Azure AD Hybrid Sync Agent Installation Issues - Cannot start service AADConnectProvisioningAgent

This troubleshooting guide focuses on when you can't start the AADConnectProvisioningAgent service. This problem may block you from installing the Azure AD Connect Provisioning Agent successfully.


To install the Cloud Provisioning Agent, you must meet the requirements in Prerequisites for Azure AD Connect cloud sync.

Cannot start service AADConnectProvisioningAgent

While installing Cloud Provisioning Agent, you may get the following error:

Service 'Microsoft Azure AD Connect Provisioning Agent' (AADConnectProvisioningAgent) failed to start. Verify that you have sufficient privileges to start system services.

Screenshot of error when installing Microsoft Azure AD Connect Provisioning Agent, about how the Connect Provisioning Agent service failed to start.

Assign domain administrator credentials to the AADConnectProvisioningAgent service, as shown in How to troubleshoot agent failed to start.

Screenshot of the 'Log On' tab of the Microsoft Azure AD Connect Provisioning Agent Properties window, including the account and password entries.

After assigning credentials to the service, you may still be unable to complete the installation wizard, and receive the following error message:

Failed changing Windows service credentials to gMSA. Please check the logs for more detailed information. If that doesn't help resolve this issue, please contact support.

Screenshot of the agent configuration window. It shows an error about how it couldn't change the Windows service credentials to gMSA.

If you select the Confirm button again, the following message is displayed:

Unable to create gMSA because KDS may not be running on domain controller. Please create/run KDS manually.

Screenshot of the agent configuration window. It shows an error about how it can't create gMSA, and to create or run KDS manually first.

To resolve this issue, check the System event log for event ID 7041. The event details describe how to assign the Log on as a service user right in the Local Security Policy snap-in (secpol.msc).

Screenshot of the Event 7041, Service Control Manager window. It notes that the service account doesn't have the required user right.
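
The check described above can be scripted. The following PowerShell is an added example, not part of the original article or of the agent's own tooling; it assumes an elevated session on the server where the agent is being installed, and the temporary file name is arbitrary.

```powershell
# Added diagnostic example: run in an elevated PowerShell session on the
# server where the provisioning agent installation failed.
$serviceName = 'AADConnectProvisioningAgent'   # service name from the error text

# 1. Which account is the service configured to log on as?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { Write-Warning "Service $serviceName is not installed here."; return }
$account = $svc.StartName
"Service state: $($svc.State); logon account: $account"

# 2. Recent event ID 7041 entries from the Service Control Manager (System log).
$filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7041 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$serviceName*" -or $_.Message -like "*$($svc.DisplayName)*" }
if ($events) {
    $events | Select-Object -First 3 TimeCreated, Message | Format-List
} else {
    "No event 7041 mentioning $serviceName was found in the System log."
}

# 3. Export the local user-rights assignments and read SeServiceLogonRight.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # arbitrary temporary file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# Entries are account names, or SIDs prefixed with '*'. Resolve the account to a SID.
$holders = @()
if ($line) { $holders = @(($line -split '=', 2)[1].Split(',').Trim().TrimStart('*')) }
try {
    $sid = ([System.Security.Principal.NTAccount]$account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
} catch { $sid = $null }   # built-in names such as LocalSystem do not translate

if ($holders -contains $sid -or $holders -contains $account) {
    "$account is listed directly under 'Log on as a service'."
} else {
    "$account is not listed directly under 'Log on as a service' (a group it belongs to may still hold the right)."
}
```

If the account is missing from the list, assign the right in secpol.msc as the event text describes, then retry the installation wizard.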
