Troubleshoot account sign-in problems with an Azure Active Directory Domain Services managed domain

The most common reasons for a user account that can't sign in to an Azure Active Directory Domain Services (Azure AD DS) managed domain include the following scenarios:

Tip

Azure AD DS can't synchronize credentials for accounts that are external to the Azure AD tenant. External users can't sign in to the Azure AD DS managed domain.

Account isn't synchronized into Azure AD DS yet

Depending on the size of your directory, it may take a while for user accounts and credential hashes to be available in a managed domain. For large directories, this initial one-way sync from Azure AD can take a few hours, and up to a day or two. Make sure that you wait long enough before retrying authentication.

For hybrid environments that use Azure AD Connect to synchronize on-premises directory data into Azure AD, make sure that you run the latest version of Azure AD Connect and have configured Azure AD Connect to perform a full synchronization after enabling Azure AD DS. If you disable Azure AD DS and then re-enable it, you have to follow these steps again.

If you continue to have issues with accounts not synchronizing through Azure AD Connect, restart the Azure AD Sync Service. From the computer with Azure AD Connect installed, open a command prompt window, then run the following commands:

net stop "Microsoft Azure AD Sync"
net start "Microsoft Azure AD Sync"

Azure AD DS doesn't have the password hashes

Azure AD doesn't generate or store password hashes in the format that's required for NTLM or Kerberos authentication until you enable Azure AD DS for your tenant. For security reasons, Azure AD also doesn't store any password credentials in clear-text form. Therefore, Azure AD can't automatically generate these NTLM or Kerberos password hashes based on users' existing credentials.

Hybrid environments with on-premises synchronization

For hybrid environments using Azure AD Connect to synchronize from an on-premises AD DS environment, you can locally generate and synchronize the required NTLM or Kerberos password hashes into Azure AD. After you create your managed domain, enable password hash synchronization to Azure Active Directory Domain Services. Without completing this password hash synchronization step, you can't sign in to an account using the managed domain. If you disable Azure AD DS and then re-enable it, you have to follow those steps again.

For more information, see How password hash synchronization works for Azure AD DS.

Cloud-only environments with no on-premises synchronization

Managed domains with no on-premises synchronization (accounts that exist only in Azure AD) also need to generate the required NTLM or Kerberos password hashes. If a cloud-only account can't sign in, check whether the account's password has been changed successfully since Azure AD DS was enabled:

  • No, the password has not been changed.
    • Change the password for the account to generate the required password hashes, then wait for 15 minutes before you try to sign in again.
    • If you disable Azure AD DS and then re-enable it, each account must follow the steps again to change its password and generate the required password hashes.
  • Yes, the password has been changed.
    • Try to sign in using the UPN format, such as driley@aaddscontoso.com, instead of the SAMAccountName format like AADDSCONTOSO\deeriley.
    • The SAMAccountName may be automatically generated for users whose UPN prefix is overly long or is the same as another user on the managed domain. The UPN format is guaranteed to be unique within an Azure AD tenant.

The account is locked out

A user account in a managed domain is locked out when a defined threshold for unsuccessful sign-in attempts has been met. This account lockout behavior is designed to protect you from repeated brute-force sign-in attempts that may indicate an automated digital attack.

By default, if there are 5 bad password attempts in 2 minutes, the account is locked out for 30 minutes.

For more information and how to resolve account lockout issues, see Troubleshoot account lockout problems in Azure AD DS.
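The checks in the sections above can be run against a single account from a domain-joined management VM. The following script is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module is installed, that the managed domain (placeholder name `aaddscontoso.com`) is reachable, and that you know the date Azure AD DS was enabled for the tenant (passed as `-AadDsEnabledOn`).

```powershell
# Added example, not from the original article: triage one account against the
# checks above, run from a domain-joined management VM that has the RSAT
# ActiveDirectory module. Assumes the managed domain is reachable and that you
# know when Azure AD DS was enabled for the tenant (passed as -AadDsEnabledOn).
param(
    [Parameter(Mandatory)] [string]   $UserPrincipalName,
    [Parameter(Mandatory)] [datetime] $AadDsEnabledOn,
    [string] $Server = 'aaddscontoso.com'   # placeholder managed domain DNS name
)
Import-Module ActiveDirectory

# 1. Present in the managed domain at all? If not, the one-way sync from Azure AD
#    has not delivered it yet, or the user is external to the tenant.
$user = Get-ADUser -Server $Server -Filter "UserPrincipalName -eq '$UserPrincipalName'" `
    -Properties LockedOut, BadPwdCount, LastBadPasswordAttempt, PasswordLastSet
if (-not $user) {
    Write-Output "NOT FOUND: $UserPrincipalName is not synchronized into $Server (yet)."
    return
}

# 2. NTLM/Kerberos hashes exist only if the password was set after Azure AD DS
#    was enabled, so compare the last password set time with that date.
if (-not $user.PasswordLastSet -or $user.PasswordLastSet -lt $AadDsEnabledOn) {
    Write-Output "NO HASHES: password last set '$($user.PasswordLastSet)', before Azure AD DS was enabled on $AadDsEnabledOn. The user must change the password and wait about 15 minutes."
} else {
    Write-Output "OK: password set on $($user.PasswordLastSet), after Azure AD DS was enabled."
}

# 3. Lockout state, shown next to the policy that produced it (default: 5 bad
#    attempts within 2 minutes locks the account for 30 minutes).
$policy = Get-ADDefaultDomainPasswordPolicy -Server $Server
if ($user.LockedOut) {
    $msg = 'LOCKED OUT: {0} bad attempts, last at {1}; policy is {2} attempts within {3} min, lockout {4} min.'
    Write-Output ($msg -f $user.BadPwdCount, $user.LastBadPasswordAttempt, $policy.LockoutThreshold,
        $policy.LockoutObservationWindow.TotalMinutes, $policy.LockoutDuration.TotalMinutes)
} else {
    Write-Output "OK: not locked out (bad password count so far: $($user.BadPwdCount))."
}

# 4. Name formats: the UPN is guaranteed unique in the tenant, while the
#    SAMAccountName may have been auto-generated, so tell the user which to type.
$netbios = (Get-ADDomain -Server $Server).NetBIOSName
Write-Output "Sign in as '$($user.UserPrincipalName)' rather than '$netbios\$($user.SamAccountName)'."
```

Run it as `.\Test-AadDsSignIn.ps1 -UserPrincipalName driley@aaddscontoso.com -AadDsEnabledOn '2023-01-15'` (script file name chosen here, not from the article); a NOT FOUND result points to the sync delay, NO HASHES to a required password change, and LOCKED OUT to the lockout article linked above.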

Next steps

If you still have problems joining your VM to the managed domain, find help and open a support ticket for Azure Active Directory.