Microsoft Entra Provisioning Agent install errors and fixes

David Rukavina 20 Reputation points
2025-05-07T10:38:36.9966667+00:00

This is not a question, but feedback. I encountered a couple of issues installing Microsoft Entra Provisioning Agent v1.1.1586.0; here are the errors and the workarounds. These should be fixed in the installer.

  1. Error: "The user is not a Global Administrator or a Hybrid Administrator" when the account is a PIM-activated Global Admin. Cause: We use PIM role groups, so I activate a membership in "global admins access" group, which again is an active member in the directory role "Global Admins". The installer looks for my UPN in the membership list of "Global Admins", where it can only find the "global admins access" group, not my UPN. I assume the same method is used for "Hybrid Administrator" role. Fix: Installer must use other validation method or support group nesting.
  2. When choosing to create a new gMSA: Unable to install service account pGMSA_123456$ after 6 retries. The gMSA is created in AD, and applied to the service, but starting the service fails. Cause: The service is not marked as using a managed service account. Fix: Set "ServiceAccountManaged" flag to "01 00 00 00". Either directly in registry "HKLM:\SYSTEM\CurrentControlSet\Services\AADConnectProvisioningAgent" or with "sc.exe managedaccount AAdConnectProvisioningAgent true". Possibly related to Windows Server 2022/2025 changes, I don't believe I had to set this flag on Windows Server 2019, but I'm not sure.
  3. When choosing to use a custom gMSA: Failed changing Windows service credentials to gMSA. Same as 2: Set "ServiceAccountManaged" flag to "01 00 00 00".
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Goutam Pratti 5,775 Reputation points Microsoft External Staff Moderator
    2025-05-07T21:28:38.1833333+00:00

    Hello @David Rukavina ,

    Thank you for sharing your feedback regarding the installation issues with the Microsoft Entra Provisioning Agent. The errors you've encountered highlight some important considerations for users, especially those utilizing PIM role groups and managed service accounts.

    I’m posting your feedback as an answer. Please take a moment to review and accept it so it can help other community members facing the same issue.

    1. Error: "The user is not a Global Administrator or a Hybrid Administrator" when the account is a PIM-activated Global Admin.
      Cause: You use PIM role groups, so you activated a membership in "global admins access" group, which again is an active member in the directory role "Global Admins". The installer looks for your UPN in the membership list of "Global Admins", where it can only find the "global admins access" group, not your UPN.
      Suggested Fix: Installer must use other validation method or support group nesting.
    2. Error: When choosing to create a new gMSA: Unable to install service account pGMSA_123456$ after 6 retries. The gmsa is created in AD, and applied to the service, but starting the service fails.
      Cause: The service is not marked as using a managed service account.
      Fix: Set "ServiceAccountManaged" flag to "01 00 00 00". Either directly in registry "HKLM:\SYSTEM\CurrentControlSet\Services\AADConnectProvisioningAgent" or with "sc.exe managedaccount AAdConnectProvisioningAgent true".
    3. Error: When choosing to use a custom gMSA: Failed changing Windows service credentials to gMSA. Same as the above step.
      Fix: Set "ServiceAccountManaged" flag to "01 00 00 00"

    You can share the same feedback on the Azure feedback community, where our product team actively monitors submissions and will consider it for future improvements or fixes.

    Let me know if you have any additional queries. Happy to assist you further.
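
The workaround from items 2 and 3, as an added PowerShell example that is not part of the original posts or of Microsoft's installer: it reports whether the service logs on as a gMSA while `ServiceAccountManaged` is unset, and runs `sc.exe managedaccount` only when `-Fix` is passed. The `-Fix` switch, the `Test-ManagedFlag` helper, the trailing-`$` heuristic and the acceptance of a DWORD-typed value are assumptions of this example.

```powershell
# Added example, not the poster's or Microsoft's code. Run in an elevated session.
param(
    [string]$ServiceName = 'AADConnectProvisioningAgent',  # service name from the thread
    [switch]$Fix                                           # hypothetical switch: apply the workaround
)

function Test-ManagedFlag {
    # True when ServiceAccountManaged decodes to 1. The thread shows the value as the
    # bytes "01 00 00 00"; a DWORD-typed value is also accepted here (assumption).
    param($Value)
    if ($null -eq $Value) { return $false }
    if ($Value -is [byte[]]) {
        return ($Value.Length -ge 4 -and [BitConverter]::ToUInt32($Value, 0) -eq 1)
    }
    return ([uint32]$Value -eq 1)
}

$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed." }

# A missing value yields $null, which Test-ManagedFlag treats as "not managed".
$raw = (Get-ItemProperty -Path $regPath -Name ServiceAccountManaged `
        -ErrorAction SilentlyContinue).ServiceAccountManaged
$isManaged = Test-ManagedFlag $raw

# Heuristic: gMSA logon names end in '$' (for example the thread's pGMSA_123456$).
$usesGmsa = [bool]($svc.StartName -like '*$')

[pscustomobject]@{
    Service               = $ServiceName
    LogonAs               = $svc.StartName
    State                 = $svc.State
    LooksLikeGmsa         = $usesGmsa
    ServiceAccountManaged = $isManaged
}

if ($usesGmsa -and -not $isManaged) {
    Write-Warning 'Service logs on as a gMSA but is not flagged as managed (the state reported in the thread).'
    if ($Fix) {
        # Same command the thread gives as the fix.
        & sc.exe managedaccount $ServiceName true | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc.exe managedaccount failed ($LASTEXITCODE)." }
        Start-Service -Name $ServiceName
        (Get-Service -Name $ServiceName).Status
    }
}
```

Run it without `-Fix` first to record the current state before changing the service configuration.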
