Hi @Gary Raboen · Thank you for reaching out.
When you enable PTA in your tenant, all authentication requests are routed to the PTA Agent installed on the on-premises server. The PTA Agent then forwards the requests to a Domain Controller, which performs the authentication by validating the credentials. Now, when user atest@X.onmicrosoft.com tries to sign in, the Domain Controller won't be able to find a UPN atest@X.onmicrosoft.com and fails the authentication with the error: The user name or password is incorrect.
Changing the UPN to a verified domain might be matching it with the UPN in the on-premises AD, due to which sign-in succeeds afterwards. If you don't want to switch your account to a custom domain, try adding xxx.onmicrosoft.com as a UPN suffix to on-prem AD and test again.
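An added example, not part of the original answer: PowerShell for the on-premises lookup and UPN-suffix change described above, using the ActiveDirectory module. The suffix and user name are the answer's redacted placeholders, and changing forest UPN suffixes is assumed to need forest-level rights.

```powershell
# Added example; run on a domain-joined machine with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholders: the answer redacts the real tenant name as "xxx" / "X".
$Suffix = 'xxx.onmicrosoft.com'
$Upn    = "atest@$Suffix"

# 1. Reproduce the lookup the Domain Controller performs for the PTA Agent:
#    is there an on-prem account whose UPN equals the sign-in name?
$user = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -Properties UserPrincipalName
if ($user) {
    Write-Output "On-prem account found: $($user.DistinguishedName)"
} else {
    Write-Output "No on-prem account has UPN $Upn; the DC cannot resolve this sign-in name."
}

# 2. List the alternative UPN suffixes currently defined on the forest.
$forest = Get-ADForest
Write-Output "Current UPN suffixes: $($forest.UPNSuffixes -join ', ')"

# 3. Add the suffix only if it is missing. -WhatIf previews the change;
#    remove it to apply.
if ($forest.UPNSuffixes -notcontains $Suffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $Suffix } -WhatIf
} else {
    Write-Output "$Suffix is already a UPN suffix on forest $($forest.Name)."
}
```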