Why is Azure Entra no longer syncing with our servers?

Question

Why is Azure Entra no longer syncing with our servers?

Julien Carpenter 0

After changing our SKU from Basic to Standard last week, our Entra Domain services have stopped syncing with our internal servers. When we add or modify a user in the Office 365 admin portal, the changes are not reflected on our servers. We are getting error AADDS500 and AADDS104. We have checked the Azure Firewall rules and everything seems to be alright. Everything was working smoothly until we made this change and we are unable to track down the source of the issue.

Smaran Thoomu 34,070 Reputation points Microsoft External Staff Moderator

2026-03-01T04:50:33.3433333+00:00
Hey Julien, it sounds like after you bumped your Azure AD Domain Services SKU from Basic to Standard, the managed domain’s sync pipeline to your servers started failing with errors AADDS500 and AADDS104. Those codes usually point at connectivity or provisioning interruptions between your Azure AD tenant and the Domain Services instances. Here’s what you can try:

Verify outbound connectivity • Make sure your Azure Firewall (and any NSGs/UDRs) isn’t blocking the required FQDNs over port 443: – *.msappproxy.net and *.servicebus.windows.net (used by the Cloud Sync/AD DS provisioning agent) – login.microsoftonline.com and management.azure.com (for authentication and management) – crl3.digicert.com / ocsp.microsoft.com (for cert revocation checks) • Disable any SSL inspection on those flows. • Use Azure Firewall’s flow logs or flow trace to confirm packets are flowing both ways.

Force a manual sync or restart the Domain Services • In the Azure portal, go to Azure AD Domain Services > your managed domain > Overview > Sync now. • If that doesn’t help, try restarting the managed domain (under Properties), which reboots the domain controller VMs and can clear transient issues.

Check the health of your sync agents • If you’re using Azure AD Connect Health, ensure the Health agent is registered and up-to-date (no registration failures). • Review “Health Service data not up to date” steps to ensure your agent is reporting fresh data.

Guard against provisioning quarantine (Cloud Sync) • If you’ve adopted the Cloud Sync agent (instead of full Azure AD Connect), look in Azure AD > Provisioning and see if the job is in quarantine. • You can clear the quarantine or restart the provisioning job.

If you’re still stuck, can you share a bit more detail?

Are you using Azure AD Connect (the on-prem agent) or the new Cloud Sync agent?

Which region is your managed domain deployed in?

A screenshot or exact timestamp/details of the AADDS500 and AADDS104 errors?

The current NSG/UDR rules or a summary of your Firewall setup after the SKU change?

References

Connect Health for Microsoft Entra Synchronization https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-health-agent-install

Troubleshoot Cloud Sync https://docs.microsoft.com/azure/active-directory/cloud-sync/how-to-troubleshoot

Agent outbound requirements (FQDNs & ports) https://docs.microsoft.com/entra/identity/hybrid/cloud-sync/how-to-troubleshoot#agent-problems

Azure Firewall flow trace & logs https://docs.microsoft.com/azure/firewall/logs-and-metrics

Hope this helps! Let me know what you find or if you need more guidance.

Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.
Raja Pothuraju 46,105 Reputation points Microsoft External Staff Moderator

2026-03-03T09:01:47.7633333+00:00

@Julien Carpenter, Just checking in to see if you're still experiencing the issue. Let me know, and we can discuss it offline to better understand the configuration.

1 answer

Your answer

Raja Pothuraju 46,105 Reputation points Microsoft External Staff Moderator

2026-03-03T09:01:47.7633333+00:00

@Julien Carpenter, Just checking in to see if you're still experiencing the issue. Let me know, and we can discuss it offline to better understand the configuration.

Answer 1

Julien Carpenter hi (old one q, but still need to be answered)

сhanging the SKU itself normally does not break synchronization, so the timing suggests something else changed during or after the upgrade. Azure Entra Domain Services (AAD DS) does not sync back to on-prem servers. It synchronizes from Microsoft Entra ID into the managed domain. If u expect changes made in Office 365 to appear on on-prem AD that only works if Azure AD Connect (or Cloud Sync) is correctly configured and running.

Errors AADDS500 & AADDS104 indicate directory synchronization or domain services health issues not firewall blocking. I guess after SKU change common for one of these to happen

• Azure AD Connect service stopped or lost credentials

• Password hash sync disabled

• Service account permissions changed

• Domain Services resource went into degraded state

• Network rules changed for required outbound endpoints

But we can check )))))

On the Azure AD Connect server, open Synchronization Service Manager and see – Sync service is running – No export errors – Last successful sync time
In Azure portal Entra ID > Azure AD Connect > check sync status Entra ID > Domain Services > Health > look for alerts
check is password hash sync is enabled. AAD DS requires password hash sync to work correctly.
see if required ports are open from Domain Controllers / Connect server TCP 443 outbound to Microsoft endpoints LDAP/LDAPS if applicable
If u are using Azure Firewall look if no outbound rule was tightened during SKU change.

Most cases like this end up being Azure AD Connect not running or stuck after a service credential change. The SKU upgrade likely triggered a backend reconfiguration that exposed an existing sync issue.

Focus first on Azure AD Connect health, if that service is not successfully syncing, nothing from O365 will reach ur servers.

rgds,

Alex

Share via

Why is Azure Entra no longer syncing with our servers?

1 answer

Your answer