What causes AADSTS80007?

Pass-through Authentication Agent service stopped or crashed on the host server. Network/firewall blocking outbound 443 from the PTA Agent to *.msappproxy.net or inbound LDAP/Kerberos to domain controllers. All reachable domain controllers are down, unreachable, or returning errors. Time skew (>5 minutes) between PTA Agent host and domain controllers breaking Kerberos. Account lockout, disabled account, or expired password in on-prem Active Directory

How do I fix AADSTS80007?

On the server running the Microsoft Entra Connect Authentication Agent, open Event Viewer → Applications and Services Logs → Microsoft → AzureAdConnect → AuthenticationAgent → Admin and locate the failure event matching the sign-in timestamp.. Verify the 'Microsoft Entra Connect Authentication Agent' service is running; restart it and confirm the agent shows 'Active' under Entra admin center → Hybrid management → Microsoft Entra Connect → Pass-through authentication.. From the agent host, test connectivity to the nearest domain controller (`nltest /sc_query: `, `Test-NetConnection -Port 389`) and validate AD health (`dcdiag`, replication, time sync via `w32tm /query /status`).. Confirm the affected user account in AD is enabled, not locked out, and password is not expired (`Get-ADUser -Properties LockedOut,Enabled,PasswordExpired`).. Deploy a second PTA Agent on a different server for redundancy so a single agent failure no longer causes AADSTS80007 storms.

Low severityauthentication

Power BI Error:
AADSTS80007

What does this error mean?

Microsoft Entra ID (Azure AD) Pass-through Authentication Agent failed to validate the user's password against on-prem Active Directory.

Common causes

1Pass-through Authentication Agent service stopped or crashed on the host server
2Network/firewall blocking outbound 443 from the PTA Agent to *.msappproxy.net or inbound LDAP/Kerberos to domain controllers
3All reachable domain controllers are down, unreachable, or returning errors
4Time skew (>5 minutes) between PTA Agent host and domain controllers breaking Kerberos
5Account lockout, disabled account, or expired password in on-prem Active Directory

How to fix it

1On the server running the Microsoft Entra Connect Authentication Agent, open Event Viewer → Applications and Services Logs → Microsoft → AzureAdConnect → AuthenticationAgent → Admin and locate the failure event matching the sign-in timestamp.
2Verify the 'Microsoft Entra Connect Authentication Agent' service is running; restart it and confirm the agent shows 'Active' under Entra admin center → Hybrid management → Microsoft Entra Connect → Pass-through authentication.
3From the agent host, test connectivity to the nearest domain controller (`nltest /sc_query:<domain>`, `Test-NetConnection <DC> -Port 389`) and validate AD health (`dcdiag`, replication, time sync via `w32tm /query /status`).
4Confirm the affected user account in AD is enabled, not locked out, and password is not expired (`Get-ADUser <user> -Properties LockedOut,Enabled,PasswordExpired`).
5Deploy a second PTA Agent on a different server for redundancy so a single agent failure no longer causes AADSTS80007 storms.

Frequently asked questions

What does AADSTS80007 mean?

The Authentication Agent is unable to validate user's password. Check the agent logs for more info and verify

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes