This article explains how connectivity between Microsoft Entra Connect and Microsoft Entra ID works and how to troubleshoot connectivity issues. These issues are most likely to be seen in an environment that uses a proxy server.
Microsoft Entra Connect uses the Microsoft Authentication Library (MSAL) for authentication. The installation wizard and the sync engine require machine.config to be properly configured because these two are .NET applications.
Note
Azure AD Connect v1.6.xx.x uses the Active Directory Authentication Library (ADAL). ADAL is deprecated and support will end in June 2022. We recommend that you upgrade to the latest version of Microsoft Entra Connect v2.
In this article, we show how Fabrikam connects to Microsoft Entra ID through its proxy. The proxy server is named fabrikamproxy and uses port 8080.
First, make sure that machine.config is correctly configured and that the Microsoft Entra ID Sync service has been restarted once after the machine.config file update.
Note
Some non-Microsoft blogs indicate you should make changes to miiserver.exe.config instead of the machine.config file. However, the miiserver.exe.config file is overwritten on every upgrade. Even if the file works during the initial installation, the system stops working during the first upgrade. For that reason, we recommend that you update machine.config as described in this article.
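The following script is an added example and isn't part of the original article or of Microsoft Entra Connect itself. It writes the <system.net><defaultProxy> section that the wizard and the sync engine read from machine.config and then restarts the sync service, which is the only way the running engine picks the change up. It assumes the Fabrikam proxy from this article (http://fabrikamproxy:8080), the default 64-bit .NET Framework 4.x machine.config path, and that the proxy accepts the calling account's domain credentials (useDefaultCredentials).

```powershell
# Added example (not from the original article): configure machine.config's defaultProxy
# for Microsoft Entra Connect and restart the sync service. Run from an elevated
# Windows PowerShell session on the Microsoft Entra Connect server.
param(
    # Assumption: the article's example proxy. Replace with your own host:port.
    [string]$ProxyAddress = 'http://fabrikamproxy:8080',
    # Assumption: the 64-bit .NET Framework 4.x config, which the 64-bit sync engine reads.
    [string]$ConfigPath = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config"
)

if (-not (Test-Path $ConfigPath)) { throw "machine.config not found at $ConfigPath" }

# machine.config is shared by every .NET Framework app on the box, so keep a backup.
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true      # keep the file's existing layout as far as possible
$xml.Load($ConfigPath)

# <configuration><system.net> may or may not exist yet.
$systemNet = $xml.configuration.SelectSingleNode('system.net')
if (-not $systemNet) {
    $systemNet = $xml.configuration.AppendChild($xml.CreateElement('system.net'))
}

# Replace any existing defaultProxy so stale or conflicting settings can't linger.
$existing = $systemNet.SelectSingleNode('defaultProxy')
if ($existing) { [void]$systemNet.RemoveChild($existing) }

$defaultProxy = $xml.CreateElement('defaultProxy')
$defaultProxy.SetAttribute('enabled', 'true')
# useDefaultCredentials=true makes WebRequest send the calling account's credentials to
# the proxy; without it an authenticating proxy answers 407 (see the table later in the article).
$defaultProxy.SetAttribute('useDefaultCredentials', 'true')

$proxy = $xml.CreateElement('proxy')
$proxy.SetAttribute('usesystemdefault', 'true')
$proxy.SetAttribute('proxyaddress', $ProxyAddress)
$proxy.SetAttribute('bypassonlocal', 'true')
[void]$defaultProxy.AppendChild($proxy)
[void]$systemNet.AppendChild($defaultProxy)

$xml.Save($ConfigPath)
Write-Host "Wrote defaultProxy ($ProxyAddress) to $ConfigPath"

# The sync engine reads machine.config only at process start, so restart it now.
Restart-Service -Name ADSync -Force
Write-Host 'ADSync service restarted'
```

Because the wizard runs as the signed-in user and the sync engine as the service account, both accounts must be able to authenticate to the proxy when useDefaultCredentials is set; that's why the article recommends domain accounts for both.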
The proxy server must also have the required URLs opened. The official list is documented in Office 365 URLs and IP address ranges.
Of these URLs, the URLs listed in the following table are the absolute bare minimum to be able to connect to Microsoft Entra ID at all. This list doesn't include any optional features, such as password writeback or Microsoft Entra Connect Health. The information is provided here to help with troubleshooting for the initial configuration.
URL | Port | Description |
---|---|---|
mscrl.microsoft.com | HTTP/80 | Used to download certificate revocation lists (CRLs). |
*.verisign.com | HTTP/80 | Used to download CRLs. |
*.entrust.net | HTTP/80 | Used to download CRLs for multifactor authentication (MFA). |
*.management.core.windows.net (Azure Storage), *.graph.windows.net (Azure AD Graph) | HTTPS/443 | Used for the various Azure services. |
secure.aadcdn.microsoftonline-p.com | HTTPS/443 | Used for MFA. |
*.microsoftonline.com | HTTPS/443 | Used to configure your Microsoft Entra directory and import/export data. |
*.crl3.digicert.com | HTTP/80 | Used to verify certificates. |
*.crl4.digicert.com | HTTP/80 | Used to verify certificates. |
*.digicert.cn | HTTP/80 | Used to verify certificates. |
*.ocsp.digicert.com | HTTP/80 | Used to verify certificates. |
*.www.d-trust.net | HTTP/80 | Used to verify certificates. |
*.root-c3-ca2-2009.ocsp.d-trust.net | HTTP/80 | Used to verify certificates. |
*.crl.microsoft.com | HTTP/80 | Used to verify certificates. |
*.oneocsp.microsoft.com | HTTP/80 | Used to verify certificates. |
*.ocsp.msocsp.com | HTTP/80 | Used to verify certificates. |
The CRL and OCSP endpoints are plain HTTP by design: revocation data is signed by the CA, and serving it over HTTPS would require revocation-checking the HTTPS certificate itself. Don't "harden" these rules by forcing them to port 443, because the clients request port 80.
The installation wizard uses two different security contexts. On the Connect to Microsoft Entra ID page, it uses the user who is currently signed in. On the Configure page, it changes to the account running the service for the sync engine. If an issue occurs, the error most likely will appear on the Connect to Microsoft Entra ID page in the wizard because the proxy configuration is global.
The following issues are the most common errors you might encounter in the installation wizard.
This error appears when the wizard itself can't reach the proxy.
If you see this error, verify that the machine.config file is correctly configured. If machine.config looks correct, complete the steps in Verify proxy connectivity to see if the issue is also present outside the wizard.
If you use a Microsoft account instead of a school or organization account, you see a generic error:
This error appears if the endpoint https://secure.aadcdn.microsoftonline-p.com can't be reached and your Hybrid Identity Administrator has MFA enabled.
If you see this error, verify that the endpoint secure.aadcdn.microsoftonline-p.com has been added to the proxy.
The password can't be verified
If the installation wizard successfully connects to Microsoft Entra ID but the password itself can't be verified, you see this error:
Is the password a temporary password that must be changed? Is it actually the correct password? Try to sign in to https://login.microsoftonline.com on a different computer than the Microsoft Entra Connect server and verify that the account is usable.
Verify proxy connectivity
To check whether the Microsoft Entra Connect server is connecting to the proxy and the internet, use PowerShell to see if the proxy is allowing web requests. In PowerShell, run Invoke-WebRequest -Uri https://adminwebservice.microsoftonline.com/ProvisioningService.svc. (Technically, the first call the wizard makes is to https://login.microsoftonline.com, and that URI also works, but the ProvisioningService.svc URI is quicker to respond.)
PowerShell uses the configuration in machine.config to contact the proxy. The settings in winhttp/netsh shouldn't affect these cmdlets.
If the proxy is correctly configured, a success status appears:
If you see the message Unable to connect to the remote server, PowerShell is trying to make a direct call without using the proxy or DNS isn't correctly configured. Make sure that the machine.config file is correctly configured.
If the proxy isn't correctly configured, a 403 or 407 error message appears:
The following table describes 403 and 407 proxy errors:
Error | Error Text | Comment |
---|---|---|
403 | Forbidden | The proxy hasn't been opened for the requested URL. Revisit the proxy configuration and make sure that the URLs have been opened. |
407 | Proxy Authentication Required | The proxy server required a sign-in and none was provided. If your proxy server requires authentication, make sure that you configured this setting in machine.config. Also make sure that you're using domain accounts for the user running the wizard and for the service account. |
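The following script is an added example and isn't part of the original article. It automates the Invoke-WebRequest check above across the endpoints this article names (the two provisioning and sign-in URIs, the MFA CDN host, and a CRL host from the minimum URL table) and maps each outcome onto the table above: no HTTP response at all, 403, 407, or a response that proves the proxy forwarded the request. It assumes Windows PowerShell 5.1, because that host runs on the .NET Framework and therefore reads machine.config; PowerShell 7 runs on .NET Core, which ignores machine.config, so results from it say nothing about the sync engine's proxy path.

```powershell
# Added example (not from the original article): probe the article's endpoints through the
# proxy configured in machine.config and classify the result like the 403/407 table.
# Run in Windows PowerShell 5.1 on the Microsoft Entra Connect server, as the user that
# runs the wizard and again as the sync service account.

# Microsoft Entra endpoints require TLS 1.2; older hosts don't enable it in .NET by default.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Assumption: concrete hosts picked from the article's list. Wildcard rows such as
# *.crl3.digicert.com need a host taken from your own certificates' CRL distribution points.
$endpoints = @(
    'https://adminwebservice.microsoftonline.com/ProvisioningService.svc',
    'https://login.microsoftonline.com',
    'https://secure.aadcdn.microsoftonline-p.com',   # required when the admin has MFA enabled
    'http://mscrl.microsoft.com'                     # CRL download over plain HTTP
)

function Test-ProxyEndpoint {
    param([string]$Uri)
    try {
        # Invoke-WebRequest honours <system.net><defaultProxy> in machine.config, not winhttp/netsh.
        $response = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 30
        return [pscustomobject]@{
            Uri = $Uri; Status = [int]$response.StatusCode
            Verdict = 'OK: the proxy forwarded the request'
        }
    }
    catch {
        $ex = $_.Exception
        $status = $null
        if ($ex.Response -and $ex.Response.StatusCode) { $status = [int]$ex.Response.StatusCode }

        if ($null -eq $status) {
            # "Unable to connect to the remote server" lands here: direct call without the
            # proxy, or DNS failure. Check machine.config.
            $verdict = "No HTTP response ($($ex.Message)): check machine.config and DNS"
        } elseif ($status -eq 403) {
            $verdict = 'Forbidden: the proxy has not opened this URL'
        } elseif ($status -eq 407) {
            $verdict = 'Proxy Authentication Required: set useDefaultCredentials and use a domain account'
        } else {
            # Any other status came back from the far side, so the proxy path itself works.
            $verdict = "HTTP $status from the remote server: proxy path is working"
        }
        return [pscustomobject]@{ Uri = $Uri; Status = $status; Verdict = $verdict }
    }
}

$results = foreach ($uri in $endpoints) { Test-ProxyEndpoint -Uri $uri }
$results | Format-Table Uri, Status, Verdict -AutoSize

# Quickest way to confirm .NET actually picked up the proxy from machine.config:
$proxyUri = [System.Net.WebRequest]::DefaultWebProxy.GetProxy([uri]$endpoints[0])
Write-Host "Default .NET proxy for $($endpoints[0]): $proxyUri"
```

A 403 can also come from the origin rather than the proxy; if the response body is the origin's own page instead of the proxy's block page, the rule you need to fix is at the destination, not in the proxy. Run the script twice, once as the account that runs the wizard and once as the sync service account, because the wizard switches between those two security contexts and a 407 often affects only one of them.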
When Microsoft Entra Connect sends an export request to Microsoft Entra ID, Microsoft Entra ID can take up to 5 minutes to process the request before generating a response. The response is especially likely to be delayed if many group objects that have large group memberships are included in the same export request. Ensure that the proxy idle timeout is configured to be greater than 5 minutes. Otherwise, you might have intermittent connectivity issues with Microsoft Entra ID on the Microsoft Entra Connect server.
If you've followed all the steps described in this article and you still can't connect, at this point you might look at network logs. This section describes a normal and successful connectivity pattern.
But first, here are some common concerns about data in the network logs that you can ignore:
- Calls to https://dc.services.visualstudio.com. This URL isn't required to be open in the proxy for the installation to succeed, and these calls can be ignored.
- DNS resolution that lists the actual hosts in the nsatc.net namespace and other namespaces that aren't under microsoftonline.com. There aren't any web service requests to those actual server names, so you don't have to add them to the proxy.
- adminwebservice and provisioningapi are discovery endpoints. They're used to find the actual endpoint to use, and those endpoints differ depending on your region.
The following example is a dump from an actual proxy log and the installation wizard page from where it was taken (duplicate entries to the same endpoint have been removed). This section can be used as a reference for your own proxy and network logs. The actual endpoints might be different in your environment (in particular, the region-specific anchor and relay hostnames).
Connect to Microsoft Entra ID
Time | URL |
---|---|
1/11/2016 8:31 | connect://login.microsoftonline.com:443 |
1/11/2016 8:31 | connect://adminwebservice.microsoftonline.com:443 |
1/11/2016 8:32 | connect://bba800-anchor.microsoftonline.com:443 |
1/11/2016 8:32 | connect://login.microsoftonline.com:443 |
1/11/2016 8:33 | connect://provisioningapi.microsoftonline.com:443 |
1/11/2016 8:33 | connect://bwsc02-relay.microsoftonline.com:443 |
Configure
Time | URL |
---|---|
1/11/2016 8:43 | connect://login.microsoftonline.com:443 |
1/11/2016 8:43 | connect://bba800-anchor.microsoftonline.com:443 |
1/11/2016 8:43 | connect://login.microsoftonline.com:443 |
1/11/2016 8:44 | connect://adminwebservice.microsoftonline.com:443 |
1/11/2016 8:44 | connect://bba900-anchor.microsoftonline.com:443 |
1/11/2016 8:44 | connect://login.microsoftonline.com:443 |
1/11/2016 8:44 | connect://adminwebservice.microsoftonline.com:443 |
1/11/2016 8:44 | connect://bba800-anchor.microsoftonline.com:443 |
1/11/2016 8:44 | connect://login.microsoftonline.com:443 |
1/11/2016 8:46 | connect://provisioningapi.microsoftonline.com:443 |
1/11/2016 8:46 | connect://bwsc02-relay.microsoftonline.com:443 |
Initial sync
Time | URL |
---|---|
1/11/2016 8:48 | connect://login.windows.net:443 |
1/11/2016 8:49 | connect://adminwebservice.microsoftonline.com:443 |
1/11/2016 8:49 | connect://bba900-anchor.microsoftonline.com:443 |
1/11/2016 8:49 | connect://bba800-anchor.microsoftonline.com:443 |
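The following script is an added example and isn't part of the original article. It triages a proxy log against the reference pattern above: it extracts the target host from each CONNECT line, separates the telemetry call you can ignore from the discovery and sign-in endpoints and the region-specific anchor/relay hosts (which is why the proxy rule has to be the wildcard *.microsoftonline.com rather than fixed names), and warns about anything outside the pattern. The log lines are constructed to match the "Time | URL" rows above; a real proxy log (Squid, Zscaler, and so on) needs its own regex for the host field.

```powershell
# Added example (not from the original article): classify proxy log entries from the
# Microsoft Entra Connect server against the article's reference connectivity pattern.

# Constructed sample in the article's "Time | URL" layout; the last two lines are made up
# to show a telemetry call and an unexpected egress host.
$sampleLog = @'
1/11/2016 8:31 | connect://login.microsoftonline.com:443
1/11/2016 8:31 | connect://adminwebservice.microsoftonline.com:443
1/11/2016 8:32 | connect://bba800-anchor.microsoftonline.com:443
1/11/2016 8:33 | connect://provisioningapi.microsoftonline.com:443
1/11/2016 8:33 | connect://bwsc02-relay.microsoftonline.com:443
1/11/2016 8:48 | connect://login.windows.net:443
1/11/2016 8:49 | connect://bba800-anchor.microsoftonline.com:443
1/11/2016 8:50 | connect://dc.services.visualstudio.com:443
1/11/2016 8:51 | connect://updates.example.net:443
'@ -split "`r?`n"

function Get-HostCategory {
    param([string]$HostName)
    # First matching branch wins because each returns.
    switch -Regex ($HostName) {
        '^dc\.services\.visualstudio\.com$'                                { return 'telemetry (safe to ignore)' }
        '^(login|adminwebservice|provisioningapi)\.microsoftonline\.com$'  { return 'discovery or sign-in endpoint' }
        '^login\.windows\.net$'                                            { return 'discovery or sign-in endpoint' }
        '-(anchor|relay)\.microsoftonline\.com$'                           { return 'region-specific endpoint (covered by *.microsoftonline.com)' }
        '\.microsoftonline\.com$'                                          { return 'other microsoftonline.com host' }
        default                                                            { return 'NOT in reference pattern: check against the URL table' }
    }
}

$entries = foreach ($line in $sampleLog) {
    # Pull host:port out of the CONNECT target; skip lines that don't parse instead of guessing.
    if ($line -match '\|\s*connect://(?<host>[^:\s/]+):(?<port>\d+)') {
        [pscustomobject]@{
            Time     = ($line -split '\|')[0].Trim()
            Host     = $Matches.host
            Port     = [int]$Matches.port
            Category = Get-HostCategory -HostName $Matches.host
        }
    }
}

# Collapse repeat hits to the same endpoint, as the article's dump does, then group by category.
$entries | Sort-Object Host -Unique | Sort-Object Category, Host |
    Format-Table Category, Host, Port -AutoSize

# Anything outside the pattern deserves a look: the sync server should have very little egress.
$unexpected = $entries | Where-Object { $_.Category -like 'NOT*' } |
    Select-Object -ExpandProperty Host -Unique
if ($unexpected) {
    Write-Warning "Unexpected egress from the Microsoft Entra Connect server: $($unexpected -join ', ')"
}
```

Run it over the real log window that covers the wizard's Connect and Configure pages and the first sync; hosts that land in the "other microsoftonline.com" bucket are normally fine, while anything flagged as outside the pattern is either a proxy rule you still need to open or traffic that shouldn't be leaving the sync server at all.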
This section covers errors that might be returned from ADAL and PowerShell. The error explanation should help you identify your next steps.
You entered an invalid username or password. For more information, see The password can't be verified.
Your Microsoft Entra directory can't be found or resolved. Maybe you tried to sign in with a username in an unverified domain?
Network or proxy configuration issues. The network can't be reached. See Connectivity issues in the installation wizard.
Your credentials have expired. Change your password.
Microsoft Entra Connect failed to authorize the user to perform an action in Microsoft Entra ID.
The MFA challenge was canceled.
Authentication was successful, but Microsoft Entra PowerShell has an authentication problem.
Authentication was successful, but Privileged Identity Management has been enabled and the user currently isn't a Hybrid Identity Administrator. For more information, see Privileged Identity Management.
Authentication was successful, but company information couldn't be retrieved from Microsoft Entra ID.
Authentication was successful, but domain information couldn't be retrieved from Microsoft Entra ID.
Shown as Unexpected error in the installation wizard. This error might occur if you try to use a Microsoft account instead of a school or organization account.
In releases starting with build number 1.1.105.0 (released February 2016), the sign-in assistant was retired. Configuring the sign-in assistant should no longer be required, but the information in the next sections is included for reference.
For the sign-in assistant to work, Microsoft Windows HTTP Services (WinHTTP) must be configured. You can configure WinHTTP by using netsh.
This error appears when the sign-in assistant can't reach the proxy or the proxy isn't allowing the request.
If you see this error, look at the proxy configuration in netsh and verify that it's correct.
If the proxy configuration looks correct, complete the steps in Verify proxy connectivity to see if the issue occurs outside the wizard.
Learn more about integrating your on-premises identities with Microsoft Entra ID.