Remove Azure Pass-through Authentication without a domain controller

Adam Krasuski 1 Reputation point
2021-02-01T19:51:33.963+00:00

Our Domain Controller has been removed from the network and is not available. Before removal, the AAD Connect software was not run to disable Single Sign-On and Pass-Through Authentication. Is there a way to disable Single Sign-On and Pass-Through Authentication without Azure AD Connect software and the domain controller?


1 answer

  1. Marilee Turscak-MSFT 36,926 Reputation points Microsoft Employee
    2021-02-02T00:22:54.813+00:00

    Hi @Adam Krasuski ,

    Please check in the AAD Admin portal if the agent is Active or Inactive. If it is Inactive, it should be automatically removed from the portal after a few days and you should be good to go. But if it's still showing as Active, then it's more complicated and users may be blocked from authenticating.

    If you still have access to the PTA server, you can rerun the Azure AD Connect wizard and change the user sign-in method from Pass-through Authentication to another method. Then you can log on and go to Control Panel -> Programs -> Programs and Features and uninstall both the Microsoft Azure AD Connect Authentication Agent and the Microsoft Azure AD Connect Agent Updater programs.

    If the agent is listed as Active and Azure is still reaching out to try to authenticate then your best option may be to recreate the users.

    From the FAQ:

    How can I disable Pass-through Authentication?

    Rerun the Azure AD Connect wizard and change the user sign-in method from Pass-through Authentication to another method. This change disables Pass-through Authentication on the tenant and uninstalls the Authentication Agent from the server. You must manually uninstall the Authentication Agents from the other servers.

    What happens when I uninstall a Pass-through Authentication Agent?

    If you uninstall a Pass-through Authentication Agent from a server, it causes the server to stop accepting sign-in requests. To avoid breaking the user sign-in capability on your tenant, ensure that you have another Authentication Agent running before you uninstall a Pass-through Authentication Agent.
