25,148 questions
Do you have SSO enabled or conditional access policies preventing access perhaps?
Azure AD connect installation error at step Connect to Azure AD - Unable to retrieve the Azure Active Directory cinfiguration
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 57.00000000000001%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDA%3C/text%3E%3C/svg%3E)
Danish Anwar
46
Reputation points
We are installing new setup with new dedicated SQL server for our azure ad connect server.
No proxy involved.
We are able to connect our SQL but with global admin account of onmicrosoft it is giving error.
- No proxy
- Using Global admin
- tnc to login.microsoftonline.com is fine
- Already using latest AD connect version 2.0.28.0
More information - In logs I can see that used GA account is somehow resolving the tenant ID and also verified so means it is able to reach to tenant and resolve name. Still error is same. TLS 1.2 is enabled as per the MS blog already.
Already tested below commands
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor [System.Net.SecurityProtocolType]::Tls12
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
And to update Invoke-WebURI for
Invoke-WebRequest -Uri https://adminwebservice.microsoftonline.com/ProvisioningService.svc
Failing with error Invoke-WebRequest : The underlying connection was closed: An unexpected error occurred on a send.
However TNC to adminwebservice.microsoftonline.com on 443 is True.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
1 answer
Sort by: Most helpful
-
Alan Kinane 16,951 Reputation points MVP Volunteer Moderator2021-12-10T14:33:54.967+00:00 -
Danish Anwar 46 Reputation points
2021-12-10T15:06:13.64+00:00 Hello Alan,
Thank you for the reply.
No we don't have MFA enabled and already checked this article resolution 1 is URL's which we are able to reach and in logs we are able to see our GA name resolution succeed means we are able to reach and resolve user there.
Resolution 2 MFA is not applicable as we are not using SSO.Logs that our global admin resolved at tenant
Some Logs:
[11:09:46.956] [ 21] [INFO ] Authenticate-MSAL: successfully acquired an access token. TenantId=<ID>, ExpiresUTC=12/10/2021 12:23:18 PM +00:00, UserInfo=UN.domain.onmicrosoft.com, IdentityProvider=login.windows.net.
Sign in to comment -