X509Certificate2 clientCertificate, RemoteCertificateValidationCallback customRemoteCertificateValidation, Guid correlationId, RetryPolicy retryPolicy)
at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.RegisterADHealthAgent.RegisterTenantAndServiceIfNotExist(String serviceTypeName, String serviceSignature, String serviceDisplayName)2023-10-17 21:39:07.238 The remote server returned an error: (400) Bad Request.
2023-10-17 21:39:07.24 WebException caught: System.Net.WebException: The remote server returned an error: (400) Bad Request.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Identity.Health.Common.RestRequest.<>c__DisplayClass6_0.<SendData>b__0()
at Microsoft.Practices.EnterpriseLibrary.TransientFaultHandling.RetryPolicy.ExecuteAction[TResult](Func`1 func)
at Microsoft.Identity.Health.Common.RestRequest.SendData(HttpMethod httpMethod, String uri, String accessToken, String content, String contentType, X509Certificate2 clientCertificate, RemoteCertificateValidationCallback customRemoteCertificateValidation, Guid correlationId, RetryPolicy retryPolicy)
at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.RegisterADHealthAgent.RegisterTenantAndServiceIfNotExist(String serviceTypeName, String serviceSignature, String serviceDisplayName)
at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.RegisterADHealthAgent.ProcessRecord()
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 52%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBP%3C/text%3E%3C/svg%3E)
Here the same.....
Encountering the exact same issue right now.
User has GA and an A5 directly assigned
AAD P2 is active
"Error: This tenant is not onboarded to Microsoft Entra Connect Health. Only Tenant owners can onboard a new tenant."
Really strange indeed, I've done dozens of setups before and it's the first I've seen this.
I’m currently trying to search for a solution with a Microsoft engineer. But still The problem exist . I’ve tried several powershell scripts on behalf of The engineer to check tls1.2 . Somehow it was not turned on / status was not available. Sober turned it on with a other powershell script , and now we can see Some values but The problem is stil there .
what we noticed yesterday when trying to configure The health service again … when The login prompt was coming to login with The GA admin account, we did not needed to enter The mfa .
last night i received a update that Microsoft is still investigating this issue .
when i have more info I Will post it
Does the account you are using have a P1 or P2? and you meet the role requirements?
the account we use is having a Microsoft 365 Business Premium, so P1 is included.
i installed the ad connect 1 month ago on a other server and was not having any problems.
we also getting the error message when i do a gui configuration of the "MS AAD Connect Health agent for sync";
Error; This Tenant is not onboarded to microsoft entra connect health. Only tenants owners can onboard a new tenant.
we are using a Global admin account.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 12%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
I have the same problem.
User is Global Administrator (via PIM)
Entra ID P2 license is active.
I also tried the give the user Owner role assignment in Entra Connect Health -> same error
Any other suggestions?
Many thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 77%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
Same problem here. Same error.
It is a developer tenant (E5). User have licence.
In our case, it appeared to be an AD permissions inheritance issue.
Once we enabled inheritance on the onprem MSOL account, we were good to go.
As it turns out, this is very similar to: https://learn.microsoft.com/en-us/answers/questions/114601/azure-ad-sync-connect-issue-with-permission-error