0 Votes
JonMorby-3287 asked amanpreetsingh-msft commented

Forcing Azure AD to reset when you've lost your Passthrough authentication servers

So, I was in the process of setting up a new VDI farm for a customer and as we couldn't migrate their forest (easily) it seemed easier to just create everything from scratch and do it right (as this old old old setup was a mess anyway).

All was going well and during testing / getting ready to go live we enabled passthrough authentication from Azure AD ... had some issues, and tried to disable it / misread an FAQ and uninstalled the passthrough daemon without first running AD Connect to turn on hash sync ... worse yet, we also removed AD Connect.

So now, we can't log into Azure AD to do anything and the client can't log into their O365 email.

I've been on to Azure Support and they've said raise a ticket, which I've done, and they also suggested posting here for ideas.

So, any ideas how I can fix this myself? The "break glass" account is missing Azure/AD permissions so I can't unfubar things using that ... in fact we had a hell of a job even getting into that as the recovery details still point to the guy who originally set the whole thing up, even though we were sure we'd changed them to point to one of our lead engineers.

Tags: azure-active-directory, azure-ad-connect

Bit of an update ... I can see password hashing is enabled, but the sync isn't running as it can't authenticate ... authentication attempts fail with a timeout (I presume because there's no response from our PT servers and Azure isn't falling back to the hashes).

I've tried manually resetting my password through SSPR/web and whilst that worked, I still can't log in / still get the time exceeded error (try again).


1 Answer

0 Votes
amanpreetsingh-msft answered amanpreetsingh-msft commented

Hi @JonMorby-3287, thank you for reaching out.

If you don't have access to AD Connect and PTA agent, you can still disable Pass-through Authentication for your tenant. Please follow the steps below:

  1. Download and install the PTA agent on any computer using Azure Portal > Azure AD > AD Connect > Pass Through Authentication > Download, or click here to download.

  2. In an elevated PowerShell window, run cd "C:\Program Files\Microsoft Azure AD Connect Authentication Agent"

  3. Run Import-Module .\Modules\PassthroughAuthPSModule

  4. Run Get-PassthroughAuthenticationEnablementStatus -Feature PassthroughAuth to see if Pass-through Authentication is enabled.

  5. Run Disable-PassthroughAuthentication -Feature PassthroughAuth to disable Pass-through Authentication.

  6. Run Get-PassthroughAuthenticationEnablementStatus -Feature PassthroughAuth again to confirm that Pass-through Authentication is disabled.

You can also go to Azure Portal > Azure AD > AD Connect and confirm that Pass Through Authentication is disabled.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

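The six steps above, collected into one script that checks its preconditions before touching the tenant. This is an added example, not code from the answer or from Microsoft; it assumes the default agent install path quoted in step 2 and the cmdlet names quoted in steps 4 and 5, and it assumes those cmdlets prompt interactively for a Global Administrator sign-in (which is why they cannot help when that sign-in itself is what is failing).

```powershell
# Added example: disable Pass-through Authentication from a freshly installed
# agent host, as described in the answer. Assumes the default install path.
$agentDir   = 'C:\Program Files\Microsoft Azure AD Connect Authentication Agent'
$modulePath = Join-Path $agentDir 'Modules\PassthroughAuthPSModule'

# Step 2 asks for an elevated window; fail early instead of half-way through.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell window.'
}

# Step 1 must already have been done: the module ships with the agent installer.
if (-not (Test-Path -Path $agentDir)) {
    throw "Agent directory not found at '$agentDir'. Install the PTA agent first."
}

# Step 3: load the module that ships with the agent.
Set-Location -Path $agentDir
Import-Module $modulePath -ErrorAction Stop

# Step 4: record the current state before changing anything.
# Assumption: the cmdlet prompts for Global Administrator credentials.
$before = Get-PassthroughAuthenticationEnablementStatus -Feature PassthroughAuth
Write-Host "Pass-through Authentication status before: $before"

# Step 5: disable the feature for the tenant.
Disable-PassthroughAuthentication -Feature PassthroughAuth -ErrorAction Stop

# Step 6: read the state again and make sure it actually changed.
$after = Get-PassthroughAuthenticationEnablementStatus -Feature PassthroughAuth
Write-Host "Pass-through Authentication status after:  $after"

if ("$after" -eq "$before") {
    Write-Warning 'Status did not change; confirm in Azure Portal > Azure AD > AD Connect.'
} else {
    Write-Host 'Pass-through Authentication has been disabled for the tenant.'
}
```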

@JonMorby-3287, just checking if you had a chance to test these steps out.


Hi

This didn't work due to the fundamental problem of not being able to log into the Azure portal due to authentication timeouts, as Azure's portal tried to talk to non-existent passthrough agents and then barfed.

Likewise, disabling PT on the non-existent agent was also impossible :(

Eventually (after 8+ hours) Azure AD for Office 365 decided that maybe it shouldn't be trying to talk to non-existent PT servers and disabled PT automatically ... which then meant I could log in as a Global Administrator, fix the permissions on the break glass account (which didn't have GA permissions for some stupid reason), and re-sync password hashes so the client could regain access to their O365 emails.


@JonMorby-3287, thanks for the update. Glad that the issue is fixed.
Keep a cloud-only Global Administrator as a break-glass account to avoid such lockout events in future.
