Inactive azure authentication agent

GRamirez 1 Reputation point


After an active directory domain migration, I face a strange behavior with azure authentication: they are always inactive (but user connection are OK). If I restart the azure authentication service where the PTA is installed, both agent are seen as "active" on azure portal and came back inactive (30min later approx).
I have seen this error because after 10 days, inactive direct authentification are automatically deleted from azure portal. So, no one can log to o365. With the service restart, both PTA had been recreated and user can log on again.

Domain migration from 2008R2 to 2016.
One PTA was deleted from an old 2012 DC and reinstalled on a new 2016 without problem during the installation.
On direct authentication portal, both PTA show good public IP and FQDN.

Someone had faced this issue ?
Thank you!

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,094 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. VipulSparsh-MSFT 16,251 Reputation points Microsoft Employee

    @GRamirez Few others customer seems to be facing this. Can you try something like this to repair your Azure AD connect setup and see if this fix it for you.
    The inactive agent indeed gets removed by Azure portal automatically after some time.

    Let me know how it goes for you.

    0 comments No comments

  2. GRamirez 1 Reputation point

    Thank you for your answer, but the repair didn't solve the issue: same effect as restart the service (active for 30min then go back inactive).

    I go deeper and see that the day I add a new DC 2016 on the domain, the AZUREADSSOACC (used for direct authentication) add been modified. Maybe, it is related to this.
    So I tried the steps to roll over the Kerberos decryption key of the AZUREADSSO computer account (link =

    But error on steps one :
    Get-AzureADSSOStatus : https://[...] can't accept this message. Maybe du to incorrect address or incorect SOAP action. (translation here)

    On event viewer:
    Event ID 12020: The Connector was unable to connect to the service due to networking issues. The Connector tried to access the following URL: 'https://[...]', Request ID: '{...}'. See Connector troubleshooting for more information:

    On logs (%ProgramData%\Microsoft\Azure AD Connect Authentication Agent\Trace), I can see the IP from where the authentication agent want to communicate (100% Microsoft).

    Hard to figure it out when never work with azure ! Maybe, I will try to open a case on MS.
    Than you

    0 comments No comments

  3. GRamirez 1 Reputation point

    I Didn't notice that you want I had to repair the AzureAdConnect.
    Anayway I cannot, at it seems that there is already a newer azure ad connect installed.
    In fact, there is only the azure ad connect v (check with powershell and same version as control panel).