Low severity | authentication
Power BI Error:
AADSTS80001, Authentication Agent cannot reach AD
What does this error mean?
The Microsoft Entra ID (Azure AD) Pass-through Authentication Agent cannot connect to an on-premises Active Directory domain controller.
Common causes
1. The PTA Agent server is not a member of the same AD forest as the user attempting to sign in (cross-forest scenario without an agent in that forest)
2. No reachable writable domain controller: firewall, DNS, or routing blocks LDAP/Kerberos (TCP 88, 389, 445, 464) from the agent to a DC
3. The Microsoft Entra Connect Authentication Agent service (AzureADConnectAuthenticationAgentService) is stopped or crashed on all PTA servers
4. Only one PTA Agent installed and it is offline/unreachable, so there is no high-availability fallback
5. Stale or broken computer-account secure channel between the agent server and the domain (NETLOGON / trust relationship failure)
How to fix it
1. On the PTA Agent server, open Services.msc and verify 'Microsoft Entra Connect Authentication Agent' is Running; restart it and check the Application event log for source 'AzureADConnectAuthenticationAgent' errors
2. Run `nltest /dsgetdc:<domain>` and `Test-ComputerSecureChannel` on the agent server to confirm a writable DC is reachable and the secure channel is healthy; fix DNS/firewall if not (open 88, 389, 445, 464 outbound to DCs)
3. In the Microsoft Entra admin center → Hybrid management → Microsoft Entra Connect → Pass-through authentication, confirm at least 2 agents show status 'Active'; deploy an additional agent for HA if only one is listed
4. If the affected user lives in a different AD forest, install a PTA Agent on a domain-joined server inside that forest; a single agent cannot validate users from a forest it isn't a member of
5. Collect PTA Agent logs from `%ProgramData%\Microsoft\Azure AD Connect Authentication Agent\Trace` and correlate with the failing sign-in's CorrelationId from Entra sign-in logs before escalating to Microsoft support
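The local checks from fix steps 1, 2 and 5 can be gathered in one read-only pass on the agent server. The script below is an added example, not Microsoft's or this page's own tooling; it assumes an elevated PowerShell session on the PTA Agent server, matches the service by a display-name wildcard (an assumption, since the exact name varies by agent version), and uses an arbitrary 24-hour event window.

```powershell
# Added example: read-only health check, run in elevated PowerShell on the PTA Agent server.
# Assumptions: display-name wildcard for the service, 24-hour event window.
param([string]$Domain = $env:USERDNSDOMAIN)

$report = [ordered]@{ Domain = $Domain }

# Agent service state (fix step 1)
$svc = Get-Service -DisplayName '*Connect Authentication Agent*' -ErrorAction SilentlyContinue
$report.Service = if ($svc) {
    ($svc | ForEach-Object { "$($_.DisplayName)=$($_.Status)" }) -join '; '
} else { 'not found' }

# Recent errors from the event source the page names (fix step 1)
$report.AgentErrors24h = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'AzureADConnectAuthenticationAgent'
    Level = 2; StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue).Count

# Writable DC discovery and secure channel (fix step 2)
$match = nltest "/dsgetdc:$Domain" /writable 2>$null |
    Select-String 'DC:\s*\\\\(\S+)' | Select-Object -First 1
$dc = if ($match) { $match.Matches[0].Groups[1].Value } else { $null }
$report.WritableDC = if ($dc) { $dc } else { 'none located' }
$report.SecureChannel = try { Test-ComputerSecureChannel -ErrorAction Stop }
                        catch { "failed: $($_.Exception.Message)" }

# TCP reachability of the ports the page lists, agent -> DC (fix step 2)
if ($dc) {
    foreach ($port in 88, 389, 445, 464) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        $report["Tcp$port"] = $t.TcpTestSucceeded
    }
}

# Newest trace files to attach when escalating (fix step 5)
$traceDir = Join-Path $env:ProgramData 'Microsoft\Azure AD Connect Authentication Agent\Trace'
$report.NewestTraces = if (Test-Path $traceDir) {
    (Get-ChildItem $traceDir -File | Sort-Object LastWriteTime -Descending |
        Select-Object -First 3 -ExpandProperty Name) -join ', '
} else { 'trace directory not found' }

[pscustomobject]$report
```

A `False` for any port or for `SecureChannel` points at causes 2 or 5; a stopped service or a non-zero error count points at cause 3.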