Can not logon with @xxx.onmicrosoft.com

Question

Hi,

Recently we've been migrated from ADFS to PTA with SSSO enabled.
It does the job perfectly, however, I was unable to login with my onmicrosoft.com account afterwards, which is Global Administrator.

My colleague changed my domain to our custom domain and then I was able to login. When I changed it back to the xxx.onmicrosoft.com domain, I got the following:

cmdlet Invoke-PassthroughAuthOnPremLogonTroubleshooter at command pipeline position 1
Supply values for the following parameters:
Trying to log on using credentials atest@X .onmicrosoft.com
Logon failed with error code: 1326
Details: The user name or password is incorrect

When I change it back to the custom domain name, with the same password, I'm able to login.

Can someone explain this to me?

Kind regards,

Gary

Answer 1

Hi @Gary Raboen · Thank you for reaching out.

When you enable PTA in your tenant, all authentication requests are routed to PTA Agent installed in On-premises server. PTA Agent then forward the requests to a Domain Controller which performs the authentication by validating the credentials. Now, when user atest@X .onmicrosoft.com tries to sign-in, Domain Controller won't be able to find a UPN atest@X .onmicrosoft.com and fails the authentication with error: The user name or password is incorrect.

Changing UPN to verified domain, might be matching it with the UPN in the On-premises AD due to which sign-in succeeds afterwards. If you don't want to switch your account to custom domain, try adding xxx.onmicrosoft.com as UPN suffix to on-prem AD and test again.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.