Forcing Azure AD to reset when you've lost your Passthrough authentication servers

Jon Morby 1 Reputation point
2021-05-16T21:55:28.823+00:00

So, I was in the process of setting up a new VDI farm for a customer and as we couldn't migrate their forest (easily) it seemed easier to just create everything from scratch and do it right (as this old old old setup was a mess anyway)

All was going well and during testing / getting ready to go live we enabled passthrough authentication from Azure AD ... had some issues, and tried to disable it / mis-read an FAQ and uninstalled the passthrough daemon without first running AD Connect to turn on Hash sync ... worse yet, we also removed AD Connect

So now, we can't log into Azure AD to do anything and the client can't log into their O365 email

I've been on to AzureSupport and they've said raise a ticket, which I've done and they also suggested posting here for ideas

So, any ideas how I can fix this myself? The "break glass" account is missing Azure/AD permissions so I can't unfubar things using that ... in fact we had a hell of a job even getting into that as the recovery details still point to the guy who originally set the whole thing up, even though we were sure we'd changed them to point to one of our lead engineers

Microsoft Entra ID

1 answer

AmanpreetSingh-MSFT 56,306 Reputation points
2021-05-17T11:59:16.383+00:00

Hi @Jon Morby · Thank you for reaching out.

If you don't have access to AD Connect and the PTA agent, you can still disable Pass-through Authentication for your tenant. Please follow the steps below:

1. Download and install the PTA agent on any computer using Azure Portal > Azure AD > AD Connect > Pass Through Authentication > Download or Click Here to download
2. In an elevated PowerShell window, run cd "C:\Program Files\Microsoft Azure AD Connect Authentication Agent"
3. Run Import-Module .\Modules\PassthroughAuthPSModule
4. Run Get-PassthroughAuthenticationEnablementStatus -Feature PassthroughAuth to see if Pass-through Authentication is enabled.
5. Run Disable-PassthroughAuthentication -Feature PassthroughAuth to disable Pass-through Authentication.
6. Run Get-PassthroughAuthenticationEnablementStatus -Feature PassthroughAuth again to confirm that Pass-through Authentication is disabled.

You can also go to Azure Portal > Azure AD > AD Connect and confirm that Pass Through Authentication is disabled.

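The steps in the answer above as one PowerShell script, added here as an example and not part of the original answer or of Microsoft's tooling. It assumes the agent is already installed at the default path quoted in step 1, that the session is elevated, and that the cmdlet and parameter names are exactly those given in the answer; it adds an elevation check, an explicit confirmation before the tenant-wide change, and a transcript of the before/after status that can be attached to the support ticket mentioned in the question.

```powershell
# Added example (not from the original answer): runs steps 2-6 with checks around them.
# Assumptions: PTA agent installed at its default path (step 1), elevated PowerShell session,
# and the cmdlet/parameter names exactly as given in the answer.
$agentDir = 'C:\Program Files\Microsoft Azure AD Connect Authentication Agent'
$log      = Join-Path $env:TEMP ("pta-disable-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))

# Record the whole session (who, when, status before and after) for the support ticket.
Start-Transcript -Path $log | Out-Null
try {
    # Step 2 requires an elevated window; fail early rather than half-way through.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal] $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell window (step 2).'
    }

    # Step 1 must already be done on this machine.
    if (-not (Test-Path $agentDir)) {
        throw "PTA agent not found at '$agentDir'; install it first (step 1)."
    }

    Set-Location $agentDir                                              # step 2
    Import-Module .\Modules\PassthroughAuthPSModule -ErrorAction Stop    # step 3

    Write-Host '--- Pass-through Authentication status BEFORE ---'      # step 4
    Get-PassthroughAuthenticationEnablementStatus -Feature PassthroughAuth | Out-Host

    # This is a tenant-wide change: require an explicit "yes" instead of an implicit one.
    $reply = Read-Host 'Disable Pass-through Authentication for this tenant? (yes/no)'
    if ($reply -ne 'yes') {
        Write-Host 'No change made.'
        return
    }

    Disable-PassthroughAuthentication -Feature PassthroughAuth          # step 5

    Write-Host '--- Pass-through Authentication status AFTER ---'       # step 6
    Get-PassthroughAuthenticationEnablementStatus -Feature PassthroughAuth | Out-Host
    Write-Host "Done. Transcript saved to $log; also confirm in Azure Portal > Azure AD > AD Connect."
}
finally {
    Stop-Transcript | Out-Null
}
```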